May 3, 2011

Hide your links to prevent automatic URL discovering

As was previously promissed I'll show a technique how you can hide your media links in your pages. As was previously discussed if you just provide client a code like this:

<object id        = "MediaPlayer"
                        width        = "320"
                        height        = "250"
                        classid        = "CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
                        codebase    = "http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
                        standby        = "Loading Microsoft Windows Media Player components..."
                        type        = "application/x-oleobject">
                   
                        <param name="FileName" value="rtsp://myserver/mypublishpoint"></object>
a thief can parse your page and get this link. But you can set FileName attribute in javascript and this will prevent automatical parsing of your script. For example

<html>
<head>
<title>Embedding Windows Media Player</title>
<script type="text/javascript">
          
window.onload= function() {

   if(document.getElementById) {
    if(document.MediaPlayer){
        document.MediaPlayer.setAttribute('FileName', 'rtsp://myserver/mypublishpoint')
    }
   }
}
</script>
</head>
<body>
<object id        = "MediaPlayer"
                        width        = "320"
                        height        = "250"
                        classid        = "CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
                        codebase    = "http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701"
                        standby        = "Loading Microsoft Windows Media Player components..."
                        type        = "application/x-oleobject">
                   
                        <param name="FileName"></object>
</body>
</html>

Then you should apply additional mix on 'rtsp://myserver/mypublishpoint' string and finally you will get something like that:

window.onload= function() {
   if(document.getElementById) {
    var filename= new Array('m','y','p','u','b','l','i','s','h','p','o','i','n','t')
    if(document.MediaPlayer){
        document.MediaPlayer.setAttribute('FileName', 'rtsp://myserver/' + filename.join("") )
    }
   }
}

In addition you can rotate the array, mix it, encode/decode, return several different scripts randomly. After adding new publish point a thief has to open your page and get new links manually. Each time all the time. And since you don't have RSS his job becomes boring and very hard.

Next time we will start series of articles about a new system we are working on. As previously described it will be more complex solution what will help you with WMS server administration not only from security perspective. Stay tuned and subscribe our blog.

Take a look at WMSAuth plugin for Windows MediaPaywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.


Related documentation


Paywall for WowzaGeo and IP range restriction for WowzaWowza hotlinking re-publishing and re-streaming protectionNimble Streamer HTTP hotlinking protectionNimble Streamer geo-location restrictionPay-per-view for Wowza Media ServerWMSPanel control and reporting panel for Wowza Media Server

No comments:

Post a Comment