September 4, 2013

Hotlinking and domain lock WMSAuth protection

Protection and restriction against the un-authorized access to the media is crucial for streaming business. WMSPanel team originally started its path by creating WMSAuth hotlink protection for Windows Media. Later on when we switched to Wowza Media Server, one of the first things we did there was WMSAuth hotlink protection. BTW, you can read a brief history of our solution in Dan Rayburn's blog post.

Now about 1/3 of our subscribed customers use WMSAuth hot-linking protection or connections limitation capabilities.

Hot-linking re-streaming protection has simple yet powerful architecture. A customer signs up links to available media with a hash and WMSPanel agent checks the signature when a viewer tries to connect.

WMSAuth mechanics in action. 

One interesting use case which obviously follows from described links protection is that the link may be presented via designated domains and websites only.

Here's how it works if a regular user tries to play media and if some grabber tries to do the same.

  1. Customer changes his media web pages which show video. Each video has a hash signature which is based on several parameters, including IP and secret password known to a customer only.
  2. If an authorized user opens a page, the link gets signed with signature where his IP is hashed among other parameters.
  3. When the viewer connects to media, the WMSPanel agent checks the hash considering user IP and allows connection.
  4. If the some grabber opens the page, the grabber's IP is used to access so the media is signed respectively.
  5. When the grabbed page is shown somewhere else, the unauthorized viewer tries to open it with his own IP - the new IP which is not hashed in the media signature. The agent checks new IP with IP from the signature and denies connection.
Here's the flow chart for this scenario.

Hotlinking protection with WMSPanel Wowza agent.
This functionality is more reliable than domain lock solutions which are based on Referrer header check. An abuser may easily fake any headers and get these streams while WMSAuth simply cannot be faked at all.

User IP might not be enough for this kind of media protection just because some users may watch the media from behind the proxy or firewall. In this case you can go beyond that and use pay-per-view framework for Wowza. It uses the same principle but it embeds user unique ID into the signature instead of an IP. It also brings wide variety of possibilities for building your own paywall.

To try these hotlink protection mechanics you can sign up for free trial and use it free of charge during first 2 weeks.

Notice that hotlinkng protection is available for Nimble Streamer. With Nimble, you can make unique signature for each individual streamNimble Streamer is the light-weight HTTP streaming server for HLS, Smooth and progressive download. WMSPanel is an official GUI for Nimble Streamer.

Related documentation


Paywall for WowzaGeo and IP range restriction for WowzaWowza hotlinking re-publishing and re-streaming protectionNimble Streamer HTTP hotlinking protectionHotlinking protection with stream-based signatureNimble Streamer geo-location restrictionIntegrating WMSAuth to your websitePay-per-view for Wowza Media ServerBandwidth limitation for Wowzagithub code samples

No comments:

Post a Comment