This article is intended for technical staff and managers who know how Windows Media Server works internally. I hope everybody else find it useful as well.
Lets propose we are bad guys who want to steal somebody's contents. What should we do?
First of all we will try to find somebody who is not protected from link republishing. But thanks to our previous article there are no people who are not protected from republishing. If we are cheap thieves we will try to steal something else but not media contents from Windows Media Server. If we have enough resources we will try to restream contents.
What is restreaming from technical point of view?
1) we need to get media stream. Even if you are protected from link republishing we can open stream as an authorized user.
2) we need to save stream somewhere. Depending on our needs we probably need big some storage to save stolen content.
3) we need to stream stolen content to our customers.
Lets see how we can get media contents. First of all there are three protocols that Windows Media Server supports: MMS, HTTP, RTSP. MMS is supported only by Windows Media Server 2003 and his younger brother - 2008 Server - doesn't support it. So let's cover just HTTP and RTSP protocols.
HTTP
HTTP was not originally designed for media streaming but using binary chunking (no transport encoding applied to media stream so less data transferred through network) it's good enough for media streaming. It's widely used when media player is embedded into web pages. There is "Referrer" HTTP header related protection from republishing for HTTP protocol. When I tried to hack this protection it was not so easy to me. Additionally this protection works only for HTTP protocol. So use our solution since it's more secure and works for both HTTP, RTSP and even for MMS on Windows Media Server 2003.
We can re-stream HTTP stream produced by Windows Media Server using:
RTSP
It's supported both by 2003 and 2008 server versions and it's preferable transport protocol for 2008 server since MMS is not supported here. RTSP was initially created for media streaming and supported by many media servers and players. To re-stream WMV+WMA(ASF) produced by Windows Media Server it's not enough to support RTSP so there is software we can use to steal contents produced by Windows Media Server:
There are a lot of commercial and free software available in Internet for re-streamers. I don't want to advertise this soft here but want to say that re-streaming in general is very complex task. It's not so easy since web pages are changing all the time, media URLs changing as well so there is no fully-automated solution where we can say "ok, here is a good site and we want to steal all of its content". All re-streamers have their own solution for stealing contents depending on what they are trying to steal. They may share their scripts of course but when the re-streamer have stolen your content, he has the same problem as you - he needs to protect his investments. It's not too rare case when contents is restolen. Yeah, it's a crazy world.
We've covered just re-streaming part but didn't say anything about how re-streamer can get valid URL to your media contents. Usually you just returns URL to content inside the web page. If that's the case, it's a bad idea since re-streamer can easily parse this page and get your link. In the next article I'll try to help you protect your media URLs from automatic grabbing.
Take a look at WMSAuth plugin for Windows Media, Paywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.
Paywall for Wowza, Geo and IP range restriction for Wowza, Wowza hotlinking re-publishing and re-streaming protection, Nimble Streamer HTTP hotlinking protection, Nimble Streamer geo-location restriction Pay-per-view for Wowza Media Server, WMSPanel control and reporting panel for Wowza Media Server
Lets propose we are bad guys who want to steal somebody's contents. What should we do?
First of all we will try to find somebody who is not protected from link republishing. But thanks to our previous article there are no people who are not protected from republishing. If we are cheap thieves we will try to steal something else but not media contents from Windows Media Server. If we have enough resources we will try to restream contents.
What is restreaming from technical point of view?
1) we need to get media stream. Even if you are protected from link republishing we can open stream as an authorized user.
2) we need to save stream somewhere. Depending on our needs we probably need big some storage to save stolen content.
3) we need to stream stolen content to our customers.
Lets see how we can get media contents. First of all there are three protocols that Windows Media Server supports: MMS, HTTP, RTSP. MMS is supported only by Windows Media Server 2003 and his younger brother - 2008 Server - doesn't support it. So let's cover just HTTP and RTSP protocols.
HTTP
HTTP was not originally designed for media streaming but using binary chunking (no transport encoding applied to media stream so less data transferred through network) it's good enough for media streaming. It's widely used when media player is embedded into web pages. There is "Referrer" HTTP header related protection from republishing for HTTP protocol. When I tried to hack this protection it was not so easy to me. Additionally this protection works only for HTTP protocol. So use our solution since it's more secure and works for both HTTP, RTSP and even for MMS on Windows Media Server 2003.
We can re-stream HTTP stream produced by Windows Media Server using:
- Windows Media Server itself. Yes, the server can re-stream contents. In general this function is used for load balancing in Windows Media Server field.
- VLC player. This tool has command-line interface and can restream variary formats. It's opensource and if something is missing (for example you cannot add HTTP Referrer header in VLC but you can download code and add this possibility. You can change "User-Agent" as well. So patched VLC player can pretend regular Windows Media Player or even Windows Media Player embedded into Web page.
RTSP
It's supported both by 2003 and 2008 server versions and it's preferable transport protocol for 2008 server since MMS is not supported here. RTSP was initially created for media streaming and supported by many media servers and players. To re-stream WMV+WMA(ASF) produced by Windows Media Server it's not enough to support RTSP so there is software we can use to steal contents produced by Windows Media Server:
- As in previous case Windows Media Server itself. Actually we can protect ourself from re-streaming by Windows Media Server using our solution. You can specify supported players and it will skip others. In order to workaround this simple protection, re-streamer need to either have RTSP proxy with possibility to change "User-Agent" name. I've never heard about such proxy and even if it exists it's not such robust like HTTP proxies exists many years and works fine and very stable. So it looks like while you use RTSP + our solution, re-streamer has to move from Windows Media Server to something else. But of course he can put something first and then stream to Windows Media Server for further re-streaming. So as I said in previous article there is no simple solution for re-stream prevention.
- And as for HTTP, we can use VLC as well. Taking into account that we can get source and change everything we need to looks like for example Windows Media player this tool is great for re-streamers and very widely used. It's opensource and anybody can capture traffic between Media Player and try to fix re-streaming software to behave similarly.
There are a lot of commercial and free software available in Internet for re-streamers. I don't want to advertise this soft here but want to say that re-streaming in general is very complex task. It's not so easy since web pages are changing all the time, media URLs changing as well so there is no fully-automated solution where we can say "ok, here is a good site and we want to steal all of its content". All re-streamers have their own solution for stealing contents depending on what they are trying to steal. They may share their scripts of course but when the re-streamer have stolen your content, he has the same problem as you - he needs to protect his investments. It's not too rare case when contents is restolen. Yeah, it's a crazy world.
We've covered just re-streaming part but didn't say anything about how re-streamer can get valid URL to your media contents. Usually you just returns URL to content inside the web page. If that's the case, it's a bad idea since re-streamer can easily parse this page and get your link. In the next article I'll try to help you protect your media URLs from automatic grabbing.
Take a look at WMSAuth plugin for Windows Media, Paywall framework for Wowza Media Server and hot-linking protection for Nimble Streamer.
Related documentation
Paywall for Wowza, Geo and IP range restriction for Wowza, Wowza hotlinking re-publishing and re-streaming protection, Nimble Streamer HTTP hotlinking protection, Nimble Streamer geo-location restriction Pay-per-view for Wowza Media Server, WMSPanel control and reporting panel for Wowza Media Server
No comments:
Post a Comment