kaltura / nginx-vod-module

NGINX-based MP4 Repackager
GNU Affero General Public License v3.0

Security Issue with Chrome/Firefox Extension Video DownloadHelper #1125

Open jenridunn opened 4 years ago

jenridunn commented 4 years ago

Hello @erankor! I hope you are well. I'm having quite a hard time thinking about how I can prevent people who use the Video DownloadHelper extension from downloading my VOD videos. I'm implementing AES encryption but it's not enough. I need to clear the key, but so far I haven't found any tutorial on how to clear the key for HLS VOD videos. Here's my nginx.conf so far; it's quite simple. I'm testing the location /tras/, but as you can see I also have the location /content/ where I have secure links, but the browser extension is still somehow able to download the videos. I think that the extension detects the m3u8 manifest and extracts the segments from there, and no matter how well the URL is protected the video is vulnerable. Do you have any suggestions to protect my content against this browser extension? Maybe URI encryption might work, but so far I haven't had luck trying this: the conf in the second block returns a file without an extension, named as the encrypted URL. It's live now, so you can try it if you want; just click the second link. And somehow the first link works too, despite the URI not being encrypted. So I think I'm doing something wrong but I don't know what it is. Thank you @erankor!

Original Link: https://4466mr373txf6j.xyz/tras/VID1,144,360,540,720,k.mp4.urlset/playlist.m3u8

URI Encrypted Link: https://4466mr373txf6j.xyz/tras/suhj7TDbeV7m-Yl67Z4kOCHbThfU-ILNa12LzUHEQoQ9IJb7BZs3aQWeB_mS9qSNplL0faSiI11LB0hUBnz6fg

FIRST BLOCK

location /tras/ {
    root /usr/local/nginx/;
    vod hls;
    vod_secret_key "SomeSecret$vod_filepath";
    vod_hls_encryption_method aes-128;
    add_header Access-Control-Allow-Headers '*';
    add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
    add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
    add_header Access-Control-Allow-Origin '*';
    # It causes issues while streaming; don't use it unless you really need to.
    #add_header 'X-Frame-Options' 'DENY' always;
    expires 100d;
}

location /content/ {
    root /usr/local/nginx/;
    secure_token $token;
    secure_token_types application/vnd.apple.mpegurl video/f4m application/dash+xml text/xml;
    secure_token_expires_time 100d;
    secure_token_query_token_expires_time 1h;
    akamai_token_validate $arg___hdnea__;
    akamai_token_validate_key 8af2bf70;

    vod hls;

    add_header Access-Control-Allow-Headers '*';
    add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
    add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
    add_header Access-Control-Allow-Origin '*';

    # It causes issues while streaming; don't use it unless you really need to.
    #add_header 'X-Frame-Options' 'DENY' always;
    expires 100d;
}

SECOND BLOCK

location /tras/ {
    root /usr/local/nginx/;
    vod hls;
    vod_secret_key "password$1";
    secure_token_encrypt_uri on;
    secure_token_encrypt_uri_key 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f;
    secure_token_encrypt_uri_iv 00000000000000000000000000000000;
    secure_token_encrypt_uri_part $1;
    secure_token_types application/vnd.apple.mpegurl;
    add_header Access-Control-Allow-Headers '*';
    add_header Access-Control-Expose-Headers 'Server,range,Content-Length,Content-Range';
    add_header Access-Control-Allow-Methods 'GET, HEAD, OPTIONS';
    add_header Access-Control-Allow-Origin '*';
    # It causes issues while streaming; don't use it unless you really need to.
    #add_header 'X-Frame-Options' 'DENY' always;
    expires 100d;
}

ufukomer commented 4 years ago

@jenridunn your first link is not working on my machine; it responds with an HTTP 400 code. The second one is working.

erankor commented 4 years ago

We need to distinguish between two different threats:

  1. Allowing only specific individuals to watch/download the video
  2. Preventing someone who is allowed to watch the video from downloading it

The first one can be solved quite easily by tokenization, e.g. secure link. The second one is harder, and I think the only solution that provides a fair level of protection is DRM.
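To make the tokenization point concrete for the /content/ location above (akamai_token_validate with the key 8af2bf70), here is an added example, not code from the thread or from nginx-vod-module, that issues a per-viewer signed link and mirrors the server-side check. It assumes the Akamai EdgeAuth v2 token layout (st/exp/acl fields, HMAC-SHA256 keyed with the hex-decoded key over everything before ~hmac=) and a simplified acl match; the urlset path is the one from the first link in the issue.

```python
import binascii
import hashlib
import hmac
import time

# Key taken from the thread's /content/ config. Four bytes is far too short for
# a real deployment; generate at least 16 random bytes and keep it out of the repo.
KEY_HEX = "8af2bf70"

def make_token(key_hex, acl, window_seconds, now=None):
    """Issue an EdgeAuth-style token valid from now for window_seconds on acl.
    Layout: st=<start>~exp=<expiry>~acl=<path or prefix*>~hmac=<hex>."""
    now = int(time.time()) if now is None else now
    fields = f"st={now}~exp={now + window_seconds}~acl={acl}"
    mac = hmac.new(binascii.unhexlify(key_hex), fields.encode(), hashlib.sha256).hexdigest()
    return f"{fields}~hmac={mac}"

def verify_token(key_hex, token, request_path, now=None):
    """Simplified model of what the server does with $arg___hdnea__:
    check the MAC first, then the time window, then that the path is covered by acl."""
    now = int(time.time()) if now is None else now
    body, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return False
    expected = hmac.new(binascii.unhexlify(key_hex), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    try:
        params = dict(kv.split("=", 1) for kv in body.split("~"))
        st, exp = int(params["st"]), int(params["exp"])
    except (KeyError, ValueError):
        return False
    if not (st <= now < exp):
        return False
    acl = params.get("acl", "")
    # A trailing '*' covers the playlist and every segment under that prefix
    # (assumed wildcard semantics); otherwise the token is bound to one exact path.
    if acl.endswith("*"):
        return request_path.startswith(acl[:-1])
    return request_path == acl

def tokenized_url(origin, request_path, token):
    # Token characters (hex, digits, '=', '~', '/', '*') are safe in a query string as-is.
    return f"{origin}{request_path}?__hdnea__={token}"

if __name__ == "__main__":
    acl = "/content/VID1,144,360,540,720,k.mp4.urlset/*"
    tok = make_token(KEY_HEX, acl, 3600)
    print(tokenized_url("https://cdn.example", acl[:-1] + "playlist.m3u8", tok))
```

Because a legitimate viewer receives a valid token, this only addresses threat 1; it does nothing against threat 2, exactly as the comment above says.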

openaspace commented 1 year ago

Put limit_req_zone $binary_remote_addr zone=mylimit:10m rate=1; in nginx.conf

and limit_req zone=mylimit burst=1 nodelay;

in your vhost, and no plugin will be able to download it! ;) no aes - no drm ;)

erankor commented 1 year ago

> no aes - no drm ;)

also - no CDN, no multiple users behind a single IP address, and no ability to reload the player :-)

openaspace commented 1 year ago

> also - no CDN, no multiple users behind a single IP address, and no ability to reload the player :-)

I can't limit per IP... my videos are public. What do you mean about reloading the player?

erankor commented 1 year ago

I meant that if you implement your suggestion of rate limiting the requests so that a user can't download the same segment twice, if a legit user (=just trying to watch the video, not downloading it) has some temp network error or something, and tries to reload the player, it won't work.