search

videojs / videojs-contrib-hls

HLS library for video.js
http://videojs.github.io/videojs-contrib-hls/
Other
2.84k stars 792 forks source link

Encrypted stream exposes decryption key #1337

Closed robov closed 6 years ago

robov commented 6 years ago

In the manifest of the m3u8 encrypted file there is a call to the license acquisition url to get the key info. When I look in my chrome console I can see and inspect the actual returned keyfile, hence I have the decrypt key. Any suggestions how to increase security on this ?

A possibility it to acutally encrypt the key that is returned from the license acquisition url and decrypt that key after the key is retrieved... but where is the code that retrieves the key ?

gesinger commented 6 years ago

Hey @robov , are you using https://github.com/videojs/videojs-contrib-eme for EME management, AES encryption, or something else?

robov commented 6 years ago

AES encryption The manifest pulls the key from the server and in the chome console I can see this pulling and see the actual base64 encrypted key I am using : videojs-contrib-hls

robov commented 6 years ago

@gesinger .. If I know where your code gets pulls they key from the manifest url, then I can handle the encryption myself. Adding this is an important security feature.. ps. flowplayers implementation has the same leak : https://flowplayer.blacktrash.org/hls-crypt/ exposes their encryption key in base64

nampdn commented 6 years ago

@robov Have you get the idea where the fetch key is written in this project?

robov commented 6 years ago

@nampdn ... no... If I knew I could fix this issue by decrypting the key (and encrypting it on the key store) but I have not looked into this yet... please update when you know where they key is fetched... or even better.. how we can edit the key before it is used by the player itself

gesinger commented 6 years ago

When a key is returned from the server the response can still be seen in the network tab, regardless of what is accessible through the console.

gesinger commented 6 years ago

Closing for now as it's expected that browser requests will be present in the network tab, and since key requests are made through the browser, they will be visible.

If you want to try obfuscating the requests, so long as you implement your server and custom client code to handle the obfuscation, you can use the techniques in https://github.com/videojs/videojs-contrib-hls#hlsxhr to hook into or override the XMLHttpRequest module and can implement custom code there.