Friday, May 18, 2007

Online media protection

I recently came upon an online radio website with an impressive library of old rock. After the visitor selects the artist, the album and the song, a popup opens with an embedded Windows Media Player and the song begins.



Since the website is the online presence of a well-known public radio station, they took the time to protect all their hosted music, so that site visitors can listen to and comment on the music but cannot download it illegally.

I will not give the website address here; instead I’ll present their protection mechanism, which I think may be useful to other online radio webmasters for protecting their hosted music. It may also be useful to online video hosting services for protecting their video clips.

To make this easier to follow, let’s invent a virtual site called radio4.net, with a song archive located at http://library.radio4.net/ (please remember that the address is not real and was invented for illustration only). The key to this implementation is a server-side technology that supports the concept of a session (see PHP or ASP.NET).

Let’s now examine the browser-server communication step by step:

Step 1. The visitor browses the archive and selects a song. The browser makes an HTTP request like the following:

GET http://library.radio4.net/playme.php?songid=63 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
...


Step 2. The server answers the above request with a response like this:

HTTP/1.1 200 OK
Date: Sat, 19 May 2007 01:08:20 GMT
Server: Apache/2.0.59 (Win32) PHP/4.4.4
X-Powered-By: PHP/4.4.4
Set-Cookie: SID=ff1a17742e953d21571baea03bfaab87; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 2213
Content-Type: text/html

...

<object classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
codebase="http://activex.microsoft.com/nsmp2inf.cab"
type="application/x-oleobject" align="middle">
<param name="FileName"
value="http://library.radio4.net/song-ff1a17742e953d21571baea03bfaab87-63.wma">
<embed type="application/x-mplayer2"
src="http://library.radio4.net/song-ff1a17742e953d21571baea03bfaab87-63.wma">
</embed>
</object>


...

Step 3. The embedded Windows Media Player then requests the specified URL:

http://library.radio4.net/song-ff1a17742e953d21571baea03bfaab87-63.wma

If you examine the above steps carefully, you’ll notice that the song URL embeds two pieces of information: the actual song id and the session id. The session id encoded in the URL must match the web session id held by the server; otherwise the request is denied.

If an attacker copies the song URL and tries to download it using a download manager, or even tries to open it with an external media player, the server will detect this and will not provide the song content.

The method can be further improved by checking, on the server side, the User-Agent string of the application that requests the song. In the case of Windows Media Player this will be “NSPlayer”. Requests coming from other clients will again be denied.
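
The server-side check described above, written in Python as an added example (it is not code from the original post or from the site it describes). The session store, the function name and the sample User-Agent strings are assumptions made for illustration; the URL layout, the session id and the song id are the ones shown in the steps above.

```python
import re
import time

# URL layout from the page: /song-<session id>-<song id>.wma
# The strict pattern also rejects anything that is not 32 hex digits plus a number.
SONG_URL = re.compile(r"^/song-([0-9a-f]{32})-(\d+)\.wma$")
PLAYER_UA_MARKER = "NSPlayer"  # marker the page gives for Windows Media Player


def authorize_song_request(path, user_agent, sessions, now=None):
    """Return (http_status, song_id) for a request to a song URL.

    `sessions` is a hypothetical server-side store that maps a session id to
    its expiry time (epoch seconds); it is filled when playme.php issues the SID.
    """
    now = time.time() if now is None else now
    match = SONG_URL.match(path)
    if match is None:
        return 404, None  # not a song URL in the expected format
    url_sid, song_id = match.group(1), int(match.group(2))

    # The session id embedded in the URL must belong to a live server session.
    expires_at = sessions.get(url_sid)
    if expires_at is None or expires_at <= now:
        return 403, None  # unknown or expired session: copied URL is refused

    # Secondary filter only: the User-Agent header is chosen by the client.
    if PLAYER_UA_MARKER not in (user_agent or ""):
        return 403, None
    return 200, song_id


# Constructed sample data, reusing the session id and song id from the page.
SAMPLE_SID = "ff1a17742e953d21571baea03bfaab87"
SAMPLE_PATH = "/song-" + SAMPLE_SID + "-63.wma"
SAMPLE_SESSIONS = {SAMPLE_SID: 1_000_600.0}  # session expires at t=1000600

if __name__ == "__main__":
    # Embedded player inside the live session, then the same URL after expiry,
    # then a download tool (constructed User-Agent strings).
    for ua, t in (("NSPlayer/11.0", 1_000_000), ("NSPlayer/11.0", 1_001_000),
                  ("Wget/1.10", 1_000_000)):
        print(ua, t, authorize_song_request(SAMPLE_PATH, ua, SAMPLE_SESSIONS, now=t))
```
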

Although not hacker-proof, this method contains enough protection to discourage the majority of users from downloading the content. Almost all standard download tools will fail against such protection.

For other methods of protecting web pages and web content, see also the article “Prevent content stealing by protecting web pages”. And don’t forget that your feedback is very important. If you feel the need to comment on anything, please go ahead and do it.
