Question

I am wanting to load FLV videos from an S3 server into my Flash application. The original files will need to be protected (i.e. permissions set to read only for authenticated users) so the video files will be called with a signed URL... I have managed to load and play non-signed URL FLVs in the Flash app.

1) Any issues I should be aware of before diving in?
2) Will I need to use the AS3 S3 library to generate signatures?
3) Can I generate 1 signature when the app loads (e.g. from PHP) and send this to Flash to use with each FLV file it loads?
4) Images and audio will also be loaded into the Flash app and will need to be protected also.

Thanks Stephen

Solution

Yes you can play signed urls in Flash no problem...

From reading around I have managed to answer a couple of my own questions -

1) Yes lots!
2) Not a good idea to sign urls from within Flash as the secret key would need to be in the SWF or loaded from PHP so could be a security risk here. It is probably best to call a PHP method on the server to generate a signed url and return the file to Flash / return the path to the file (sendAndLoad?). But this does seem like an extra step that could be bypassed somehow!
3) Still not sure about this but I think that the signing process involves using the path to the file so each signature for each url is unique - is this correct?

Anyone have further advice on this? Stephen

OTHER TIPS

Apparently I have spent a gazillion hours trying the same with MP3 files for my web site. To answer:

1) Not too complicated a task. (despite my Gazillion hrs)

2) Do not sign URLs from within Flash. Use a hosted PHP file to which you can make an AJAX request to obtain signed URLs. For this the directory structure of your S3 bucket must have a consistent pattern that makes the file location, given some input, programmatically determinable.

I don't think this is a process that can be bypassed. URL signing must only be done server side and never client side. Let me know if you want to see my AJAX sample code. I'll paste it here for you.

3) The signing process uses a minimum of three variables to create a signature - the timestamp, file location (bucket/folder/folder/file), S3 Secret Key. Hence, each request for a file shall have a separate signature. The signed URLs should have a very limited validity (say 10 seconds). Users who can find out the URL within those 10 seconds shall be able to download the file.

Having signatures that vary with timestamp alone might defeat (largely if not fully) the whole purpose of having signed URLs.

To sign URLs, use the script below. It works like a charm and would have saved me a lot of hours had I got it on time. Also look at point 5 below for additional security.

http://www.richardpeacock.com/blog/2010/07/amazon-aws-s3-query-string-authentication-php

4) For some reason Flash players are not playing signed S3 URLs for MP3 files. I think (GUESS) they ignore the part of the URL once the .mp3 extension in the URL is read. Thus the query string part of the URL is ignored by the player and it can't read the file. They play publicly readable files in my S3 bucket though. I have been using Silverlight for my site and am desperately looking for a Flash solution. If that be the reason, protected FLV files won't play either. In this case you will have to proxy the whole file to your client instead of the URL alone. A solution I am trying to avoid.

5) To further protect your URLs, obfuscate them using one or more of the methods in the link below. They are very simple.

http://www.pc-help.org/obscure.htm

6) Further, your security approach must be to initiate playback of the file on the browser before the URL expires. The expiry time period must be short enough to prevent URL detection before expiry and must be long enough to provide enough latency to begin playback. This is more or less the crux of reasonably secure streaming using self-expiring URLs.

To answer your specific points

Issues you need to be aware of: Point 4 in my 1st answer;

Amazon S3 library required?: Yes but not really. Point 3 in my 1st answer. The script in the link can be used without referring to the documentation, but you'll need to understand Amazon's signing method.

Just use 1 signature?: Not recommended, defeats all purpose of using a signature. Probably no, since I think the signature mandatorily uses the file path and name.

Audio & image protection: All protection is only reasonable (assuming your end users have no time or knowledge constraint and can write code).

Images : Use Javascript to disable right click, Audio : Streams can be downloaded with some tinkering which you can complicate.

Images would certainly be downloadable by disabling JavaScript or punching JS code from the JS Scratchpad / Console. So even detecting if JS is enabled won't help protect images.
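
Added example, not part of either answer and not the linked PHP script: a Python sketch of the server-side signing step the answers describe, using S3's legacy query-string authentication (HMAC-SHA1 over the verb, expiry and object path; current S3 uses Signature Version 4). The bucket, catalogue, credentials and function names are constructed for illustration; `would_accept` is a stand-in for the check the service performs.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed placeholders: real credentials live only on the server.
ACCESS_KEY = "EXAMPLE-ACCESS-KEY-ID"
SECRET_KEY = b"constructed-secret-never-shipped-in-the-swf"
BUCKET = "example-media-bucket"
# Hypothetical catalogue: the client sends an id, never a raw S3 path.
CATALOGUE = {"intro": "video/intro.flv", "track1": "audio/track1.mp3"}

def sign(key, expires):
    """Signature covers the verb, the expiry time and the full object path."""
    string_to_sign = f"GET\n\n\n{expires}\n/{BUCKET}/{quote(key)}"
    mac = hmac.new(SECRET_KEY, string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def issue_url(authenticated, media_id, now, ttl=10):
    """What the server endpoint returns to the player, or None if refused."""
    key = CATALOGUE.get(media_id)
    if not authenticated or key is None:
        return None
    expires = int(now) + ttl
    sig = quote(sign(key, expires), safe="")
    return (f"https://{BUCKET}.s3.amazonaws.com/{quote(key)}"
            f"?AWSAccessKeyId={ACCESS_KEY}&Expires={expires}&Signature={sig}")

def would_accept(key, expires, signature, now):
    """Stand-in for the service-side check: recompute, compare, test expiry."""
    return hmac.compare_digest(sign(key, expires), signature) and now <= expires

def demo(now=1_700_000_000):
    exp = now + 10
    sig = sign("video/intro.flv", exp)
    return {
        "same file, in time": would_accept("video/intro.flv", exp, sig, now + 5),
        "reused on other file": would_accept("audio/track1.mp3", exp, sig, now + 5),
        "expiry extended": would_accept("video/intro.flv", exp + 3600, sig, now + 5),
        "after expiry": would_accept("video/intro.flv", exp, sig, now + 11),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the returned URL reaches the player; a signature issued for one object does not validate for another path or a later expiry, which is why one signature cannot be shared across files.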

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow