Ask HN: My Solution for Securing Paywalled Videos with AWS
Constraints: Minimize theft and sharing of videos to any client which has not paid. Prevent videos from being downloaded(?).
Worst Case: Video is bought by a user, screen-captured, and redistributed. Alternatively, paying user decides to share their username/password with other users.
Solution:
1. Implement a basic user accounts system.
2. Dynamically watermark/brand all videos to mitigate screen-capture theft.
3. Store encrypted/restricted videos on S3, restrict access via CloudFront.
4. Use Braintree/Stripe/Cryptocurrency to capture payments for a given video. Upon payment by client, mark the user as having access to the corresponding video.
5. Use a short-lived/one-time token[0] to grant access to CloudFront endpoint for any paid client. Upon accessing the video after token expiration, a new token will be issued. This prevents users from sharing URLs with friends who haven't signed up and paid. The user would be forced to share their sign-in token or username/password, which is not preferable. Mitigating this with IP restrictions may not be worth the implementation time.
Are there any other major steps that need to be taken here, or have I covered all my bases?
With the above solution, generalizing to recurrent (subscription-based) payments or paying for a set of videos shouldn't be hard. Are there any additional steps required for these generalizations, or are they relatively straightforward alterations to the solution above?
[0] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
3 comments
[ 3.9 ms ] story [ 21.6 ms ] threadIn fact, attempting to make it as difficult as possible (which might lead to usability issues for the "honest" folks) might be seen as a "challenge". In other words, you may inadvertantly cause some people to try to acquire and/or distribute your videos just to see if they can.
Finally, after a certain point, you are likely just wasting time and effort (and possibly money). If your videos are of any value at all, they will be "stolen".
However, I think there are attack vectors which are worth mitigating. The biggest one would be preventing signed URLs from being shared from an authenticated, paying client to a non-paying or unauthenticated client.
Do you know of any illegitimate sources for paid Coursera videos? Do you think the majority of Coursera users are being funneled through this illegitimate channel? I think not; the majority of users would rather pay a small amount for information from the source than some third-hand, sketchy website or server.
Edit: Unfortunately, it is pretty trivial to download content from a signed CloudFront URL (see, for example this[0] demonstration). I am wondering if there is some way to at least mitigate this...
[0] https://www.youtube.com/watch?v=xAGc8cxdiVM
[0] http://improve.dk/how-to-set-up-and-serve-private-content-us...