Topic: Securing video...? (Page 1 of 1)

I'm curious if anybody has any "best practices" or good tutorials on protecting video/files from outside access. Basically I have a system where only admin's can upload content but I want to insure that not just anybody can browse directly to the directory and download. I've used the process of storing files outside the webroot and moving when needed but I can't sacrifice speed/performance and am wondering if there is a good way to do this (maybe in combination with apache or something).

So... what are the security implications of turning of file listing in apache?
Apart from having a dumb admin (who'd be capable of exposing you anyhow)?

That works as long as the file name is unkown, correct? (Apache is one of my many weak points)

yes, it will prevent people from acidentially finding your videos by 'browsing direcetly to the directory'.
It will not prevent someone leaking the URL.

Redroy, you're not providing enough information on why and in which regards you want to 'secure' the files, and
whys 'speed' in delivering is so important (as long as the server streams fast enough for playback?).

what 'attacks' do you want to protect against? How big is your 'may access' group? Is it the same
group for each video? Who are the guys we're protecting against? Random websurfers? Users
with less privileges? Automated bots?

so long,

->Tyberius Prime

My top concerns are

- speed (because the main focus of the site will eventually fall to streaming vids, I want to keep things as fast as possible to avoid future probs)
- security from outside attacks/random surfers (basically I want the admins to know they can upload their sensitive files/videos and they won't end up on youtube unless one of their users leak it)

Validation internally (when users are logged in) shouldn't be any problems once I have a good procedure figured out.

Hopefully that makes more sense... I was looking into mod_rewrite and HTTP_COOKIES, something along these lines if working would be great. Any thoughts on that?

Hm, I wouldn't go for mod_rewrite and cookies if I already had a (scripting language based) log in system.

Here's what I'd do:
a) store the videos outside the web root.
b) have a small script that checks the login, sends the right (caching) headers for streaming and pipes through the appropriate video.

Secure as anything on the web - and the speed difference compared to 'delivering file straight from the webserver' (given that
you need to do something about the authentication anyhow, and that's gonna cost time, because your mod_rewrite can't
discern between a legitimate session cookie and a fake one)) will probably not even be measurable until you're in
'we need a cluster of machines'-land anyhow.

so long,

->Tyberius Prime

As always, thanks for your advice... much appreciated!

you're - as always - most welcome.
Just need enough information to actually give advice

so long,

->Tyberius Prime