Topic awaiting preservation: Securing video...? $Pages that link to <a href="https://ozoneasylum.com/backlink?for=30707" title="Pages that link to Topic awaiting preservation: Securing video...?" rel="nofollow" >Topic awaiting preservation: Securing video...?\$

Author	Thread
redroy Paranoid (IV) Inmate From: 1393 Insane since: Dec 2003	posted 12-15-2008 17:18 I'm curious if anybody has any "best practices" or good tutorials on protecting video/files from outside access. Basically I have a system where only admin's can upload content but I want to insure that not just anybody can browse directly to the directory and download. I've used the process of storing files outside the webroot and moving when needed but I can't sacrifice speed/performance and am wondering if there is a good way to do this (maybe in combination with apache or something).
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-15-2008 18:04 So... what are the security implications of turning of file listing in apache? Apart from having a dumb admin (who'd be capable of exposing you anyhow)?
redroy Paranoid (IV) Inmate From: 1393 Insane since: Dec 2003	posted 12-15-2008 18:22 That works as long as the file name is unkown, correct? (Apache is one of my many weak points)
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-15-2008 21:23 yes, it will prevent people from acidentially finding your videos by 'browsing direcetly to the directory'. It will not prevent someone leaking the URL. Redroy, you're not providing enough information on why and in which regards you want to 'secure' the files, and whys 'speed' in delivering is so important (as long as the server streams fast enough for playback?). what 'attacks' do you want to protect against? How big is your 'may access' group? Is it the same group for each video? Who are the guys we're protecting against? Random websurfers? Users with less privileges? Automated bots? so long, ->Tyberius Prime
redroy Paranoid (IV) Inmate From: 1393 Insane since: Dec 2003	posted 12-15-2008 22:59 My top concerns are - speed (because the main focus of the site will eventually fall to streaming vids, I want to keep things as fast as possible to avoid future probs) - security from outside attacks/random surfers (basically I want the admins to know they can upload their sensitive files/videos and they won't end up on youtube unless one of their users leak it) Validation internally (when users are logged in) shouldn't be any problems once I have a good procedure figured out. Hopefully that makes more sense... I was looking into mod_rewrite and HTTP_COOKIES, something along these lines if working would be great. Any thoughts on that?
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-16-2008 10:41 Hm, I wouldn't go for mod_rewrite and cookies if I already had a (scripting language based) log in system. Here's what I'd do: a) store the videos outside the web root. b) have a small script that checks the login, sends the right (caching) headers for streaming and pipes through the appropriate video. Secure as anything on the web - and the speed difference compared to 'delivering file straight from the webserver' (given that you need to do something about the authentication anyhow, and that's gonna cost time, because your mod_rewrite can't discern between a legitimate session cookie and a fake one)) will probably not even be measurable until you're in 'we need a cluster of machines'-land anyhow. so long, ->Tyberius Prime
redroy Paranoid (IV) Inmate From: 1393 Insane since: Dec 2003	posted 12-16-2008 16:04 As always, thanks for your advice... much appreciated!
Tyberius Prime Maniac (V) Mad Scientist with Finglongers From: Germany Insane since: Sep 2001	posted 12-16-2008 18:47 you're - as always - most welcome. Just need enough information to actually give advice so long, ->Tyberius Prime

Topic awaiting preservation: Securing video...?\$

Author

Thread

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 12-15-2008 17:18

I'm curious if anybody has any "best practices" or good tutorials on protecting video/files from outside access. Basically I have a system where only admin's can upload content but I want to insure that not just anybody can browse directly to the directory and download. I've used the process of storing files outside the webroot and moving when needed but I can't sacrifice speed/performance and am wondering if there is a good way to do this (maybe in combination with apache or something).

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-15-2008 18:04

So... what are the security implications of turning of file listing in apache?
Apart from having a dumb admin (who'd be capable of exposing you anyhow)?

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 12-15-2008 18:22

That works as long as the file name is unkown, correct? (Apache is one of my many weak points)

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-15-2008 21:23

yes, it will prevent people from acidentially finding your videos by 'browsing direcetly to the directory'.
It will not prevent someone leaking the URL.

Redroy, you're not providing enough information on why and in which regards you want to 'secure' the files, and
whys 'speed' in delivering is so important (as long as the server streams fast enough for playback?).

what 'attacks' do you want to protect against? How big is your 'may access' group? Is it the same
group for each video? Who are the guys we're protecting against? Random websurfers? Users
with less privileges? Automated bots?

so long,

->Tyberius Prime

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 12-15-2008 22:59

My top concerns are

- speed (because the main focus of the site will eventually fall to streaming vids, I want to keep things as fast as possible to avoid future probs)
- security from outside attacks/random surfers (basically I want the admins to know they can upload their sensitive files/videos and they won't end up on youtube unless one of their users leak it)

Validation internally (when users are logged in) shouldn't be any problems once I have a good procedure figured out.

Hopefully that makes more sense... I was looking into mod_rewrite and HTTP_COOKIES, something along these lines if working would be great. Any thoughts on that?

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-16-2008 10:41

Hm, I wouldn't go for mod_rewrite and cookies if I already had a (scripting language based) log in system.

Here's what I'd do:
a) store the videos outside the web root.
b) have a small script that checks the login, sends the right (caching) headers for streaming and pipes through the appropriate video.

Secure as anything on the web - and the speed difference compared to 'delivering file straight from the webserver' (given that
you need to do something about the authentication anyhow, and that's gonna cost time, because your mod_rewrite can't
discern between a legitimate session cookie and a fake one)) will probably not even be measurable until you're in
'we need a cluster of machines'-land anyhow.

so long,

->Tyberius Prime

redroy
Paranoid (IV) Inmate

From: 1393
Insane since: Dec 2003

posted 12-16-2008 16:04

As always, thanks for your advice... much appreciated!

Tyberius Prime
Maniac (V) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted 12-16-2008 18:47

you're - as always - most welcome.
Just need enough information to actually give advice

so long,

->Tyberius Prime