If you’re looking for a way to control who has access to your video content, choosing to work with a paid Online Video Platform (OVP) might be the way to go. To protect your content, there are various methods that can be divided into two categories:
- Protect the content itself through Digital Rights Management.
- Limiting content access to selected viewers.
For the sake of this post, we’re gonna focus on the ways you can limit who can access your videos. We’ll provide an overview of the various options offered by our OVP for protecting your video content. We’ll also examine the implications of these options and determine which is best for different situations.
If you’d like more information on DRM, please get in touch.
Online Video Platform level security: Hidden stream urls
Hiding stream URLs is a simple but effective way to protect your video content. It could also be called: “Security by obscurity”. This approach to video content protection involves keeping the links to the video streams hidden or only displaying a link to a brief preview version. In order to access the full video content, users must first demonstrate that they have the necessary permissions.
There are various ways to verify a user’s access permissions, such as looking at the context in which the video is being viewed, checking the user’s geographic location, or whitelisting specific IP addresses and networks. These options can all be implemented using plugins in the content filter mechanism that our platform provides.
Shared secret and secure token
Shared secret and secure token are common methods for providing authentication information. A secure token can take the form of a one-time access code based on a shared secret. Our platform supports a basic shared secret-based one time password mechanism using the HOTP (HMAC based One Time Password algorithm).
Another option is to generate the token on the issuer’s side and let the Online Video Platform backend verify it. The received token can be sent along with specific request information such as the Content ID and category.
The best option for you will depend on the level of control you need over granting and withholding access to your content.
For example, the “shared secret” method of generating and verifying tokens is a great choice when you have a small set of generic rules and content classes. A great use case for this would be if you have a premium section on your website and you only want to give premium subscribers access to it.
Issuing secure tokens for specific content rules that are sensitive to context typically requires a “callback” approach. This involves gathering the token and any relevant information and sending it back to the source (decision-making platform) for verification. An example use case for this would be if you have a birthday-video to celebrate a birthday for a specific individual or group of people, and you want to check the issued token along with user information to determine if the video should be shown or not.
Content Delivery Network level security: Issue one-time protected stream urls
The main drawback of simply hiding direct links to your video content is that it does not prevent “hot linking,” which is when someone uses another player or platform to link to your stream URLs and host –or even monetize– your content.
To combat this issue we recommend you protect that actual stream URls. Our platform makes use of Amazon Cloudfront CDN, which offers three methods of securing access to video content: signed URLs, signed cookies, and geographic or IP-address-based content restrictions.
Signed URLs
Signed URLs are the only option when you need fine grained, URL based access control. A good use case for this would if a user has bought a one-time pass to an exclusive video clip. The video stream url must be a one-time URL and the user should not be allowed to share this URL. A technical downside of this method is that the player or video platform must have a specific per URL signing mechanism. Our platform has built-in support for Amazon Cloudfront signed URLs using a so-called “Canned Policy”. This means that a pre-made policy statement is reused for each request.
Read more information on AWS Cloudfront canned policies.
Signed cookies
Signed cookies are a good choice when you want to give a user access to multiple video streams that can be scoped or limited by a certain path reference. For example: if a user has proven to be a sports subscriber, they would receive a cookie that gives them access to the entire ‘/sports’ folder on the CDN. This method does not provide fine-grained access or time-limiting methods per URL, but it has the advantage that the player or platform does not need specific authorization support built-in. Once the authorization cookie is placed on the user’s computer, it will automatically be sent with each request the computer makes to the CDN.
Geographic/ ip address based content restriction
Geographic content restriction, as offered by default in Amazon Cloudfront, can only be enabled for an entire “Web distribution.” This means that all the content of a certain online video platform customer or publication will be restricted by the same policy, which can be limiting in some situations. However, Amazon Cloudfront can be configured to use an external IP restriction backend, like the one provided by our platform.
On each user request the ip address and requested URL will be sent to the external (OVP) backend, and the OVP backend will decide whether the user is entitled to view the content. As the geographic location is solely determined by comparing the requested IP address with a hosted GEOIP database – the accuracy of this method depends on the accuracy of the hosted GEOIP database that is used. Our platform uses a regularly updated GEOIP database that claims an above 70% accuracy on a city level.
Final words
Although it can sometimes feel like a necessary evil, content restriction is an important part of your video content management strategy. Hopefully this blog post has helped you understand the options and solutions when it comes to video content protection. If you want more advice, don’t hesitate to reach out to us. Additionally, if you’re considering other forms of content protection, such as a full Digital Rights Management system integration, feel free to contact us for assistance.