3

I'm trying to wrap my head around CloudFront. We notice some video sites don't allow us to download the video. I.e. there is no physical link to the file. Or at least, I am not able to locate it in the flash player's source code using Firebug.

On some sites, a typical block of code could look like the following:

<object width="496" height="24" type="application/x-shockwave-flash" id="media_player" name="media_player" data="/flash/jwplayer/player.swf" ....>

  <param name="flashvars" value="file=http://some_bucket_name.s3.amazonaws.com/uploads/users/1/foo.mp3&amp;title=Test&amp;author=Foobar&amp;plugins=&amp;autostart=true&amp;controlbar=bottom&amp;repeat=none&amp;screencolor=000000">

</object>

Above, you notice, from the HTML source code, that the file can be 'cleverly' downloaded through the physical link: http://some_bucket_name.s3.amazonaws.com/uploads/users/1/foo.mp3.

I understand what a CDN is. A good explanation can be found here.

If we use CloudFront, will this disallow end-users from 'cleverly' downloading media files directly from our app since the files will be streamed?

Christian Fazzini
  • 1
    My opinion is: If the browser/flash plugin can load it, so can the user. They might need to be more sophisticated, but it will be possible. YouTube videos for example are protected with expiring tokens etc. but you can still get the file from the browser cache. – Wukerplank Apr 08 '11 at 08:06
  • Hmm, so there is no way of not letting the user download the media? i.e. protecting the media from being downloaded? – Christian Fazzini Apr 08 '11 at 09:34
  • 4
    You can make it difficult, but you can't make it impossible. – Wukerplank Apr 08 '11 at 09:38

3 Answers

3

As Wukerplank suggested: "You can make it difficult, but you can't make it impossible."

Christian Fazzini
  • This answer is no longer true as Amazon added a "Signed URL" option that solves this very issue. – recluze May 08 '14 at 09:23
  • 1
    Signed URLs only obscure the process of making the file downloadable. – Christian Fazzini May 22 '14 at 02:12
  • Oh, they have a timeout etc. in them. If you put CloudFront in the middle and restrict access only through that, you can protect the files. Please correct me if I'm wrong, hehe. – recluze May 22 '14 at 04:13
  • 2
    The timeout only keeps it accessible via the URL for a limited time, which is good to prevent hotlinking. CloudFront still points to an origin, so the files are, in practice, still downloadable. – Christian Fazzini May 23 '14 at 07:39
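
What the comments above disagree about, shown as an added example that is not part of the original thread and is not CloudFront's actual signing scheme: an expiring signed link stops working after its timeout and cannot be altered, but while it is valid it works for whoever holds it. The HMAC construction, `SECRET`, the function names and `media.example.com` are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: shared only by the app and the edge


def _mac(path, expires):
    # Bind the signature to both the object path and the expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(url, ttl, now=None):
    """App side: append Expires and Signature query parameters to url."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"Expires": expires, "Signature": _mac(urlsplit(url).path, expires)})
    return f"{url}?{query}"


def check_url(url, now=None):
    """Edge side: return 'ok', 'expired', 'bad-signature' or 'unsigned'."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["Expires"][0])
        sig = qs["Signature"][0]
    except (KeyError, ValueError):
        return "unsigned"  # a bare link, like the one in the flashvars above
    expected = _mac(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"  # path or Expires was altered after signing
    if now >= expires:
        return "expired"  # a hotlinked or shared copy stops working here
    return "ok"  # no notion of *who* is asking: any holder of the link passes


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    link = sign_url("https://media.example.com/uploads/users/1/foo.mp3", ttl=300, now=t0)
    print(check_url(link, now=t0 + 10))   # the player, or anyone else with the link
    print(check_url(link, now=t0 + 301))  # the same link five minutes later
    print(check_url(link.replace("foo.mp3", "bar.mp3"), now=t0 + 10))
```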
2

Actually, the only thing CloudFront would do is not make S3 / EC2 requests. It's not designed for adding security, but caching and speed. Here's something that should make it harder to download the contents of the link: How do I prevent hotlinking on Amazon S3 without using signed URLs? (checking for a correct referrer).

andreimarinescu
0

Using RTMPE adds another layer of protection. Most download apps have difficulties with it, but as Wukerplank says, nothing is bulletproof.