Re: Help! (Repeat Post) Possible to bypass security for Windows Media files?




Hi Neil,

Sorry to belabour this issue. However, it appears that Windows
Authentication and Authorization might not be right for me. I am using
a regular HTTP login process with a database. I'm not using any of
windows built in access controls for the website.

So, I would like to explore how www.rajshri.com achieves something
that I am trying to do.
=================================================================

If you look at www.rajshri.com, you will see that the wmv files are
addressed as:

mms://rajshri-45.wmod.llnwd.net/a1005/d1/secure/musicvideos/lowbw/DekhaHaiAiseBhi_WMV_Low_stream.wmv?e=1179100800&h=b4e4e5a512a5b1a2f843a8f7f4be678e

You can see that the session (more on the word "session" later) is
embedded in the .wmv name. If one shares the URL, it is not helpful,
because the URL "expires" after some time and no one can see the video
directly. Of course, this does not mean that the URL cannot be shared
immediately (i.e. it does take some time to expire). However, this
helps reduce the likelihood of the URL being shared by the average
user.

I have a few questions:

1. Would fiddler tool crack this mechanism?
2. Regardless of the answer above, since it does provide "some
security", how would I be able to implement this? Would I need windows
media or authentication?
3. If the URL were to "expire" while someone were watching the video
what would happen? (or is that just not possible). The reason I ask
this question is that the URL seems the same if I access it from
different computers and really doesn't seem to have the "user"
information embedded. This means it is not really a "user session" but
a temporary URL that somehow embeds the time or "life" of the URL as a
security feature.
4. I would like to embed the "time" and the "user" info into the URL,
to further limit sharing, if it is possible. If not, the mechanism
that they provide would work just as well. How would I do this?

I am aware that the "solutions" I am looking at are not 100% solutions.
I am looking for something that restricts the average user.

Thanks a lot!
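The expiring-URL scheme described above (an expiry time `e` plus a hash `h` in the query string), extended with the user id asked for in question 4, as an added Python example; this is not code from the original thread or from rajshri.com, and the secret key, the `u` parameter, the HMAC-SHA256 choice and the helper names are assumptions:

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlsplit

# Assumed server-side secret; it never appears in the URL, so a user who
# copies the link cannot forge a new expiry or user id without it.
SECRET = b"constructed-demo-secret-do-not-reuse"


def sign_url(base_url, path, expires_at, user_id, secret=SECRET):
    """Build a link that is only valid until `expires_at` (Unix time) and
    only for `user_id`. The signature covers path, expiry and user, so
    changing any of them invalidates `h`."""
    msg = f"{path}|{expires_at}|{user_id}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    query = urlencode({"e": expires_at, "u": user_id, "h": sig})
    return f"{base_url}{path}?{query}"


def verify_url(url, expected_user, now=None, secret=SECRET):
    """Server-side check run on each request before the .wmv is served.
    Returns (ok, reason); any failure means 'do not serve the file'."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires_at = int(q["e"][0])
        user_id = q["u"][0]
        sig = q["h"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    # Recompute the signature from the request itself, never trust `h`.
    msg = f"{parts.path}|{expires_at}|{user_id}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time compare
        return False, "bad signature"
    # Check the signature first, so an attacker cannot use the expiry
    # error to probe for which expiry values are accepted.
    now = int(time.time()) if now is None else now
    if now > expires_at:
        return False, "expired"
    # Tie the link to the logged-in account (question 4): a valid link
    # pasted by a different logged-in user is refused.
    if user_id != expected_user:
        return False, "wrong user"
    return True, "ok"
```

The check runs when a request arrives, so a transfer that is already in progress is not cut off by expiry; only a new request for the URL (for example a reload) is refused. A constant-time comparison is used because a plain `==` on the hash leaks timing information.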




On May 7, 1:06 am, "Neil Smith [MVP Digital Media]" <n...@xxxxxxxxxx>
wrote:
Trust me on this - all this obfuscation / hiding nonsense won't work,
I can trivially sniff the http transaction between my machine and the
web server to discover the real URL to the stream.

Let's see: http://www.fiddlertool.com/fiddler/

Unless you set up authentication and authorisation plugins on the
media server, there's just no way to have an open access server
publishing point "invisible".

Without authentication and session expiry managed against a user login
database, all I have to do as a user is to share my credentials, and
somebody else is in on my account.

So you'll have to make your authentication system work with the server
plugin (which is non trivial if you don't have programming experience
with the server object model)

The extent to which that's necessary is dependent on how expensive
your content is to provide, and if it's sufficiently valuable you may
be considering using DRM to provide a better fine grained approach to
access and account revocation.

HTH
Cheers - Neil

On 6 May 2007 04:18:12 -0700, janefield2...@xxxxxxxxx wrote:





Thanks, Neil for all your help thus far.

I wanted to clarify that I actually did change the scenario a bit - I
wanted to know how it would work if I did it in the http (and not the
mms) namespace? I guess there must be a way to restrict a static html
page to be viewed by only registered users, i.e. by obfuscating the
URL? And if one could restrict static HTML, one could restrict a .wmv
file as well...

Another thing I was thinking of was a trick I used a few years ago
using image tags such as:

IMG =http://www.mydomain.com/ServersideCode

Now, the IMG tag actually pointed to a servlet (Java) and the Java did
some processing and would conditionally load different images after
completing the server side processing.

Borrowing from that idea, I was thinking that if I were to use

MMS:http://www.mydomain.com/ServerSideCode

Such that the ServerSideCode had the following Pseudo code -
1. Check if valid session.
2. If session is valid, redirect to actual .wmv file, else load
nothing (or specify "failed to load video" error message)
...thereby providing conditional access to the video. Since the video
is embedded in the html file, no one would know the "actual URL" of
the file.

Would that work?

The thing is that I absolutely need to provide secure access to .wmv
files (or any other video files) and I am willing to do whatever
necessary to achieve that. I find it strange that no one has faced
the same issue of restricting user access to video files before. I
have this nagging feeling that I am missing something... If I am down
the wrong path, I feel there must be SOME other way... ANY other way
to achieve a *similar* or equivalent result, even if it is not the
same... Whether it is HTTP, MMS, RTSP with .WMV, quicktime, or .ASX
files...

Thanks a lot. Sorry for the trouble.

Jane

------------------------------------------------------------------------------------------

On May 5, 7:01 pm, "Neil Smith [MVP Digital Media]" <n...@xxxxxxxxxx>
wrote:
On 3 May 2007 19:37:07 -0700, janefield2...@xxxxxxxxx wrote:

Hi All,

I am posting this for the second time, and would really appreciate
your help.

And the answer is exactly the same as previously posted by David Wang,
since it seems your scenario hasn't changed since 30th April when you
last asked? [Hint: You cannot hide the stream effectively]

Cheers - Neil
------------------------------------------------
Digital Media MVP : 2004-2007 http://mvp.support.microsoft.com/mvpfaqs





