Cloudflare Stream - Preventing Signed URLs / Tokens Piracy

Hi,
Signed URLs/Token piracy is a big issue, it happens like this -

A class of students has computers sharing the same public IP address thanks to NAT. A signed URL of an M3U8 manifest is shared among those students, and they watch the video for free on a third-party HLS player and consume a lot of minutes (i.e. bandwidth), while the video owner pays the cost of bandwidth.

We suggest features for mitigating this problem

  1. An option to disable other manifests such as M3U8, so the stream could only play on Cloudflare stream player;
  2. Besides exp, nbf …, etc., allow the API to add a Watch Time constraint to the Signed URL/Token, for instance, setting the total watch time not exceeding the length of a video. With this, even when many people share the same Signed URL, the total watch time would not exceed the Watch Time constraint.

Or there might be other better solutions.

I wish Cloudflare Stream developers could provide additional guards to mitigate the piracy issue. Thank you!

Kind regards,
Shih-Chin Yang

1 Like
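
Added example, not part of the original thread and not a Cloudflare Stream feature: a sketch of the per-token watch-time budget proposed in item 2, as an edge function in front of the segments might enforce it. The class, function and token names are hypothetical, the playlist is constructed, and the budget counts media seconds delivered per token rather than time actually watched.

```javascript
// Added example; all names are hypothetical. Constructed playlist: 3 segments, 18 s.
const SAMPLE_PLAYLIST = ["#EXTM3U", "#EXT-X-TARGETDURATION:6",
  "#EXTINF:6.0,", "seg0.ts", "#EXTINF:6.0,", "seg1.ts",
  "#EXTINF:6.0,", "seg2.ts", "#EXT-X-ENDLIST"].join("\n");

// Map each segment URI to its duration, read from the preceding #EXTINF tag.
function parseSegmentDurations(playlist) {
  const durations = new Map();
  let pending = null;
  for (const raw of playlist.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("#EXTINF:")) {
      pending = parseFloat(line.slice("#EXTINF:".length));
    } else if (line && !line.startsWith("#") && pending !== null) {
      durations.set(line, pending);
      pending = null;
    }
  }
  return durations;
}

class WatchTimeBudget {
  // slack > 1 leaves room for seeking and rebuffering by a legitimate viewer.
  constructor(playlist, slack = 1.0) {
    this.durations = parseSegmentDurations(playlist);
    let total = 0;
    for (const d of this.durations.values()) total += d;
    this.limit = total * slack;
    // tokenId -> seconds served. In-memory for the demo; a real edge
    // deployment needs a shared store with atomic increments (assumption).
    this.used = new Map();
  }

  // Call per segment request, after signature and exp/nbf checks have passed.
  authorize(tokenId, segmentUri) {
    const cost = this.durations.get(segmentUri);
    if (cost === undefined) return { allow: false, reason: "unknown segment" };
    const used = this.used.get(tokenId) || 0;
    if (used + cost > this.limit) return { allow: false, reason: "budget exhausted" };
    this.used.set(tokenId, used + cost);
    return { allow: true, remaining: this.limit - used - cost };
  }
}

// Two viewers sharing one token: returns the allow/deny sequence.
function simulateSharedToken() {
  const b = new WatchTimeBudget(SAMPLE_PLAYLIST);
  return ["seg0.ts", "seg0.ts", "seg1.ts", "seg1.ts"].map((s) => b.authorize("tok-A", s).allow);
}
```

With a slack of 1.0 the two viewers in `simulateSharedToken()` use up the 18-second budget after three segments between them, and the fourth request is denied.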

I’m not the one that will suggest that focusing on anti-piracy is a waste of time, I think it’s the opposite, however, the solutions that you mentioned are very little patches to the actual issue, I can think of plenty of ways of going around those checks without much effort.
To make pirating harder Cloudflare would need to invest a lot on DRM measurements, which I think is not their main focus right now, I would advise looking for DRM providers if you are having major issues with piracy.

1 Like

Hi, many thanks for your thought on this issue!

I agreed there is not a single solution to prevent a video from being pirated. But it matters to us for extra layers of protection here and there.

The feature request that we proposed is an extra layer in reducing piracy cost of consuming our bandwidth, what we really don’t want is that we have to pay the bandwidth cost while bad actors illegally consume the video.

We would continue to investigate other measures of protections such as DRM as well, and welcome your suggestions.

Kind regards,
Shih-Chin

You want some sort of EME (encrypted media extension), I believe there are commercial solutions that offer it in a secured way, this would make the reproduction of your content externally much harder (as long as the vendor that provides with the EME did well).
But there are a lot of other measures that you need to take into account, my advice would be to lease services from a provider that has expertise on this matter.

I wish you the best of luck in your journey, finding a good vendor for security products is hard when most of them sell sentiments before their product.

1 Like

@syang94555 watch time limit per token is an interesting idea. I’m curious: is the piracy problem you’re facing a hypothetical one or one you’ve actually faced with Cloudflare Stream? I’d love to investigate what happened internally and understand your problem better.

1 Like

Hi,
Many thanks for your response!

We are studying Cloudflare for our VOD service, and found this is a real issue for Cloudflare stream. It is for sure to happen if we use Cloudflare stream.

What happened is that we as developers could get a signed URL for an m3u8 manifest, then share it with others to play on a free HLS player, and certainly other bad actors could do so as well.

If we use Cloudflare stream in our VOD service, then we could pay a lot of minutes (bandwidth) for unpaid watch time.

We could limit the number of signed URLs a member could get for a video, but without limiting the total Watch Time for a specific signed URL, the issue occurs.

Currently, on AWS, we use Lambda@Edge to implement our solution, but on Cloudflare, we could not figure out a way to prevent it.

That would be really great if Cloudflare could offer this Watch Time constraint, and the option to disable other manifests like M3U8, thus only playable on Cloudflare player.

Kind regards,
Shih-Chin

1 Like

Yes, it is hard to have 100% security measures, many thanks for your recommendation.

At least, we don’t want to pay bandwidth fee for bad actors.

Kind regards,
Shih-Chin