VideoHelp Forum




  1. I have a website that streams HLS video using FFMPEG https://www.npmjs.com/package/fluent-ffmpeg and AES-128 encryption, using `hls_flags periodic_rekey` with 1 key per segment.

    Apple devices require the use of the "original link" ending in .m3u8 to play the video, so I check the User-Agent. If the device is an iPhone/iPad, I use the link https://example.com/test/stream.m3u8, while for Android devices or PCs, I can use a BLOB URL like blob:https://example.com/9cdac1b4-9a2a-4f6e-8a94-dda4b3149517.

    Here is the content of the m3u8 file:

    Code:
    #EXTM3U
    #EXT-X-VERSION:6
    #EXT-X-TARGETDURATION:6
    #EXT-X-MEDIA-SEQUENCE:1
    #EXT-X-PLAYLIST-TYPE:VOD
    #EXT-X-INDEPENDENT-SEGMENTS
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/key1.bin",IV=0x70899936fcf178276e31d4a69b83b5c4
    #EXTINF:6.000000,
    https://example.com/load/segment-1.ts
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/key2.bin",IV=0xd6eb86f3915b64811a7f20a7d28ffdd5
    #EXTINF:6.000000,
    https://example.com/load/segment-2.ts
    ...
    #EXT-X-ENDLIST

    I want to prevent as much as possible the use of software to download the video.

    Currently, IDM reports an error and cannot download.

    Then I discovered a demo from THEOplayer: https://www.theoplayer.com/theoplayer-drm-aes-128-encryption, which also uses AES-128 with 1 key per segment (like I do), and they have successfully prevented all download software from working.
    I want to ask how to implement video download prevention like THEOplayer, or if I have overlooked something in detection or encryption. I would appreciate any help, thank you.
    Last edited by momochi; 9th Dec 2024 at 00:09.
  2. Feels Good Man 2nHxWW6GkN1l916N3ayz8HQoi's Avatar
    Join Date
    Jan 2024
    Location
    Pepe Island
    Originally Posted by momochi View Post
    Then I discovered a demo from THEOplayer: https://www.theoplayer.com/theoplayer-drm-aes-128-encryption, which also uses AES-128 with 1 key per segment (like I do), and they have successfully prevented all download software from working. Cốc Cốc was unable to download this video, but they don't have detailed instructions on how to prevent downloading.
    You can download from theoplayer using yt-dlp even if they use aes-128
    Code:
    yt-dlp "https://cdn.theoplayer.com/video/big_buck_bunny_encrypted/stream-800/index.m3u8"
  3. Member
    Join Date
    Feb 2006
    Location
    United States
    Originally Posted by momochi View Post
    I have a website that streams HLS video using FFMPEG https://www.npmjs.com/package/fluent-ffmpeg and AES-128 encryption, using `hls_flags periodic_rekey` with 1 key per segment.

    Apple devices require the use of the "original link" ending in .m3u8 to play the video, so I check the User-Agent. If the device is an iPhone/iPad, I use the link https://example.com/test/stream.m3u8, while for Android devices or PCs, I can use a BLOB URL like blob:https://example.com/9cdac1b4-9a2a-4f6e-8a94-dda4b3149517.

    Here is the content of the m3u8 file:

    Code:
    #EXTM3U
    #EXT-X-VERSION:6
    #EXT-X-TARGETDURATION:6
    #EXT-X-MEDIA-SEQUENCE:1
    #EXT-X-PLAYLIST-TYPE:VOD
    #EXT-X-INDEPENDENT-SEGMENTS
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/key1.bin",IV=0x70899936fcf178276e31d4a69b83b5c4
    #EXTINF:6.000000,
    https://example.com/load/segment-1.ts
    #EXT-X-KEY:METHOD=AES-128,URI="https://example.com/keys/key2.bin",IV=0xd6eb86f3915b64811a7f20a7d28ffdd5
    #EXTINF:6.000000,
    https://example.com/load/segment-2.ts
    ...
    #EXT-X-ENDLIST

    I want to prevent as much as possible the use of software like IDM and especially the Cốc Cốc browser https://coccoc.com/en to download the video.

    Currently, IDM reports an error and cannot download, but the Cốc Cốc browser can still download normally, making the encryption above almost useless.

    I have tried checking the User-Agent of the Cốc Cốc browser and trying to block it, but without success. It uses the Chrome User-Agent (Cốc Cốc is built from Chromium), so there is no way to detect this difference.

    I observed that when using Cốc Cốc and pressing Play, it stutters for about 1 second and then proceeds to download normally. This happens not only to me, but also to many other video websites, even though they have AES-128 encryption.

    Then I discovered a demo from THEOplayer: https://www.theoplayer.com/theoplayer-drm-aes-128-encryption, which also uses AES-128 with 1 key per segment (like I do), and they have successfully prevented all download software from working. Cốc Cốc was unable to download this video, but they don't have detailed instructions on how to prevent downloading.
    Cốc Cốc is a "crazy" browser that can download almost any website using AES encryption, except for THEOplayer.
    I want to ask how to implement video download prevention like THEOplayer, or if I have overlooked something in detection or encryption. I would appreciate any help, thank you.

    don't think there's much you can do to prevent downloading, (google screen recording)
  4. Originally Posted by 2nHxWW6GkN1l916N3ayz8HQoi View Post
    Originally Posted by momochi View Post
    Then I discovered a demo from THEOplayer: https://www.theoplayer.com/theoplayer-drm-aes-128-encryption, which also uses AES-128 with 1 key per segment (like I do), and they have successfully prevented all download software from working. Cốc Cốc was unable to download this video, but they don't have detailed instructions on how to prevent downloading.
    You can download from theoplayer using yt-dlp even if they use aes-128
    Code:
    yt-dlp "https://cdn.theoplayer.com/video/big_buck_bunny_encrypted/stream-800/index.m3u8"
    It seems Cốc Cốc developers are also here. After this post, they updated their browser to be able to download from THEOplayer as well.
    Besides AES, are there any other free methods to best prevent downloading (making it difficult to download, I don't mean completely preventing it)?
  5. Besides AES, are there any other free methods to best prevent downloading (making it difficult to download, I don't mean completely preventing it)?
    Last edited by momochi; 9th Dec 2024 at 00:06.
  6. DECEASED
    Join Date
    Jun 2009
    Location
    Heaven
    «Resistance is futile.»

    And since real-life is not a Star Trek episode, then no, you will not win in the end.
    "Programmers are human-shaped machines that transform alcohol into bugs."
  7. Member
    Join Date
    Nov 2024
    Location
    Wisconsin
    If you're just trying to stop unsophisticated users, there are JavaScript browser fingerprinting libraries that go far beyond just checking the User-Agent. You can then show an error or whatever if their browser is Cốc Cốc

    That ofc runs client-side, so would be easy to defeat by an adversary with even mild motivation
  8. Feels Good Man 2nHxWW6GkN1l916N3ayz8HQoi's Avatar
    Join Date
    Jan 2024
    Location
    Pepe Island
    Originally Posted by momochi View Post
    Besides AES, are there any other free methods to best prevent downloading (making it difficult to download, I don't mean completely preventing it)?
    You could take a look into DRM. For example
    https://reference.dashif.org/dash.js/latest/samples/drm/widevine.html

    If you stick to aes-128, you could simply improve it. For example, you could make it as tedious as possible to discourage users from downloading it:
    - disable inspecting and js code injection
    - add some ping mechanism in the background that will prevent downloading if some specific requests aren't made every X seconds
    - alter the aes key client side, use multiple keys and also key rotation mechanism
    - alter the video fragments instead of downloading them in their original form, ex: each "ts" fragment can be stored as reversed and altered client side
    - add one-time requests for the m3u8 and have the m3u8 content itself encoded

    Obviously, you can still download it even with those. But it will definitely stop the average joe.

    Originally Posted by october262 View Post
    don't think there's much you can do to prevent downloading, (google screen recording)
    Sharing the recorded videos can at least be discouraged* by using dynamic watermark
    https://www.vdocipher.com/blog/2014/12/add-text-to-videos-with-watermark/
    Last edited by 2nHxWW6GkN1l916N3ayz8HQoi; 9th Dec 2024 at 01:49.
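Added example, not part of any post in this thread: a server-side sketch in Node.js of two items from the list in post 8, the one-time requests and the background ping, applied to the key endpoint behind each EXT-X-KEY URI. The function names, the token fields, the in-memory stores and the timing constants are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// All names and values below are constructed for this example.
const SECRET = crypto.randomBytes(32);     // demo only; load from a secret store
const TOKEN_TTL_MS = 2 * 60 * 60 * 1000;   // must outlast playback of a VOD playlist
const HEARTBEAT_MAX_MS = 15_000;           // the "every X seconds" ping window

const usedNonces = new Set();              // single-use tracking (in-memory)
const lastPing = new Map();                // sessionId -> time of last ping

function sign(t) {
  const payload = `${t.sessionId}|${t.keyId}|${t.exp}|${t.nonce}`;
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Called while rendering a per-session playlist; the fields go into the
// query string of that key's EXT-X-KEY URI.
function issueKeyToken(sessionId, keyId, now = Date.now()) {
  const t = { sessionId, keyId, exp: now + TOKEN_TTL_MS,
              nonce: crypto.randomBytes(8).toString('hex') };
  return { ...t, sig: sign(t) };
}

// Called by the player's background ping endpoint.
function heartbeat(sessionId, now = Date.now()) {
  lastPing.set(sessionId, now);
}

// Called by the key endpoint before it returns the 16 key bytes.
function authorizeKeyRequest(t, now = Date.now()) {
  const expected = Buffer.from(sign(t));
  const given = Buffer.from(String(t.sig));
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return 'bad-signature';
  if (now > t.exp) return 'expired';
  const seen = lastPing.get(t.sessionId);
  if (seen === undefined || now - seen > HEARTBEAT_MAX_MS) return 'no-heartbeat';
  if (usedNonces.has(t.nonce)) return 'replayed';
  usedNonces.add(t.nonce);
  return 'ok';
}
```

Because each token is single-use, a player that seeks backwards needs a freshly rendered playlist. A client that makes the same requests inside a live session still receives the keys, which matches the caveat in post 8.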


