Sign up here and you can log into the forum!

youtube protection mecanism vs PC browser

The Traditional Anything Goes Section

youtube protection mecanism vs PC browser   

Postby blachanc » Wed Jul 03, 2013 5:30 am

Warning, this is nor related to WDLXTV (hence posted in unrelated).
out of curiosity, when looking into this thread:
original_post

mad_ady wrote:Hey! Thanks for the pointer. I'll look into it :)

Edit:
Yup, there is a new function involved called "decryptSignature".

It looks obfuscated, but I hope it works. :D
I'll see when I have time to write it in PHP and add it to the code (and try it out).
Thanks for the pointer, I wouldn't have come up with that monstrosity on my own :lol:



Sorry for sharing my total absence of knowledge :oops:

I globally understand what the signature decoding code in mad_ady's post does.
I understand that YouTube is simply hiding the source file link.
and that a shortcut like this one "http://www.youtube.com/watch?v=8UVNT4wvIGY"
need to be resolved to access the actual data.

What I do not understand, is:
How does the signature decoding code is working on my PC (signature updated/stored/executed) ?
I tried goggling YouTube security, but cannot find a satisfactory explanation of the mechanism.

If anyone could point me to the right resource so I can educate myself, I would appreciate it

Thanks,


Ben
blachanc
Patron
 
Posts: 237
Joined: Tue Feb 22, 2011 7:10 am
Location: Montreal,QC, Canada (french)

Re: youtube protection mecanism vs PC browser   

Postby mad_ady » Wed Jul 03, 2013 11:50 pm

Well, assume that you are the CEO of youtube/google (congratulations on the promotion, by the way!) and you want to protect your content so that only people with legitimate browsers can view it (and can also view your advertising so can make $$$). You fully control the servers, but you have no control (or limited control) on the user's PC.

How do you know the user is using a browser to get the content vs using wget or some other download tool?

Back in the '90s, when there were few browsers you could reasonably say that if the User-Agent string in the HTTP header was from a known browser, everything was ok. Those days are long gone... What else is available?

Well, since you control the server, you can analyze the requests made by a client and you'll notice that a legitimate browser typically makes a lot of requests (downloads the main page, downloads css files, downloads js files, and downloads images and content), while a downloader will typically download just the desired content. However, since HTTP is stateless and since the user's source IP can change between requests (mobile roaming/NAT), it's difficult to map a specific traffic to a specific user (I'm sure it's not that difficult for google, but I digress). So, this type of traffic analysis is not used (right now).

What else? Well, you can take advantage of the fact that browsers execute javascript code and downloaders such as wget (or even links) don't. This is actually the only way you can differentiate a browser from a scraper - in order to get the URL for the desired resource the browser has to do some calculation/request for additional information by using Ajax that a simple wget script can't do.

I haven't looked over youtube's actual implementation of this "security", but the code seems to take a signature (sent by the server in some parameters) and disect and permute the bits around according to the algorithm in that function until you get a new string. You are supposed to send this new string as a proof that you are a browser.
The reason this works in your browser is that youtube actually provides the necessary javascript code to do the calculation and the browser performs it as instructed when you are on their page. It doesn't work elsewhere because other software doesn't interpret javascript at all. To replicate it you'd need to rewrite it in the language of your choice and replicate the results.

What is the flaw with this approach? Well, standard browsers use markup languages (HTML, CSS, Javascript) which are text-based. This means the browser usually downloads text files and interprets them. This means you can have a look and see what each piece of code does and you can "steal" code and techniques used to build most sites. If you are serious about protecting your content, you can't do much client-side in this fashion because any computation done is visible to anyone who looks deep enough. So, content providers typically do the following:
* dynamic URL creation based on javascript/ajax processing (most sites have this approach)
* code obfuscation - obfuscate and compact the javascript code so that it executes the same way; it's still text, but it's verry difficult to read (e.g. http://www.stunnix.com/prod/jo/sample.shtml)
* running sensitive data through proprietary plugins - e.g. some porn sites encrypt the actual URLs and send the encrypted string to a flash container that runs in your browser. The flash container has the action script (similar to javascript) code that decrypts the string, but this code is not easily seen. This code has to contain the decryption key, so reversing it would allow you to decrypt the URL. There are flash decompilers that can do this, but it's more work for the developer. A different example is Netflix in a browser. It relies on Microsoft's silverlight plugin which hides away the processing that's done client-side.

The war is never-ending, unfortunately. Even processing done in plugins can be reversed, but it will be a lot of guess-work in finding out what that black box does. At the end of the day it depends on the sensitivity of the content and on how many are prone to abuse it if they can bypass your protection.

For now, IMHO, youtube's protection is on the light side. They are doing just enough to satisfy the content creators, but they are not locking down everything... It's interesting to see that only specific videos are protected by this scheme - other user generated content can still be downloaded with older downloaders - so they are trying not to piss off their user base - which is a smart move.

Well, my rant is over. Fell free to discuss this even more. To explore deeper I suggest you install Firebug for Firefox and look at the Script section. Set up breakpoints and trigger them to poke around in the code flow.
User avatar
mad_ady
Developer
 
Posts: 4553
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: youtube protection mecanism vs PC browser   

Postby recliq » Thu Jul 04, 2013 5:25 am

Very nice explanation mad_ady! Nothing to add here. ;)
­WDLXTV Project Maintainer
-:] If you like my contributions feel free to donate for a beer or a new flash drive. ...and always remember: RTFM! (README, FAQ, WIKI) [:-
User avatar
recliq
WDLXTV Team
 
Posts: 5513
Joined: Thu Apr 15, 2010 8:09 am
Location: Kiel, Germany

Re: youtube protection mecanism vs PC browser   

Postby blachanc » Fri Jul 05, 2013 7:45 pm

wow,
Thanks mad_ady,

extended but easy to follow explanation.
I will try firebug just to see this in real life.

thanks again

Ben
blachanc
Patron
 
Posts: 237
Joined: Tue Feb 22, 2011 7:10 am
Location: Montreal,QC, Canada (french)

Re: youtube protection mecanism vs PC browser   

Postby Mignon8 » Wed Aug 07, 2013 1:18 am

mad_ady wrote:What is the flaw with this approach? Well, standard browsers use markup languages (HTML, CSS, Javascript) which are text-based. This means the browser usually downloads text files and interprets them. This means you can have a look and see what each piece of code does and you can "steal" code and techniques used to build most sites. If you are serious about protecting your content, you can't do much client-side in this fashion dress because any computation done is visible to anyone who looks deep enough.
It's interesting to see that only specific videos are protected by this scheme
Mignon8
n00b
 
Posts: 1
Joined: Wed Aug 07, 2013 1:15 am

Re: youtube protection mecanism vs PC browser   

Postby mad_ady » Wed Aug 07, 2013 4:33 am

Lol, subtle spamming technique sir, you have my admiration :D
I will refrain from using the word "fashion" in a sentence again :lol:
User avatar
mad_ady
Developer
 
Posts: 4553
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania

Re: youtube protection mecanism vs PC browser   

Postby RVD26 » Wed Aug 07, 2013 2:06 pm

Any hope for a fix for this YouTube protection on commercial videos?
I really hope it can be fixed as one of my main uses of this device is watching music videos with the family on the weekend. :(
RVD26
DLX'er
 
Posts: 54
Joined: Thu Nov 17, 2011 6:13 am

Re: youtube protection mecanism vs PC browser   

Postby mad_ady » Wed Aug 07, 2013 9:21 pm

I haven't given up hope, but I haven't looked into it lately. I'm waiting for a fix from upstream (dentex's Android Youtube Downloader), but that will happen when youtube's protection mechanism stabilizes.
User avatar
mad_ady
Developer
 
Posts: 4553
Joined: Fri Nov 05, 2010 9:08 am
Location: Bucharest, Romania


Return to Unrelated

Who is online

Users browsing this forum: No registered users and 1 guest