Live stream security


ApsaraVideo Live provides a comprehensive security mechanism to protect your live streams. This mechanism secures service configuration, content production, stream ingest, and playback. It prevents hotlinking, illegal downloads, and unauthorized distribution of your content. This meets the security requirements of various business scenarios. This topic describes how to protect your live streams.

Introduction to live stream security

The following figure shows the various security features of ApsaraVideo Live.

[Figure: security features of ApsaraVideo Live]

ApsaraVideo Live provides the following security mechanisms:

| Security mechanism | Security feature | Description | Security level | Prerequisites |
| --- | --- | --- | --- | --- |
| Account authorization | RAM user | Grants permissions to RAM users based on authorization policies. | Low | Easy. Requires only cloud-side configuration. |
| Secure acceleration | HTTPS secure acceleration | The HTTPS protocol is an HTTP channel designed for security. It encapsulates HTTP with the SSL/TLS protocol. | High | Easy. Requires only cloud-side configuration. |
| Access control | Referer-based hotlink protection | Tracks the source based on the HTTP Referer header. However, the header is easy to forge. | Low | Easy. Requires only cloud-side configuration. |
| | IP blacklists and whitelists | Denies or allows access only from specific IP addresses. Not suitable for distribution to many end users. | Low | Easy. Requires only cloud-side configuration. |
| URL signing for stream ingest and playback | URL signing for stream ingest and playback | Supports custom authentication keys and expiration times. Dynamically generates signed URLs. | Medium | Relatively easy. Provides scripts to generate signed URLs. |
| | Remote authentication | Passes through business request information to your custom authentication center to verify legitimacy. You can add custom business request information. This allows your self-built authentication center to more accurately identify legitimate requests. | High | Difficult. Requires you to deploy an authentication center and ensure its high availability (HA). |
| Video security | Alibaba Cloud video encryption | A cloud-to-device video encryption solution. It uses a proprietary encryption algorithm to encrypt video streams and ensure secure transmission. | High | Relatively easy. Requires simple configuration and integration with ApsaraVideo Player. |
| | DRM encryption | Provides native support for Apple FairPlay and Google Widevine. This high-level security meets the requirements of major copyright holders. | High | This is a more expensive option, billed per license call. You only need to integrate the ApsaraVideo Player SDK. |
| Content Moderation | Automated review | Reviews the video and audio of live streams. Automatically detects whether video and audio content contains violations. | High | Easy. Requires only cloud-side configuration. |
| | Disable stream ingest | Lets you disable stream ingest for a live stream. You can set a custom duration for the ban. | High | Easy. Requires only cloud-side configuration. |

Account authorization

Background: An AccessKey pair for an Alibaba Cloud account has full permissions. Therefore, a leaked AccessKey pair poses a critical security threat.

Introduction: ApsaraVideo Live authenticates the identity of the user who initiates each operation request. It uses an AccessKey to verify that the account has the required permissions. ApsaraVideo Live supports account authentication and provides system authorization policies. You can also create custom authorization policies. For more information, see Permission Management.

Secure acceleration

Background: The Hypertext Transfer Protocol (HTTP) sends content in plaintext and does not provide any form of data encryption.

Introduction: Hypertext Transfer Protocol Secure (HTTPS) is a secure version of HTTP. It encapsulates HTTP with the SSL/TLS protocol. The security of HTTPS is based on SSL/TLS. For more information, see Secure acceleration.

Access control

You can configure access policies for ApsaraVideo Live in the cloud to achieve basic protection.

The main methods are as follows:

  • Referer-based hotlink protection

    This feature uses the Referer mechanism of the HTTP protocol to track the source of requests. You can configure a Referer blacklist to deny access or a whitelist to allow access.

  • IP blacklists and whitelists

    You can configure IP blacklists and whitelists to identify and filter visitors. This restricts user access to ApsaraVideo Live resources and improves security.

For more information, see Access control.

URL signing for stream ingest and playback

Background: A static playback URL can be used to illegally and persistently distribute your video content. This type of distribution cannot be effectively stopped.

Introduction: URL signing protects your video resources by generating dynamic signed URLs. These URLs carry authentication information, such as a signature and an expiration time, that is validated to identify legitimate requests.

After you enable URL signing:

  • Both stream ingest URLs and streaming URLs are authenticated.

  • The ApsaraVideo Player SDK and the APIs/SDKs for retrieving playback URLs automatically generate playback URLs with an expiration time. If you want to generate dynamic signed URLs yourself, see the authentication methods in URL signing for stream ingest and playback.

For more information, see URL signing for stream ingest and playback.
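The following added example (not part of the original topic and not the ApsaraVideo Live signing format) shows the general technique: a key and an expiration time are bound to the stream path, so a copied URL stops working after expiry and cannot be edited to extend it. The `expires` and `sig` parameter names, the HMAC-SHA256 construction, the key, and the `play.example.com` URL are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Tuple
from urllib.parse import parse_qs, urlsplit

DEMO_KEY = b"constructed-demo-key"  # constructed value, not a real key


def _mac(key: bytes, path: str, expires_at: int) -> str:
    # Sign the stream path together with the expiry so neither can be altered.
    return hmac.new(key, f"{path}\n{expires_at}".encode(), hashlib.sha256).hexdigest()


def sign_url(url: str, key: bytes, expires_at: int) -> str:
    """Append an expiry and a signature (hypothetical `expires`/`sig` parameters)."""
    sep = "&" if "?" in url else "?"
    sig = _mac(key, urlsplit(url).path, expires_at)
    return f"{url}{sep}expires={expires_at}&sig={sig}"


def verify_url(url: str, key: bytes, now: int) -> Tuple[bool, str]:
    """Return (allowed, reason); any malformed input is rejected."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires_at = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    expected = _mac(key, parts.path, expires_at)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "bad signature"
    if now > expires_at:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_url("https://play.example.com/live/room42.m3u8", DEMO_KEY, 1000)
    print(signed)
    print(verify_url(signed, DEMO_KEY, now=900))    # within validity window
    print(verify_url(signed, DEMO_KEY, now=1001))   # same URL after expiry
```
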

Remote authentication

Background: The standard authentication method in the live center is simple and can identify basic illegal requests, such as hotlinking. Remote authentication lets you incorporate your business logic for more precise authentication.

Introduction: With remote authentication, Alibaba Cloud CDN forwards user requests to your authentication center. Your authentication center determines whether the request is legitimate. Alibaba Cloud CDN then allows or denies access based on the response from your center.

  • Remote authentication requires you to develop and deploy your own authentication center. If the domain name of your authentication center is also accelerated by Alibaba Cloud CDN, you can cache the authentication results based on specific rules. This reduces the load on your authentication center.

  • By default, Alibaba Cloud CDN forwards the headers and request_uri of user requests to your custom authentication center. It then performs actions based on the response from your center.

  • You can include user information, such as login cookies or UUIDs, in playback requests. This information is then forwarded to your authentication center to determine whether the user is legitimate.

Note

Remote authentication is complex to implement because it requires you to develop and deploy your own authentication center. To enable and configure this feature, submit a ticket to contact Alibaba Cloud technical support. For information about how to submit a ticket, see Contact us.
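The decision logic of an authentication center, as an added example that is not part of the original topic: it receives the forwarded headers and request_uri, resolves the login cookie to a user, and checks that user's entitlement to the requested stream. The `session` cookie name, the in-memory stores, and the 200/403 status codes are assumptions; the actual response contract is agreed when the feature is configured.

```python
import posixpath
from http.cookies import CookieError, SimpleCookie
from urllib.parse import urlsplit

# Constructed sample data standing in for a session store and an entitlement table.
SESSIONS = {"s-abc123": {"user": "alice", "expires_at": 2000}}
ENTITLEMENTS = {"alice": {"/live/concert"}}

ALLOW, DENY = 200, 403  # assumed status codes for the allow/deny response


def authorize(headers: dict, request_uri: str, now: int) -> int:
    """Decide on one forwarded playback request; every failure path denies."""
    # Header names are case-insensitive, so normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    cookie = SimpleCookie()
    try:
        cookie.load(lowered.get("cookie", ""))
    except CookieError:
        return DENY
    morsel = cookie.get("session")
    session = SESSIONS.get(morsel.value) if morsel else None
    if session is None or now > session["expires_at"]:
        return DENY
    # Drop the query string and the file extension to get the stream path.
    stream, _ext = posixpath.splitext(urlsplit(request_uri).path)
    # Exact match only: traversal or lookalike paths never match an entitlement.
    if stream not in ENTITLEMENTS.get(session["user"], set()):
        return DENY
    return ALLOW


if __name__ == "__main__":
    forwarded = {"Cookie": "session=s-abc123; theme=dark"}
    print(authorize(forwarded, "/live/concert.m3u8?x=1", now=1500))
    print(authorize(forwarded, "/live/other.m3u8", now=1500))
```
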

Video security

Background: Hotlink protection effectively ensures legitimate user access. However, in paid live streaming scenarios, a user can pay once to obtain a legitimate playback URL with hotlink protection. They can then download the video and redistribute it. Therefore, hotlink protection alone is not sufficient to protect video copyrights. Leaked video files can cause significant financial loss for paid viewing models.

Introduction: Alibaba Cloud video encryption encrypts the video data. Even if a video is downloaded, it remains encrypted, so a redistributed copy cannot be played. This effectively prevents video leaks and hotlinking.

  • Alibaba Cloud video encryption

    Alibaba Cloud video encryption uses a proprietary encryption algorithm and a secure transmission mechanism to provide a cloud-to-device video security solution. The core components are encrypted transcoding and decrypted playback.

    Core advantages:

    • Each media file has a unique encryption key. This effectively prevents the widespread security issues that can occur when a single, shared key is leaked.

    • It provides an envelope encryption mechanism with a ciphertext key and a plaintext key. Only the ciphertext key is stored. The plaintext key is never stored on disk. All key-related processes occur in memory, and the key is destroyed after use.

    • It provides a secure player kernel software development kit (SDK) for multiple platforms, such as iOS, Android, HTML5, and Flash. The SDK automatically decrypts and plays back encrypted content.

    • The player and the cloud use a proprietary encryption protocol to transmit the ciphertext key. The plaintext key is not transmitted, which effectively prevents key theft.

    • It provides secure downloads. Videos cached locally are re-encrypted. This allows for offline playback while preventing the video from being copied or stolen.

    Important

    Alibaba Cloud video encryption has the following limits:

    • Only HLS output is supported.

    • You can only use ApsaraVideo Player.

    • Playback in web browsers is not currently supported.

    For more information, see Alibaba Cloud video encryption.

  • DRM encryption

    High-end live events, such as sports matches and concerts, must meet the security requirements of copyright holders and content providers. The cloud-based DRM solution from ApsaraVideo supports FairPlay and Widevine encryption. It provides a one-stop solution for video encryption, license issuance, and playback.

    For more information, see DRM encryption.

Each video encryption solution has its pros and cons. Generally, more standard and universal solutions offer greater flexibility but provide lower security. Choose the solution that best suits your business scenario.

Content Moderation

Background: Live streams are produced by streamers and pushed to viewers through a live streaming platform. If the content is not reviewed, harmful information may be distributed, which poses a content violation threat.

Introduction: ApsaraVideo Live uses powerful video AI capabilities to provide an automated review feature. This feature supports comprehensive media review for video, audio, and images. It also lets you disable the ingest of non-compliant live streams.

  • Automated review: This feature is based on massive amounts of annotated data and deep learning algorithms. It accurately identifies prohibited content in media, such as videos, thumbnails, and titles, across multiple dimensions, including audio and visuals.

  • Disable stream ingest: In scenarios where stream ingest content is non-compliant or you need to block a stream, ApsaraVideo Live provides a stream management portal. You can use it to permanently or temporarily disable stream ingest.

For more information, see Content Moderation.