Stealing content was never easier than with HTML5
HTML5 makes adding video and audio content to your site very easy but there is currently no way to protect that content. If we’re all completely honest we know that content protection is still a big deal for record companies, movie studios, and TV channels, yet HTML5 puts their content just up for grabs. Let me give you a few examples.
Unnamed video site
Video site X just rolled out a brand new HTML5 video player. Like I said, HTML5 makes it really easy to add video content to your site but it makes it equally easy to download that content. It only takes a “view source” to find the URL to the video file. Some video sites have also noticed that and are now building custom JavaScript based players in an attempt to make it more difficult to get to the video file. On this one site I counted almost 3000 lines of JavaScript code for a rather basic video player with sharing functionality. 3000 lines of code and it still only took me three clicks to download the video file! I already hear some of you saying that you can also easily get the video file from a Flash based video player. If you use progressive download that is completely true. I’ll get back to that later in this post.
Unnamed new music discovery site
The release of the beta version of this new music discovery site is actually what sparked the idea to write this post. As per usual the tech blogs were buzzing about it as a new music discovery site that didn’t use Flash because Flash is dead. So I checked it out… This particular site gives you unrestricted access to the entire music library. I was able to look up any artist and play back any song in high quality… I can also buy the song on the site for the industry standard $0.99. But with just two clicks I was able to download any song from any artist straight to my desktop without actually buying it. No need for torrents or the risk of downloading viruses. It’s all right there on this official music discovery site in high quality AAC audio (in an M4A file).
Flash
I already mentioned that it’s also pretty easy to download a file used in a Flash based media player if the site uses progressive download. The difference between HTML5 and Flash in this case is that you CAN protect your content when using Flash. As there still is no standard audio/video codec in the HTML5 spec there also is no way to stream video and audio content using HTML5 across different browsers. Companies (including Apple) have been experimenting with streaming technologies but I’m sure you remember that that only worked in a specific version of Safari on a specific version of iOS. The HTML5 spec also has no guidelines for any sort of content protection.
Flash does work cross browser and cross platform (as I’m sure all of you know). With the use of Flash Media Server you can also completely protect that content and get the added benefits of features such as adaptive streaming (to adapt to changing connection speeds), reduced bandwidth usage, DRM, multicasting, peer to peer delivery, and more. Bottom line: Flash is still the best platform to stream (premium) video and audio content.
58 Comments
Feel free to follow me on: 
These blogposts about why Flash is better than HTML5 are getting pretty boring. I think we all know the advantages and disadvantages by now, and posts by an Adobe evangelist about obvious things like this aren’t going to help the fraternization between JS & AS devs.
This blog post is to point out that you need to take these things in to account when you’re working with premium content! It’s not about whether or not one is better than the other.
You forgot to tag this post with FUD, Serge. You also forgot to mention how easy it is to steal Flash encoded content–search any of the browser add on sites, and you’ll find some variant of Youtube downloader extension in the top downloads.
I think you didn’t read the article Mike. I do mention that it’s equally easy with Flash when you use progressive download. I even mention it twice.
You can’t fully protect your content, as soon as it goes by the client’s device, you’re screwed.
“These blogposts about why Flash is better than HTML5 are getting pretty boring” is the perfect sum up of what I think right now. Do you really think these things aren’t already known and taken into account?
Serge, busted. I read the first two paragraphs then skipped to the bottom. >_>
@Palleas: If this was common knowledge then why was I able to download all this premium content just before I started writing this post?
All good points, and it is a shame that the other two posters didn’t read the article through before commenting!
It’s just another decision to take into consideration when deciding to build a site in HTML5 or not.
Because browsers are still fighting about which codec they should use to please everybody?
I agree with Mike and Flash Dev. The article did not need to be written. I’ll be interested to see how many positive responses you receive Serge.
This is all common knowledge (and has been for over a decade) among people who actually know their jobs.
…or, for that matter, have any idea about how the web works. If content is available for watching, it is available for download. Simple as that.
“stealing content was never easier with HTML5″
“it’s always been this easy in Flash”
what was the point of this post again, it eludes me o.O
@Ian: The choice of whether to use Flash or HTML5 media publishing shouldn’t impact your choice to use HTML5 itself.
You can still use Flash, if that’s your preference, while taking advantage of the rest of what HTML5 offers.
If you’re not going to read the post then don’t bother commenting please. A lot of these comments are mentioned in the article! Whether you like it or not, content protection is important today and it will become increasingly important on the web. That’s what this post is about.
@Warren: Absolutely agree! Flash and HTML5 are great companions and complement each other nicely.
I have to say I agree with you Serge. As long as HTML5 can’t provide a way that make it harder for people to download content, the major players won’t use it. Thats is like leaving your frontdoor open and then cry about getting robbed. I don’t think HTML5-video is bad, it’s just not as good as Flash at the moment. I hope it will get as good or even better. Feels like people take this “HTML5 vs Flash” too personally. All we want to do is make high-quality websites. No matter the tech behind it. Right?
Just my two cents. Haters are always gonna hate. The rest of us see that you have a valid point about HTML5-content.
Well seeing as your asking for something positive, I’ll say it was a good post. A lot of you may read every post going but some of us just do a bit of browsing of new posts when you get 5 mins spare to do so.
Should anyone ask for a videoplayer then now I have an extra point which in some cases may make no difference to the outcome but in others it will.
Its all about what the client requires. If they wish as much protection as possible (nothing is 100%), then flash still takes top spot.
@Warren Yes, I sort of meant that if you (plural!) were thinking about using HTML5 in order to take advantage of some of the new features such as video and audio that this might make you think twice and therefore not make the jump to HTML5 worth it.
Of course moving to HTML5 brings other benefits, but for this purposes of this article my above comment was more apt.
Anyway, I’m a huge advocate of HTML5 and have been using it since late 2009.
@Mattias “I don’t think HTML5-video is bad, it’s just not as good as Flash at the moment”
As for progressive downloaded video, both HTML5 and Flash have the same isues if it comes to how easy it is to “grab” the video’s.
As for streaming, Flash still has the upperhand. Sites like Hulu or the BBC iPlayer wouldn’t be possible without it. … yet ;)
Mention the words Flash and HTML5 in the same blog post and the comments come flying in. I might try this one day just to get some advertising cash :).
Videos on the Flash Platform delivered through streaming (No, this is not YouTube, Vimeo, etc) are VERY hard to steal.
PS In case you can’t tell which is streaming and which is not, generally the streaming players don’t display a bar to show how much of the video has been loaded (because the video doesn’t load in advance). Find one of these players and then try to steal that content :)!
Blah Blah Blah Blah.
No one cares. Flash is dying, stop trying to protect it.
You can block this with .htacess.
Clearly this post has rubbed some folks up the wrong way. They are not used having their favourite technology criticised, even when valid points are made. See, Flash folks are long used to this. We have died many deaths, one by SVG, one by LiveMotion (ha, good one that), one by Silverlight. Yet somehow we’re still killing it. Funny that.
I can’t stand DRM encumbered content, but recognise that some markets require it. Plus there are other ways to ensure a delivery that makes casual copying a pain in the ass – and to say that everything available for watching is available for download is showing a total lack of understanding. It is one thing to work around RTMPE streaming and token authentication, yet quite another to right click and ‘save-as’.
Ignore these issues at your own peril, just don’t pretend you understand the subject matter if you’ve never deployed premium content on the web (and no, that YouTube clip of your cat does not count).
Right tool for the job..
IMO: For video thats still Flash and will be for some time yet until HTML can at least match Flash capabilities for sufficient commercial video use.
I agree with Serge. HTML5 makes it easy to download media, Flash makes it $%£§#! difficult. Not impossible, but difficult.
That’s why I try to avoid media sites with so-called “premium” content, and choose for DRM-free Creative Commons whenever this is possible.
I think that some people are having the wrong discussion. It’s not about Flash versus HTML5. They are just delivery technologies. Simply put: a very advanced hammer. I don’t care about the hammer. I care about the house that’s being built and that I want to live in.
If I follow this statement, we should do the same for photos and protect them by embedding all images in Flash ? All the web should be in a proprietary container so that those hackers don’t steal my content. Proprietary content in a proprietary format, that makes sense after all.
Don’t forget one important thing : The world wide web was designed for sharing in an open and easy way. I know it sometimes conflicts with commercial interests but the web was not primarily designed for marketers.
Yes I can imagine that I don’t want that my users download my TV Shows, but hey let’s face it, it’s already the cas. Don’t blame HTML5 for it. There will always be ways to share, that’s what the core of the web is.
Every smart kid already knows a way to download youTube videos through an extension.
The best way to not expose content to hackers is to not upload it on the web. Period.
FWIW, I did file bug at the W3C about this very issue in September of 2010 (http://www.w3.org/Bugs/Public/show_bug.cgi?id=10902)
Ian Hickson’s (the editor) reply: DRM is evil (http://www.w3.org/Bugs/Public/show_bug.cgi?id=10902#c8)
If anyone is actually interested in improving HTML5′s support for native video (as opposed to coming to an Adobe Platform evangelist’s blog site, to piss on his cornflakes and once again intone the Apple Fanboi mantra that Flash is dead) then I encourage you to actually read through all the comments attached to that bug.
Failing to address the commercial concerns of for-profit content creators will ensure that the element remains relegated to the hobbyist and non-profit web sites only. There is a reason why Netflix uses Silverlight, and it *isn’t* because Netflix is anti-HTML5. Serious content sources such as MTVinteractive and BBC have real concerns about the cost and security of streaming media on the web, and will be significantly more conservative than the bleeding edge devs out there that believe that HTML5 will solve all problems and it’s just the old gray-beards who want to prop up the evil media conglomerates that want DRM… I mean, didn’t Pirate Bay prove that stealing isn’t really wrong, just, you know, fun…
If you’re sufficiently afraid of your premium bits being copied, you can get a long way with fairly simple techniques that would work today:
1. Create temporary URLs for each user that only live for x minutes.
2. On each request, verify that the IP address, user cookie and HTTP headers like Refer and User-Agent match what you expect.
3. On each request, verify that it is a Range request and that it isn’t too far away from the point where the user is playing. (This requires signaling between the server and client using the JavaScript API for .)
There, you can now use and people won’t be able to download it even by pasting the URL into the same browser session. The only option they have left is writing a site-specific tool that plays the video at normal rate from beginning to end and then tries to assemble the video from the browsers cache. That’s sufficiently hard and frustrating that one should declare: mission accomplished, our premium bits are safe!
Perhaps there’s real money to be made for the people who write such a custom HTTP server that is easy to deploy… Beyond this, it’s only a matter of making things more frustrating, in the end it will always be possible to copy the bits right before they are fed to the demuxer, and nothing can be done about it, at least not anything that could possibly be standardized and work cross-platform.
Protecting content isn’t about the medium or under-hood tech of a medium…. it’s about preparing the content for delivery in such a way that it assumes the user will take it for their own.
Crippling content (cutting content down to samples or adding watermarks) is the only means of adding anything even close to the obtainable (and minimal) protection of content on the web. Someone once said that if you don’t want people to take something, keep it to yourself!
Looks like HTML is removed instead of escaped, several instances of <video> are missing from my comment.
@Philip Jägenstedt: That’s almost exactly what the video site mentioned in this article is doing
@Philip Jägenstedt: I think WordPress removes these tags. Don’t see them in the actual comment :/
Serge, so we’re talking about YouTube then, who seem to be doing at least the first two of the things I mentioned. Do you think that this is still not enough protection? How much is enough?
@Philip Jägenstedt: It’s a site that does premium content which is what this article is all about. It is not about YouTube clips or Failblog videos. If I can download that premium content in just a few clicks then that is not enough protection.
Note that a while back YouTube blogged why they plan to keep Flash as their primary video player and brought this issue up:
http://apiblog.youtube.com/2010/06/flash-and-html5-tag.html
YouTube mentions it’s not an issue for most of their content, but is important for their YouTube Rentals (aka premium content).
Lack of content protection was one of the reasons that Hulu blogged about why they don’t have a HTML5 video player:
http://blog.hulu.com/2010/05/13/pardon-our-dust/
So the big players are very aware of this issue and anyone working with premium content should be aware of it as well.
Also note that a number of browser allow you to download the source of the video when you right click on an video element. So it’s not a matter of looking into the code, but right-click on the element and then choosing “Save as…” However, you can disable this with JavaScript and make this harder.
Right idea, wrong title. You mention “record companies, movie studios, and TV channels”. I’d be interested to know what percentage of content on YouTube is made by these types of content creator, as opposed to the (obviously) vast majority who would just like to be able to publish their work using an open format that they don’t have to pay to use. Record companies (et al) are very rich, very vocal, and very much in the minority. Bottom line: Flash is irrelevant to the majority of people who want to stream content.
No content can really be protected: video, music, applications. If it can get used or displayed on any sort of desktop computer, it can and probably will be copied by someone. Sure.. HTML source isn’t protected so its easier, but its also easy to use ScreenFlow to capture any DRM protected content from any FMS server and copy it. All it takes is one person to copy and re-distribute it.
I tend to think that if companies, Adobe included, spent less time on trying to come up with a better “locks”, and instead put those resources into better products/services, people would be less likely to pirate/copy/steal them.
With the measures I outlined the bar is way higher than “just a few clicks”. If you really think that it’s still not enough, please let us know what would be enough. It seems to me that you can make it both really easy and really convoluted to rip a video with either Flash or HTML, it’s just that the default is better in HTML.
I read this early in the morning and since that time, Serge has need to put up a disclaimer even though the post in its original form was clear as day. Absurd.
Fact of the matter is: if you are responsible for protecting copyright material in a system, you will take all necessary measures to do so. The best solution for this is Flash Media Server. Period. There are other streaming servers you can use, but these do not have anywhere the ubiquity or extensibility of a Flash based solution.
Nothing against HTML
@Joseph: The disclaimer was already in the original post. I just had to make it pop out because a few people seemed to have missed it. :/
@Serge – Well, I could certainly tell something had changed! BTW: I’m speaking through first-hand experience with my comment. Copyright protection is serious business. No way anyone should take it lightly!
I believe Serge correctly puts this topic in the spotlight. On twitter and in the comments you see a lot of pro HTML5 (or maybe better : anti-flash) guys responding and going defensive or counter-attack on which wasn’t an attack in the first place.
This blog post is more a reality check, to everyone that is into the “HTML5-ism” these days that it’s not the holy grail and all evil of the world (for them that is flash ;) ) wil perrish from it. It’s just an evolution in tech with more features.
And if you want to use it you’ll have to take something like this into account if you wan’t to protect (your) premium/copyrighted content.
In addition to leaving your content open to theft, I also heard HTML5 will eat your babies.
…in all seriousness, I didn’t know people still made attempts at defending a dying technology.
The simple fact is that HTML5 video is crippled, and will never take off. Period.
1. No DRM. This is not the end of the world, but it’s pretty close to it in terms of HTML5 video replacing Flash.
2. No H264 in Firefox or Chrome, or Opera. Sorry, game over. Mobile devices all have H264 hardware encoding built in, the majority of all content is published in H264. Yet, H264 can not reliably be deployed with HTML5, Flash is the only cross-platform solution.
Like it or not, Chrome put the final nail in the coffin. Flash video is here to stay. This whole debate is deader than a doornail…
Thank you for your very constructive comment CHJJ.
I really don’t get your point, flash video via DRM can still be stored in a few clicks, granted, HTML5 might require a click or 2 less, but still… if this is such a huge problem, why are “premium content” sites using it? Blatant ignorance or did some evangelist convince them it was safe? Could have saved them the cost and headache of the DRM crap…
Serge, my comment wasn’t meant to be constructive. Mockery just seems to be the best response to dishonest arguments. However, if you want to hear a different response, and one I’m sure has already been posted: No content on the web is protected – by the very nature of the fact that *you have to download content in order to view it*. Flash countermeasures to this fail. All they do is provide a false sense of security. If someone is so ignorant of this that they spent 3000 lines obfuscating their code for no good reason, thats their problem, not HTML5′s.
“Flash does work cross browser and cross platform (as I’m sure all of you know). With the use of Flash Media Server you can also completely protect that content ”
erm, no you can’t. Please stop spreading myths. DRM is flawed and Flash’s DRM is very easy to bypass
http://lkcl.net/rtmp/
Flash has also a real DRM: Flash Access 2.0 which is till know unviolated
CHJJ, mors etc: Lots of comments here of the “no DRM is unbreakable, therefore all DRM is useless”. That’s a fine argument for slashdot threads, but it doesn’t work with clients. It may be that no DRM is perfect, but that hardly means there’s no difference between RTMP and just putting a video on a server.