Archive for Strategy

Amazon S3 Encryption

Now when you do a “view source” on any page on our site that has a demo video to show the S3MediaVault script in action, you might see something like this:

flowplayer("player533662499-1291229078", "http://s3mediavault.com/blog/wp-content/plugins/S3MediaVault/flowplayer-3.1.2.swf", {
    clip: {
        url: escape('http://s3mediavault.com.s3.amazonaws.com/intro2ll.mp4?AWSAccessKeyId=1HPS101KFMM8SKNK9BG2&Expires=1291230078&Signature=gD31LukvVow3RefZAIU6X%2Bw1MpY%3D'),
        autoPlay: false,
        autoBuffering: false
    }
});

And you might look at the text in bold above and wonder, “Hey, how come something called the key is showing? That doesn’t appear like it’s secure – it’s showing all of my information!”.

No need to freak out – the S3MediaVault script is very secure – as secure as an Amazon S3 script can possibly get.

Public-key / Private-key Encryption

Note that Amazon S3 uses a form of encryption called “Public-key / Private-key”. You can read more about it here. When any two parties exchange information using public and private keys, the private key is never exposed. It is always the “public” key that is exposed to the world, and that is how it is supposed to work (if you read the above link), so it is not a security issue. Please note that when setting up the S3MediaVault script, you entered both a “public key” and a “secret key”. The “secret key” is the private key and it is never exposed to anyone. It is only the “public key” that you see when you do a view source.

How It Works

So here’s how the script works:

  1. Visitor arrives at your page that has the S3MediaVault embed code
  2. The S3MediaVault script is triggered by WordPress due to the [s3mv] tags in your page/post
  3. S3MediaVault then takes the file name from the tag, then opens a connection using the “Public Key” for your Amazon S3 account. Please note that when setting up the S3MediaVault script, you entered both a “Public key” and a “secret key”. The “secret key” is the private key and it is never exposed to anyone. It is only the “public key” that you see when you do a view source.
  4. Amazon then responds back to S3MediaVault on your site, with an expiring URL for the protected file.
  5. S3MediaVault just uses that secure, expiring link to display the video (or PDF, etc).
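
The URL in the page source carries AWSAccessKeyId, Expires and Signature parameters, the shape of an S3 query-string-authenticated request, in which Signature is an HMAC-SHA1 computed with the secret key. The following is an added example, not S3MediaVault's code; the bucket, both keys and the function names are constructed, and check() only models the test the storage side applies. It shows why a viewer who copies the URL cannot point it at another file or extend its lifetime.

```python
import base64, hashlib, hmac
from urllib.parse import urlsplit, parse_qs, quote

# Constructed credentials for illustration; not real AWS keys.
ACCESS_KEY_ID = "AKIDCONSTRUCTED00001"
SECRET_KEY = b"constructed-secret-that-stays-on-the-server"
HOST_SUFFIX = ".s3.amazonaws.com"

def _signature(secret, resource, expires):
    # SigV2 string-to-sign for a plain GET: verb, empty Content-MD5,
    # empty Content-Type, expiry time, canonical resource (/bucket/key).
    string_to_sign = f"GET\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret, string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(bucket, key, expires):
    """Server side: build the expiring URL that appears in the page source."""
    path = "/" + quote(key)
    sig = _signature(SECRET_KEY, f"/{bucket}{path}", expires)
    return (f"http://{bucket}{HOST_SUFFIX}{path}?AWSAccessKeyId={ACCESS_KEY_ID}"
            f"&Expires={expires}&Signature={quote(sig, safe='')}")

def check(url, now):
    """Model of the storage side: recompute the HMAC, then test the expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        bucket = parts.hostname[: -len(HOST_SUFFIX)]
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
    except (KeyError, ValueError, TypeError):
        return "malformed"
    # A real service looks the secret up by AWSAccessKeyId; one key here.
    expected = _signature(SECRET_KEY, f"/{bucket}{parts.path}", expires)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "bad signature"
    return "expired" if now > expires else "ok"

if __name__ == "__main__":
    url = presign("example-bucket", "intro.mp4", 1291230078)  # constructed input
    print(url)
    print(check(url, 1291229078))                                      # in window
    print(check(url.replace("intro.mp4", "other.mp4"), 1291229078))    # other file
    print(check(url.replace("Expires=1291230078", "Expires=1999999999"), 1291230079))
    print(check(url, 1291230079))                                      # past expiry
```

Until the Expires time passes, the URL works for anyone who holds it, so the expiry window is the setting that bounds how long a copied link stays useful.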


Downloading Protected Files

Please note that S3MediaVault is not a “true streaming” solution. That means it doesn’t stream videos in real time; rather, it plays the video by buffering the file as the viewer watches, just as web sites like YouTube play videos. And that’s the right way to do it, if you care about your viewers.

This means your viewers will be able to rewind, fast forward, or even pause the video (especially a large one) so that it keeps buffering in the background, and then come back and watch it later when it has fully “loaded”, without experiencing any real-time buffering. This is very useful for viewers who don’t have fast internet connections.

This also means that anyone who watches your video can use free browser plugins (like DownloadHelper) that download a video being watched in the browser. This is not a security breach. They are able to download it to their computer only because they have already been given authorized access to the video/audio itself.

Please remember that anything that is accessible online – like audio or video – can always be easily downloaded to the viewer’s desktop. There are many different ways in which you can download what you are viewing in your browser. The bottom line is this: if a video or audio is accessible in a browser, it can easily be downloaded (or “recorded” using screen-capture solutions like Camtasia, or audio-capturing solutions like Audacity) and then saved to the viewer’s computer.

S3MediaVault makes sure no one can directly access your files from your S3 account, and that they can only get to them from your blog (on which the S3MediaVault script is installed).

Then combine it with the Page/Post protection of DigitalAccessPass (DAP), which can make sure only certain people (like paid members, or free but registered users) can access the blog post or page where the S3MediaVault embed code is published.

Combine DAP + S3MediaVault, and you will have completely locked down your content from any and every kind of unauthorized and illegal access.

So once someone has paid for your content (or registered for it) and is an authorized user with a right to view or hear that content, it’s OK that they get to download what they’re eligible for to their computer for offline use (like during their morning walk, or on the treadmill, or in their car, or when standing in line at the theme park!).

We don’t think it is a good idea for you to prevent your paying members from downloading your videos. After all, they’ve paid for them, and should be able to download them and watch them offline (like on their mobile device, iPad, iPhone, etc.).

In fact, the best membership sites that we’ve been members of offer the content in multiple ways: download the videos in Flash format (flv), download an iPod/iPad version (mp4), download an audio version of the video (mp3), download the transcript of the video (PDF), etc.

The easier you make it for your members to consume your content, the more they will love being a member, and the longer they will stay with you.

If you absolutely must have “streaming” videos that viewers cannot download at all (and also cannot easily buffer ahead and play at their own convenience), then you need a plugin like the Easy Video Player.
