Using Amazon S3 Query String Authentication for Music Player

Question

I have a musician client who I created a music player web app/site for primarily in javascript a few years back.

The mp3 audio files are being grabbed via a regular HTTP download.

He has noticed that people are ripping off his music and using his tracks elsewhere.

I want to make it harder for people to be able to do simply grab the mp3 file from their dedicated URL.

I am familiar with Amazon S3's query string authentication and am thinking of using this.

My plan is to set the expiration time for the request ahead about 3 seconds so that the player app has time to start the download but if a user attempts to grab the URL and make the same request later, their attempt will be blocked.

I have 2 concerns:

1) Will the download stop when the expiration time has been reached even if it is mid-download? Or will it continue to download?

2) Is there a better way to do something like this?

Answer 1

No, a URL must be valid at the time the download starts. A started download will finish if the expiration time is reached during download. Here is a document detailing it, although it is related CloudFront signed URLs, it should be the same for S3 query string auth. (link)

Be careful with short expiration times. Amazon servers' clocks (at least I know this for EC2 instances from own experience) tend to have a great inaccuracy (about 10 seconds / day). You should use ntp to keep clocks synchronised.

Answer 2

Using the query string authentication method should work and shouldn't stop the download once the expiration passes. With a little bit of automation though it's still something that can be circumvented.

Ultimately the only way to stop the files from being redistributed would be to use some form of encryption or DRM