Secure key delivery using asymmetric encryption to hide keys from network tab
Is your feature request related to a problem? Please describe.
I'm always concerned about the security of the encryption keys (.key files) in HLS streaming. Currently, these keys are fetched by the client in plaintext and are visible in the browser’s network tab. This exposure makes it easy for anyone to capture the keys and potentially decrypt protected content, which compromises content security.
Describe the solution you'd like
I would like to suggest adding support for asymmetric encryption (e.g., RSA) or other secure key exchange mechanisms in hls.js to protect encryption keys during playback.
Instead of serving the keys directly, the server could encrypt the keys with the client’s public key, and the client would decrypt them locally with its private key. This way, the actual keys never appear in plaintext over the network or in the browser’s developer tools.
This approach would significantly improve content protection by reducing the risk of key interception during playback.
Has there been any thought on this or related implementations? I’d be happy to discuss potential approaches or contribute.
Additional context
No response
There is no reason for hls.js to natively implement proprietary key encryption which would normally be handled by your code. Even if you did implement this, it wouldn't really make your client any more secure because it's still running in JS, making reverse engineering really easy. This is the reason DRMs like Widevine and PlayReady exist, where we also use asymmetric encryption to hide content keys from the user, but in that case the client libraries are actually hard to reverse (except that that already happened, so the security now lies within the client private key).
I agree that this is something that the app should handle and not something that should be adopted as a feature.
Correct, reverse engineering is still possible... and without DRM it's not possible to make it completely secure... Successfully used the patch of the hls js and used it in my code... I really appreciate the work done by contributors of this repo... thanks for helping 👏👏
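The key-wrapping exchange proposed in the issue, done in application code as the replies suggest, is sketched here as an added example that is not part of this thread or of hls.js. It uses the WebCrypto API; all function names and sample bytes are constructed, and the server side is simulated in the same process. It keeps the content key off the wire in plaintext, but, as the first reply points out, the script doing the unwrapping still runs in the page and can be inspected.

```javascript
// Added example: RSA-OAEP wrapping of an HLS AES-128 content key with WebCrypto.
// Names and sample bytes are constructed; the "server" steps run in-process here.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const OAEP = { name: 'RSA-OAEP', hash: 'SHA-256' };

// Client: generate the key pair; the private key is non-extractable.
async function clientCreateKeyPair() {
  const pair = await subtle.generateKey(
    { ...OAEP, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) },
    false, ['wrapKey', 'unwrapKey']);
  return { privateKey: pair.privateKey, spki: await subtle.exportKey('spki', pair.publicKey) };
}

// Server (simulated): encrypt the 16-byte content key to the client's public key.
async function serverWrapContentKey(spki, rawKey) {
  const pub = await subtle.importKey('spki', spki, OAEP, false, ['encrypt']);
  return new Uint8Array(await subtle.encrypt({ name: 'RSA-OAEP' }, pub, rawKey));
}

// Client: unwrap directly into a non-extractable AES-CBC key
// (HLS AES-128 is AES-128-CBC with PKCS#7 padding).
async function clientUnwrap(privateKey, wrapped) {
  return subtle.unwrapKey('raw', wrapped, privateKey, { name: 'RSA-OAEP' },
    { name: 'AES-CBC' }, false, ['decrypt']);
}

async function clientDecryptSegment(aesKey, iv, ciphertext) {
  return new Uint8Array(await subtle.decrypt({ name: 'AES-CBC', iv }, aesKey, ciphertext));
}

async function demo() {
  const contentKey = Uint8Array.from({ length: 16 }, (_, i) => i + 1); // constructed key
  const iv = new Uint8Array(16);                                       // constructed IV
  const segment = new TextEncoder().encode('constructed media segment bytes');
  // Server side: the segment is encrypted once with the content key.
  const srvKey = await subtle.importKey('raw', contentKey, 'AES-CBC', false, ['encrypt']);
  const ciphertext = await subtle.encrypt({ name: 'AES-CBC', iv }, srvKey, segment);

  const client = await clientCreateKeyPair();
  const wrapped = await serverWrapContentKey(client.spki, contentKey); // what the network tab shows
  const aesKey = await clientUnwrap(client.privateKey, wrapped);
  const clear = await clientDecryptSegment(aesKey, iv, ciphertext);
  let exportable = true; // exportKey() must fail on the unwrapped key
  try { await subtle.exportKey('raw', aesKey); } catch { exportable = false; }
  return { wrappedLength: wrapped.length, exportable, text: new TextDecoder().decode(clear) };
}
```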