I see 3 possible solutions

Wowza

I have tried it and I think it’s the best streaming solution so far. It’s less expensive that Adobe Flash Media Streaming http://www.adobe.com/products/flash-media-streaming.html and its architecture is easier to scale. But this is not compatible with your existing CDN solution. Wowza offers a token based security plugin that prevent a flash client to stream the video without being allowed first: http://www.wowza.com/forums/content.php?51 And it is a true streaming environment so you will be less worried about users sniffing their browser connections and downloading the content. Although it’s not completely bullet proof, it is pretty safe, because you’ll use streaming protocols, such as rtsp://

Lighttpd + mod_secdownload

It is also token based and require you to host the videos behind a Lighttpd webserver. http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSecDownload It will make the video links expire after a certain amount of time, which will make hot linking not impossible, but harder to maintain, since it requires the ‘hot-linkers’ to change the links every time it expires. Depending on the length of your videos, it could expire after 5 minutes, which is quite secure.

CDN Token Auth

I’ve been using EdgeCast as a CDN for images and videos, and they offer the same type of protection as Lighttpd + mod_secdownload. It’s called ‘Token-Based Authentication’ and it’s probably available in other CDN services too. Using the EdgeCast API I can request a token for a specific URL, with an expiration time. Exactly as I would do with mod_secdownload. With a 5 minutes expiration time, hotlinking become useless.

So…

If you can, using a streaming server is the best way to prevent content download and hotlinking. Any attempt to obfuscate URLs in a browser will eventually fail, because it is too easy to sniff browser connections and just repeat the same protocol. For the same reason any obfuscation in the Flash client won’t work, because the browser will reveal a downloadable URL.