security encryption video-streaming html5-video mpeg-dash

Using MPEG-DASH with encrypted video, how do I keep my encryption keys a secret?


I need to make sure a user viewing a video on my site can't get a hard copy of it (unless he captures the screen which I can't prevent).

I'm looking into MPEG-DASH as a solution using Common Encryption (CENC). I understand there is a license server that should verify the client before he gets the keys. I'm not quite sure if it's a server I set up or something public I use.

But how do I make sure an attacker can't get the keys from inside the browser somehow, download all the m4s chunks, decrypt them with the key he got from the browser and merge them?

If the player on the browser is supposed to decrypt each m4s file, it means it uses the key for each file, which means it stores the key somewhere in the memory. Can't an attacker use the developer tools to step into the decryption code and take the decryption key?

Is there some protection mechanism I'm not aware of?


Solution

  • That is the job of the DRM vendor. The key is sent encrypted from the license server and decrypts the video inside the CDM in a protected environment. Look up Widevine and PlayReady. If you do this yourself without a vendor, you must have the user install your CDM.
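
The flow the answer describes, as page JavaScript sees it through the browser's Encrypted Media Extensions (EME) API. This is an added example, not part of the original answer: the script only relays opaque messages between the CDM and the license server. The license URL, the codec string, and a license server that accepts the raw CDM message as the POST body are assumptions.

```javascript
// Added example: the EME handshake from the page's point of view.
// Key-system order and codec string are illustrative assumptions.
const KEY_SYSTEMS = ['com.widevine.alpha', 'com.microsoft.playready'];

const CONFIG = [{
  initDataTypes: ['cenc'],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Pick the first DRM key system whose CDM is available in this browser.
async function pickKeySystem(nav) {
  for (const name of KEY_SYSTEMS) {
    try {
      return await nav.requestMediaKeySystemAccess(name, CONFIG);
    } catch (_) { /* this CDM is not available, try the next one */ }
  }
  throw new Error('no supported DRM key system');
}

// Wire a <video> element to a license server.
// nav is window.navigator and fetchFn is window.fetch in a real page;
// they are parameters here so the flow can be exercised with stand-ins.
async function attachDrm(video, licenseUrl, nav, fetchFn) {
  const access = await pickKeySystem(nav);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);

  // Fired when the player appends an encrypted (CENC) segment.
  video.addEventListener('encrypted', async (ev) => {
    const session = mediaKeys.createSession();
    session.addEventListener('message', async (msg) => {
      // msg.message is a license request built by the CDM, opaque to script.
      const resp = await fetchFn(licenseUrl, { method: 'POST', body: msg.message });
      // The license carries the content key wrapped for this CDM only;
      // script hands it back without ever holding the clear key.
      await session.update(await resp.arrayBuffer());
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
  return access.keySystem;
}
```

Stepping through this code in the developer tools shows only the license request and the license response as byte buffers; decryption of the m4s segments happens inside the CDM after `session.update()`.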