I have a project that needs to play video but not allow downloading.
I'd love to use Flash, but I've seen applications that let you download files from YouTube -- this makes me wonder if Flash isn't that secure.
Must I use Quicktime or Windows Media?
If you send someone the data, there's no way you can stop them from capturing it for later replay. End of story.
YouTube may use Flash for the player, but the video itself is downloaded as a fairly normal format. If you know the URL - which is in the HTML file - then you can capture it.
Quicktime and Windows Media streams can also be captured. Any stream that users can play can also be captured somehow. No form of protection can ever be unbreakable.
I suppose the most secure method would be to write your own browser plugin, but that's insane. Using a proprietary format makes capturing the video harder, but still not impossible.
I can think of at least one other competitor in that field: RealPlayer. There is no good alternative, because every DRM-system can be broken eventually, it's just a matter of how hard it is.
If you want to use Flash then you can secure your media streams using a combination of the RTMPE protocol (it's the 'E' part that's important) and SWF verification. This isn't unbreakable as the data has to be decrypted to play and isn't protected with DRM, but it provides a reasonable deterrent, and is probably sufficient to stop the majority of people trying to use your data.
More security is available with DRM protected media. Adobe have a version that works with Flex but I don't believe it's available for Flash at the moment. Other than that you've got Apple's or Microsoft's implementations, both of which are pretty secure (note that Microsoft have just released their next-generation PlayReady Server SDK for DRM applications).
Determined crackers will get your data no matter what if it's that valuable to them; all you can do is put up enough roadblocks to make it more hassle than it's worth.
DRM by it's nature is never going to be perfect. The whole idea of DRM is just a fancy way of doing security-by-obscurity, which any security professional worth his salt is going to say is almost always the wrong solution. For proper security, you don't make the lock hard to find: you secure the actual key.
Now, having said that, I can envisage a way to come close to what you want: but it requires a custom plug-in. You could encrypt the video stream with a key that changes frequently - like every few seconds. That means your plugin must continually request the next key in order to decrypt the next piece of video. This approach makes downloaded video useless, even if you use an otherwise normal format.
Thanks, everyone.
I'm not sure why staticsan was downvoted -- I think that response was creative, if difficult to implement.
Of course nothing is 100% secure, hence the question: "What's the most secure streaming video format."
Thank you, Greg Beech -- that answer was well-researched and precisely the type of overview I was looking for.