views:

1843

answers:

6

I have a project that needs to play video but not allow downloading.

I'd love to use Flash, but I've seen applications that let you download files from YouTube -- this makes me wonder if Flash isn't that secure.

Must I use Quicktime or Windows Media?

+16  A: 

If you send someone the data, there's no way you can stop them from capturing it for later replay. End of story.

womble
See also http://en.wikipedia.org/wiki/Analog_hole
Adam Rosenfield
+2  A: 

YouTube may use Flash for the player, but the video itself is downloaded as a fairly normal format. If you know the URL - which is in the HTML file - then you can capture it.

Quicktime and Windows Media streams can also be captured. Any stream that users can play can also be captured somehow. No form of protection can ever be unbreakable.

I suppose the most secure method would be to write your own browser plugin, but that's insane. Using a proprietary format makes capturing the video harder, but still not impossible.

Marcus Downing
+1  A: 

I can think of at least one other competitor in that field: RealPlayer. There is no good alternative, because every DRM-system can be broken eventually, it's just a matter of how hard it is.

Georg
+8  A: 

If you want to use Flash then you can secure your media streams using a combination of the RTMPE protocol (it's the 'E' part that's important) and SWF verification. This isn't unbreakable as the data has to be decrypted to play and isn't protected with DRM, but it provides a reasonable deterrent, and is probably sufficient to stop the majority of people trying to use your data.

More security is available with DRM protected media. Adobe have a version that works with Flex but I don't believe it's available for Flash at the moment. Other than that you've got Apple's or Microsoft's implementations, both of which are pretty secure (note that Microsoft have just released their next-generation PlayReady Server SDK for DRM applications).

Determined crackers will get your data no matter what if it's that valuable to them; all you can do is put up enough roadblocks to make it more hassle than it's worth.

Greg Beech
Note that I'm not saying I'm a fan of DRM; just answering the question. Sometimes there is a legal requirement from the content owners to have this security in place - that's what drives our use of these types of measures at my company.
Greg Beech
A: 

DRM by it's nature is never going to be perfect. The whole idea of DRM is just a fancy way of doing security-by-obscurity, which any security professional worth his salt is going to say is almost always the wrong solution. For proper security, you don't make the lock hard to find: you secure the actual key.

Now, having said that, I can envisage a way to come close to what you want: but it requires a custom plug-in. You could encrypt the video stream with a key that changes frequently - like every few seconds. That means your plugin must continually request the next key in order to decrypt the next piece of video. This approach makes downloaded video useless, even if you use an otherwise normal format.

staticsan
1) This is a massive hit on a server, 2) Rolling keys work just as well, and 3) Once the content is decrypted, it doesn't matter how good your protection is. You're better off going with a well designed DRM scheme than rolling your own, and none at all is generally the Right Way (TM) to go.
Cody Brocious
I never said it had didn't have drawbacks, but also intended it as a starting point. However, I did try to answer the question, even if the popular opinion on SO seems to be that an encrypted video stream is A Bad Thing.
staticsan
A: 

Thanks, everyone.

I'm not sure why staticsan was downvoted -- I think that response was creative, if difficult to implement.

Of course nothing is 100% secure, hence the question: "What's the most secure streaming video format."

Thank you, Greg Beech -- that answer was well-researched and precisely the type of overview I was looking for.

kaneuniversal