What's the most secure streaming video format?

Question

I have a project that needs to play video but not allow downloading.

I'd love to use Flash, but I've seen applications that let you download files from YouTube -- this makes me wonder if Flash isn't that secure.

Must I use Quicktime or Windows Media?

Mentioning DRM around geeks isn't a good idea. It is like mentioned republican on Reddit. — mmcdole, Jan 30 '09 at 00:08
I'm not sure why this is being down-voted; if he's working on a media application then it's a perfectly legitimate and sensible question. Have a +1 from me to offset some of the negative rep. — Greg Beech, Jan 30 '09 at 00:09
+1 to up the first answer - "If you send someone the data, there's no way you can stop them from capturing it for later replay. End of story." — nailitdown, Jan 30 '09 at 02:06

score 20 · Answer 1 · answered Jan 29 '09 at 23:59

20

If you send someone the data, there's no way you can stop them from capturing it for later replay. End of story.

answered Jan 29 '09 at 23:59

womble

12,033
5
52
66

No it is not. We can make it harder or almost impossible to do without a hacker. There are ways. That what our research said us. – Dongle Nov 28 '13 at 05:54
@Dongle: The key point there is "without a hacker". There are no shortage of hackers in the world. If you'd like to do a little more research, try "analog hole". – womble Nov 28 '13 at 22:29
OK sure. That would be a cool thing to research. Thanks for the info – Dongle Dec 03 '13 at 06:25
@womble So how do websites like [digital concert hall](https://www.digitalconcerthall.com) claim that it is technically impossible to download concert videos on their website? - See this [link](https://help.berliner-philharmoniker.de/hc/en-us/articles/202775408-Can-I-record-or-download-concerts-). By the way, I couldn't download their videos of concerts using a software like [IDM](https://www.internetdownloadmanager.com/). I'm curious to know more about this topic. – today Aug 29 '16 at 18:46
It's called "lying". – womble Aug 30 '16 at 02:01

score 11 · Accepted Answer · answered Jan 30 '09 at 00:07

If you want to use Flash then you can secure your media streams using a combination of the RTMPE protocol (it's the 'E' part that's important) and SWF verification. This isn't unbreakable as the data has to be decrypted to play and isn't protected with DRM, but it provides a reasonable deterrent, and is probably sufficient to stop the majority of people trying to use your data.

More security is available with DRM protected media. Adobe have a version that works with Flex but I don't believe it's available for Flash at the moment. Other than that you've got Apple's or Microsoft's implementations, both of which are pretty secure (note that Microsoft have just released their next-generation PlayReady Server SDK for DRM applications).

Determined crackers will get your data no matter what if it's that valuable to them; all you can do is put up enough roadblocks to make it more hassle than it's worth.

Note that I'm not saying I'm a fan of DRM; just answering the question. Sometimes there is a legal requirement from the content owners to have this security in place - that's what drives our use of these types of measures at my company. — Greg Beech, Jan 30 '09 at 00:11

score 2 · Answer 3 · answered Jan 30 '09 at 00:00

YouTube may use Flash for the player, but the video itself is downloaded as a fairly normal format. If you know the URL - which is in the HTML file - then you can capture it.

Quicktime and Windows Media streams can also be captured. Any stream that users can play can also be captured somehow. No form of protection can ever be unbreakable.

I suppose the most secure method would be to write your own browser plugin, but that's insane. Using a proprietary format makes capturing the video harder, but still not impossible.

score 1 · Answer 4 · edited May 20 '15 at 17:05

As someone said earlier "Analog hole".

To quote wikipedia:

"Once digital information is converted to a human-perceptible (analog) form, it is a relatively simple matter to digitally recapture that analog reproduction in an unrestricted form"

So, if you can see it - you can record it. You can't download the original copy, but who cares when the copy is imperceivable worse?

Just download fraps - hit record.

score 1 · Answer 5 · answered Jan 30 '09 at 00:02

1

I can think of at least one other competitor in that field: RealPlayer. There is no good alternative, because every DRM-system can be broken eventually, it's just a matter of how hard it is.

answered Jan 30 '09 at 00:02

Georg Schölly

124,188
49
220
267

score 1 · Answer 6 · answered Jan 30 '09 at 00:09

1

DRM by it's nature is never going to be perfect. The whole idea of DRM is just a fancy way of doing security-by-obscurity, which any security professional worth his salt is going to say is almost always the wrong solution. For proper security, you don't make the lock hard to find: you secure the actual key.

Now, having said that, I can envisage a way to come close to what you want: but it requires a custom plug-in. You could encrypt the video stream with a key that changes frequently - like every few seconds. That means your plugin must continually request the next key in order to decrypt the next piece of video. This approach makes downloaded video useless, even if you use an otherwise normal format.

answered Jan 30 '09 at 00:09

staticsan

29,935
4
60
73

1) This is a massive hit on a server, 2) Rolling keys work just as well, and 3) Once the content is decrypted, it doesn't matter how good your protection is. You're better off going with a well designed DRM scheme than rolling your own, and none at all is generally the Right Way (TM) to go. – Serafina Brocious Jan 30 '09 at 00:13
1

I never said it had didn't have drawbacks, but also intended it as a starting point. However, I did try to answer the question, even if the popular opinion on SO seems to be that an encrypted video stream is A Bad Thing. – staticsan Jan 30 '09 at 04:46

What's the most secure streaming video format?

6 Answers6