[geitiegg]

The media companies would have no issues whatsoever with continuing to use outdated, insecure and otherwise broken technologies to ensure that their content is delivered with some form of DRM. Those technologies already exist, and already ensure the media companies have a future of distribution over the web.

Creating some form of standard around the use of DRM is the lesser of two evils when compared to the use of a multitude of proprietary decoders.

[the_ancient]

I find this funny...

Today there are 2 decoders, Flash and Silverlight

with EME we are moving to a minimum of 4, and possibly a crap load more decoders... Adobe DRM, MS PlayReady, Apple FairPlay and Google Widevine.

How is that better?

Ohh and calling them extensions does not magically make them better than plugins.. they are still binary blobs running closed source code interfacing with the browser using an api. a plugin by another name is still a plugin

[geitiegg]

Today, there are two main browser plugins required for watching DRM Video on the web. These plugins are not decoders, they are merely platforms on which the decoders themselves can run, alongside any other code that the site may supply. The problem with this approach, as I see it, is that these platforms create an inherent security risk for the user alongside the current issues regarding free software and ethics. The use of Flash/Silverlight also slows the adoption of other, more open, web standards.

By switching to EME, you're switching out the Flash & Silverlight platforms for a set of closed binary blobs which take an encrypted stream from the browser and produce unencrypted video/audio for the browser to display instead of executing arbitrary code. Now, I'll admit I'm not terribly well versed on the issue, but to me that seems to increase user security, promotes the use of other open web standards over Flash/Silverlight and keeps the media companies happy. The only people losing out in this situation are those that find DRM conceptually abhorrent.

[the_ancient]

Functionally, as far as displaying video goes, there is very little difference between a Flash Video player, and a Adobe CDM Video Player.

Sure it might have a slightly smaller attack surface because it does not have all the other flash "features" that are not really used any more, but do not fool yourself, it is still executing arbitrary code that is beyond your control, and any attempt to control what this code does could be considered a violation of DMCA.

It however in no way promotes the open web, I do not know where you get that from. This is the exact opposite of promoting the open web

As to who loses out, it is not just people that find DRM objectionable. Will Adobe DRM work on ARM for the various SBC system like the Raspberry pi? Doubtful.. Will there be a CMD for midori? Ice Weasel? or any of the other less popular browsers? Doubtful. With the Adobe CDM work well, and bug free with out killing system resources under Linux x86? Doubtful (it will probably work, just not well)

So we are back to a world where only "approved" platforms are allowed to use the web fully, this is direct opposition to W3C's stated mission.

[cpeterso]

I imagine that playing videos is the Flash Player's primary use case. With EME supporting only video decoding, we can sooner phase out support for Flash Player and everything else it drags along.

If Adobe's CDM can run while completely sandboxed from network and file access, then what if it was implemented in asm.js? Then "CDM.js" could be portable across all browser platforms and architectures. I'm not sure how well Firefox's JIT would optimize obfuscated asm.js code generated from obfuscated C++ code. :)

Disclosure: I used to work on Adobe's Flash Player team and I now work at Mozilla, so I have many conflicting personal and professional biases. :)

[stinkytaco]

>If Adobe's CDM can run while completely sandboxed from network and file access

I'll admit this isn't my area of expertise, but how would this be possible?

[chx]

The CDM and the server runs some sort of secure key exchange with the browser doing the actual network traffic. The browser is eavesdropping on the communication but that's what Diffie-Hellman, STS etc are solving. Then the browser gets the encrypted stream, hands it to the CDM which has some ties to the OS to be able to draw on the screen. Only tie to the OS is required, no files, no network. The browser can handle those.

[bzbarsky]

The EME spec is designed to make this feasible at least in principle: the browser hands the encrypted video bits to the CDM.

In the case of Adobe's CDM and Mozilla, this is one of the points that was explicitly negotiated: the CDM will be running in a sandbox.

[nitrogen]

produce unencrypted video/audio for the browser to display

That's the silly example used in all of the pro-EME propaganda, but the standard also allows content providers to demand an encrypted path all the way to the video card, IIRC, thus bypassing the browser's ability to save content, and exposing a potentially insecure video driver to the CDM blob.

[DerpDerpDerp]

This is my real objection to DRM: it fundamentally either is just a show (turning over the unencrypted message to the browser, anyway) or requires that I be locked away from the computation happening (has direct access to hardware and security features to keep me out).

So either it doesn't work by design, or it's a rootkit's wetdream since all hardware is designed to be able to lock me out.

[nullc]

Is a bank vault "just a show" simply because no one has ever invented one that can't be penetrated with a sufficient application of high explosives or a plasma torch?

The goal of making Joe-Average choose between the official channels or some malware laden underground site is a perfectly pragmatic one on the parts of the licensors. They don't need to block the ilicit copying completely to see a benefit...

Especially when the costs of their 'protection' are predominately externalized onto the users (in the form of restricted freedoms, closed software, spyware, etc).

[DerpDerpDerp]

In my terms, a bank vault would protect my valuables by fundamentally denying me access to them, except on terms dictated by some external trusted party. This is the case of DRM using entirely encrypted paths (which can be broken with the big guns, like in your analogy), not the case of it being "just for show".

> The goal of making Joe-Average choose between the official channels or some malware laden underground site is a perfectly pragmatic one on the parts of the licensors.

Uh... what? The problem with DRM from a practical standpoint is that the effective technical means serve as an impediment to Mr Joe Average using his computer for perfectly allowed purposes - including at times playing the game. (Look at any major game launch recently for thousands of upset players because the DRM servers are overloaded.)

Secondly, you presented a strawman, since there are lots of non-malware-laden copies available online.

I'm not really against DRM per se, if there were some magic solution. Nor am I arguing that partially effective security measures are meaningless. I'm arguing that having encryption protected computing channels which deny the user override (or inspection) access are dangerous (duh! they go on malware laden websites, as you point out), and that any DRM which doesn't use such hardware level (or even low-level software) is no more effective than just setting a metadata flag saying it's copyrighted.

I get why companies want DRM, but that doesn't mean that I think giving in to their wishes is a good idea, when it both creates worse computer security problems and fails to solve the problem at a technical level.

A lot of people pirate things precisely because DRM is such a hassle.

[lttlrck]

Incomplete or inaccurate, but "silly"?

[camus2]

sh... brainless devs just want to bash flash... that's why.Most of them didnt live the time when you had to install 60 plugins to read videos.

[higherpurpose]

There is no "standard" around DRM. Google, Microsoft and Apple each will have their own different DRM platform. If you're outside of those 3 platforms, tough luck. Their only hope is to have a popular enough 3rd party DRM platform, like from Adobe, to be able to play those videos if their OS isn't from Google, Microsoft or Apple.

How will Jolla Sailfish play these DRM'ed videos? They cannot. Unless they implement the Adobe DRM, too, which can only be implemented as a plugin, into these non-Google/Apple/MS solutions.

So now instead of just Adobe's flash , and a Silverlight that was dying anyway since Microsoft deprecated it, we'll have at least four different DRM platforms. Yay for the "HTML5 DRM"!

[chriswarbo]

> Creating some form of standard around the use of DRM is the lesser of two evils when compared to the use of a multitude of proprietary decoders.

I have nothing against the media and proprietary software companies getting together to make a DRM standard. It would have precisely zero impact on my life, since I already avoid all forms of DRM.

I don't see what that has to do with Web standards though, since their goals are completely incompatible. EME shouldn't exist.

[ermintrude]

For now. If this spreads to being able to DRM images and text, or they use it on YouTube/whatever other video site, you will be affected. That's the real danger to my eyes.

[jeswin]

Open standards (and free software as well) do not directly fight closed distributors (both media and software) or ask them to change their ways. But what they do is give a more open upstart a significant advantage; an advantage that helps them offset some of the other shortcomings they have.

So if my company had average content that could reach 2 billion people against Mediaflix's 50m with closed silverlight, I'd still survive. Once I start making better content, Mediaflix is forced to do something or they'll slowly die.

[twoodfin]

So if my company had average content that could reach 2 billion people against Mediaflix's 50m with closed silverlight, I'd still survive.

Your company is called YouTube, and it's doing just fine.

[loup-vaillant]

Where are the latest Hollyood hotness on YouTube? I only found teasers, third party fair use, and deleted videos and accounts.

[twoodfin]

Hence "average content". The studios are the reason Netflix has to serve their content with DRM, and they're fairly unanimous about it.

[guelo]

The real fight here is about mobile and all the other platforms like Apple TV, Chromecast, Roku, Sony, wearables, cars, etc. Netflix and co. don't want to have to develop for all these platforms, they want to hijack the web to do the cross-platform dirty work for them. Especially since Adobe already gave up on running Flash on all the platforms after Apple blocked them on iOS.

[aragot]

We're rather talking about Youtube going under DRM than Netflix.

Youtube without DRM was an advantage for a couple of hackers: They could download vids for offline viewing (iPod/iPad and p2p-sharing after takedown).

Youtube with DRM could change the game. The impact of a movie being pirated on Youtube is much more contained if users can't download it.

[icebraining]

But they will. If the video player can decrypt the content, so can any youtube downloader transparently for the user.

[jiggy2011]

Adding DRM to youtube simply doesn't make sense to me. The majority of content is added to youtube because the publisher wants people to view it and share it as much as possible. They aren't monetising the content directly.

It's really only big media companies that are in the weird position of wanting many people to view their content but only under specific constraints.

[icebraining]

Some videos on Youtube are already using DRM, in the form of RTMPE.

[blueskin_]

Sadly, I think you're right. Silverlight is effectively dead now, but still in use for a lot of streaming video. Netflix et al will probably only ditch it when it can't even be installed on many computers any more, and will probably go for some other third party framework when they do.