[jarrettc]

> Or does it truly rely on blackbox obfuscation?

The client ultimately has to decrypt the data somehow. So the key is there on the client. I take it obfuscation is the only thing standing between the user and that key. Am I correct about that?

Which makes me wonder: How much security does HTML5 DRM really provide? Security through obscurity is a very weak defense, and one that is almost invariable defeated sooner or later. Will this really prove a hindrance to piracy in the long run?

[serge2k]

This isn't security through obscurity, unless the DRM implementation being a secret actually does provide security. I doubt it does, beyond the fact that an audit of the source could probably find a load of security issues.

Of course an audit of OpenSSL would do the same.

[dec0dedab0de]

* unless the DRM implementation being a secret actually does provide security.*

It Does, because it is illegal(at least in the US) to reverse engineer it.

[jarrettc]

> This isn't security through obscurity

I don't necessarily disagree. But how, other than through obscurity, does HTML5 DRM inhibit copying, given that the client possesses the decryption key? (Let's assume the would-be attackers aren't dissuaded by any laws that might apply.)