Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Chrome DRM Encryption Google Privacy Security Software The Internet

Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net) 95

JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.
This discussion has been archived. No new comments can be posted.

Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome

Comments Filter:
  • Chrome (Score:5, Informative)

    by oldgraybeard ( 2939809 ) on Monday January 30, 2017 @08:09PM (#53770117)
    Don't care about netflix so bye bye chrome.
    • A lot of people do care about Netflix and Netflix on Chrome is only 720p (probably because of previous policies). Now that they're hardening the DRM we'll probably see Edge's exclusive 1080p/Dolby Digital capability go away.

  • by aquabat ( 724032 ) on Monday January 30, 2017 @08:11PM (#53770125) Journal
    It's still optional; just stop using Chrome.
    • by Anonymous Coward

      probably a unique browser ID is also generated during installation which it then hands out to any server that asks. your VPN tricks will no longer work

    • It's still optional; just stop using Chrome.

      Or delete the DLL from the plugins directory, or change the permissions on the plugins directory or use Chromium (which is essentially Chrome without the DRM bit anyway).

      • Or just use one of the forks, not like there isn't plenty of choices. There is just off the top of my head Chromodo and Comodo Dragon by Comodo (I use Dragon its quite nice while Chromodo is their bleeding edge build), SWIron, Torch, Vivaldi and Opera.
        • Re: (Score:1, Interesting)

          by Anonymous Coward

          It's unclear what will happen to the forks. I think the forks are all using the Chromium source code which is from now on also going to be contaminated with this change thanks to Google.

          • It's unclear what will happen to the forks.

            If they didn't have code changes they would be pointless, any fork that maintains the chrome://plugins functionality is probably a fine choice.

            I think the forks are all using the Chromium source code

            Well yes, otherwise they wouldn't be forks of it now would they.

      • Re:Still optional (Score:5, Interesting)

        by Anonymous Coward on Tuesday January 31, 2017 @02:31AM (#53772127)

        Or delete the DLL from the plugins directory, or change the permissions on the plugins directory or use Chromium (which is essentially Chrome without the DRM bit anyway).

        Nope. Stop right there citizen.

        Changing ANYTHING about the DRM stuff is a no-no under the DMCA. You have no right to block it. You have no right to turn it off, and coming soon, you will have no right to a computer or software without it.

        In all seriousness though, I do wonder if changing the permissions on or deleting a DLL that provides DRM would be considered "tampering or circumventing a technological protection measure" under the DMCA and it's variants. Of course the browser is entitled not to play the content if that's the case, but my money is on the "You bet your ass it is." side considering that "helps" to increase corporate profits.

        • by Sloppy ( 14984 )

          No. DMCA has been common fodder on Slashdot for .. oh shit, it's decades plural now, huh? Learn what it says, and also how courts have interpreted it. It's actually not that big of a topic.

          I'm leaving out a lot of synonyms or near-synonyms, but basically: you're prohibited from bypassing a technological measure that limits access to a copyrighted work. Removing your computer's ability to descramble DRMed stuff is not a violation, because doing this does not provide you with access. It is perfectly legal, pe

        • In all seriousness though, I do wonder if changing the permissions on or deleting a DLL that provides DRM would be considered "tampering or circumventing a technological protection measure" under the DMCA and it's variants.

          Of course not, if the DLL isn't there it's the same as not having HDCP in your display or the wrong region DVD player. The content simply won't play because you don't have the capability to play it.

  • by Anonymous Coward

    Something something Evil....

  • Sounds wrong (Score:2, Interesting)

    by Carewolf ( 581105 )

    Widevine like all EME are plugins, they are not part of the browser binary, but separate libraries. Chromium couldn't be open source if it wasn't designed that way. So remove the plugin? In any case the part about researching Chrome... WTF? Chromium is open source...

    • Re: (Score:2, Informative)

      by Anonymous Coward

      See related story here [slashdot.org]. You can no longer remove that plugin. As for chromium you could always compile your own version to allow you to remove the plugin in question but it's probably easier (and better in principle) just to dump chrome and it's offshoots altogether.

      • See related story here [slashdot.org]. You can no longer remove that plugin. As for chromium you could always compile your own version to allow you to remove the plugin in question but it's probably easier (and better in principle) just to dump chrome and it's offshoots altogether.

        Chromium doesn't even support widevine since it uses proprietary codecs, and those are only enabled in official Chrome builds.

  • Is it just me (Score:5, Insightful)

    by buss_error ( 142273 ) on Monday January 30, 2017 @08:43PM (#53770311) Homepage Journal

    Or is anyone else getting tired of basic internet tools being turned in to monsters? By that I am talking about FireFox deciding to not trust a certificate, you can't select "Yes, I know, give it to me anyway". EG: StartCom's certs - you can't click past, you have to use another browser.

    Another example: Java 8 - I maintain servers. Many thousands of them, all over the globe. No, I can't put valid certificates on them. That would violate compliance in the first place, in the second place, we are talking $many^3 servers. But in Java 8, you have to add the IP to an exception list. Yeah, that's a lot to maintain. So we don't use Java 8.

    Please guys that write this stuff - you cannot make unilateral decisions on security and not impact workloads. Yes, the average Internet user is an idiot and needs to be protected, but those non-idiots don't have the hours of time needed to get around your unilateral coding decisions.

    • by zlives ( 2009072 )

      for java you can use a deployment file with trusted ip's and a custom certstore file to bypass cert issues. at least most of them.
      not a simple process but if you are managing a large deployment then chances are its no big deal for you.
      firefox is more manual but also doable...

      • by zlives ( 2009072 )

        actually not sure about the StartCom's certs, i am unfamiliar with them... but even self signed certs can be added as trusted CA's

    • Re:Is it just me (Score:4, Interesting)

      by exomondo ( 1725132 ) on Monday January 30, 2017 @09:13PM (#53770535)

      No, I can't put valid certificates on them. That would violate compliance in the first place

      Compliance with what?

      • It depends on where they are (legal jurisdiction wise). All of them would fall at the very least within the business change management. Add in various legal jurisdictions, and various laws within that jurisdiction, with various requirements of the server clients ....

        • That sounds like a *very* narrow problem case on your end, and it doesn't really explain how a valid certificate would violate compliance with your procedures.
          • That sounds like a *very* narrow problem case on your end

            But one with a huge cost of manpower to overcome. It is true that others, with fewer points on the surface, will experience less disruption. It is disruption none the less.

            and it doesn't really explain how a valid certificate would violate compliance with your procedures.
            Without being overly specific It is quite simply easier to leave an expired certificate in place than it is to put in a current one. The expired certificate is documented, the ne

            • But one with a huge cost of manpower to overcome. It is true that others, with fewer points on the surface, will experience less disruption. It is disruption none the less.

              So expend the effort (or pay somebody) to fork the Firefox code and implement a toggle, that's the point of Open Source, it it really is a huge cost of manpower to overcome then it will easily be worth the effort for the savings.

              Without being overly specific It is quite simply easier to leave an expired certificate in place than it is to put in a current one. The expired certificate is documented, the new one would have to run that gamut.

              Yes I imagined it was a case of it's just easier to not do it properly, but again the problem is on your end with your business process causing a bottleneck on doing the job correctly.

    • Please guys that write this stuff - you cannot make unilateral decisions on security and not impact workloads. Yes, the average Internet user is an idiot and needs to be protected, but those non-idiots don't have the hours of time needed to get around your unilateral coding decisions.

      Apparently they can and they do just that, hence your plea for help. But discussing this in terms of your workload is really discussing a distraction. Computer owners benefit from software freedom because software freedom grant

      • by buss_error ( 142273 ) on Tuesday January 31, 2017 @01:40AM (#53771995) Homepage Journal

        I'm speaking to at scale work, not simply a few thousand servers. Add more orders of magnitude.

        What you discuss is absolutely possible. If you have time, or manpower to dedicate to watching every single part of every single tool used. Management is simply not going to pay that salary. And since not every single tool is under constant, close scrutiny, the opportunity for sudden work stoppages is much greater. I simply cited the tools everyone knows.

        What you suggest about selecting software - not so much when you work at scale. Think many thousands of people, always with that percentage that simply don't get the news. (There's always someone).

        IT was suggested that we start using containers or VMs for maintenance. This is what we've come to. You can no longer depend on tools you own and supervise, you have to lock them up and proactively defend them - from their own makers.

        I find that astonishing.

    • by swb ( 14022 )

      Who hasn't been burned by hardware that requires Java but then finds that either the browser or the JVM won't run the interface due to HTTPS compliance problems. And sometimes its not even Java -- we recently ran into some wireless controllers with a default public certificate that was revoked, breaking the management GUI and the captive portal functionality.

      In an ideal world, an organization would have their own internal PKI or buy public trusted certificates for all of it, at least solving the HTTPS cer

  • There I said it.

    Why, because media companies are too stupid to come up with a better model so they bog down the net with streams of moronic shows.

    While I am venting my spleen over stupid stuff, another thing pissing me off is slashdot starting to display ads over the posts even when signed in - please stop doing that shit slashdot.

    • ... slashdot starting to display ads over the posts even when signed in ...

      I haven't seen this ... yet.

      I'm running FF 51.0.1 (32-bit) with Adblock Plus and NoScript.

    • Why, because media companies are too stupid to come up with a better model so they bog down the net with streams of moronic shows.

      Not so sure spewing all the video streams over the 'net is a bad thing. It creates demand for capacity, which is naturally increased. More capacity is pretty much always a good thing IMHO.

      • by MrKaos ( 858439 )

        Why, because media companies are too stupid to come up with a better model so they bog down the net with streams of moronic shows.

        Not so sure spewing all the video streams over the 'net is a bad thing. It creates demand for capacity, which is naturally increased. More capacity is pretty much always a good thing IMHO.

        You're probably right and the additional capacity is a good thing, however that doesn't change that it is a stupid model. Advancement and adaptation is a good thing for business and these are businesses highly resistant to change. Their requirements for laws and constructs like the DMCA to sustain their business model instead of evolving to 21st century business conditions just shows that their business model is obsolete.

        They are a 20th century construct trying to stay relevant.

        • You're probably right and the additional capacity is a good thing, however that doesn't change that it is a stupid model. Advancement and adaptation is a good thing for business and these are businesses highly resistant to change. Their requirements for laws and constructs like the DMCA to sustain their business model instead of evolving to 21st century business conditions just shows that their business model is obsolete.

          Can't say I agree with this either. I personally believe the streaming model is very good, it achieves a balance the MPAA wants, without hindering the customers needlessly. We can all agree DRM is usually an annoying obstacle to doing what we want to do, but the stream model's DRM is pretty much invisible to the customer. The content creators get their stuff 'protected', we get to watch what we want, when we want. So yeah, I don't see a problem with this arrangement.

          Sorry you feel otherwise, but in all

  • And now they just never ever say anything like that anymore?
    • by Dog-Cow ( 21281 )

      Do you remember when DRM was classified as evil? Yeah... me neither.

      • Are you for real? Were you around that time a major corporation installed malware on all of their customers computers in the name of DRM?

        https://it.slashdot.org/story/... [slashdot.org]

        • Evil? Also for breaking things. I have had games I paid for not work. I have had (way back now) a DVD movie I bought not play (media player claimed DRM issue, stopped using Win Media player after that (I did say way back now!)). I had a game tell me about software I was not allowed to have on my computer (WTF!?!) or the game would not run. First of all, WTF!?! That is my decision. Secondly, I did not have that software on my computer, never had, and at that point had not even heard of it (Daemon Tools, if I

    • $$$ changes a LOT of rules, doesn't it?? :(
    • Remember when googles motto was do no evil? And now they just never ever say anything like that anymore?

      Yeah, awhile back they decided to shorten the "Do No Evil" motto by dropping the "Do No" part. Suited them better.

  • Why should I give a shit about that DMCA? I love it, if it means the US competition has to resign before they may even start!

    --signed, European security researcher.

    • You're right. We can't even so much stand on wobbly legs to any competition! (our legs have been cut off by this monster.)

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...