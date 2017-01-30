

 


Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net)

Posted by BeauHD from the flip-of-a-switch dept.
JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.

  • Don't care about Netflix so bye bye Chrome.

  • Still optional (Score:3)

    by aquabat ( 724032 ) on Monday January 30, 2017 @07:11PM (#53770125) Journal
    It's still optional; just stop using Chrome.

    • It's still optional; just stop using Chrome.

      Or delete the DLL from the plugins directory, or change the permissions on the plugins directory or use Chromium (which is essentially Chrome without the DRM bit anyway).

  • Sounds wrong (Score:3)

    by Carewolf ( 581105 ) on Monday January 30, 2017 @07:43PM (#53770301) Homepage

    Widevine like all EME are plugins, they are not part of the browser binary, but separate libraries. Chromium couldn't be open source if it wasn't designed that way. So remove the plugin? In any case the part about researching Chrome... WTF? Chromium is open source...

  • Is it just me (Score:4, Insightful)

    by buss_error ( 142273 ) on Monday January 30, 2017 @07:43PM (#53770311) Homepage Journal

    Or is anyone else getting tired of basic internet tools being turned into monsters? By that I am talking about Firefox deciding to not trust a certificate, you can't select "Yes, I know, give it to me anyway". E.g.: StartCom's certs - you can't click past, you have to use another browser.

    Another example: Java 8 - I maintain servers. Many thousands of them, all over the globe. No, I can't put valid certificates on them. That would violate compliance in the first place, in the second place, we are talking $many^3 servers. But in Java 8, you have to add the IP to an exception list. Yeah, that's a lot to maintain. So we don't use Java 8.

    Please guys that write this stuff - you cannot make unilateral decisions on security and not impact workloads. Yes, the average Internet user is an idiot and needs to be protected, but those non-idiots don't have the hours of time needed to get around your unilateral coding decisions.

    • Re: (Score:2)

      by zlives ( 2009072 )

      For Java you can use a deployment file with trusted IPs and a custom certstore file to bypass cert issues. At least most of them.
      Not a simple process, but if you are managing a large deployment then chances are it's no big deal for you.
      Firefox is more manual but also doable...

      • Re: (Score:2)

        by zlives ( 2009072 )

        Actually not sure about the StartCom's certs, I am unfamiliar with them... but even self-signed certs can be added as trusted CAs.

    • No, I can't put valid certificates on them. That would violate compliance in the first place

      Compliance with what?

  • The streaming model is fucking stupid (Score:3)

    by MrKaos ( 858439 ) on Monday January 30, 2017 @07:57PM (#53770427) Journal

    There I said it.

    Why, because media companies are too stupid to come up with a better model so they bog down the net with streams of moronic shows.

    While I am venting my spleen over stupid stuff, another thing pissing me off is slashdot starting to display ads over the posts even when signed in - please stop doing that shit slashdot.

    • ... slashdot starting to display ads over the posts even when signed in ...

      I haven't seen this ... yet.

      I'm running FF 51.0.1 (32-bit) with Adblock Plus and NoScript.

