
Save Firefox - DiabloD3
https://www.eff.org/deeplinks/2016/04/save-firefox
======
azakai
> [The W3C] needs to hear from you now. Please share this post, and spread the
> word. Help the W3C be the organization it is meant to be.

This isn't about the W3C.

This is about EME, and about the companies that created it and promoted it:
Google, Microsoft and Netflix (as you can see on the spec, for example
[https://www.w3.org/TR/encrypted-media/](https://www.w3.org/TR/encrypted-media/)).

Telling the W3C not to do DRM is not going to be effective. The only thing
that can work is to put direct pressure on the parties behind EME, and their
products: Google and Chrome, Microsoft and IE/Edge, and Netflix.

Not only is it not effective to focus on the W3C, it's counterproductive - it
shifts the blame away from the real culprits just mentioned. If you lobby the
W3C against EME but still use products from the companies that created EME,
you're sending mixed messages at best.

Furthermore, even if somehow we got the W3C to not do EME, it wouldn't matter.
Google, Microsoft and Netflix would still be implementing it. They would just
find another standards body.

~~~
dasil003
Your last sentence is exactly right.

Sure DRM is bad, but you can't tell people not to build things a priori like
that, and DRM will be built because the content studios demand it, and the
studios hold the content which everyone wants. The EFF greatly overestimates
the amount of influence browser makers have. No amount of technical pressure
will make an ounce of difference, because browser makers have literally no
leverage on rights holders. If the streaming technology isn't available, then
the studios will simply choose not to stream it, and whoever builds it first
will have a huge market advantage.

Fighting EME not only is ineffectual, it harms open web standards by giving
legs to completely proprietary solutions like Flash and Silverlight. The
bottom line is that EME is a cleaner solution which compromises in a way that
will make open standards more relevant going forward rather than taking an
ideological position that will undermine the utility of open standards in the
marketplace.

Instead of attempting to fight a self-harming losing battle, I wish the EFF
would focus on the real problem which is the DMCA's overreach. Studios should
feel free to build whatever DRM schemes they want, just like the people should
be free to circumvent those measures for content they have legally purchased.
Copyright law is sufficient to balance individual and studios' rights across a
diversity of scenarios with getting a technical quagmire that benefits no one.

~~~
throwaway2048
EME is not even a complete standard, it's basically just a shim to bridge in a
closed source DRM module that can do arbitrary things on the host platform,
and needs specific DRM module support from providers. You can't just target EME
as Netflix, or some other streaming site, you have to target Google Widevine,
or Apple Fairplay etc.

Implementing EME in no way enables you to use these DRM technologies, so it's a
100% worthless "standard".

The DRM/CDM modules are not browser agnostic either, and the browser <-> CDM
api is entirely unspecified.

~~~
icebraining
_closed source DRM module that can do arbitrary things on the host platform_

I don't know about other browsers, but at least Firefox is sandboxing EME
modules so that they can only do a few approved things (security bugs aside,
of course).

~~~
incompatible
Perhaps the new browsers can implement the Firefox interfaces and install the
same proprietary modules if they are so inclined.

~~~
slrz
Back then, Mozilla's plan was for the CDM to inspect the running Firefox and
deny playback if it detects tampering of the relevant browser parts.

How the hell that is supposed to work if the CDM is oh-so-sandboxed is left as
an exercise for the reader.

Did anyone actually check that own builds of vanilla Firefox sources are able
to use the Adobe CDM? Wouldn't surprise me at all if it only worked with the
official Mozilla-signed Windows binaries (yep, at least the Mozilla flavour of
the "portable" and "interoperable" EME is provided for Windows and Windows
only).

------
fpgaminer
Media DRM is not and never was primarily designed to prevent piracy. Rather,
DRM is used by content producers (Fox, Disney, Warner, etc) to assert control
over the rest of the vertical market. This article is a prime example of this.
Thanks to DRM the movie studios force browser vendors to sign agreements to
get access to the CDM, and from that agreement they can assert control. They
can subtly suggest, for example, "Hey, Mozilla, could you revamp your plugin
API to make blocking ads harder? It's fine if you don't, but, oh, by the way,
your CDM agreement expires next month. Looking forward to seeing you at the
re-negotiation meeting."

The same thing goes for encryption on Blu-ray discs, which forces Blu-ray
player manufacturers to sign agreements with them. HDCP on HDMI and
DisplayPort asserts control over TV manufacturers and infests video cards.

This is the same industry that pushed the DMCA on us, extends copyright in
perpetuity, sues families because their kid downloaded an MP3, would like
nothing more than SOPA to pass, etc, etc.

I know that the comments here like to demonize Google, Microsoft, Netflix,
etc. Honestly, I don't believe it's their fault; Netflix in particular.
Netflix is in no position to fight this. If they say no, the media empire will
pull all their licenses and the company will collapse. And Netflix is already
fighting for its life against these same companies for net neutrality (the
major ISPs are owned by the media empire...). Google is leashed by its need
for advertising revenue. Microsoft is beholden to its customers, who want
access to DRM'd content.

In other words, we shouldn't be taking our fight to the W3C, Google,
Microsoft, Netflix, etc. The media empire is the real enemy here. And there's
hope. The rise of cheap, digital cameras and distribution platforms like
YouTube and Twitch have enabled a wide array of independent artists to create
AAA content mostly unbeholden to the incumbent media giants. Some of the best
and most entertaining content I've watched has come from Patreon funded
YouTubers. If that was the only content that the world watched, the media
empire would starve and wither away, and DRM along with them.

~~~
rtpg
Is there real evidence for this? Does Paramount care about ad blocking?

I feel like the simple explanation (DRM is about piracy + a certain worldview
about effectiveness about DRM) is a bit easier to believe than a conspiracy.

DRM is being used as a red herring so that movie studios can control web
browsers? What?

~~~
TheCowboy
Paramount is a subsidiary of Viacom, which does care about ad blocking.

Here's an interview where the CEO fields a question about the topic:
[http://www.businessinsider.com/viacom-bob-bakish-interview-2...](http://www.businessinsider.com/viacom-bob-bakish-interview-2016-2)

"Some of the traditional — dare I say — mediums like television remain very
healthy and very attractive for advertisers because they're not subject to the
whims of adblocking."

------
jflatow
> This system, "Encrypted Media Extensions" (EME) uses standards-defined code
> to funnel video into a proprietary container called a "Content Decryption
> Module." For a new browser to support this new video streaming standard --
> which major studios and cable operators are pushing for -- it would have to
> convince those entertainment companies or one of their partners to let them
> have a CDM, or this part of the "open" Web would not display in their new
> browser.

This is the crux of the issue. The W3C is creating a standard which gives
control to the publishers over which browsers can display their content.

Whether that's "right" or "wrong" is worth debating, but sometimes the real
issue at stake gets obscured in these discussions.

~~~
mynameislegion
I've read many articles critical of EME and this is the first time I've heard
this information. If true, as you said, it is THE issue.

It was always my assumption that EME represented a standard way for CDM's to
interact with the browser. EME is to CDMs as NPAPI is to plugins. That is to
say, a CDM can theoretically work in any browser implementing the EME
standard. Is this assumption completely false?

~~~
mynameislegion
That assumption may indeed be false.

See here[0] in the FAQ "What does this mean for downstream users of the
Firefox code base?"

> The solution consists of three parts: the browser, the CDM host and the
> CDM.
>
> However, the CDM will refuse to work if it finds itself in a host that
> isn’t identical to the Mozilla-shipped CDM host executable.

At first, I interpreted this to mean Mozilla, not Adobe, had implemented the
restriction due to some particulars about the deal with Adobe. But I was
wrong...

> This leaves downstream users of the Firefox code base with the following
> options:
>
> 4. Making arrangements directly with Adobe to get a non-Mozilla CDM host
> executable recognized by the CDM.

In other words, the CDM can discriminate on the CDM host.

My only hope is that this is non-standard temporary behaviour while Mozilla
finishes EME. Otherwise, this is extremely terrible.

[0] [https://hacks.mozilla.org/2014/05/reconciling-mozillas-missi...](https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/)

~~~
caf
...and this - I guess - is where the DMCA issue that the EFF raises comes in.

Because sure, you could build a browser that loads Adobe's CRM and fools it
into thinking it's been loaded into Firefox - but if you did that, you could
well be construed as defeating a technological copyright protection method.

~~~
mynameislegion
So then, the only way CDMs are acceptable IMO is if they're never given enough
information to know where they're running.

This should be a critical part of the standard and I'm surprised I haven't
heard the EFF pushing for this, specifically. If the CDM has enough
information to discriminate, your choice of browser for watching DRMed video
is entirely in the publisher's hands.

The fact that you may get in trouble for fooling the CDM to run on another
browser is almost beside the point. Why should we trust a black box with ANY
information outside of the DRM-specific?

A website can refuse to load based on my user-agent, for example. However, I
have full control over what the website knows about my browser including my
user-agent. Because of this fact, I am always free from browser-discrimination
on the Web.

But I have zero control over what the CDM knows about my browser. Therefore,
the CDM has _complete and unavoidable_ ability to prevent me from accessing
parts of the public Web based solely on my choice of browser. AFAIK this is
unprecedented. It means that users are no longer free from browser-
discrimination, perhaps for the first time in the history of the Web.

~~~
bzbarsky
> This should be a critical part of the standard

The standard is not at all concerned with the browser-CDM interaction, sadly.
And yes, that's a major issue with the standard. We (Mozilla) brought it up
repeatedly when the standard was being developed, because it causes precisely
the issues you describe, and basically got ignored. Microsoft, Google, and
Netflix (the editors for the standard) simply didn't see this as a problem.

Now in practice, Mozilla aims to give the CDM as little information as
possible, because we think it's the right thing to do. But nothing in the EME
standard requires us to do that, and I can't tell you what other browsers do
with their CDMs.

> It means that users are no longer free from browser-discrimination

That's correct. You never _really_ were, by the way: sites can and do use
Modernizr-like testing instead of UA string sniffing to detect what browser
you're running, so the only way to avoid being discriminated against by a site
that really wants to discriminate is to have a browser which responds the same
way an "approved" browser does to all API calls... Doable, but in practice
requires using an "approved" browser with some tweaks that are invisible to
the site.

------
k-mcgrady
Honestly, I'm not against online/streaming content being protected with DRM. I
don't think it's very effective but it doesn't affect me as I don't own the
content so I don't really care.

This seems to be a step too far though. The browser should be a standards based
'viewer' that anyone with the will and the time can create. Let's say Netflix
implements this DRM. They account for more than a third of internet traffic.
If your browser can't support Netflix it's dead in the water.

This is open to so much abuse. The gatekeepers (it seems to be the
entertainment companies in this case) get to choose which browsers live and
die. As we've seen over the last 20 years competition in the browser space is
very important - without Mozilla stepping up and competing with IE I can't
imagine the sorry state the internet would be in today.

Edit: Once again, the DMCA rears its ugly head. Time and again it seems to be
the thing that is abused to screw over consumers. Maybe that's what we should
actually be fighting against.

~~~
kevincox
I don't have any problems with the concept of DRM (controlling how a movie is
used) but I have major issues with what is required to implement it.
Essentially by definition you need to run some code that the user doesn't
control on their computer. How Firefox does it isn't that bad because it is
fairly well sandboxed but over time the urge will be to push it further up the
stack so that gaining access to the content becomes more and more difficult.

I suspect given enough time they will push until they close the Analog
Loophole.

~~~
astrobe_
It seems to me that the implementation issue is just a symptom of a deeper
problem: copyright and DRM by definition grants a monopoly. This monopoly can
be abused. For instance, if you want to watch movie X and it is distributed in
such a way that you have to give private data, your options are not to watch
it or get a "non official" version.

Could the copyright law be extended in order to prevent its abuse and protect
the consumers, for instance by using the concept of "abusive clause" [0]?

[0]
[http://en.wikimediation.org/index.php?title=Abusive_clause](http://en.wikimediation.org/index.php?title=Abusive_clause)

------
hsod
> This system, "Encrypted Media Extensions" (EME) uses standards-defined code
> to funnel video into a proprietary container called a "Content Decryption
> Module." For a new browser to support this new video streaming standard --
> which major studios and cable operators are pushing for -- it would have to
> convince those entertainment companies or one of their partners to let them
> have a CDM, or this part of the "open" Web would not display in their new
> browser.

Isn't this just a standardization of the status quo, with Flash/Silverlight?
Why is it that I always feel like I'm being sold a bill of goods when I read
EFF pieces?

~~~
gshulegaard
I am a little confused by this comment. What status quo?

Silverlight is deprecated. Flash is (at least seems to me) taking its final
breaths.

HTML5 pushed many web native standards for open media:
[https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Usin...](https://developer.mozilla.org/en-US/docs/Web/Guide/HTML/Using_HTML5_audio_and_video).
In fact, the HTML5 video/audio was so open that YouTube had to kill a Chrome
extension that allowed users to use YouTube as a music source without
advertisements or video:
[http://thenextweb.com/insider/2015/07/21/how-youtube-killed-...](http://thenextweb.com/insider/2015/07/21/how-youtube-killed-an-extension-with-300000-users/#gref).
(Side note: the history of what went on with Streamus is woefully simplified
in this article...but let's just say the Streamus dev was open from Day 1 with
Google but only after his extensions started getting traction they shut it
down.)

Anyway, moral of the story is this would be a standardization that steps
_back_ (in many ways) to the days of Flash/Silverlight dominance...not
standardization of the status quo (at least IMO).

~~~
hsod
The status quo is this:

If I build a browser right now from scratch, it can't play Netflix videos.

~~~
serge2k
Can't you just implement NPAPI to get silverlight support and then fake a user
agent to get Netflix to give you the right content?

~~~
charlesdm
I have tried implementing NPAPI loading in a standalone C++ app to load
Silverlight, but failed horribly. NPAPI is badly documented. Anyone here with
any tips? :-)

------
maker1138
The biggest problem is intellectual property. Copyright lasts life + 70 years
and patents last 20 years. That's a long time to have a legal monopoly on
something, and is partly why companies are so big and can behave so badly.

Innovation comes through competition, not monopoly. Ideally, we'd eliminate
patents and copyrights altogether, but as a compromise, I think having terms
of 3 years, with no renewals, is fair. That way a business can capitalize on
what it creates and get a 3 year head start on competition, but you still get
competition fairly soon which benefits consumers.

~~~
hyperdunc
I doubt reducing the monopoly period would stop companies from pushing DRM,
but the length of IP protection is ridiculous and has to change.

3 years will never happen, though. 10-15 years for copyright and 5 years for
patents is more reasonable.

~~~
majewsky
I saw a study some years ago that compared the interests of copyright holders
with those of consumers, and concluded that 14 years after initial publication
(non-renewable of course) is the optimal duration for copyright.

------
Ileca
You can test your convictions by disabling DRM content in Firefox. Uncheck
"Play DRM content".

Unfortunately, convictions won't have consequences on future decisions because
the standard is here and the more you wait the more it becomes embedded. W3C
allowed it to come to light when various plugins wouldn't make DRM viable or
at least more difficult to implement and reach general agreement. Now, even if
you can opt out with Firefox, Netflix really don't care about that because you
decided to disable it so you are a bad client anyway. I understand why the
article is talking about pop-ups because the moment Firefox decided to
implement it, we lost the fight. I use Firefox but lately, I am saddened by
their lack of strong convictions and how they tend to follow google a little
too much. (At least, FF sandboxed the CDM, while not perfect, the other
browsers didn't do it, isn't it?)

~~~
yborg
> Uncheck "Play DRM content".

You need to turn this on <_<

about:config browser.eme.ui.enabled true to allow the checkbox to be
displayed.

FF 46.0.1 OS X.

~~~
Ileca
I didn't have to turn this on. It's in Content section by default...

[https://support.mozilla.org/en-US/kb/enable-drm](https://support.mozilla.org/en-US/kb/enable-drm)

media.eme.enabled to false to disable EME if you want to tweak the config.

~~~
majewsky
I had to turn it on: FF 45.x-esr on OS X (cannot specify ".x" because
apparently the "About Firefox" dialog is broken).

------
usernamebias
Can someone explain why we're stoking the fire this late in the game, not that
it shouldn't be?

Firefox implemented this since May 12, 2015 --
[https://blog.mozilla.org/blog/2015/05/12/update-on-digital-r...](https://blog.mozilla.org/blog/2015/05/12/update-on-digital-rights-management-and-firefox/)

Chrome's had it since v 42

[https://www.chromestatus.com/feature/6578378068983808](https://www.chromestatus.com/feature/6578378068983808)

~~~
Endy
Because, with the recent decisions re Thunderbird & Firefox, the only browsers
that were designed with the intelligent and free user in mind aren't getting
better - they're actually getting worse. Also, EFF has been running articles
about DRM lately. It's not that we're only stoking the fire now... It's that
they are writing about it again.

~~~
twblalock
> Thunderbird & Firefox, the only browsers that were designed with the
> intelligent and free user in mind

That's not remotely close to being true.

~~~
HalcyonicStorm
some examples, por favor?

~~~
BoysenberryPi
Vivaldi?

~~~
scholia
Vivaldi is (a) new; (b) based on Chromium; and (c) not actually open source.
(I use both Vivaldi and Firefox, but not Chrome.)

Historically, Firefox has been the main user-centered browser, but not the only
one. Especially if you include forks.

~~~
Endy
Vivaldi also shares a design lineage with Opera 12 and previous, in terms of
who the designers are/were. When we lost Opera, I think we lost the open web
in a lot of ways. As much as Opera was a closed-source proprietary engine etc.
browser, it stood out against the background of the larger Web giants. When
they folded and gave in to Google, I was horrified.

Still, the loss of a Community Firefox is a bad thing.

------
developer2
Are clickbait titles permitted on HN? The link has absolutely nothing to do
with Firefox, let alone "saving it". It's an opinion piece / call to action
regarding the W3C and the state of Encrypted Media Extensions. "Firefox" does
not belong in the title, as it's irrelevant to the topic. Luring us with the
name of a popular open source application, to then present a piece with a
barely-related agenda behind it should not be acceptable.

As a side note, I'm sad to see that the EFF has adopted a PETA-like strategy
to the way they tackle issues.

------
brianpgordon
> users want to sit in the driver's seat.

> We need more Firefoxes.

> We need more browsers that treat their users, rather than publishers, as
> their customers.

Until they started talking about DRM I was hoping that we were "saving
Firefox" from mandatory extension signing.

As of Firefox 47, you will not be able to install any extension which hasn't
been digitally signed by Mozilla. There will be no about:config setting to
override this. They claim that this will prevent adware from disabling the
digital signature requirement. But it's also taking power out of the hands of
users, with the justification that supposedly Mozilla knows better than their
users do what code they want to run.

This is the death-knell of Firefox for me. I'll be switching to an unbranded
fork and hoping that the security updates keep coming.

[https://wiki.mozilla.org/Add-ons/Extension_Signing](https://wiki.mozilla.org/Add-ons/Extension_Signing)

------
xori
I'm interested to see how effective the EME is to prevent illicit copying of
media. YouTube and Netflix both use DRM _now_ but it doesn't stop youtube-dl
or pirate WEB-DL rips from netflix from existing.

------
xvilka
There is a way to protect the content by adding per-user (subscriber)
watermarks in the video/audio streams. Thus, no one will need these shady CDMs
and Co. Of course, you say, you can try to find those watermarks/etc. But in
the same way you can try to circumvent CDM code as well. Still, it will allow
to eliminate proprietary extensions from the web standards.

------
AtticusRex
Question: He says EME will allow publishers to dictate which browsers can
implement CDMs that can interoperate with their content, and therefore control
the browser market, and that this will quell innovation. I have questions
about this, however. In the old but waning status quo, Adobe and Microsoft got
to decide which browsers would work with Silverlight and Flash (right?) so it
still wasn't possible for a developer to make a new browser that could play
DRMed video without getting their permission. What is the meaningful
difference from the new status quo?

Is the difference that now, publishers control content and compatibility,
whereas before publishers controlled content and DRM companies controlled
compatibility? Is that actually a meaningful change for users or for browser
developers? It doesn't seem like it is.

Am I missing something?

~~~
makomk
> In the old but waning status quo, Adobe and Microsoft got to decide which
> browsers would work with Silverlight and Flash (right?)

Nope. The status quo was that any browser which implemented NPAPI (officially
the Mozilla plugin API, but historically used by everyone but IE) could use
Silverlight and Flash. That's how Google Chrome got Flash support initially
and the reason why obscure browsers that neither Adobe nor Microsoft cared
about could still support both.

------
majewsky
Honest question: How relevant is DRM in preventing piracy in non-interactive
media?

Consider a theoretical world in which DRM would reliably prevent unauthorized
copying or decryption of DRM-secured content 100% of the time. The obvious
attack vector for pirates would be to play the video and audio and just
capture it with a camera directly in front of the monitor, and a microphone
attached to every speaker.

Are pirates doing this today, or is it just not worth it because DRM schemes
are easily circumvented? I'm quite confident that copying of the physical
signals should produce good results. There are consumer cameras capturing 4K
video, and a video that's distorted by a non-orthogonal view on the screen can
trivially be fixed in software. (It loses some fidelity, but you should still
be able to get near-full-HD output out.)

------
wahsd
I just found out that Firefox removed the 3D Inspector with v.47. It's a shame
because that was an excellent tool for auditing and inspecting. If you haven't
had the chance, give it a whirl.

~~~
epmatsw
It was a neat tool for sure, but apparently did not work in multi-process
Firefox. Guess it wasn't used enough to merit a rewrite.

------
pmoriarty
Better solution: repeal the DMCA.

------
jakobdabo
Isn't it trivial to reverse engineer the DRM module to create its clean room
open source implementation thus effectively deprecating it?

~~~
wmf
And then it's trivial for the DRM creator to sue you under the DMCA. I also
suspect that CDMs can update (this is called "renewability" in DRM newspeak).

~~~
besselheim
If the reversing and reimplementation happens outside of the US you can avoid
the DMCA issue entirely. Or take steps to publish anonymously.

~~~
slrz
You probably should also give up on going to any conferences on US soil in the
future.

~~~
besselheim
That's true, they treated Sklyarov most unfairly, given that it was entirely
legal in his home country.

------
SmellyGeekBoy
> Literally none of the dominant browsers from a decade ago are in widespread
> use today.

Sorry to nitpick and detract from the real point here, but unless my memory
deceives me IE was the dominant browser in 2006 and by a lot of measures still
is. What a bizarre statement to make.

~~~
Freak_NL
Chrome, for better or for worse, has the largest market share, by a fair
margin. IE11+/Edge, Safari, and Firefox each have a good share, but none are
dominant.

IE10 and lower are down to 1-2% (!).¹

[1]: [http://caniuse.com](http://caniuse.com)

------
phn
Well, the issue is that popups were a nuisance, while being able to watch all
those publishers' content is not.

I totally understand the concerns, but making users choose something out of
ideology is much harder than simply providing a better experience.

------
Karunamon
Let's get something straight here. This EME debacle was never a choice between
DRM and no DRM, it was a choice between _DRM in a consistent standard_ vs _DRM
with a thousand ad-hoc plugins_.

The browser without EME will be pilloried by its users for not supporting the
content they want to access. Users use a browser to access content, not to
support philosophical positions on what software should and shouldn't do.

The lesser of two evils was chosen. You don't have to like it, but that's the
reality of this situation. It is _not realistic_ to suggest that the largest
browser vendors not support user demanded content.

Speaking of philosophical positions, most DRMed content accessed by a user in
a browser is going to be of the streaming variety, i.e. something that DRM
isn't preventing you from doing something you're otherwise not supposed to be
doing anyways.

~~~
drewcrawford
The unsupported assertion that a DRM-free universe "is not realistic" is not
an argument, even when it is repeated for emphasis in italics.

In the music industry, DRM seemed inevitable until one morning Steve Jobs woke
up on the wrong side of the bed. Then the whole thing crumbled overnight.

iTunes was _not_ "pilloried by its users for not supporting the content they
want to access". Users _did_ prefer to buy DRM-free music, bolstering iTunes
marketshare in the process. The historical record demonstrates the opposite of
your hypothetical.

If Chrome or Safari drew a line in the sand and said "No DRM", that would be
the end of DRM on the web. It seems they are not willing to do that. But that
is a reflection on the lack of leadership at the technology companies, not on
the inevitability of DRM.

~~~
Karunamon
No it wouldn't have - we'd just continue on the existing path of multiple
different plugins with their own incompatibilities and security holes, which
is strictly worse for the user.

Furthermore, you imply a level of informal cooperation between the browser
vendors that doesn't exist. It turns into a game of prisoner's dilemma, where
the first person to defect gets to claim a massive feature that none of the
others do, and the others are left in worse shape.

I'm no fan of DRM, but again, it's the world we live in.

~~~
CaptSpify
> we'd just continue on the existing path of multiple different plugins with
> their own incompatibilities and security holes, which is strictly worse for
> the user.

And this is how it should be. I want users to get tired of installing more
plugins. I want them to roll their eyes when a site says "you need to add
$x to be able to use this site." We had the same problems with mp3's, and we
won out. I see no reason we can't win out with any other media.

~~~
Karunamon
_And this is how it should be_

Only if you ignore:

* Users "rolling their eyes" means nothing when they'll gladly click OK to dismiss all the security warnings and installations of n plugins so they can watch Netflix. They'll complain, but the plugin will still be installed at the end of the day. I'd rather that plugin be sandboxed.

* That the practical implications of lessened security are more real, hence important than the theoretical concerns by a sandboxed plugin whose entire mission in life is stopping you from recording a fscking video stream.

The user you're talking about, the one who signs up for Netflix, gets prompted
to download a plugin, shakes their head sadly and cancels their subscription
because DRM is evil, doesn't exist outside of FSF patrons.

------
baby
I'm actually more concerned by the "save itunes"
([https://news.ycombinator.com/item?id=11670232](https://news.ycombinator.com/item?id=11670232))

------
dredmorbius
The problem here is capture. W3C has been captured by the digital restrictions
management cabal. Mozilla, Google, Apple, and Amazon are playing along. In
three cases, they _are_ the cabal.

------
0x0
If firefox really cared about its users maybe it should stop force-feeding
"value-adds" like Hello and Pocket down everyone's throat by default.

~~~
zeveb
If Firefox really cared about its users maybe it shouldn't have broken the
security of Firefox Accounts and Sync. It used to be secure; it no longer is.

~~~
0x0
Source?

~~~
samuellb
[I edited my answer, because now I read that new system is claimed to be end-
to-end secure as well]

[https://support.mozilla.org/en-US/kb/sync-your-firefox-bookm...](https://support.mozilla.org/en-US/kb/sync-your-firefox-bookmarks-history-passwords-and-)

In the old system your data was encrypted with a key that was only stored on
your devices. Adding a new device meant that you had to do a kind of key
exchange process (which was perceived as complicated[1]).

When Mozilla introduced the new system there was very little information on
how the data was encrypted. I think the documentation only said that they used
TLS (or something like that). But when reading their current documentation I
see that it's not the case; they are apparently encrypting your data with a
key derived from your password. So if you use a (cryptographically) strong
password it should be secure[2]. Assuming that it works as documented of
course.

[1] [http://www.cnet.com/news/mozilla-adopts-plain-vanilla-passwo...](http://www.cnet.com/news/mozilla-adopts-plain-vanilla-password-sign-in-for-firefox-sync/)

[2] [https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-fr...](https://support.mozilla.org/en-US/kb/firefox-sync-upgrade-frequently-asked-questions)

~~~
zeveb
The new system encrypts one's secrets with a function of one's Firefox account
password and stores it on Mozilla's servers. That has two effects: one, an
insecure Firefox account password (i.e., a password it is possible to
remember) can compromise one's entire synced data; two, anywhere one enters
one's Firefox account password is a potential danger.

As it turns out, Mozilla serves JavaScript files which are used to handle
Firefox account passwords. Any government Mozilla is beholden to could compel
them to serve malicious versions of those files and steal one's Firefox
account password (and then decrypt all of one's synced data, including
passwords). Likewise, a malicious Mozilla employee could do the same.

As a result Mozilla Sync may no longer be used by anyone who cares about the
privacy of his browsing history and/or passwords.

------
reacweb
Currently, watching a DRM protected video requires Flash and gives an inferior
experience to watching a non DRM protected video. Most of the non protected
videos can be easily downloaded using youtube-dl. Recently, I wanted to watch a
movie on M6 live (French TV). Firefox (on Wine to have the latest upgrade of
Flash) crashed twice. As a result, I downloaded it from a torrent and removed
it after watching it.

I think the current situation gives a lot of motivation to avoid DRM. If EME
becomes a standard, we would lose much.

~~~
reacweb
To make my opinion clear: current situation is a mess, a future with EME would
be a hell.

------
746F7475
I thought from the title that this was a plea for Mozilla to rewrite Firefox
from scratch since it is such a bloated mess.

~~~
majewsky
Actually they're rewriting the better part, see Servo.

------
LoSboccacc
firefox invested more time in the omnibar nobody wanted than in fixing
compatibility issues.

we are actively discouraging people using firefox because whenever we try to
use anything modern, firefox will fail it.

the wonky outline implementation has been borked for more than a luster, has
multiple bugs opened and ignored, etc.
[https://bugzilla.mozilla.org/show_bug.cgi?id=687311](https://bugzilla.mozilla.org/show_bug.cgi?id=687311)

and I found people complaining as early as this
[http://www.webdesignerdepot.com/2010/03/css-bugs-and-inconsi...](http://www.webdesignerdepot.com/2010/03/css-bugs-and-inconsistencies-in-firefox-3-x/)
and now I wonder how many of those are still there.

firefox cornered itself out of relevance, and this

"We need more Firefoxes.

We need more browsers that treat their users, rather than publishers, as their
customers."

doesn't match with firefox priorities as observed so far at all. firefox needs
to save firefox.

------
literallynone
Just don't pay for DRM'd content. Use torrents, libgen, etc.

------
_nato_
Can someone clarify what is meant by `publisher' in this piece?

~~~
jflatow
The parties which provide the content, often the ones who create it but not
always. As opposed to the browser vendor, or the consumer (browser user).

------
jbmorgado
What Firefox needs to be saved from is Mozilla.

------
neurobuddha
Doesn't Mozilla have a lucrative deal with Yahoo? I mean Yahoo!

~~~
RubyPinch
yeah but so? from my read-through, it's not literally "save the one and only
firefox", it's "we need an environment that allows for other browsers to enter
the field" which DRM prevents

~~~
adrusi
Does EME prevent new browsers from implementing it freely? I admit I haven't
read the spec but from what I've read second-hand, it seems like it enables
the _vendor_ to ship the DRM code as a binary blob that runs natively in a
sandbox.

As I understand, EME doesn't lock out new _browsers_, it locks out new
architectures and kernels. But any new architecture that comes along that
anyone would want to use to view DRM-encumbered media would be mainstream
enough that content providers would support it, and people running an
experimental OS kernel already have to use a more traditional system for a lot
of things, and probably aren't a demographic too keen on DRM in the first
place.

~~~
bzbarsky
EME doesn't prevent browsers from implementing EME. But since EME doesn't
describe how the browser should talk to the CDM (just how scripts on a page
talk to the browser), implementing EME is not useful in terms of working with
actual CDMs that exist in the real world...

------
shams93
Servo might save it. The C++ codebase for Firefox is a nightmare, but Servo
could wind up taking back the crown from Chrome.

------
binaryanomaly
As much as I would love to... Just recently switched from FF to Chrome since the
latter just works technically a lot better :-(

Hope the new servo engine can make FF shine again otherwise I fear the worst.

~~~
Eupolemos
You really should have read the article before posting.

~~~
binaryanomaly
True ;)

