
Firefox Users Can Now Watch Netflix HTML5 Video on Windows - ehPReth
https://blog.mozilla.org/blog/2015/12/17/firefox-users-can-now-watch-netflix-html5-video-on-windows/
======
mmastrac
Given that the CDM is sandboxed, does this mean that it should be
significantly easier to recover encryption keys from it given that you could
effectively run the CDM inside of a tracing emulator?

~~~
pdkl95
Today? It should be fairly easy to recover anything you want with a debugger,
given sufficient time and effort.

In future versions once SGX is available (>= Intel Skylake)? Good luck
extracting data from an encrypted enclave. This is, after all, the intended
purpose[1] for SGX - to create the "trusted computing" (DRM) that Microsoft
has wanted for the last decade[2]. It's not like these new instructions are
for the end-user; Intel has to authorize[3] you binary before it can be loaded
into an enclave.

Anybody using the CDM - even sandboxed - is helping to create that future. If
this isn't fought and rejected _now_ , yet another battle in the War On
General Purpose Computers will be lost.

[1] [https://software.intel.com/en-
us/blogs/2013/09/26/protecting...](https://software.intel.com/en-
us/blogs/2013/09/26/protecting-application-secrets-with-intel-sgx)

[2] "Palladium" / "Next-Generation Secure Computing Base" in the early 2000s

[3] [https://jbeekman.nl/blog/2015/10/intel-has-full-control-
over...](https://jbeekman.nl/blog/2015/10/intel-has-full-control-over-sgx/)

~~~
walterbell
_> Intel has to authorize[3] you binary before it can be loaded into an
enclave._

Wouldn't that make Intel liable for the actions of the binary? They would have
to manage an application review process for any binary on any operating
system, which sounds like an app store nightmare writ large. Not to mention
revocation and repeating the entire process for security updates to software
in the enclave. Could different governments require Intel to impose different
blacklists on enclave software authors?

It's hard to see why they Intel would open themselves to such complex
scenarios, unless it's a trial balloon that precedes a federated model or some
other method of distributing key authority to multiple app stores and/or the
hardware owner.

------
omarforgotpwd
Translated headline: content owners can now deliver DRM'd video without using
browser plugins.

~~~
wmf
There's definitely a plugin here; it's just auto-downloaded.

~~~
mtgx
Great, so they told us to "embrace DRM on the web if you want plugin-free
Netflix!", and then we got both the DRM _and_ a Netflix plugin.

Such a deal.

~~~
Someone1234
But why did you want plugin free Netflix to begin with?

Because Flash (and Java) are massive ongoing security concerns. Flash is too
complex and has too much surface area, this new plugin even aside from being
sandboxed, is simpler and with less surface area.

I am not saying that exploits won't be found here. I am just saying it may not
be as bad as the continuously dripping tap that is Flash.

~~~
admax88q
They could easily have implemented a better more secure plugin without having
to corrupt W3C standards with DRM.

~~~
cpeterso
The EME DRM specification was authored by Microsoft, Google, and Netflix. Now
that the other major browsers like Chrome, Edge, IE, and Safari implement EME
and it is used by major content providers like Netflix, Amazon, HBO, and
Canal+, Mozilla is backed into a corner.

Not that long ago, Mozilla tried to challenge H.264 on the Web. The Chrome
team agreed to drop H.264 too, but they didn't keep their word and, without a
public explanation, kept supporting H.264. When cat videos encoded in H.264
don't work in Firefox but work in Chrome, users switch to Chrome and may never
come back. And now when video services people pay money for work in Chrome but
not Firefox, users switch to Chrome and, again, may never come back.

[http://blog.chromium.org/2011/01/html-video-codec-support-
in...](http://blog.chromium.org/2011/01/html-video-codec-support-in-
chrome.html)

[https://news.ycombinator.com/item?id=2093219](https://news.ycombinator.com/item?id=2093219)

~~~
pdkl95
> Not that long ago, Mozilla tried to challenge H.264 on the Web.

Ahh, hubris. They thought they could force the industry's hand with their
market share... which was already starting to decline. By focusing on H.264
(and promoting _Theora_!), they succeeded in keeping Flash around as websites
decided letting Firefox users stay with flash was easier and cheaper than
listening to Mozilla's demands regarding <video>. Sometimes I hate bring
right[1]...

What they should have done is _dodge_ the problem by leaving the question of
codec to the OS. Instead, Mozilla decided to drive users away. Which was also
the obvious end result[2].

I understand (and support) making ideological decisions, but it's also
important to pick you battles.

[1]
[http://yro.slashdot.org/comments.pl?sid=1597850&cid=31643970](http://yro.slashdot.org/comments.pl?sid=1597850&cid=31643970)
("Endymion"/UID=12815 on /. is me)

[2]
[http://yro.slashdot.org/comments.pl?sid=1597850&cid=31644218](http://yro.slashdot.org/comments.pl?sid=1597850&cid=31644218)

~~~
cpeterso
I agree that H.264 was not a fight that could be won, considering existing
H.264 content and mobile devices' hardware support. But I'm sure the situation
seemed more hopeful when 40% of the browser market (30% Firefox plus 10%
Chrome, at the time) would drop H.264, especially when Google also owned
YouTube and On2 Technologies (VP8).

Dodging the problem by leaving the codec support to the OS would fragment
cross-platform compatibility if websites stuck with a Windows-only codec.
Today, Firefox does use H.264, AAC, and MP3 decoders from the OS, but AFAIU
doesn't expose any other OS codecs to web content.

Do you think the current situation with EME DRM is "H.264 all over again"? At
least now, we can sandbox the DRM bits and dump NPAPI plugins. EME and CENC
commoditize DRM, separating content encoding and DRM. Content providers don't
need to reencode their video library to add support for new DRM systems.

~~~
pdkl95
> fragment cross-platform compatibility

No, it wouldn't have, in the long run. H.264 was chosen by the _hardware_
manufacturers (phones, video cameras, etc), and the software world would have
fallen in line. As they did.

Besides, any temporary problems could have been handled by a _fix_ provided by
not-Mozilla, just like how DVD support was enabled in many distros (by
downloading libdvdcss from France).

> drop H.264

Believed the _hardware industry_ would reverse years of designs based around
H.264 is magical thinking. Software follows what the hardware supports (you
are _not_ going to get everybody to re-encode their cat videos). Anybody that
believed that the _browser_ market could trump the _mobile phone_ market is
showing they don't understand how _de facto_ standards work. When Mozilla was
arguing against H.264 5 years ago, they were already several years _too late_.

Screaming at the tide to turn back doesn't actually work, even if your
intentions are good.

> VP8

...was future technology. Once it was _actually released_ by Google with the
WebM container it became a relevant option (which was a good idea to support
_in addition_ to H.264 that was already very commonly used.

The nonsense _before_ Google released VP8 was merely wishful thinking. Much
like how solar power advocates like to include "future improvments" in their
claims, claims that H.264 was not needed usually suggested using VP8 _while it
was still vaporware_.

> Today, Firefox does use H.264, AAC, and MP3 decoders from the OS

Which proves it is possible, and could have been done 5 years earlier to kill
off Flash.

> but AFAIU doesn't expose any other OS codecs to web content.

They shouldn't, in general. Adding another list that can be probed for browser
identification wold be a terrible idea.

> Do you think the current situation with EME DRM is "H.264 all over again"?

I think Mozilla is responsible for EME being completely accepted. Before
announcing EME support, it was still possible to argue that EME was not
supported by all browsers, an admittedly small reason for websites to not use
EME. With Mozilla abandoning their mission (specifically principles #2, #6,
and #7) to chase market share and become a Chrome clone, a major battle in the
War On General Purpose Computing has been lost.

If Mozilla cared about the future of an open internet in the slightest, they
wouldn't support any form of DRM, with no exceptions. THAT is the place a
principled stand should have been taken, not video codecs. Instead, Mozilla
has chosen to let others pick the battlefield. The claim was that this was
necessary to safe their market share. Well, that didn't work[1].

Now that Mozilla has given up the fight against DRM, the problem will spread.
The ebook industry already wants EME-like support.

[1]
[https://upload.wikimedia.org/wikipedia/commons/8/86/Usage_sh...](https://upload.wikimedia.org/wikipedia/commons/8/86/Usage_share_of_web_browsers_%28Source_StatCounter%29.svg)

~~~
cpeterso
Thanks for the information. I cede to most of your points, especially on
codecs. :) A few more questions:

> Which proves it is possible, and could have been done 5 years earlier to
> kill off Flash.

How would HTML5 video, using OS codecs, kill Flash unless it also had DRM
support? Flash has had DRM since 2007 (Flash Player 9).

> I think Mozilla is responsible for EME being completely accepted. Before
> announcing EME support, it was still possible to argue that EME was not
> supported by all browsers, an admittedly small reason for websites to not
> use EME.

Chrome shipped EME in 2013. Safari and IE shipped EME in 2014. EME content was
already live and supported by ~60% of browsers when Mozilla began implementing
EME in mid-2014. Perhaps Firefox could continue to lean on Flash and
Silverlight to play DRM'd video.. until content providers decide they don't
want to continue supporting NPAPI for Firefox's small market share. Flash is
insecure and Silverlight is on the path to EOL.

> The claim was that this was necessary to safe their market share. Well, that
> didn't work

Whether EME has any effect on Firefox market share is yet to be seen. It just
went live this week. Chrome or Edge users are unlikely to switch to Firefox
_because_ they want DRM video to stop working.

~~~
pdkl95
This is the problem with letting the opponent pick the battlefield. If you've
decided that "playing DRM video" is a necessary feature, you are choosing to
perpetually play catch-up.

"The only winning move is not to play."

The media industries are very used to being the middlemen that dictate how
their industry works. As middlemen, they have the power to control both sides
(publishers and consumers). As monopolists, they get to abuse the market by
_tying /bundling_ the things people want to the things they want to push ("if
you want to watch $POPULAR_SHOW, you need to submit to using our DRM"). They
also get to play various financial games, though that is less important re:
video.

These problems are not _technical_ in nature, and cannot be solved by writing
software. Chrome and Edge are colluding to require some type of DRM (that they
or their friends control)? They should face the Sherman and Clayton Antitrust
Acts. Unfortunately, we have let institutional corruption take over the parts
of government that should be enforcing those laws.

Choosing _freedom_ instead of submitting to the copyright cartels requires
sacrifice. Mozilla could help this with stuff like an educational campaign,
but there will always be casualties when fighting entrenched powers.

Many people chose _convenience_ instead of investing in their future, so now
we are in an uphill battle. It's difficult to convince people that they should
choose a _healthy_ browser instead of the copyright cartel's junk-food, and I
don't know of any great solutions.

What I do know is that giving up the fight and granting those middlemen even
more power is only going to make future battles for free software and an open
internet even harder. Do you want to tackle is problem now? Or do you want let
power accumulate even more and fight a harder problem in the future?

------
kozukumi
It has been working since Firefox 42 for me. Maybe even before then I am not
sure. I guess this is just Netflix making it official now that both 32 and
64-bit versions of Firefox are officially supported on Windows?

~~~
cpeterso
Good eye! :) Netflix has been A/B testing the Adobe CDM in the Firefox 42
release channel for a couple weeks (and in the Firefox pre-release channels
for months). This is just the official launch announcement.

~~~
kozukumi
Yeah I figured it was such. Thanks for all the great work on Firefox, a lot of
people love to hate on it these days but it is still my favourite browser.
Have a great Christmas :)

------
z3t4
This is amusing ... HTML5 video have been available for years! Even in
royalty-free formats.

As for DRM, if you can play it on a monitor, even hardware decoded, you can
still capture it!

Doesn't Netflix allow you to watch the same movie over and over again without
paying extra!? So there is no incentive to copy it in the first place!

~~~
izacus
It's not Netflix (and other providers) that want the DRM, it's the actual
movie studios. The deal is "either you use DRM from our approved whitelist or
you will not be allowed to offer our shows for streaming".

------
distantsounds
Unless this is open enough to the point where I can natively browse and watch
Netflix on XBMC / Kodi, this really isn't making any strides towards anything
really usable. They're just shifting the tech around from one format to
another without much benefit to the end user.

------
shmerl
No, thanks. Not using Windows and not using DRM either.

~~~
i80and
PSA for those stuck on Windows: Mozilla makes an EME-free build for Firefox
available here:

[http://download.cdn.mozilla.net/pub/firefox/releases/43.0/wi...](http://download.cdn.mozilla.net/pub/firefox/releases/43.0/win64-EME-
free/)

~~~
skrebbel
I really wonder what kind of filter bubble one must live in to write "those
stuck on Windows" on a place like HN.

~~~
scrollaway
GP didn't imply that "those stuck on Windows" make up 90% of the population or
anything. But seeing how inconvenient Windows, compared to alternatives, is
for the tech crowd which makes up a large portion of HN... then yes, it's fair
to say "for those stuck on Windows".

~~~
skrebbel
Wow, you simply can't imagine people might have other preferences than you!

~~~
scrollaway
I can. I'm very sorry you can't.

------
daguava
The part I find scary is it uses Adobe's new Content Decryption Module.

So you mean to tell me the alternative to the buggy insanely insecure Adobe
Flash is... more software by Adobe?

~~~
JustSomeNobody
But is it guaranteed to be buggy and insecure just because it is by Adobe?

~~~
pasbesoin
Having spent 7.5 hours on multiple customer support calls to Adobe just to get
a feature enabled (compatibility with a 32 bit system) that was stated ON THE
PRODUCT BOX as being present and working... YES!

(Yes, this is a bit OT, but still, "Adobe".)

I also fear the CDM support being used to "lock down" ever more aspects of web
content.

And I fear attempts on the part of Adobe as well as others (perhaps in concert
with a State or corporate power) to escape sandboxing and do "whatever" on
client systems for their own purposes. In other words, here is another binary
blob from Adobe (et al.?) that we are supposed to trust.

Sorry, Adobe, but -- through dint of extended experience -- I simply don't
trust you.

------
jokoon
Oh, nice, I recently tried netflix something like 1 month ago, and changed my
mind instantly when I saw this weird message about some silverlight key DRM
agreement.

------
lolyololol
Free computing dies one circus show at a time.

