Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If a program had its own implementation of widevine, why wouldn't you also be "effectively a web browser" ?


Sure, it would be "effectively a web browser". But it would also require a secret key. If the program is not licensed to hold the key, that could be considered circumvention.


Other browsers have the key, why would this one be different ?


Because they have a license.


So if a program used a licensed browser as an intermediary to obtain Widevine-protected content, would that be circumvention?


I even sidestepped the obvious of loading widevine.so, running it, symbolic execution, etc. It's mostly a thought experiment to show how everything is stupid in the end.

I'm afraid in a few months/years, we'll see the hardware security level to become mandatory for Netflix, etc. And then YouTube.


In the old days, someone who wanted to send you this kind of content would build and sell hardware for you to receive and play it (like a DVD player).

Online streaming services have, in part, scaled so quickly because they run on the general-purpose computers that people already own. So they don't need to bear that hardware cost. These general purpose computers have been fertile soil to grow and nurture the seeds that software companies scatter to the winds.

How interesting it would be if it comes full circle with specialized hardware being required on each PC to receive the content stream.


That kind of "pull the ladder up behind you" strategy would be a natural thing for today dominants players to try. They benefited from an open playing field, but now they no longer need it. If they succeed, they have established a massive moat to stave off competition. If they manage to get it into standards and legislation, then undoing it would require a tectonic shift. Google is especially well positioned for this - Chrome, Google Search, Android and Youtube being potentially very effective places to do DRM media gatekeeping. "don't be evil" had to go from their mission statement. Maybe "universally accessible" will be next...


The way they do it is to bake DRM mechanisms into platforms. Intel ME, AMD PSP, Apple T2 chip/SE, those secondary computers bear the DRM hardware features, so end product manufacturers don’t have to handle it.


It's still going to be hardware everyone already owns, just with specific features. It's not a separate purchase of a dvd player, you're buying a phone that has the licensing chip built in


And HDCP is already a thing for authenticating screens.


Loading widevine.so (extracted from a ChromeOS image) and running it is exactly how Kodi reproduces DRM-protected videos.


Isn't the Widevine password essentially public as it is distributed to the client where it was extracted? Or was the Widevine key somehow stolen from Google's private repository?


There are multiple widevine keys, some are in CPU memory (shipped with the client software), some are in trusted enclaves on devices. Some of the trusted enclave keys have been dumped from hardware (nexus 6 for one, iirc) and eventually those keys were revoked or downgraded


IMHO, if it is on the client, it is public.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: