tags : Web Security, Security
I wasted about 5 hours trying to pirate DRM content. I think I’ll not come back to this space in a while. I learned a lot tho.
Intro
- Publisher POV: A means for a media/game publisher to protect its products or prevent piracy.
- Buyer POV: You are entitled to watch the video
- DRM approach for digital software can, and maybe inevitably will, be defeated.
Why Bad?
- DRM itself isn’t bad, it’s implementations of DRM which get people riled up.
- It’s a decision that publishers take, things that are purchased do not have to be DRMed.
- The best DRM is to make a fantastic game that people will want to pay for even if they pirate it and be a good guy game dev.
DRM FAQ
Why YouTube doesn’t DRM
- YouTube videos are public, and DRM is there to protect the publisher. On YouTube, the publishers are the YouTubers, and YT has made some pact with YouTubers about it; it’ll be a whole legal mess imo.
- It’s also costly to implement a DRM system and once done, people might also be able to break it
- Also, DRM protected vids are not playable on all devices. That means using DRM on YT will break browser support.
Games
- There was a moment when it was just easier to buy a game on Steam instead of pirating it. Then game companies came out with DRM that required an always on internet connection to connect to their servers… THEN these servers go down can’t handle the number of connections globally, and you’re simply fucked and not able to use the game you paid good money for. - Some reddit comment
Browsers and Video
Netflix serves up encrypted content that is decrypted by the client, and web browsers are equipped to perform that.
EME
- EME (Encrypted Media Extensions) is the standard that allows DRM in HTML5 video.
- It specifies
  - How webpages talk to the browser about doing DRM Things
- It does not specify anything about
  - The interface between CDM and Browser
  - How the media file is encrypted
  - How it is decrypted
  - How it will be displayed on the client’s device.
Details on EME
- EME is a JavaScript API for the HTML <video> and <audio> elements, for dealing with media files that contain encrypted tracks.
CDM (Content Decryption Module)
- Proprietary part of EME
- Usually implements a key system
- It specifies
  - How the media file is encrypted
  - How it is decrypted
  - How it will be displayed on the client’s device
Browsers
Chrome
- The browser doesn’t implement the DRM itself, but delegates it to a native CDM library
Others
- Different browsers support different key systems.
- Chrome has Widevine, which Google acquired from another company.
- IE/Edge use Windows’ built-in DRM.
- Firefox on Windows is currently using something from Adobe.
Websites
- Websites (e.g. Netflix) also need to individually support each of these key systems
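The page-to-browser side of EME described above, and why a site has to handle each key system itself, as an added example (not code from any site or project mentioned here). The key system strings are the commonly used identifiers for Widevine, PlayReady and Clear Key; the license URLs, the codec string and the function names are assumptions for illustration.

```javascript
// Key systems a site might support, in preference order. License URLs are
// placeholders (assumption), not real endpoints.
const KEY_SYSTEMS = [
  { name: "com.widevine.alpha", licenseUrl: "https://license.example/widevine" },
  { name: "com.microsoft.playready", licenseUrl: "https://license.example/playready" },
  { name: "org.w3.clearkey", licenseUrl: "https://license.example/clearkey" },
];

// What the page asks the browser for: init data format plus codec support.
const CONFIG = [{
  initDataTypes: ["cenc"],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
}];

// Probe each key system through EME; the browser rejects those it has no CDM for.
// `nav` is injectable so the function can also run outside a browser.
async function pickKeySystem(nav = globalThis.navigator) {
  const rejected = [];
  if (!nav || typeof nav.requestMediaKeySystemAccess !== "function") {
    return { chosen: null, access: null, rejected, reason: "EME not available" };
  }
  for (const ks of KEY_SYSTEMS) {
    try {
      const access = await nav.requestMediaKeySystemAccess(ks.name, CONFIG);
      return { chosen: ks, access, rejected, reason: null };
    } catch {
      rejected.push(ks.name); // promise rejected: key system or config unsupported
    }
  }
  return { chosen: null, access: null, rejected, reason: "no supported key system" };
}

// Browser-only wiring: attach MediaKeys to a <video>. The CDM builds the license
// request; the page only relays opaque bytes to the license server and back.
async function attachDrm(video, nav = globalThis.navigator) {
  const { chosen, access, reason } = await pickKeySystem(nav);
  if (!chosen) throw new Error(reason);
  await video.setMediaKeys(await access.createMediaKeys());
  video.addEventListener("encrypted", async (ev) => {
    const session = video.mediaKeys.createSession();
    session.addEventListener("message", async (msg) => {
      const res = await fetch(chosen.licenseUrl, { method: "POST", body: msg.message });
      await session.update(await res.arrayBuffer());
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
}
```

The page never sees keys or decrypted frames here: everything between `generateRequest` and `update` is opaque to JavaScript and handled inside the CDM.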
DRM Implementation
Now there are a lot of DRM implementations. It can be custom, whatever makes sense for the use case; it’s not a specific thing.
Product key
- Simple product key scheme: people authenticate their product key when connecting
- Client side DRM is mostly useless unless it’s somehow network based
Auth servers
- Minecraft etc. use some kind of Auth server
Bigger implementations
- Widevine
Widevine
- DRM implementation for Video
- The only officially supported way to use Widevine on Linux is using Chrome on x86_64
Levels
Both of these DRM levels have been broken, but the release groups keep it secret or something.
L1
- L1 requires a TEE exploit to obtain keys
L3/L3+
- Platform may or may not decide to use L3 for Full HD
Linux x86_64
Chrome
- CDM takes the form of a dynamic library called libwidevinecdm.so
  - Opaque proprietary blob
Firefox
- Chromium provides the C++ headers for libwidevinecdm.so
  - The headers allow other projects like Firefox to implement support for Widevine, via the EME API,