Professor Emeritus Blake Y Rat

@rcombs Websites have had DRM for decades. That's how Netflix determines whether you're allowed to see 4k video or not.

13 comments
ಚಿರಾಗ್ 🌹✊🏾Ⓥ🌱🇵🇸 (he/him)

@blakeyrat @rcombs Sure? But we sure as hell shouldn't allow it to get even worse than it already is.

Professor Emeritus Blake Y Rat

@chiraag @rcombs I skimmed the proposal and I'm not sure why I'm supposed to feel it's so horrible.

Andrew Scott

@blakeyrat @chiraag @rcombs
In plain English, it reallocates control from the many (i.e. users) to the few (Google), which is a direct threat to the open web. You're correct that it isn't DRM in the same way as Widevine, it's more like the Play Store - if your device/client doesn't play by Google's rules it's not going to work right.

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs What thing I currently control would I no longer control if this were implemented?

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs Like... I'm not trying to be condescending, but that was monumentally vague. I'm an extremely practically-minded person.

Andrew Scott

@blakeyrat @chiraag @rcombs
You would cede control of your browser and the hardware that runs it. Under this scheme clients would be verified similar to how smartphones are - apps (or websites, in this case) will just refuse to work without device certification by Google. It's why banking apps, Netflix, Snapchat, and others often can't be used with 3rd party Android ROMs. Google is talking about extending the authority they exert over Android users to the internet more broadly.

Andrew Scott

@blakeyrat @chiraag @rcombs
And I agree it's vague, but there's no specific implementation I can point to at this time and say "look at this, this is the code they want to force us to run on our own damn machines." We can make comparisons to traditional DRM or frameworks like the Play Store which interfere with our hardware, but I can only speak to the contents of that repo which are also highly speculative about how such a scheme would be achieved.

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs If computer security folks are really concerned about this thing, a good first step would be to figure out how the fuck to explain it to people using brief, concrete examples that don't rely on guesswork or conspiracy theories. I'll hold off on panicking over it now. I just wanted to point out it's dumb to say "Google is adding DRM to the web!" when it's had DRM for decades, that was the main thing I had to say, haha.

Andrew Scott

@blakeyrat @chiraag @rcombs
That's fair, I had typed my other reply about the reference spec before I saw this. I think it would be more accurate to say that this would massively extend existing bullshit, it's not necessarily new bullshit. And I wouldn't advise panic at this point, but I'm sure it's obvious that I'm not in favor either.

Andrew Scott

@blakeyrat @chiraag @rcombs
There is a prototype implementation for Chromium (rupertbenwiser.github.io/Web-E), but it is largely incomplete with a lot of info marked as TODO. However it does at least confirm much of what I've said - client-side code communicates with a centralized attester that verifies the validity of the client. If the attester (Google) doesn't like the client or its settings you must change them, thus Google now decides what you can and cannot do with your hardware.

LisPi

@ascott @blakeyrat @chiraag @rcombs It's instead a way more direct anti-competitive setup and I expect it to result in litigation for exactly those reasons.

That doesn't prevent it from causing damages in the meantime.

DELETED

@blakeyrat @rcombs Yes, but that applies to only media elements. This applies to entire websites, and, if I read the explainer correctly, also requires a rootkit on your device so the attester can be sure it's running what it says it is. (The example rootkit being Google Play Services on Android.)

Professor Emeritus Blake Y Rat

@carcosa @rcombs I'm sorry, a TPM chip is a "rootkit" now? Are you serious?
