On Monday, May 19, 2014 2:43:19 PM UTC+3, Mike Perry wrote:
> I just saw
> https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/
> and I'm a bit concerned.

Note that a FAQ has now been appended to that post.

> Obviously, it will be simple enough for Tor Browser and other Free/Libre
> Firefox derivatives to disable this DRM mechanism,

Many derivatives don't disable the NPAPI, though. Does Tor Browser? If not, why not? Considering that the CDM will be sandboxed but NPAPI plug-ins aren't, it would be more rational for Tor Browser to support downloading the CDM than to support NPAPI plug-ins. After all, if the sandbox doesn't have bugs and the networking goes over Tor, the CDM should be no worse for privacy than cookies or IndexedDB (see below).

> but I'm worried about
> the long term effects of giving the web a persistent device identifier
> (which that blog post mentions,

The post mentions it specifically to explain what we are doing about it. To make what we are doing clearer, we are:

1) Making Mozilla code gather the device-identifying raw data instead of letting the CDM have that level of system access.

2) Hashing the Mozilla-code-gathered device-identifying information together with a per-origin browser-generated secret and letting the CDM see the hash.

3) Allowing the user to clear the per-origin browser-generated secret to have the browser generate a new one. (Doing this will introduce latency to your next use of the CDM with the origin for which you cleared the browser-generated per-origin secret.)

> but I can't find direct reference to in
> the EME draft spec).

EME doesn't specify DRM. It specifies an API for talking to a DRM component (that it calls a CDM). It just happens that node locking (making the user unable to migrate DRM keys from one device to another on their own, as opposed to re-requesting keys from the DRM server) is a feature that Hollywood-approved DRMs tend to have.

> It seems to me that a device identifier will quickly be abused by more
> than just streaming media sites. What will prevent banking sites,
> government sites, and even sites that are simply hostile to privacy from
> requiring the receipt of a device id before allowing access to their
> content?

The CDM will be sandboxed and the ID the sandboxing host exposes to the CDM will be 1) not reversible to permanent device-identifying info (see "hash" above) and 2) compartmentalized per-site and resettable, so no worse as a tracking identifier than the site setting a cookie or storing some data in IndexedDB or localStorage.

> Have these issues been considered?

They have. In fact, we considered this such an important point that addressing it was part of the initial announcement. Search for "By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user's device." in the very post you linked to!

-- 
Henri Sivonen
[email protected]
https://hsivonen.fi/

_______________________________________________
dev-privacy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-privacy
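The per-origin hashed node-ID scheme described in points 1) to 3) above, as an added example that is not part of the original message or of Mozilla's code. It assumes HMAC-SHA256 as the hash and a random 32-byte per-origin secret (the message only says "hashing ... together"); the `NodeIdBroker` class, the origins and the raw device data are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed stand-in for the raw device-identifying data that the browser
# (not the CDM) gathers. In the described scheme the CDM never sees this.
RAW_DEVICE_DATA = b"serial=CONSTRUCTED-123;cpu=constructed;board=constructed"


class NodeIdBroker:
    """Browser-side host that hands the sandboxed CDM a per-origin hash.

    Assumed construction: id = HMAC-SHA256(key=per_origin_secret,
    msg=raw_device_data). The secret lives only in the browser.
    """

    def __init__(self, raw_device_data: bytes) -> None:
        self._raw = raw_device_data
        self._secrets: Dict[str, bytes] = {}

    def _secret_for(self, origin: str) -> bytes:
        # Generate a fresh random secret the first time an origin asks.
        if origin not in self._secrets:
            self._secrets[origin] = secrets.token_bytes(32)
        return self._secrets[origin]

    def node_id_for(self, origin: str) -> str:
        """The only identifier the CDM is allowed to see for this origin."""
        key = self._secret_for(origin)
        return hmac.new(key, self._raw, hashlib.sha256).hexdigest()

    def clear_secret(self, origin: str) -> None:
        """User-initiated reset: the next request gets a new secret and ID."""
        self._secrets.pop(origin, None)


def check_privacy_properties() -> Dict[str, bool]:
    """Exercise the properties the message claims for the exposed ID."""
    broker = NodeIdBroker(RAW_DEVICE_DATA)
    video_1 = broker.node_id_for("https://video.example")
    video_2 = broker.node_id_for("https://video.example")
    bank = broker.node_id_for("https://bank.example")
    broker.clear_secret("https://video.example")
    video_3 = broker.node_id_for("https://video.example")
    # An unkeyed hash of the same raw data would be a stable cross-site ID;
    # the keyed construction is what prevents a site from recomputing it.
    unkeyed = hashlib.sha256(RAW_DEVICE_DATA).hexdigest()
    return {
        "stable_within_origin": video_1 == video_2,
        "unlinkable_across_origins": video_1 != bank,
        "reset_changes_id": video_1 != video_3,
        "unkeyed_hash_differs": unkeyed not in (video_1, bank, video_3),
    }
```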
