Chrome 57 Will Permanently Enable DRM

The next stable version of Chrome (Chrome 57) will not allow users to disable the Widevine DRM plugin anymore, therefore making it an always-on, permanent feature of Chrome. The new version of Chrome will also eliminate the “chrome://plugins” internal URL, which means if you want to disable Flash, you’ll have to do it from the Settings page.

How EME Brought Mandatory DRM On The Web

EME (Encrypted Media Extensions) is an HTML specification which allows DRM plugins to encrypt web content. The specification was proposed by Netflix, as well as by Google and Microsoft.

The main positive feature of EME was supposed to be that internet users would be able to see more Hollywood content on the web without any plugins, such as Silverlight or Flash. At the time, Netflix was using a Silverlight player to stream its shows and movies in browsers.

The idea sounded appealing, especially considering Silverlight was getting deprecated by Microsoft, and Flash was known even then for its security issues. In time, most browsers also announced that they would deprecate Flash in favor of HTML alternatives.

However, this was mainly an issue for Netflix, which had to rewrite its web player with HTML. The company also ended up creating native applications anyway, making the web version almost unnecessary. (Although there is a convenience factor to the web version as well, especially for people who are used to doing everything in the browser these days.)

Perhaps EME’s biggest flaw is ultimately that it didn’t fulfill its main promise to get rid of plugins. Not only does EME require a DRM plugin for protected content, but it requires one for each browser, for whichever platform you may be using. Microsoft’s Edge browser uses the company’s own Windows 10 native DRM, while Chrome and Firefox use Google’s Widevine DRM. Firefox also uses Adobe’s “Primetime” DRM plugin.

Therefore, even a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

Beyond the plugin issue, there may also be an oligopoly issue, because the content market will depend on four, and perhaps soon only three, major DRM services players: Google, Microsoft, and Apple. All of these companies have their own operating systems, so there is also less incentive for them to support other platforms in their DRM solutions.

What that means in practice is that if you choose to use a certain Linux distribution or some completely new operating system, you may not be able to play protected content, unless Google, Microsoft, or Apple decide to make their DRM work on that platform, too.

Chrome DRM, Now Always-On

According to a Chromium issue, the next version of Chrome will not allow users to disable DRM in their browsers anymore. Right now, if users don’t want to ever play Widevine-protected content, they can go to the chrome://plugins address and disable the DRM plugin there.

That doesn’t mean they can play the same videos without DRM protection, but according to some on the Chromium issue page, it saves them from having to deal with a bunch of Widevine DRM bugs that cause their Chrome browser to crash often.
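
A page script can check which DRM modules a given browser profile actually exposes by asking EME for each key system. The following is an added example, not code from the article or from Chromium; the function names probeKeySystems and drmSurface are hypothetical, and the key-system strings are the identifiers commonly used for Widevine, PlayReady, Primetime and ClearKey.

```javascript
// Added example. Key-system identifiers for the DRM modules the article
// names, plus ClearKey, which the EME specification itself defines.
const KEY_SYSTEMS = {
  'com.widevine.alpha': 'Google Widevine',
  'com.microsoft.playready': 'Microsoft PlayReady',
  'com.adobe.primetime': 'Adobe Primetime',
  'org.w3.clearkey': 'ClearKey (EME baseline)',
};

// Offer several containers and init-data types; the request succeeds if the
// browser supports any one of them for the requested key system.
const PROBE_CONFIG = [{
  initDataTypes: ['cenc', 'webm', 'keyids'],
  videoCapabilities: [
    { contentType: 'video/mp4; codecs="avc1.42E01E"' },
    { contentType: 'video/webm; codecs="vp9"' },
  ],
}];

// nav is the browser's navigator object (passed in so the probe can be tested).
async function probeKeySystems(nav) {
  const report = [];
  for (const [id, name] of Object.entries(KEY_SYSTEMS)) {
    const entry = { id, name, available: false, detail: '' };
    if (!nav || typeof nav.requestMediaKeySystemAccess !== 'function') {
      entry.detail = 'EME API not exposed to this page';
    } else {
      try {
        const access = await nav.requestMediaKeySystemAccess(id, PROBE_CONFIG);
        entry.available = true;
        entry.detail = access.keySystem;
      } catch (err) {
        entry.detail = err.name; // e.g. NotSupportedError when absent or disabled
      }
    }
    report.push(entry);
  }
  return report;
}

// The third-party DRM code reachable from any web page in this profile.
function drmSurface(report) {
  return report.filter((e) => e.available && e.id !== 'org.w3.clearkey')
               .map((e) => e.id);
}

if (typeof window !== 'undefined' && typeof navigator !== 'undefined') {
  probeKeySystems(navigator).then((r) => console.table(r));
}
```

Run from the developer console on an HTTPS page; an empty drmSurface result means no DRM module answered for that profile.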

It also allows the users to send content distributors a message that DRM is not accepted. If enough people do it, then it may stop or at least slow down the spread of DRM-locked content on the web. Alternatively, if DRM is enabled and can’t be switched off in all browsers, more and more developers may start to “take advantage” of it, just like they would any other new HTML specification, and lock down increasingly more content.

PDF Reader, Native Client Can’t Be Disabled Either

So far only the Flash plugin can be disabled in the Chrome Settings page, but there is no setting to disable the Widevine DRM plugin, nor the PDF viewer and the Native Client plugins. PDF readers, including the ones that are built into browsers, are major targets for malicious hackers. PDF is a “powerful” file format that’s used by many, and it allows hackers to do all sorts of things given the right vulnerability.

People who prefer to open their PDF files in a better sandboxed environment or with a more secure PDF reader, rather than in Chrome, will not be able to do that anymore. All PDF files will always open in Chrome’s PDF viewer, starting with Chrome 57.

Chrome’s New Restrictions, Firefox’s Opportunity?

Firefox has its own series of security issues. However, as the team behind it works to significantly improve its security and performance this year, and as Chrome keeps using its large market share to enable user restrictions, Firefox may start to be used more by technology enthusiasts and their friends.

24 comments
  • Elysian890
    If people ask me why I use Firefox, I'll show them this.
    14
  • razor512
    Anonymous said:
    Can someone sum this up for me? me being one of the "average users"? I don't really know what to take from this.


    The takeaway is that the DRM plugin will be permanently enabled, thus you now have a larger attack surface, consisting of code that security researchers can not legally attempt to exploit, thus instead of this code being proactively attacked and responsibly disclosed to the company, we will now have to wait until a malicious person exploits it before work can be done to patch the issue.

    It is overall bad for the user as for the sake of DRM, you are being made objectively less safe if using that browser.
    There is no perfect code, thus one of the best ways to remain secure, is to reduce your attack surface.

    Think how often Flash, Shockwave, Silverlight, and Java get exploited. Normally when these plugins get exploited, if you do not have them installed, then you are safe. If you do not install Java, then you are secured against all current and future Java exploits.

    Now imagine if you were forced to keep Java installed even though you are not using it, and you could not even disable it. Then all of a sudden, you are now open to exploits that can take advantage of code running that you personally have no use for.

    This applies to the DRM plugin. It is extra code running whether you need it or not, and it can likely be exploited by malicious people since no perfect code exists.
    11
  • aquielisunari
    Anonymous said:
    And these content providers/owners wonder why people torrent instead of using these services... this is one of the main reasons besides money.


    And this user shows why content is so expensive. Justifying theft (digital or otherwise) isn't possible.

    Oligopoly is your word of the day.
    -8
  • bo cephas
    Time to switch browsers.
    6