Chrome 57 Will Permanently Enable DRM

The next stable version of Chrome (Chrome 57) will not allow users to disable the Widevine DRM plugin anymore, therefore making it an always-on, permanent feature of Chrome. The new version of Chrome will also eliminate the “chrome://plugins” internal URL, which means if you want to disable Flash, you’ll have to do it from the Settings page.

How EME Brought Mandatory DRM On The Web

EME (Encrypted Media Extensions) is an HTML specification which allows DRM plugins to encrypt web content. The specification was proposed by Netflix, as well as by Google and Microsoft.

The main positive feature of EME was supposed to be that internet users will be able to see more Hollywood content without any plugins, such as Silverlight or Flash, on the web. At the time, Netflix was using a Silverlight player to stream its shows and movies in browsers.

The idea sounded appealing, especially considering Silverlight was getting deprecated by Microsoft, and Flash was known even then for its security issues. In time, most browsers also announced that they would deprecate Flash in favor of HTML alternatives.

However, this was mainly an issue for Netflix, which had to rewrite its web player with HTML. The company also ended up creating native applications anyway, making the web version almost unnecessary. (Although there is a convenience factor to the web version as well, especially for people who are used to be doing everything in the browser these days.)

Perhaps EME’s biggest flaw is ultimately that it didn’t fulfill its main promise to get rid of plugins. Not only does EME require a DRM plugin for protected content, but it requires one for each browser, for whichever platform you may be using. Microsoft’s Edge browser uses the company’s own Windows 10 native DRM, while Chrome and Firefox use Google’s Widevine DRM. Firefox also uses Adobe’s “Primetime” DRM plugin.

Therefore, even a single browser may now require two different DRM plugins to play all DRM content. These plugins have their own security issues, but unlike with the Flash vulnerabilities, security researchers are banned from looking for them, due to Section 1201 of the Digital Millennium Copyright Act (DMCA). That means malicious hackers, who already engage in other criminal activities, may freely take advantage of all the vulnerabilities they find in these DRM plugins before companies discover them on their own.

Beyond the plugin issue, there may also be an oligopoly issue, because the content market will depend on four, and perhaps soon only three, major DRM services players: Google, Microsoft, and Apple. All of these companies have their own operating systems, so there is also less incentive for them to support other platforms in their DRM solutions.

What that means in practice is that if you choose to use a certain Linux distribution or some completely new operating system, you may not be able to play protected content, unless Google, Microsoft, or Apple decide to make their DRM work on that platform, too.

Chrome DRM, Now Always-On

According to a Chromium issue, the next version of Chrome will not allow users to disable DRM in their browsers anymore. Right now, if users don’t want to ever play Widevine-protected content, they can go to the chrome://plugins address and disable the DRM plugin there.

That doesn’t mean they can play the same videos without DRM protection, but according to some on the Chromium issue page, it saves them from having to deal with a bunch of Widevine DRM bugs that causes their Chrome browser to crash often.

It also allows the users to send content distributors a message that DRM is not accepted. If enough people do it, then it may stop or at least slow down the spread of DRM-locked content on the web. Alternatively, if DRM is enabled and can’t be switched-off in all browsers, more and more developers may start to “take advantage” of it, just like they would any new other HTML specification, and lock-down increasingly more content.

PDF Reader, Native Client Can’t Be Disabled Either

So far only the Flash plugin can be disabled in the Chrome Settings page, but there is no setting to disable the Widevine DRM plugin, nor the PDF viewer and the Native Client plugins. PDF readers, including the ones that are built into browsers, are major targets for malicious hackers. PDF is a “powerful” file format that’s used by many, and it allows hackers to do all sorts of things given the right vulnerability.

People who prefer to open their PDF files in a better sandboxed environment or with a more secure PDF reader, rather than in Chrome, will not be able to do that anymore. All PDF files will always open in Chrome’s PDF viewer, starting with Chrome 57.

Chrome’s New Restrictions Firefox’s Opportunity?

Firefox has its own series of security issues. However, as the team behind it works to significantly improve its security and performance this year, and as Chrome keeps using its large market share to enable user restrictions, Firefox may start to be used more by technology enthusiasts and their friends.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Elysian890
    If people asks me why I use Firefox, i'll show them this.
    Reply
  • aquielisunari
    19230749 said:
    And these content providers/owners wonder why people torrent instead of using these services,,,, this one of the main reasons besides money.

    And this user shows why content is so expensive. Justifying theft(digital or otherwise) isn't possible.

    oligopoly is your word of the day.
    Reply
  • bo cephas
    Time to switch browsers.
    Reply
  • cat1092
    I don't have a problem with the change, nor to I intend to switch back to Firefox full time again. Was a loyal user for nearly 4 years after IE8 crippled my XP Pro notebook that had only 2GB of DDR2 RAM, yet after a couple of Full buggy versions (to include several sub-versions), hopped on the Google Train & have never looked back.

    Google Chrome, if not burdened down with extensions (what many terms 'add-ons') is a very fast browser, much more so than Firefox, and if one needs resources while performing non-Chrome activities, there's a setting to fix that. Go to Settings, to the bottom of the page click 'Show Advanced Settings', close to the bottom that a pre-checked box that says 'Continue running background apps while Google Chrome is closed' and uncheck that option, then restart the browser. This is the same for all Chromium based browsers, to include Opera, the up & rising Vivaldi, Flash Peak Slimjet (a fast ad-free browser) & others.

    Once that's done, then Chrome will no longer hog the RAM on systems that has 4GB or less, or 8GB if one is performing other intensive work, because it won't auto start with the computer. With 16 to 32GB RAM installed, this is a non-issue & nothing to fret over.

    As far as being on the legit side of the table, it's those who are stealing digital media who are driving up pricing for honest, paying customers like myself. Viewing pirated media is no different than running a non-genuine OS, as far as personal morals goes, both are wrong. There's plenty of free & legit sites to watch movies, as well as 'trailers', which some believes are better than viewing the final product.

    So if enforcing DRM helps consumers to have fewer price increases due to theft, I'm all for it.:-)

    As far as it being as opportunity for Firefox, I don't believe so. For starters, Mozilla is in a transition period, and over time, Firefox will become more & more Chrome-like. Some of the extensions have already been removed, and word has it that perhaps the most powerful security extension of any browser in NoScript, as well as their powerful download manager in Down Them All (the latter developer has been very vocal about this) are going away, and the lead developer for DTA stated that he wouldn't make an effort to rework the extension for the upcoming changes. Of which more will be on the way in the next few release cycles.

    So I see this in a positive light, that major browsers will have no choice at some point other than follow Google's lead.

    Cat
    Reply
  • KaiserPhantasma
    Can someone sum this up for me? me being one of the "average users"? I don't really know what to take from this.
    Reply
  • alextheblue
    19230749 said:
    And these content providers/owners wonder why people torrent instead of using these services,,,, this one of the main reasons besides money.
    Fearmongering AND ignorance, impressive! Explain how this DRM extension hinders you? It's used for paid content access... like Netflix, Hulu, etc. If you don't have a subscription, you can't watch their content. If you do and you have a compatible browser (or DRM-enabled app), you can watch their content. There are many reasons people torrent... some are legit reasons. But DRM protected pay services are not a legit gripe since you have access to apps and browsers that can play the content with ease.

    19231402 said:
    Can someone sum this up for me? me being one of the "average users"? I don't really know what to take from this.
    It's really about encryption. They're getting away from proprietary solutions like Silverlight and Flash to secure their subscription content. So the browsers will have a built-in DRM plug-in that is used when required by a secured (encrypted) stream (like Netflix). Despite what some pants-soiling fanatics would have you believe, it won't affect regular users at all, unless they insist on doing something silly like using an outdated browser. Even irregular users will be fine in most cases. ;)
    Reply
  • JackBurton
    @KAISERPHANTASMA

    This is much ado about nothing. They've locked out third party PDF viewers to likely prevent security issues (do NOT install extensions unless you know what you're doing), and the DRM setting is irrelevant as if you disabled it, you wouldn't of been able to Netflix.

    To the average user this means nothing. To internet kleptos, they'll whine but won't switch.
    Reply
  • Raymond_92
    Shame, I suppose Vivaldi (Being based on google's chromium) will also be affected.

    I will be swapping to firefox as my default browser.
    Reply
  • matmat9v
    19231536 said:
    19230749 said:
    And these content providers/owners wonder why people torrent instead of using these services,,,, this one of the main reasons besides money.
    Fearmongering AND ignorance, impressive! Explain how this DRM extension hinders you? It's used for paid content access... like Netflix, Hulu, etc. If you don't have a subscription, you can't watch their content. If you do and you have a compatible browser (or DRM-enabled app), you can watch their content. There are many reasons people torrent... some are legit reasons. But DRM protected pay services are not a legit gripe since you have access to apps and browsers that can play the content with ease.

    19231402 said:
    Can someone sum this up for me? me being one of the "average users"? I don't really know what to take from this.
    It's really about encryption. They're getting away from proprietary solutions like Silverlight and Flash to secure their subscription content. So the browsers will have a built-in DRM plug-in that is used when required by a secured (encrypted) stream (like Netflix). Despite what some pants-soiling fanatics would have you believe, it won't affect regular users at all, unless they insist on doing something silly like using an outdated browser. Even irregular users will be fine in most cases. ;)

    1. Except that DRM plugin is a surface attack that is by law blocked from any testing by anyone except developer. So much easier attack target.
    2. The more sites use DRM (which is not free in terms of performance by the way), the less chance other browsers and/or operating systems have of providing full user experience because content will not be displayed in this new browser/system - it's of course because there is no standard, open source and free DRM alternative that content providers are likely to use.

    DRM is not created to protect from users stealing content but to wage war between content providers, to lock users to their services.

    Contrary to what the article states users can disable opening PDF documents in inbuilt plugin, they can (in settings) choose to use external program to do so.
    Reply
  • razor512
    19231402 said:
    Can someone sum this up for me? me being one of the "average users"? I don't really know what to take from this.

    The takeaway is that the DRM plugin will be permanently enabled, thus you now have a larger attack surface, consisting of code that security researchers can not legally attempt to exploit, thus instead of this code being proactively attacked and responsibly disclosed to the company, we will now have to wait until a malicious person exploits it before work can be done to patch the issue.

    It is overall bad for the user as for the sake of DRM, you are being made objectively less safe if using that browser.
    There is no perfect code, thus one of the best ways to remain secure, is to reduce your attack surface.

    Think how often flash, shockwave, silverlight, and java gets exploited. Normally when these plugins get exploited, if you do not have them installed, then you are safe. If you do not install java, then you are secured against all current and future java exploits.

    Now imagine if you were forced to keep java installed even though you are not using it, and you could not even disable it. then all of a sudden, you are now open to exploits that can take advantage of code running that you personally have no use for.

    This applies to the DRM plugin. It is extra code running whether you need it or not, and it can likely be exploited by malicious people since no perfect code exists.
    Reply