4

EME is a technology to allow proprietary code to be run in browser to frustrate piracy.

What are the security implications of this? Will it have full access to my computer (like the good-ol' ActiveX plugins?), and will it have any security benefits over Flash?

Anders
  • 64,406
  • 24
  • 178
  • 215
Charles Shiller
  • 443
  • 1
  • 4
  • 6

1 Answers1

7

EME doesn't "allow" proprietary code, that's a misinformation of Wikipedia based on this four years old post , a post which does not provide real information, just the assumption that at some point a full DRM solution will be integrated into the browser.

The EME is just an API to interact with the license server and the Content Decryption Module. This CDM is the one responsible for decrypting the video. It runs in a sandboxed environment, so no access to your computer is needed.

The whole purpose of EME is to not need a plugin to use a DRM system, so you don't need to rely on third party plugins (Flash, Silverlight...). Therefore, you are removing an often vulnerable point.

In summary, the EME doesn't add any security at all from the server side, but it provides security in the client side removing the need of installing a third-party plugin.

The Illusive Man
  • 10,487
  • 16
  • 56
  • 88
  • Well the CDM is sandboxed, but how strong is a sandbox exactly? – André Borie May 12 '16 at 17:22
  • @AndréBorie I don't know the answer to that question, but I'm curious, how do you want to *exactly* measure that? IMO, the sandbox doesn't depend on EME but on the browser itself, so it may be better in Chrome than in Firefox for instance. – The Illusive Man May 12 '16 at 17:28
  • Fine, what's the security advantage of the CDM over Flash/Silverlight/Java – Charles Shiller May 13 '16 at 17:59
  • @CharlesShiller I told you already. It is sandboxed into the browser (that is, it doesn't have access to the system). Third party plugins run at the system level. – The Illusive Man May 14 '16 at 12:03
  • Regarding piracy, how safe is video/audio secured this way? If I encrypted and served video, with, say, Azure Media Services, how hard would it be for you to download and distribute? – nmit026 Oct 18 '17 at 04:01
  • 1
    @nmit026 it would be as hard as breaking the DRM system. EME is not the one providing you with security capabilities, the DRM is. – The Illusive Man Oct 18 '17 at 08:24