Linked by Thom Holwerda on Wed 14th May 2014 21:10 UTC
Mozilla & Gecko clones

Despite our dislike of DRM, we have come to believe Firefox needs to provide a mechanism for people to watch DRM-controlled content. We will do so in a way that protects the interests of individual users as much as possible, given what the rest of the industry has already put into place. We have selected Adobe to provide the key functionality. Adobe has been doing this in Flash for some time, and Adobe has been building the necessary relationships with the content owners. We believe that Adobe is uniquely able to bring new value to the setting.

Talk about being between a rock and a hard place. Don't include DRM, and see your userbase erode further. Do include DRM, and you go against your organisation's core values. If you go for the former, and your userbase erodes, you run the risk of not being able to express your core values at all.

Thread beginning with comment 588982
RE[2]: ...
by silviucc on Thu 15th May 2014 06:59 UTC in reply to "RE: ..."
silviucc Member since:
2009-12-05

Oh yeah, just as secure, huh? Take a look at the recent brouhaha about and the way Chromium checks whether certs are revoked or not:

https://code.google.com/p/chromium/issues/detail?id=361820

Version 34 still has the option to turn on the half-broken behaviour but later versions will just hide the crap under the rug.

Good luck with it!

Edited 2014-05-15 07:00 UTC

Reply Parent Score: 4

RE[3]: ...
by Morgan on Thu 15th May 2014 11:05 in reply to "RE[2]: ..."
Morgan Member since:
2005-06-29

Version 34 still has the option to turn on the half-broken behaviour but later versions will just hide the crap under the rug.


And that's the version I run; I'm not an idiot. Since I compile it from source, it's not automatically updated by itself or my OS; I'm the one who decides when and how to update it.

Reply Parent Score: 3

RE[4]: ...
by silviucc on Thu 15th May 2014 12:51 in reply to "RE[3]: ..."
silviucc Member since:
2009-12-05

It's still broken, man. Instead of a hard-fail if OCSP servers don't reply or time out, they will just let you connect to the site...

What are you going to do when they stop maintaining the 34 version? Will you backport security patches on your own?

Reply Parent Score: 4

RE[3]: ...
by Alfman on Thu 15th May 2014 14:23 in reply to "RE[2]: ..."
Alfman Member since:
2011-01-28

silviucc,

Oh yeah, just as secure, huh? Take a look at the recent brouhaha about and the way Chromium checks whether certs are revoked or not:


Yea, I posted my thoughts on it earlier:
http://www.osnews.com/thread?586767

I cannot strictly fault the browsers here because OCSP reliability/performance is not where it needs to be. Even if we were to enforce OCSP 100% of the time, SSL certs would necessarily become untrusted by default until they were authorized by the certificate authority. This effectively nullifies all of the technical benefits of using PKI.

Now that we have the requirement that the CA must be polled periodically for HTTPS websites to function (either directly or via stapling), we might as well replace all these OCSP hacks with a more flexible and more secure system that signs & returns short-lived certificates. No changes would be required in web browsers and minimal changes would be required to web servers (just a job to fetch new certs periodically). In order to exploit these certs maliciously, a hacker would have to regularly break into the system to copy the cert, increasing the odds of getting detected. Even if they never get caught, the hacker could lose access once a vulnerable system gets updated.

With OCSP, certificate revocation is reactive: we need to detect/suspect unauthorized copies and report that to the CA before the leaked HTTPS certificate can be revoked. This means that for the most part an unauthorized copy of the certificate can be used fraudulently (i.e., man in the middle interception) over the long term with fairly little risk since neither the users nor the website owners will suspect anything.

Edited 2014-05-15 14:36 UTC

Reply Parent Score: 4
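
The trade-off argued in the comments above (soft-fail OCSP, hard-fail OCSP, and short-lived certificates), as an added example that is not part of the original thread. It is a simplified model: the policy functions, dates and lifetimes are constructed assumptions, and it ignores stapling, caching and clock skew.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

class Ocsp(Enum):
    GOOD = 1
    REVOKED = 2
    NO_REPLY = 3  # responder down, timed out, or dropped by an on-path attacker

@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    def in_validity(self, now):
        return self.not_before <= now <= self.not_after

def soft_fail(cert, now, ocsp):
    # Behaviour criticised in the thread: no answer is treated like "good".
    return cert.in_validity(now) and ocsp is not Ocsp.REVOKED

def hard_fail(cert, now, ocsp):
    # Strict policy: anything other than a fresh "good" answer is rejected.
    return cert.in_validity(now) and ocsp is Ocsp.GOOD

def short_lived(cert, now, ocsp=None):
    # No revocation lookup at all; expiry is the only control.
    return cert.in_validity(now)

def exposure_days(policy, cert, stolen_at, ocsp, horizon=400):
    """Days after the theft on which a client still accepts the stolen copy."""
    return sum(policy(cert, stolen_at + timedelta(days=d), ocsp) for d in range(horizon))

# Constructed scenario: key and cert copied 30 days after issuance.
T0 = datetime(2014, 1, 1)
STOLEN = T0 + timedelta(days=30)
YEAR_CERT = Cert(T0, T0 + timedelta(days=365))
THREE_DAY_CERT = Cert(T0 + timedelta(days=29), T0 + timedelta(days=32))

def summary():
    return {
        "undetected, soft-fail": exposure_days(soft_fail, YEAR_CERT, STOLEN, Ocsp.GOOD),
        "undetected, hard-fail": exposure_days(hard_fail, YEAR_CERT, STOLEN, Ocsp.GOOD),
        "revoked+blocked, soft-fail": exposure_days(soft_fail, YEAR_CERT, STOLEN, Ocsp.NO_REPLY),
        "revoked+blocked, hard-fail": exposure_days(hard_fail, YEAR_CERT, STOLEN, Ocsp.NO_REPLY),
        "short-lived cert": exposure_days(short_lived, THREE_DAY_CERT, STOLEN, None),
    }

if __name__ == "__main__":
    for case, days in summary().items():
        print(f"{case:28} {days:3d} days")
```

The "undetected" rows show the reactive-revocation point: while nobody has reported the theft, the responder keeps answering "good", so neither OCSP policy shortens the window. The hard-fail row with `NO_REPLY` also applies to an honest site during a responder outage.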