reminder: revisit DRM

[Thorin-Oakenpants]

refresher link on DRM threat

just some thoughts for discussion

• my initial thought is that videos do not autoplay, so therefore there is nothing to worry about. If a user wants to watch a video, then let them: rather than throw up more breakage
  • not 100% sure about the autoplay or autoplaying after a user gesture
• i have no idea how many sites this would affect, but I'm guessing major sites like Netflix, Disney+, Hulu, Amazon etc require it and you're already logged in (so some sort of UUID is there for starters)
• i guess the real issue is that users cannot tell on other sites, if DRM is being used?
• the threat model isn't exactly suited here IMO: I think this is more of a hardened thing or users should use Tor Browser

current

/* 1825: disable widevine CDM (Content Decryption Module)
 * [SETUP-WEB] if you *need* CDM, e.g. Netflix, Amazon Prime, Hulu, whatever ***/
user_pref("media.gmp-widevinecdm.visible", false);
user_pref("media.gmp-widevinecdm.enabled", false);
/* 1830: disable all DRM content (EME: Encryption Media Extension)
 * [SETUP-WEB] if you *need* EME, e.g. Netflix, Amazon Prime, Hulu, whatever
 * [SETTING] General>DRM Content>Play DRM-controlled content
 * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
user_pref("media.eme.enabled", false);

I'm not 100% sure if this is all that is needed, but

• essentially make these inactive and flip from [SETUP-WEB] to [SETUP-HARDEN]
• I also think the visability pref is overkill (it shows/hides the plugin in plugins)

Class, discuss!!

[Thorin-Oakenpants]

pants overrides

/* testing: allow DRM */
/* how long til I get the plugin
 - about:addons>Plugins shows Widevine with message that it will be installed shortly
 - watching the "profile/gmp-widevinecdm" folder .. nothing happens
 - got bored after a five minutes
 - in the end, I went "check for updates" next to "manage your plugins"
   and it automagically updated widevine from nothing, so I guess it'll just happen on schedule
*/
user_pref("media.gmp-widevinecdm.visible", true);
user_pref("media.gmp-widevinecdm.enabled", true);
user_pref("media.eme.enabled", true);

note: disabling update checks are inactive

/* 0301b: disable auto-CHECKING for extension and theme updates ***/
   // user_pref("extensions.update.enabled", false);

maybe another way it grabs the download is when you go to play DRM, but I can't be fucked testing that. Was just looking at what might block users getting the files

next: test widevine and other DRM crap

[Thorin-Oakenpants]

https://www.widevine.com/

• Netflix, HBO, Disney, Amazon Prime, Showtime, Hulu, DirectTV, Starz <-- that's a lot of streaming services
• also WB (what streaming service do they have?), Jio (nevcer heard of them), Sling (heard of them)

[KOLANICH]

Netflix, HBO, Disney, Amazon Prime, Showtime, Hulu, DirectTV, Starz <-- that's a lot of streaming services also WB (what streaming service do they have?), Jio (nevcer heard of them), Sling (heard of them)

All are absolutely unneeded websites (for sane persons).

the threat model isn't exactly suited here IMO: I think this is more of a hardened thing or users should use Tor Browser

Under this logic one can always say "arkenfox is unneeded, just use TBB wnd don't change any prefs there (except security level) - they make you more fingerprintable".

[Thorin-Oakenpants]

Who are you to say they are "unneeded" - everyone's mileage/usage will vary. The user.js is a template aimed at as many people as possible. By causing too much breakage (at default settings), it just turns too many users away, which defeats the purpose of the repo

I will refer to the stats I posted in ##1104 which is over 200 flipped prefs - who are you to deny users the ability to change those with some modicum or balance of ease of application

I fail to see what a harden tag doesn't achieve here

[KOLANICH]

Who are you to say they are "unneeded" - everyone's mileage/usage will vary.

The most important detail in that sentence is

(for sane persons)

.

The user.js is a template aimed at as many people as possible.

Vanilla Firefox already is. This template isn't. Ordinary people (who are mostly insane) surely won't enable RFP - at least because some government websites they have no option not to use have a custom-developed fingerprinting script that just denies access to persons with RFP on.

I don't think that any Turing-complete language can be reliably sandboxed in a way other than not executing it at all. I don't think that proprietary DRM shit should be allowed by default to be executed on user's machines. I don't think that people should vote with money for the corporations acting not in peoples' best interests, such as forcing them to install and execute proprietary software designed to work not in computer operator best interest (such kind of software is often called malware), such as forcing them to buy devices designed to deprive the device owner the ownership of it (I mean TEE) and pay for that device because there is no other option.

So, insane people can just flip the pref themselves, if they really want this shit.

[Thorin-Oakenpants]

for sane persons

OK. Let me put this another way. Who are you to decide what is sane and unsane? You're welcome to your personal opinions, but that does not negate the state of the web, or that the user.js is a template

Vanilla Firefox already is

I beg to differ: see aforementioned 200+ flipped prefs

in a way other than not executing it at all

OK. Got it. Lets disable absolutely everything and/or turn off the internet: then you end up with stupid extremely broken solutions like LibreFox (and LibreWolf although they slowly made a few changes due to breakage: still batshit crazy settings though, especially pref locking)

So, insane people can just flip the pref themselves, if they really want this shit.

What is more likely? non-technically inclined users working out how to enable DRM or technically minded users who want more protection from digging in and disabling DRM. Which group is bigger?

[KOLANICH]

Lets disable absolutely everything

I haven't said "everything". But inherently malicious technologies (technologies developed and pushed to achieve inherently malicious goals) should surely be disabled. Other technologies should be used with caution. I.e. not used where they bring risk for no benefit (to a user, not site owner, site owners have a great benefit of using JS instead of server side rendering - "user's CPU time is free for us" as someone claimed).

Who are you to decide what is sane and unsane?

Sane people are rational. Rational people act in best interests of oneselves. People willfully contributing to DRM ecosystem from the consumer side are not sane because such contribution in long term will bring them only harm.

non-technically inclined users working out how to enable DRM or technically minded users who want more protection from digging in and disabling DRM. Which group is bigger?

"Non-technically-inclined" people use Google Chrome in majority of cases, in ~5% cases they use vanilla firefox. In great majority of cases of using Firefox they use it without any addons because "ad blockers break websites" (the ones detecting blocking ads). And only minority of users using ad blocking software also uses RFP, because it also breaks websites, especially the ones which want to deter its usage. And very little people use potentially breaking presets like this one.

Everything suitable for ordinary users must be by default in vanilla Firefox, not here. It is in Mozilla best interests to put such prefs (except telemetry-disabling and other prefs from which Mozilla gets profit) there (except the such likely scenarios that either Mozilla bosses got insane, or bribed, or Mozilla got an ultimatum from we all know which corporation to be destroyed unless of doing anti-user actions, but in these cases all is lost and everything is futile except making an another Mozilla).

[Thorin-Oakenpants]

Let me try again, with just one example: "In the set of all Firefox users, which group is bigger?" - don't bother answering that, I'm just showing that your logic makes no sense. This is clearly not a chrome tweaking repo.

You've stated that you think DRM shouldn't be made inactive. You've yet to provide any actual reasons as to why. This is not a discussion about whether or not DRM is problematic.

[KOLANICH]

You've yet to provide any actual reasons as to why. This is not a discussion about whether or not DRM is problematic.

Because this preset is not for the kind of people who approve the shit like EME. This preset is for people expecting it bring hardening very close to maximal (we allow JS only because it is disabled by the stuff like noscript, though very unreliable IMHO, I feel like I should craft a patch somewhen fixing that in NoScript, though to properly fix it one has to fix Firefox). As you have already said

live by sword, die by sword

. Enabling EME is just violating the expectations about this preset.

[Thorin-Oakenpants]

don't quote me out of context: the full sentence there is

As I've always said, if you mess with RFP then you lose "immunity" - read this: of course document fonts should be inactive if you're using RFP - live by the sword, die by the sword

This has absolutely nothing to do with RFP.

Either provide a compelling logical reasonable reason for why DRM/Widevine should stay disabled by default other than some widespread generalized denunciation that "DRM is evil". That is not a valid argument.

---

edit: free advertising thanks to Iron Heart linking here: this is what prompted me to revisit DRM, especially since it has come up in issues a few times, and I mentioned it in the overrides recipes issue: so it's been on my mind

I installed arkenfox’s user.js and it’s amazing. Websites load so much faster, things are clean and it seems like a reasonable amount of privacy and security.

Netflix and Disney+ websites load up fast and work great but their video playback does not. ...

[Thorin-Oakenpants]

Another thing to consider (which I forgot about): Firefox should prompt you to enable DRM, but I'd want to test that based on different configs of the two prefs (eme/widevine). If that's the case (in our config: I will need to check if the eme pref overrides the widevine one) then that's a point for keeping them active false. If you always get prompted, enable it (knowing the risks), and next session the user.js resets it. After the initial widevine download, it should work instantaneously (or a page reload)? Needs some testing

---

• When you disable DRM: media.eme.enabled = false - the widewine plugin is not visible: so we can definitely ditch the widevine vis pref
• it makes sense that the only pref we should control is the master switch

test: https://bitmovin.com/demos/drm

with just DRM disabled (i.e media.eme.enabled = false)

click enable

within about 30 seconds the page or DRM bit reloaded, or the script detected a change: not sure which as I was flipping tabs checking the plugins page and grabbing a acreenshot

---

With both DRM and widevine disabled

• load test, get enable prompt
• click prompt, it still says "Nightly is installing components needed to play..." (same as the previous test)
• within 30 secs it then shows success, detected widevine
• widevine was changed to always activate

---

With DRM enabled, widvine set to always ask

• load test, you get the prompt .. etc .. same result .. widevine was changed to always activate

---

Based on this: it seems as if the widevine pref is totally redundant. As long as we disable the DRM master switch, when a user enables it, it also flips the widevine pref, so no problems there. We can also leave that disabled as well if we really wanted to: seems as if it isn't an extra hurdle

If a user gets totally annoyed by always being asked to enable DRM, well then they can search for DRM (or you know, the setup tags), so I don't think there is a end-user issue here: simple to turn on, simple to find/flip

---

So after reviewing this, I think we can do the following

• remove the visibility pref: it does nothing: flipping DRM on/off in the ui controls visibility (not the vis pref itself though)
  • tested: setting the master switch via user.js still controls visibility, so it's not just runtime
• comment out the widevine pref since it is controlled by the enable DRM prompt
  • one less override for those who want it permanently
  • one less item to troubleshoot
• leave DRM disabled, so users get a prompt
  • this allows them to flip DRM on when needed for a session, but it gets reset in a new session
  • ^ although this was already the case with the current setup
  • cleanup the [SETUP-WEB] that they will get a prompt: suggest heavy DRM users use a separate profile, otherwise use the prompt per session and let the user.js reset it on restarts