[html5] Video Security

Dmitry Kharlamov animusdius at gmail.com
Sat Feb 12 05:23:10 PST 2011

Thanks for the in-depth answer. I am quite aware of the issues involved, I
am an IT Director, so I am also well acquainted with the technology behind.

Let's forget about DRM for a moment not mentioning the fact that there are
open source encrypting algorithms and that I cannot understand how using an
open source standard obliges me to drop copyright on my videos or to abandon
any efforts to protect it from unauthorised access.

Suppose I have a members-only subscription service. People pay membership
fees and get access to premium content. When I deploy, say, an iPhone app —
I can control whether the video is downloadable or only available while you
are online. When I deploy to a closed area on the website I don't have this
kind of control. I can still obfuscate links, issue security tokens and use
nonces but the ability to right click the video and choose save as defeats
the purpose. Sure there will be people who are able to bypass the protection
— give me any flash based streaming service and I will crack its protection
in a day. But there are not that many people who will go to this extent
since our membership fees are indeed not so high, so it's just easier to
pay. But if anyone can download the video there might be people who are not
aware of the copyright or just don't respect it, who will upload this video
to YouTube or torrent sites. So, the situation becomes less manageable. One
solution is to manually disable ability to right click and save the video
with JavaScript. But when WHATWG responded to needs and allowed autoplay
without any hacks I just don't see why the same kind of solution can't be
created for the video interface. In other words, it would be nice to
disallow video download without any hacks, so people can view it but can't
download it if the publisher doesn't want to. I mean, you can use Google
search, or you could buy their search servers for your enterprise but they
weren't obliged to let you have a look at the source code and download it. I
am aware of the Open Source hype but you can't forget the fact that it's the
companies who don't release their sources that sponsor many Open Source
projects. So why should all video publishers allow their videos to be
downloaded? Not giving publishers this kind of control is completely
close-minded and authoritarian. Video on the web is a very valuable
commodity and not respecting the authors and not meeting their needs is just
silly as it will defeat the purpose of open standard video since many
publishers on the web are authors wishing to protect themselves from
unmanageable copyright breach and they will still have to resort to
proprietary technologies. And when I can't use flash on iOS I am pretty much
screwed unless I create an app, which luckily is possible. Calling our
business a dinosaur doomed to die because we can't make all our content
freely available is just rude and completely arrogant. Someone could instead
listen to what I am saying here as I am sure I am bringing up quite a
general concern for many authors and copyright owners and help us gain this
kind of control. I mean, users accept the terms and conditions, they are
completely comfortable with not being able to download some of the premium

Second related point is lack of an open streaming standard. I would like to
be able to stream my HTML5 videos, which will a) give extra protection from
downloading, b) will allow visitors to save bandwidth.


On 12 February 2011 15:44, Matthias-Christian Ott <ott at mirix.org> wrote:

> On Sat, Feb 12, 2011 at 03:00:08PM +0300, Dmitry Kharlamov wrote:
> > It all sounds good and swell. But unfortunately your message does not
> > qualify as an answer. So what if the technology is open source? Our premium
> > content is not, we spend tens of thousands of dollars on it and want
> > something in return. Sure, it's possible to break any protection but at
> As I tried to explain that even a Free Software/Open Source DRM can't be
> is impossible. I understand your problem and see that you have a running
> business which you believe is only profitable with DRM, but there won't
> be an open standard based solution for your problem. If you want to go
> with an open standard and acknowledge that DRM is impossible, I suggest
> to develop another business model in the long term or hope that Flash
> or similar technologies will save your business — HTML5 probably won't.
> If you can't find another business model that works, I guess the
> internet destroyed or will destroy your business in the future as it
> did with so many things (take movie rental stores as a current example).
> > least disabling download ability for some video files would be a start. It's
> > just not right to make the videos so easily downloadable, this way the
> The problem is, you still break the DRM even if you don't understand it.
> Given sufficiently attractive content or protection technology sooner or
> later somebody will develop a software which allows everybody to copy
> the content with a click of a button.
> And even if this doesn't happen, there is still the analogue gap. I
> remember that maybe 10 years ago people used to go to the movie theatre and
> film the screen with a camera. You can't stop this.
> DRM is a cat and mouse game. You have to change technology often and have to
> have the new technology ready before the old one is broken. Over time
> these technology cycles become shorter and the technology becomes more
> expensive, because the attackers become more experienced. The only
> person who can survive this in the long run is the attacker.
> From a pragmatic standpoint you can only hope that your technology is
> unattractive as a challenge for crackers and your prices are so low that
> nobody would waste the time to circumvent your DRM for this reason.
> > video will never replace Flash because Flash has a streaming platform and
> > even without DRM protection it's still quite problematic for an ordinary
> > user to download the video. What I am saying is that if HTML5 video is really
> > set to take over the video on the web it must allow streaming, give
> > publishers control over the availability of the content and ways to view it.
> The problem is that once data leaves your computer, you lost control
> of it. HTML5 isn't developed to solve impossibilities.
> You will probably have to stick to Flash or similar technologies. If you
> want to use HTML5, you will have to implement your DRM in JavaScript and
> your implementation will be really slow.
> > Frankly, YouTube are thinking the same. So, please, could anyone give any
> > hope to this? Or are we stuck with Flash for the rest of the days?
> For this matter I believe so.
> Regards,
> Matthias-Christian
> > On 12 February 2011 14:25, Matthias-Christian Ott <ott at mirix.org> wrote:
> >
> > > On Sat, Feb 12, 2011 at 08:25:42AM +0300, Dmitry Kharlamov wrote:
> > > > We have a premium video content available via subscription. We are already
> > > > using HTML5 video to deliver free videos and are very keen to start using it
> > > > for premium content. However, the main consideration is how copy protected
> > > > we can be using the HTML5 video formats. At the moment we are using the RTMP
> > > > Streaming solution along with Flash DRM protection. Is there likely to be or
> > > > maybe already is something similar for the HTML5 video standard?
> > >
> > > DRM is a logical contradiction and is impossible. You can't build a DRM
> > > system which is based on an open standard without hardware support (see
> > > Sun Microsystems' DReaM DRM) and even then it's breakable (PlayStation 3
> > > is a recent example). DRM depends on secrecy, obfuscation and security
> > > by obscurity which are in contradiction with an open standard.
> > >
> > > Information wants to be free. You can't make it impossible to copy data.
> > > It's simply a matter of accepting this. You should adapt your business
> > > model if this is a problem for you.
> > >
> > > Gruß,
> > > Matthias-Christian
> > >