Re: Encrypted Media proposal: Summary of the discussion so far

From: Kornel Lesiński <kornel@geekhood.net>
Date: Fri, 09 Mar 2012 18:56:05 -0000
To: public-html@w3.org
Message-ID: <op.waw2vrfcte2ec8@aimac.local>
On Fri, 09 Mar 2012 18:09:10 -0000, Charles Pritchard <chuck@jumis.com>  
wrote:

> It fulfills the requirements that content vendors place on distribution  
> by obfuscating the file stream. A user can not simply download the file  
> and then view it in a media player. It obfuscates the stream over  
> wireless so apps like Firesheep can not simply snoop the video  
> automatically.

Firesheep-like tools could do that. The masking key is sent in the clear in  
the frames themselves. Even if the masking key was somehow hidden, it's  
just a 32-bit value XORed with the data, so a few bytes of known plaintext  
or a relatively small amount of brute force can be used to recover the key.

So I think the WebSocket framing format is not appropriate for securing files  
stored with untrusted CDNs.

-- 
regards, Kornel Lesiński
Received on Friday, 9 March 2012 18:56:34 GMT
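
The point made in the reply above, as an added example that is not part of the original message: a minimal RFC 6455 frame builder and parser showing that the 4-byte masking key travels in the frame header, and that four known leading bytes of content determine the key even without reading the header. The function names, the sample payload and the key value are constructed for illustration.

```python
import struct

def xor_mask(data: bytes, key: bytes) -> bytes:
    """RFC 6455 masking: byte i is XORed with key[i % 4]. Self-inverse."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def build_masked_frame(payload: bytes, key: bytes) -> bytes:
    """Client-to-server binary frame: FIN=1, opcode=0x2, MASK bit set."""
    n = len(payload)
    if n < 126:
        header = struct.pack("!BB", 0x82, 0x80 | n)
    elif n < 1 << 16:
        header = struct.pack("!BBH", 0x82, 0x80 | 126, n)
    else:
        header = struct.pack("!BBQ", 0x82, 0x80 | 127, n)
    # The key is written into the frame unprotected, right before the body.
    return header + key + xor_mask(payload, key)

def parse_frame(frame: bytes):
    """Return (masking key or None, unmasked payload) for a single frame."""
    if len(frame) < 2:
        raise ValueError("truncated frame")
    masked = bool(frame[1] & 0x80)
    n, pos = frame[1] & 0x7F, 2
    if n == 126:
        (n,) = struct.unpack_from("!H", frame, pos)
        pos += 2
    elif n == 127:
        (n,) = struct.unpack_from("!Q", frame, pos)
        pos += 8
    key = None
    if masked:
        key, pos = frame[pos:pos + 4], pos + 4
        if len(key) != 4:
            raise ValueError("truncated masking key")
    body = frame[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated payload")
    return key, (xor_mask(body, key) if masked else body)

def key_from_known_plaintext(masked_body: bytes, known_prefix: bytes) -> bytes:
    """Four known leading plaintext bytes fix the entire 32-bit key."""
    if len(masked_body) < 4 or len(known_prefix) < 4:
        raise ValueError("need at least 4 bytes of each")
    return bytes(c ^ p for c, p in zip(masked_body[:4], known_prefix[:4]))

# Constructed sample: a payload starting with a fixed container signature.
SAMPLE_KEY = bytes.fromhex("37fa213d")
SAMPLE_PAYLOAD = b"\x1aE\xdf\xa3" + b"constructed sample media bytes"
SAMPLE_FRAME = build_masked_frame(SAMPLE_PAYLOAD, SAMPLE_KEY)
```

Any on-path observer or storage provider can call `parse_frame` exactly as a WebSocket server does, which is why protecting the content requires real encryption with a key that is not shipped alongside the data.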