- From: <bugzilla@jessica.w3.org>
- Date: Thu, 21 Aug 2014 19:21:25 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332 --- Comment #50 from Mark Watson <watsonm@netflix.com> --- (In reply to Henri Sivonen from comment #48) > > Restricting EME secure origins only would address attacks #5 and #6 and, if > mixed-content XHR and Web Sockets are blocked, attacks #3 and #4 as well. > Note that, except in the case that the attacker is an authorized user of the keysystem, #5 and #6 are addressed if - as discussed in the privacy section - the keymessages are encrypted to the server, which itself is authenticated by means of a server certificate. Also, attacks equivalent to #5 and #6 are already generally possible without EME using fingerprinting, information stored on the client by the attacked site etc. Adding EME makes no difference provided the other mitigations for #1-#4 are in place. > As far as I can tell, the main reason against restricting EME to secure > origins only would be that it would make it harder for sites that don't > already use secure origins to migrate from NPAPI-based DRM to EME-based DRM. > How serious is this issue? Commercial CDNs charge significantly more for HTTPS services than HTTP. Migrating a large amount of traffic from HTTP to HTTPS has significant capacity / re-engineering implications. There are also operational issues that negatively impact user experience. So it's a significant issue. -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Thursday, 21 August 2014 19:21:28 UTC