What's the difference between PlayReady/Widevine and ClearKey? - javascript

Like the title states, what is the difference between PlayReady/Widevine and ClearKey? Is PlayReady/Widevine better than ClearKey?

ClearKey is a free alternative to commercial DRM solutions for MPEG-DASH content (MPEG-CENC compliant), but as it is only an encryption solution it does not offer the same level of protection as PlayReady, Widevine or Fairplay.
[Opinion:] If you need a complete DRM solution then working with a provider who supports an integrated DRM solution for origin and playback (eg BuyDRM or Ooyala) is going to provide more protection
Widevine: Widevine is a Hollywood grade DRM technology initially developed by Widevine Technologies and acquired by Google in 2010. Widevine is natively supported on a broad range of devices and browsers such as Google Chrome Browser, Android, Chromecast, etc.
PlayReady: PlayReady was developed by Microsoft and is one of major DRM systems available, with broad device support, sophisticated features, and has been used for very large scale events such as the Olympics in Sochi, Russia.
Fairplay: Fairplay is designed for Apple HTTP Live Streaming (HLS) supporting playback on devices such as iPhone, iPad, Apple TV and Mac OS X. Fairplay is also used as Content Decryption Module (CDM) of the Safari browser. This enables HTML5 native playback of (non-standard) DRM encrypted Fairplay streams without plugins in that browser.

The main differences between clear key and the 'normal' DRM's (which Offbeatmammal has nicely summarised) are:
clear key does not encrypt the key itself. It is simply plain text, 'in the clear'
No special client side content protection is required to play back the content
To explain the first point, most DRM systems are essentially mechanisms to get a key from a key server to the player device, without anyone being able to intercept or read the key. If someone was able to read the key then they could unencrypt the content. To achieve this DRM systems encrypt the key itself before sending it. For clear key, the key is not encrypted like this.
The second point relates to a secure or protected media path through the client device. This means hardware and/or software in the client device or browser which accepts the encrypted content and the encrypted key and then plays back the content directly to the output device without any input or possibility to copy by any other parts of the system or any other software. Again, clear key does not have this.

Related

How can I match/learn which device is used by which user on a website?

I have a website and I need to know which device is used by my users.
Is there a way to know which device is used by a user on a website?
I know some website like webkay.robinlinus can demonstrate all a browser knows about a user.
The best will be to have the device (iPhone/Android) and the type of iPhone (8/XR,etc..) would be perfect.
Thank you for your advices
Is there a way to know which device is used by a user on a website?
No, there is not - this is by-design and is to protect the privacy of web users.
What you can do is use long-life'd cookies or use localStorage to track users on your own sites (origins) - though you'll need to ensure you comply with relevant privacy laws in your jurisdiction.
For web-applications accessed from a desktop browser, you can ask your users to manually download and install software that would run a broker-process or other helper utility that runs a webserver on localhost which your web-application could communicate with to identify the client - but be very careful as this may introduce security and privacy risks and vulnerabilities. This approach is used by Dell to allow their website to read your computer's Service-Tag through the web-browser, and by some of Microsoft's support websites as well. But I stress the importance of exercising extreme caution when implementing this because you don't want other websites or applications using your client-side program.
var x = "User-agent header sent: " + navigator.userAgent;
Send navigator.userAgent in the head tag
This saves the device and browser of the user
For More Reference Check W3schools
https://www.w3schools.com/jsref/prop_nav_useragent.asp

Signal Strength of Bluetooth devices using Web-Bluetooth

I am looking to obtain the bluetooth strength (RSSI or similar) of a signal using a web-based application (in this case attempting with the Web-Bluetooth API). From what I've seen this feature is not supported in a browser (yet at least).
The result was intended to be used on a mobile device rather than a desktop but if there is a solution for either I am unaware at the current minute. Since I cannot see much on the matter of it other than it working within downloaded/compiled mobile apps (which I guess I will have to resort to if this is completely unachievable).
This would also apply to if HTML5 p2p connection strength if that was an obtainable value as well.
Maybe I have completely missed something out and my googling skills are terrible, otherwise any relevant links / information is appreciated :)
I recently implemented the watchAdvertisements() API that will enable the page to listen for advertisement packets from the device. When a packet is received, an advertisementreceived Event is fired on the device, and the Event contains the RSSI and TX Power of the device. You can give this API a try by enabling chrome://flags/#enable-experimental-web-platform-features in Chrome 85.0.4165 or higher.

Digital signature with Javascript

So I'm stuck with this problem:
IE Edge no longer allow applets, activeX, etc. ,
and I have this applet that is used for digital signature,
the idea is to extract the private key from the KEY file in the client side, in that way the private key never leaves the client's computer, that is a requirement for security, it can't be avoid :(
I'm looking for APIs or frameworks, but I can't found a way to solve this,
with jsrsasign the examples uses a PEM file but my users have .CER + .KEY + password, in java I can do it, but I need to do it in javascript or in something on the client side.
and, reading the Web Cryptography API and some examples I found, they generate NEW private and public keys to sign BUT they never READ an existing CERTIFICATE
does anybody have this problem or know a framework I could use?
please heeeelp!
So the answer was to use JSRSASIGN (http://kjur.github.io/jsrsasign/) in the examples posted in github it uses PEM files, I build an example to use CER+ KEY + PASSWORD >> https://github.com/alfredomova/firmaJs-with-jsrsasign-example,
for that specific example i used sparkMD5(https://github.com/satazor/SparkMD5) to calculate the file's hash.
Modern browsers no more supports ActiveX, applets. WebCrypto API generates and uses keys dynamically but does not have capability to access Certificates from Certificate Store.
The accepted answer provided by Alfredo M, who has also asked question, points to JavaScript to handle cryptography in browser which does not talk about accessing local Certificate Store. Recently Certificates are not being generated/issued as pfx (or PEM) files but on Cryptographic device like USB Token or smart card.
Thus we need to use Browser Extensions for modern browsers where application running behind the Browser can access Certificate Store and sign the hash. One such browser extension is provided free by my Company. You just need couple of lines of JavaScript code to call methods provided by any Browser Extension to achieve Digital Signing from modern Browser. If you just want to sign files or eReturns, you don't need any server side component. If you want to sign pdf, you may need pdf component on server side.
You don't necessarily need to force your web app to work in Edge since it no longer support the legacy technologies that your web app is using.
"Use Enterprise Mode with Microsoft Edge to open Internet Explorer 11
for your business’s sites that require IE’s proprietary technologies."
Include your site on the Enterprise Mode Site List so it will open in IE11 automatically:
Once Edge detects that your web app is using propietary technologies, it will tell you to open your site in IE11.
The steps and the details can be found in this blog post by the Microsoft Edge team and check the user experience section of the blog so you'll get the idea of the UX it will bring to your users once implemented:
http://blogs.windows.com/msedgedev/2015/08/26/how-microsoft-edge-and-internet-explorer-11-on-windows-10-work-better-together-in-the-enterprise/

How do I block/prevent video downloader addins or programmes?

I have a video site using a HTML5 video player. Users pay money to join the site. But the download manager (in mozilla) or real player download manager can download our videos from the server.
I want to prevent or block these applications. How can I prevent the programs from running?
There is no DRM (Digital Rights Management) in the HTML5 spec, so you cannot do it with HTML5 video.
There are attempts to add DRM to HTML 5 (Encrypted Media Extensions)
With tech companies abandoning the proprietary Flash and Silverlight
media players for HTML5, it was inevitable somebody would try to
inject DRM into the virgin spec.
Microsoft, Google and Netflix are that “somebody”, having submitted a
proposed modification to HTML5 to the World Wide Web Consortium (W3C)
for “encrypted media extensions”.
http://www.theregister.co.uk/2012/02/23/microsoft_google_netflix_html5_drm_infection/
However, such extensions are not available today and will not be for some time, if indeed the proposal is even adopted.
If you need DRM, you will need to use a video technology that supports it.
Even with DRM you simply can't - whatever you've sent to client (keys/content/whatever), client can simply save and replay when he needs decoded stream again. The only solution that would reliably delay decoding, is some hardware solution, but as I understand you'll be going over regular HTTP and browser.
Your problem is legal one and should be solved with legal means.
Overlay their unique user ID onto the video, so if they do capture it, then legal action can be taken as you can prove it's them that downloaded it.
other than that, nothing you can do really...

microphone volume control from javascript

I'd like to be able to control the system microphone volume from the browser.
I know that the microphone can be recorded from using Flash or Silverlight, but these don't allow control of the microphone volume. (Flash has Microphone.gain, but as its just a software multiplier, it doesn't help when the system mic volume is muted or too loud.) I suppose the mic could be modified via a Trusted Java Applet via JNI, but getting Java installed on a user's computer is hard for non-savvy users. (Not to mention the problems with getting an Applet to consistently load.)
I've heard that HTML5 will have some sort of microphone access, but whether it will allow volume control is unclear to me. At any rate, I don't think any browsers support it yet.
Are there any plugins that would allow volume control? The old Google Gears project has some AudioApi docs, though these don't seem to have made it into the actual plugin. There's also the Google Talk plugin- it seems to do some kind of gain control, but its unclear if there's an api to the plugin.
Perhaps there's a draft HTML5 implementation plugin for microphone access (like indexeddb, for example)?
The verdict is that it would be a security concern. There is no way the system microphone volume can be changed by a browser application unless a plugin is used, just like there is no way to change the system speaker volume. However, you can amplify or reduce the input stream in Flash or Java.

Categories

Resources