9 comments

[ 2.3 ms ] story [ 33.2 ms ] thread
Yet another new crypto protocol... "Yay"

What about when HTTP/2 becomes popular? You'll still have to deal with TLS then unless you deal with TCP connections directly (and bypass HTTP).

Nobody's taking HTTP/1.1 away.
This a very interesting development, an OTT* protocol for secure communication that can sit on top of HTTP. Perhaps this was inevitable given that so much of the underlying security infrastructure has been compromised. It appears to be able to function independently of the application layer protocol as well.

[edit] *I originally wrote 'over-the-top protocol', which in the telecom industry just means "on top of HTTP". Puzzled as to why this got down-voted until I realized some people probably interpreted it as a negative remark. On the contrary, I think OTT protocols like this may be a great way to leverage existing infrastructure while layering on new and potentially better approaches to security.

Given Netflix's position on browser DRM, and their references in this post to "platform integration" and device keys, it sounds like they're trying to implement HDCP for sockets.

Ugh.

That's pretty much what this is. As I understand it, this predates WebCrypto, too, and is also the reason that Mozilla will (pointlessly, dangerously) deliver WebCrypto code over non-TLS HTTP connections.
People should read Ryan Sleevi (of the Chromium security team) and Brian Smith (of the Mozilla security team) on Twitter for background on what this is, and why it might not be something to be excited about.

@sleevi_ and @BRIAN____.

As soon as I saw Encrypted Media Extensions, my first thought was, "Ewww." (As in, "Ewww, not something the general populace is likely to benefit from.")