Trying to figure out if the web browser support for DRM also works if you want end-to-end media encryption when you don't trust the server you're passing it through… like, can I use the W3C "Encrypted Media Extensions" for good?

@jamey No, iirc -- unless I'm misremembering, EME is a way to shell out to user-downloaded programs to decrypt the stuff. If you can't guarantee that everyone has that specific program, you can't expect everyone to be able to read it.

The better way to do E2E stuff would IMO be to push for aesgcm:// URLs from XMPP ( ) to be interpretable by web browsers.

... but actually probably to push for a slightly better version of that standard to be developed -- possibly making it interoperable with , e.g., or actually thinking of whether /requiring/ HTTPS is good for the general case, maybe be able to upgrade the hash algorithm, and a few other things.

But, that basic idea.

@gaditb I just found the section of the EME spec which says "All user agents MUST support the common key systems" in that section, namely, the "clear key" system, where the JavaScript knows the key and hands it over to the browser in the clear. I guess the distinction for things like Widevine is that the key is kept secret from scripts and only decrypted in the CDM? Anyway this sounds like exactly what I want but I'm not sure about the details yet.

@gaditb Check this out:

It doesn't work in Fennec F-Droid on my phone, but I haven't tested it in anything else yet, and the implementation looks about like I expect from what I saw in the specifications for the pile of three-letter acronyms involved here (EME, MSE, JWK) 😅

Sign in to participate in the conversation

A Mastodon instance for cats, the people who love them, and kindness in general. We strive to be a radically inclusive safe space. By creating an account, you agree to follow our CoC.