Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

yeah with a targeted attack. but I've meant big scale monitoring which person watches what.

also eme basically solves this on the audo and video side. (maybe not the best solution tough)



I think you overestimate how complex this is to purpose-build once you have the basics of DPI in place.

Also you don't need a precise measurement. Just measuring a random 10k users in 1M network daily will give you more precise viewership measurement than anything Netflix publishes.


Replying to self… I'm wondering if the recent per-country daily "Top 10" that Netflix is now exposing in its UI (now scraped by https://flixpatrol.com/) is not a response to ISPs already building this ? Like a way to kill two birds with one stone: reduce value of private measurements, and improve UX at the same time.


How does EME change anything?


EME encodes the video content. i.e. without eme you can basically extract the video via tcpdump, with eme you can't since everything, even metadata is encrypted.

the attack inside the pdf does basically mention the old technology which netflix used and not dash+eme inside video element (MPEG-CENC). i.e. widevine which is kinda funny because the browser drm is highly controversial, but in this case serves as additional privacy since video metadata and content get's encrypted, no matter which transport layer is used.


> EME encodes the video content

EME encrypts the video content, yes, but I don't see that this changes things. Netflix uses HTTPS (TLS) encryption over the top of the EME encryption, as this thread's title states.

> even metadata is encrypted.

I don't believe so. If you're delivering EME-encrypted blobs over insecure HTTP, an ISP will be able to see which blobs you are requesting, simply by their URL.

Aside: I recall reading that Netflix's CDN servers ('OCAs') store EME-encrypted blobs, so only the HTTPS encryption burdens the delivery server's CPU. Unsurprising, of course.

> without eme you can basically extract the video via tcpdump

Six years ago, sure. Today, no, as the stream is sent over HTTPS.

> in this case serves as additional privacy since video metadata and content get's encrypted, no matter which transport layer is used.

Perhaps unencrypted streams are still used to support legacy devices, but Netflix are committed to maximal use of HTTPS.

I don't see how EME's additional layer of encryption changes anything as far as privacy and unscrupulous ISPs are concerned.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: