Most active commenters
  • jcalvinowens(3)

←back to thread

Yt-dlp: External JavaScript runtime now required for full YouTube support

(github.com)
798 points bertman | 39 comments | 12 Nov 25 10:12 UTC | HN request time: 0.006s | source | bottom
Show context
xeonmc ◴[12 Nov 25 12:31 UTC] No.45899355[source]
In ten years time YouTube will be entirely inaccessible from the browser as the iPad kids generation are used to doomscrolling the tablet app and Google feels confident enough to cut off the aging demographic.
replies(9): >>45899394 #>>45899462 #>>45899465 #>>45899525 #>>45899536 #>>45900001 #>>45900317 #>>45900441 #>>45900653 #
1. vachina ◴[12 Nov 25 12:52 UTC] No.45899536[source]
They’d need dedicated hardware to enforce any kind of effective DRM. Encrypted bitstream generated on the fly watchable only on L2 attested device.
replies(7): >>45899618 #>>45899734 #>>45899739 #>>45899807 #>>45900214 #>>45900945 #>>45902867 #
2. fsflover ◴[12 Nov 25 13:01 UTC] No.45899618[source]
Which is why Windows 11 requires TPM.
replies(2): >>45900081 #>>45900531 #
3. lloeki ◴[12 Nov 25 13:14 UTC] No.45899734[source]
Netflix is already there for 4k streams
replies(3): >>45899791 #>>45899833 #>>45900375 #
4. oblio ◴[12 Nov 25 13:14 UTC] No.45899739[source]
I guess at that point we could do it the old fashioned way by pointing a camera at the screen. Or, I guess, a more professional approach based on external recording.
replies(2): >>45901572 #>>45902342 #
5. KeplerBoy ◴[12 Nov 25 13:20 UTC] No.45899791[source]
And it's an entirely useless effort. No idea how it is done but the internet is full 4k rips.
replies(2): >>45899965 #>>45901153 #
6. yard2010 ◴[12 Nov 25 13:21 UTC] No.45899807[source]
Can you explain in simple terms what would prevent one from running the decryption programmatically posing as the end client?
replies(5): >>45900061 #>>45900104 #>>45900132 #>>45900160 #>>45903399 #
7. sabatonfan ◴[12 Nov 25 13:24 UTC] No.45899833[source]
I knew of this chrome bug which could allow netflix to be ripped. I had heard it in comments of some section of youtube and I might need to look further into it but its definitely possible.
8. alex7o ◴[12 Nov 25 13:36 UTC] No.45899965{3}[source]
They find devices that are easy to hack (and I mean rip and tear) and extract the decryption keys from each of them, from what I have heard cheap chinese tvs and set top boxes, they extract the keys from the chips (hardware hacking, heard some even use microscopes to read the keys by hand), and then use them to decrypt streams, I heard that they catch them pretty fast to they use like 1 device per season. This is why they use mostly stollen devices.
replies(4): >>45900054 #>>45900188 #>>45900498 #>>45901684 #
9. 13hunteo ◴[12 Nov 25 13:42 UTC] No.45900054{4}[source]
Interesting - do you have any sources to read further?
replies(2): >>45900261 #>>45902692 #
10. Thorrez ◴[12 Nov 25 13:42 UTC] No.45900061[source]
Here are a couple ideas:

The decryption code could verify that it's only providing decrypted content to an attested-legitimate monitor, using DRM over HDMI (HDCP).

You might try to modify the decryption code to disable the part where it reencrypts the data for the monitor, but it might be heavily obfuscated.

Maybe the decryption key is only provided to a TPM that can attest its legitimacy. Then you would need a hardware vulnerability to crack it.

Maybe the server could provide a datastream that's fed directly to the monitor and decrypted there, without any decryption happening on the computer. Then of course the reverse engineering would target the monitor instead of the code on the computer. The monitor would be a less easily accessible reverse engineering target, and it itself could employ obfuscation and a TPM.

replies(1): >>45900137 #
11. goku12 ◴[12 Nov 25 13:44 UTC] No.45900081[source]
TPM isn't the only misfeature that makes Windows 11 an abomination. People who don't switch to a respectful platform is in for a lot of pain.
12. robmccoll ◴[12 Nov 25 13:46 UTC] No.45900104[source]
Let's say the only devices you can get that will run YouTube are running i/pad/visionOS or Android and that those will only run on controlled hardware and that the hardware will only run signed code. Now let's say the only way to get the YouTube client is though the controlled app stores on those platforms. You can build a chain of trust tied to something like a TPM in the device at one end and signing keys held by Apple or Google at the other that makes it very difficult to get access to the client implementation and the key material and run something like the client in an environment that would allow it to provide convincing evidence that it is a trusted client. As long as you have the hardware and software in your hands, it's probably not impossible, but it can be made just a few steps shy.
13. bayindirh ◴[12 Nov 25 13:48 UTC] No.45900132[source]
Attestation requiring a hardware TPM 2.0 (or higher), and not being able to extract the private key from the TPM on your system.

TPM is Mathematically Secure and you can't extract what's put in. See, Fritz-Chip.

14. ◴[12 Nov 25 13:49 UTC] No.45900137{3}[source]
15. GeoAtreides ◴[12 Nov 25 13:50 UTC] No.45900160[source]
Yes, it's called: Web Environment Integrity + hardware attestation of some kind

> "the technical means through which WEI will accomplish its ends is relatively simple. Before serving a web page, a server can ask a third-party "verification" service to make sure that the user's browsing environment has not been "tampered" with. A translation of the policy's terminology will help us here: this Google-owned server will be asked to make sure that the browser does not deviate in any way from Google's accepted browser configuration" [1]

https://www.fsf.org/blogs/community/web-environment-integrit...

16. gpderetta ◴[12 Nov 25 13:53 UTC] No.45900188{4}[source]
The analog hole is real.
17. ticulatedspline ◴[12 Nov 25 13:55 UTC] No.45900214[source]
maybe to stop the .01%. switching to app only, sign in only would get them pretty much all the way there.

They own the os, with sign-in, integrity checks, and the inability to install anything on it Google doesn't want you to install they could make it pretty much impossible to view the videos on a device capable of capturing them for the vast majority of people. Combine that with a generation raised in sandboxes and their content would be safe.

replies(1): >>45900457 #
18. 47282847 ◴[12 Nov 25 13:59 UTC] No.45900261{5}[source]
Search for widevine decrypt. You’ll find code and forums where at least some L3 (software) keys are publicly shared. For high resolution on some platforms, you need L1 keys, but as far as I understand the decryption process basically stays the same once you have a working key.

Random article: https://www.ismailzai.com/blog/picking-the-widevine-locks

Claimed to be L1 key leaks (probably all blacklisted by now): https://github.com/Mavrick102/WIDEVINE-CDM-L1-Giveaway

19. kelvinjps10 ◴[12 Nov 25 14:08 UTC] No.45900375[source]
It's not as easy as downloading a YouTube video though
20. spwa4 ◴[12 Nov 25 14:15 UTC] No.45900457[source]
"their" content? This is Youtube.

Of course, the same can be said for FB, Tiktok, instagram, Pintrest, reddit, ... and I'm sure the list keeps going. Frankly, Youtube is pretty damn good about this, really.

replies(1): >>45900870 #
21. jcalvinowens ◴[12 Nov 25 14:18 UTC] No.45900498{4}[source]
The really shitty thing is that vulnerable devices get blacklisted en masse, so all legitimate users get stuck with 480p video content on streaming services. The Nexus 5 got this treatment, as I understand it, because it was too easy to extract the keys.
replies(2): >>45903045 #>>45907282 #
22. icpmoles ◴[12 Nov 25 14:20 UTC] No.45900531[source]
DRM protection schemes usually don't rely on TPM, the real magic happens inside your GPU and the monitor.
replies(1): >>45904201 #
23. doublerabbit ◴[12 Nov 25 14:45 UTC] No.45900870{3}[source]
No where else to go that pays. They can pay which entices those to stay.

Google owns that monopoly.

24. gruez ◴[12 Nov 25 14:51 UTC] No.45900945[source]
>They’d need dedicated hardware to enforce any kind of effective DRM.

That's already here. Even random aliexpress tablets support widevine L1 (ie. highest security level)

25. bob1029 ◴[12 Nov 25 15:08 UTC] No.45901153{3}[source]
Breaking HDCP is a lot easier than breaking the other things. You don't have to attack the torment nexus directly. This is not the most ideal option but it is information theoretically correct assuming your capture rig is set up properly.
replies(1): >>45903013 #
26. devsda ◴[12 Nov 25 15:45 UTC] No.45901572[source]
I might be recalling it wrong,but I remember reading that there was some old hardware that refused to record protected TV/Movies probably a VCR or a DVR.

Camera manufacturers can easily refuse to record a stream of they detect it is protected, may be via watermarks or other sidechannel.

replies(1): >>45903362 #
27. alerighi ◴[12 Nov 25 15:54 UTC] No.45901684{4}[source]
More easily in the past (I don't think if it's still true for 4K) you only needed an HDMI splitter to bypass HDCP copy protection.
28. ericd ◴[12 Nov 25 16:44 UTC] No.45902342[source]
Wonder if you could train a neural net to take camera recordings and basically reconstitute the original. For a given setup, the distortions should be pretty consistent.
29. sodality2 ◴[12 Nov 25 17:10 UTC] No.45902692{5}[source]
You won't find a ton of up-to-date info that would let you do the same - the scene groups hold their methods closely specifically because of this cat-and-mouse game.
30. kevincox ◴[12 Nov 25 17:23 UTC] No.45902867[source]
iOS can already attest to websites that they are running in unmodified Safari. https://developer.apple.com/news/?id=huqjyh7k

I guess that isn't quite enough to prevent screen recording but these devices also support DRM which does this.

31. charcircuit ◴[12 Nov 25 17:32 UTC] No.45903013{4}[source]
It would be harder to break HDCP and you wouldn't even get the original compressed media content. It's a worse idea.
32. charcircuit ◴[12 Nov 25 17:34 UTC] No.45903045{5}[source]
It provides a good incentive for manufacturers to invest into security for their devices.
replies(1): >>45903225 #
33. jcalvinowens ◴[12 Nov 25 17:48 UTC] No.45903225{6}[source]
No, it provides no incentive at all!

It's the users who suffer when this happens, not the manufacturers. The manufacturers couldn't care less, the money is already in the bank.

If the manufacturers were required to replace all the revoked devices at their cost, that would be a real incentive.

34. jedberg ◴[12 Nov 25 17:57 UTC] No.45903362{3}[source]
Old VCRs looked for a hidden signal that rental videos put out so you couldn't record them. But it was easy to block with a cheap device that you put in the middle.
35. immibis ◴[12 Nov 25 17:59 UTC] No.45903399[source]
You don't get access to the decryption code nor the keys - both are hardwired in silicon.

We'll eventually be able to reverse-engineer that and run it programmatically, but it will take a long time.

And when they catch you doing so, they'll ban your (personalized) encryption key so you'll just have to buy another graphics card to get another key.

This is how it already works, not some future thing. But the licensing fees make it so it only gets used for Hollywood-level movies.

36. fsflover ◴[12 Nov 25 18:49 UTC] No.45904201{3}[source]
They can use all available tools at the same time.
replies(1): >>45905789 #
37. gruez ◴[12 Nov 25 20:11 UTC] No.45905789{4}[source]
TPMs existed for at least a decade though.
38. zelphirkalt ◴[12 Nov 25 21:51 UTC] No.45907282{5}[source]
Not a Netflix user here: Are you saying that paying customers get cut off from higher video quality, that they are possibly paying for, and pressured into buying new devices? That shit should be illegal!
replies(1): >>45907434 #
39. jcalvinowens ◴[12 Nov 25 22:03 UTC] No.45907434{6}[source]
Yes, that's exactly what happens!