Widevine CDM Considerations: Why Streaming Services Should Encourage Browser Updating
Google has published a schedule detailing when old versions of Chrome will no longer support the Widevine Content Decryption Module (CDM).
Who hasn’t heard from their favorite admin that they must always keep their systems up-to-date? If you don’t know what I’m talking about, then you may not be interested by the following article.
Still there? So you probably know that in a constantly evolving world of technology our operating systems, and also our software, must be updated frequently.
Why? As customer expectations change and our software and services progress we want to enable new features as well as support the latest developments from other vendors too.
But the main reason is security. When there is a small bug fix for a potential security breach that is even tricky to exploit: we don’t want to be the first victim of it.
And it’s especially true when it relates to content security because playing protected video in the browser relies on a security level managed by the software for most platforms (such as PC/Mac). So keeping an up-to-date version of all the components of the chain is critical.
A browser’s CDM implementation is linked to the server version of the DRM licensing service. The CDM is part of the browser distribution because they should both support the same version of the EME interface. So when you download/update your favorite browser it embeds the corresponding supported CDM.
This is a big difference between desktop applications and mobile apps. In Android’s case the Widevine CDM is managed by the OS itself, instead of being bundled with Chrome. Google can manage the features that Chrome utilizes and also limit which version users can install. Having a DRM system baked into the device is also what allows support of more secure implementations on Android compared to desktop browsers. In comparison, desktops are open environments allowing users to install any Chrome version they want which makes it difficult to control which Widevine CDM version is in use.
The main issue here is that there is one component where we cannot force an update: the browser. Browser updates are conditioned by the goodwill of the end-user. There are browser notifications and warnings on some website. But the last word belongs to the user.
Widevine CDM Deprecation
Widevine has recently announced a deprecation schedule for previous CDM versions that are built into Chrome browsers. Viewers using old Chrome versions after CDM support ends will not be able to stream protected content.
|Chrome Versions Affected||Widevine Support Ends||CDM Version (Windows / macOS)||CDM Version (Linux)||CDM Version (Chrome OS)|
|59 and earlier||July 31, 2018||126.96.36.1990||188.8.131.527||184.108.40.2067|
|59 – 63||Jan 8, 2019||220.127.116.114||18.104.22.1680
|64 – 68||August 13, 2019||22.214.171.1249||126.96.36.1999
Source: Google Widevine (Table updated: 25 Sept 2019)
Earlier this year Google stopped supporting older CDM versions like the ones that were not featuring Google’s Verified Media Path (VMP) which is used to authenticate software interfacing with the Widevine CDM. This led to some users with outdated Chrome versions not being able to view a service’s content they paid for. What could be more annoying? Especially in this particular case because as my associate Thasso explained in his recent DEMUXED talk: ‘when things go wrong with DRM you have a hard time to find out what the reason is’.
Of course it’s even worse for the user who will probably restart their browser or system a couple of times before calling the service center.
What Can Be Done?
There is no practical way to avoid a situation like this but streaming services can inform the end-user. We don’t have to explain in technical detail why updating the browser is important because they probably don’t care about our industry’s specific security concerns. But they should be informed that because browser technology is constantly evolving, their browser version needs to be regularly updated in order to continue enjoying their favorite content.
In any case, going forward it’s now important for streaming services to be aware of Widevine’s CDM deprecation plans due to the disruptive impact this can have on customer experiences when using outdated Chrome versions.