
Spotify's own clients basically download encrypted data, decrypt with the song's key, decode the Vorbis and write PCM audio to the audio device like normal. Does anyone know how Widevine fits into this? What does it actually do in the case of audio (video I can imagine is different since there's DRM support baked into the output device, as I understand it)?



Netflix audio is available as unencrypted .aac files with no protection whatsoever. Netflix doesn’t use Widevine for anything except video.

Here's a typical media manifest for a typical piece of Netflix content: https://gist.githubusercontent.com/justjanne/b2cbff54588466f... (identifying data and URLs redacted).

Note how (a) the audio is only 128kbps, and (b) the audio is just directly linked (the files are just AAC directly, you can play them in any player).


Widevine is used for Spotify's browser implementations.

Spotify would revoke the app keys if they were published in something like this, I expect.


So they serve two versions of every file, one for browsers using Widevine's scheme and another for everything else using their own scheme? And the benefit of Widevine is that it's a closed-source blob shipped with the browser itself (or not, as is the fundamental issue solved by the OP) rather than some obfuscated JavaScript, so you have zero access to it? At least until it ultimately writes PCM to the soundcard where you can then do what you want with it.


They could use CENC and just serve one version with two key management systems, but I think they do serve two versions in practice.

And yes, by and large. Widevine offers a bit more than just being closed source in terms of Google doing breach monitoring and fixing, but yes.



