Hacker News new | past | comments | ask | show | jobs | submit login

Haven't widevine keys been discovered by pirate groups but not leaked? I assumed that was how so many webrips have been released.



Google updates the Widevine CDM regularly and has an aggressive deprecation schedule. I imagine those keys have long since been replaced as a result of this. Each piece of content is encrypted with a unique key and the CDM is only used for key exchange. The leaked keys would be useless for decrypting any stored content.


Widevine L1 keys have leaked fairly regularly though and many piracy groups have private L1 keys to allow them to get clean webrips from streaming services. These keys get dumped from a vulnerable device and then don't need to be updated unless that device gets breached publically down the line.


All it takes is another vulnerable device's keybox being yanked and abused for a while until the keybox leaks further causing revocation of those Widevine keys.

They have quite a supply of keyboxes available to keep decrypting for a while.


Widevine L3 gets broken fairly often, I'd assume that's what xfinity stream on ChromeOS is using.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: