VideoHelp Forum



  1. A new browser-based tool to make Widevine license requests to a server, to obtain decryption keys:

    https://emarsden.github.io/pssh-box-wasm/get-license/

    Provide the PSSH, the URL of the license server and any required HTTP request headers, and a CDM in WVD format, and it should show you the decryption keys. It uses the pywidevine library compiled to WASM, running fully inside your browser (no information is uploaded to a backend server).

    How does it compare to existing alternatives?
    • It's functionally similar to CDRM-project / getwvkeys, but runs from your own web browser instead of via a server. However, it doesn't have the useful functionality for caching keys from other people's license requests.
    • Somewhat similar to running a pywidevine-based Python script, but doesn't require you to install Python and make sure you have the right versions of the associated libraries. However, it doesn't currently handle license servers that require a POST payload.
  2. don't all license servers require a POST request? I assume you mean it doesn't work with payloads with a custom format?
    Either way, nice work
  3. Not sure how I feel about "uploading" my CDM
    Last edited by larley; 14th Apr 2024 at 16:36.
  4. Why not set up the html package as a local install?

    The user downloads and installs the package that then runs locally on the user's computer.

    Looks like this will be harvesting CDMs
  5. Originally Posted by jack_666
    Why not set up the html package as a local install?

    The user downloads and installs the package that then runs locally on the user's computer.

    Looks like this will be harvesting CDMs

    You speak my mind Jack
  6. Originally Posted by jack_666
    Why not set up the html package as a local install?

    The user downloads and installs the package that then runs locally on the user's computer.

    Looks like this will be harvesting CDMs

    This tool is not actually harvesting CDMs. You can verify that (e.g. using one of the emulator CDMs published here) by looking at the network requests made.

    That's a fair concern, however, and I'm not sure how to address it. Checking the javascript source code is not practical because the pywidevine library and python runtime compiled to WASM are quite large (11 MB or so). Running the code from your local disk is no help, because the tool could also be sending off the CDMs in that case (it would also require you to install a web server, because the browser has special restrictions on file:// URLs). The content-security machinery in web browsers isn't useful because it aims to protect "trusted" javascript from untrusted inputs coming from advertising for example. If anyone has ideas, I'm interested.

    Stepping back a little, it's surprising to me that javascript code nicely sandboxed by your web browser can be seen as a security concern, but the community here seems to have no concern about running random binaries they download from the internet (N_m3u8DL-RE, mp4decrypt, ffmpeg, mkvmerge, dash-mpd-cli and so on). If you are running these on your computer without a container or other software isolation tool, they can access any file, make network requests anywhere, exploit any operating system vulnerabilities to enroll you in a botnet. The recent xz backdoor incident shows how much effort attackers are prepared to make to gain access to our computers; we shouldn't be making it so easy for them. (This is why I publish dash-mpd-cli as a Docker/Podman container and recommend its use via podman.)
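
The check mentioned in the post above (looking at the network requests made), sketched as an added example that is not part of the thread or of the tool: it audits a HAR export from the browser's network panel for requests to hosts outside an expected set and for request URLs or bodies carrying slices of a local secret. The hostnames, request bodies and secret bytes are constructed; only raw, base64 and hex copies are matched, so the host allowlist remains the primary signal.

```python
import base64
from urllib.parse import urlsplit

def _needles(secret, window):
    """Fixed-size slices of the secret in raw, base64 and hex form."""
    if not secret:
        raise ValueError("secret must be non-empty")
    forms = [secret, base64.b64encode(secret), secret.hex().encode()]
    return {f[i:i + window] for f in forms
            for i in range(0, max(1, len(f) - window + 1), window)}

def audit_har(har, allowed_hosts, secret, window=16):
    """Return (url, reason) findings for one HAR capture of the page session."""
    needles = _needles(secret, window)
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        url = req["url"]
        if (urlsplit(url).hostname or "") not in allowed_hosts:
            findings.append((url, "unexpected-host"))
        # HAR keeps the request body as text under postData.text, when present.
        body = (req.get("postData") or {}).get("text", "")
        haystack = url.encode() + b"\n" + body.encode("latin-1", "replace")
        if any(n in haystack for n in needles):
            findings.append((url, "carries-secret"))
    return findings

# Constructed sample data: hostnames, bodies and the "secret" are made up.
SECRET = bytes(range(64))
ALLOWED = {"tool.example", "license.example"}
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://tool.example/app.wasm"}},
    {"request": {"method": "POST", "url": "https://license.example/acquire",
                 "postData": {"text": "constructed-license-request"}}},
    {"request": {"method": "POST", "url": "https://collector.example/u",
                 "postData": {"text": base64.b64encode(SECRET).decode()}}},
    {"request": {"method": "GET",
                 "url": "https://tool.example/ping?d=" + SECRET[:16].hex()}},
]}}

if __name__ == "__main__":
    for url, reason in audit_har(SAMPLE_HAR, ALLOWED, SECRET):
        print(reason, url)
```
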
  7. If ffmpeg is a random binary, then everything is
    so basically just run every binary in a damn docker container
  8. Originally Posted by larley
    so basically just run every binary in a damn docker container

    You say that like it's a silly idea, but it's pretty much how apps work on iOS and Android and on macOS (which also requires apps to be notarized). It's how apps from the Microsoft Store work on Windows. It's how Flatpak and Snap third-party packages work on Linux.
  9. If you think that not putting every binary (even random ones) if possible inside a sandbox is a security risk, then you can do that. But at that point the effort outweighs the gain you get from doing that.
  10. That's a fair point: security is always a tradeoff. However:
    • Using a prebuilt container is hardly more difficult than unprotected use of a random binary. For example, the dash-mpd-cli prebuilt container already includes the various other random binaries you'd otherwise need to install, like mp4decrypt, shaka-packager, MP4Box, ffmpeg, mkvmerge, xsltproc.
    • We can encourage software authors to make their stuff available as prebuilt containers, or publish them ourselves when the software license allows it.
    • Oh, is that a botnet running on your computer?
  11. At the end of the day, programs running in sandboxes are only more secure than the original binary if they are actually being used.
    You can take a look around the forum and check if people are actually using a container. You might be able to see that they aren't because a person that just wants to download some media isn't the kind of person that spins up a docker instance before doing so. So you either make that process as easy / easier than just running the binary normally or remove the normal option completely because it seems like you're quite paranoid about hidden malware inside 'random' executables.
  12. "Limitations

    Some DRM license servers require specific information as the "payload" of the POST request to the license server, in addition to or instead of specific HTTP headers. This tool does not currently support sending a POST payload."

    The above sentence is the most important here, in short = no "payload" option + the need to send your own CDM means that it is pointless and there is a huge risk of destroying your own CDM.
  13. if I can find myself pssh, lic url and upload (also!) my cdm, this project is (for me) useless
    py script already does
    or without py, cdrm does (and no need to upload your cdm ...)
  14. If you have a Python script that works for you, all the better for you; please use that. I wrote this (free) tool having seen all the people here who have trouble installing pywidevine or don't know how to use the command line. It seems useful to me to have alternatives to services like cdrm-project which might one day go offline, and whose logs might one day be seized by the authorities. Using this tool, your machine makes pretty much identical network requests to those made when watching a video online (as when using a Python script, because it is basically a Python program, just running in your browser).

    Concerning POST payload: the tool makes POST requests and you can include any headers that are needed for authorization. Some license servers also require a POST payload (encoded as JSON for instance), which the tool doesn't currently support. Neither does cdrm-project as far as I can tell; I think this is not a common requirement.

    I will say again that the CDM is not "uploaded"; it stays in your browser. It's true that this is difficult to verify in advance, however.
  15. I wrote this (free) tool having seen all the people here who have trouble installing pywidevine or don't know how to use the command line

    yes, you're right. thanks anyway for your project