Firefox 38 arrives with contentious closed-source DRM integrated by default

One year ago Mozilla crushed the hearts of open source fans everywhere by announcing future versions of Firefox would come with the ability to play copy-protected content via HTML5, which requires the use of integrated digital rights management (DRM) technology. On Tuesday, Mozilla finally pulled the trigger.

For users who just want to use Firefox, this means that soon you won’t need Microsoft’s Silverlight plugin to watch Netflix. Instead, Firefox 38 will use Adobe’s Content Decryption Module (CDM). Firefox 38 automatically downloads the CDM in the background shortly after you upgrade or do a fresh install of the browser.

The CDM won’t be activated until you first visit a site that requires it. Both Chrome and Safari come with a CDM installed by default.

The impact on you at home: If updating Silverlight to watch premium video sites annoys you, the CDM will put that issue to rest—but not just yet. Netflix is currently testing Firefox’s CDM integration and still required Silverlight on Firefox 38 at this writing. Premium video sites that use HTML5-based video should switch over to CDM-based viewing for Firefox in the coming weeks.

DRM with a key difference

At face value, it may appear like you’re trading one DRM-playing plugin for another, but the change has been a source of contention within the open source community. The main problem is that Firefox, which is an open source browser, now downloads and installs a closed source solution by default.

The big concern with closed source programs is that you can’t look at the code to see if it’s threatening privacy by leaking data, or if it has a giant security vulnerability that no one knows about. Those concerns are true of both Silverlight and Adobe’s CDM, but at least with Silverlight the plugin was installed on a per-user basis as opposed to an automatic install for everyone.

To overcome the security concerns, Mozilla limits how the CDM can interact with the rest of the browser by putting it in a sandbox. This stops the CDM from interacting with data or features it doesn’t require to run, and limits the harm if a malicious website exploits a vulnerability in it.

Mozilla felt it had to integrate Adobe’s technology into the browser due to the popularity of CDM-using services like Netflix and to maintain feature parity with competing browsers.

Just another plugin

Instead of baking in the CDM solution like other browsers, Mozilla is also giving users a high degree of control over the CDM just like any other plugin.

You can disable the plugin by typing about:addons in the address bar and clicking Plugins in the left-hand navigation column. Then select Never Activate from the dropdown next to the Primetime Content Decryption Module provided by Adobe Systems, Incorporated 9 plugin.

Anyone who wants to remove the CDM after it is automatically installed can type about:preferences#content in the address bar and uncheck the box next to Play DRM content.

More fierce opponents of CDM integration can also download a version of Firefox from Mozilla’s site that doesn’t install the CDM.
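For anyone who manages several Firefox profiles and wants to confirm that the Play DRM content box is really unchecked, the following added example (not from the original article or from Mozilla) reads a profile's prefs.js and user.js and reports the setting. It assumes the checkbox is stored as the media.eme.enabled preference, a name the article does not give; the sample file contents are constructed.

```python
import re

# One line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("media.eme.enabled", false);
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Assumption: preference behind the "Play DRM content" checkbox (not on the page).
EME_PREF = "media.eme.enabled"


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, malformed entries
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def drm_playback_state(prefs_js, user_js=""):
    """Classify a profile as 'disabled', 'enabled' or 'default' (never set)."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))  # user.js is applied on top at startup
    if EME_PREF not in merged:
        return "default"  # the browser build's own default applies
    return "enabled" if merged[EME_PREF] is True else "disabled"


if __name__ == "__main__":
    # Constructed sample profiles, not taken from a real installation.
    samples = {
        "opted-out": 'user_pref("media.eme.enabled", false);',
        "untouched": '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);',
    }
    for label, body in samples.items():
        print(label, "->", drm_playback_state(body))
```

A profile reported as "default" has never had the checkbox changed, so it follows whatever the installed build ships with.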
