
If you add DRM video playback to the fingerprint, it is pretty much impossible to fake...

Either they have a real TPM with a real nvidia graphics card able to decrypt content with a real serial number... Or they don't...

If one graphics card or TPM serial number starts acting bot-like, you can ban just that one.



I browse with DRM disabled. Every time it gives me a notification about it, I view it as a "hah, fingerprinting avoided!" signal.

Sites that use it get my anti-traffic. I don't buy, support, or condone DRM'd media and I actively disable EME on every browser I come across...


> I don't buy, support, or condone DRM'd media

This is good, but it would also be helpful if you supported the anti-DRM movement. Some people have developed ways to get around certain DRM such as Widevine, from dumping your own CDM to Widevine proxy. Just ignoring the problem is not going to make it go away. Over the last two years DRM use for streaming content has increased significantly. If you want to really help, I would look into contributing code to these projects, or donations.


I'm not seeing how that doesn't help support DRM?

It does nothing to dissuade content gatekeepers from employing restrictive DRM on their sites.

Anti-DRM would be avoiding anything that gives money to those that employ DRM to incentivize the removal of the DRM. Frankly, flat out piracy (streaming ripped content) is more likely to result in the removal of DRM than making it appear that the DRM is working well for the provider.




We don’t want to deal with having to be forced into having specific hardware, operating systems, and browsers to watch content we paid for. I’ve had perfectly good monitors that were before HDCP was a thing, and these sites gimp the quality or outright refuse to play media because the monitor didn’t have some bogus technology.


Even as someone who isn't in the slightest interested in unauthorised copying of content, watching videos on anything which isn't VLC on my laptop is such a PITA that I never do it.


DRM has a huge impact on what I consume. For example only being able to watch Netflix at 720p due to running a *nix distro.


Good for you.

There are sites that commercially distribute DRMed video content; say, Netflix. They have a large audience, and they care, whether you and I like it or not.


Using Netflix as the example, Widevine L1 has very limited support on the desktop, i.e. Microsoft Edge on Windows and Safari on macOS.

All other configurations use L3 which is a shared key, e.g. provided by ChromeCDM as it runs entirely on the CPU - which is why Netflix content also works under Linux, albeit L3 is limited to 720p (or 1080p with browser extensions).

Given Chrome's massive browser market share, I'm not sure whether enabling DRM adds anything meaningful to the fingerprint - i.e. I don't think it's possible to revoke an L3 key without pushing out a new version of the CDM to all users of that browser, as has happened once before with Chrome.

FWIW I've tested that Widevine L3 decryption works using a "headless" docker container running Chrome. The only caveat to add is that Chrome must not be started with --headless, but you don't need a real GPU either, Xvfb works just fine.


I've never used Netflix (or other streaming sites like them) because of the DRM. YouTube manages to prove that a streaming model can be very, very profitable without it at all, as does BBC iPlayer.


YouTube uses DRM for licensed content like TV shows.


How much of that audience is watching on a device without a video card? Almost none.


AFAICT, the server can avoid serving the DRMed content until the browser proves it has a legitimate DRM-respecting playback capability, which is designed to be hard to feign. That is, unless something like [1] is correctly implemented in the headless mode, DRM content won't be available anyway.

Am I missing anything?

[1]: https://developer.mozilla.org/en-US/docs/Web/API/Navigator/r...
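The capability check this comment describes, as an added example that is not from the thread: a page asks the browser for Encrypted Media Extensions (EME) access to a key system before it bothers serving DRM'd media. The Widevine key-system string and the minimal configuration are standard values; the `nav` parameter is an assumption added so the function can be exercised with a stand-in object outside a browser.

```javascript
// Added example, not from the original thread.
// Probe whether the browser exposes a working EME key system. A site that
// gates DRM playback on this signal never sends encrypted media to a client
// that cannot prove it has a CDM, which is why a user with DRM disabled (or a
// CDM-less headless build) simply sees no content rather than a decode error.
const WIDEVINE = "com.widevine.alpha";

// Minimal request: one H.264 video track, CENC init data, temporary session.
const EME_CONFIG = [{
  initDataTypes: ["cenc"],
  videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  sessionTypes: ["temporary"],
}];

// Resolves to a small outcome record instead of throwing, so the caller can
// log "no API", "rejected" and "ok" uniformly. `nav` defaults to the real
// navigator; tests pass a stand-in object (assumption, not a browser API).
async function probeKeySystem(nav = globalThis.navigator, keySystem = WIDEVINE) {
  if (!nav || typeof nav.requestMediaKeySystemAccess !== "function") {
    return { keySystem, supported: false, reason: "no EME API" };
  }
  try {
    const access = await nav.requestMediaKeySystemAccess(keySystem, EME_CONFIG);
    return {
      keySystem,
      supported: true,
      reason: "ok",
      config: access.getConfiguration(),
    };
  } catch (err) {
    // Firefox with DRM disabled and Chrome builds without a CDM land here;
    // the error name (typically NotSupportedError) is all the page learns.
    return { keySystem, supported: false, reason: String((err && err.name) || err) };
  }
}
```

In a browser, `probeKeySystem().then(console.log)` shows the same signal the Firefox DRM notification reacts to.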


What use case is there for accessing DRM video content using a headless browser?


Automated downloading of the content, I assume.


I love the contrast in these comments. On the one hand you have all the people arguing that headless Chrome is unethical because websites need to be able to block bot traffic, and on the other you have actual humans saying they try as hard as they can to behave like a bot.


> ... actual humans saying they try as hard as they can to behave like a bot.

Blaming humans for desiring privacy is bad. No one here is "trying to behave like a bot".

Exaggerated example: "Oh, you don't want to show me, a random stranger on the internet, your ID? You are behaving like a crook!"


I'm not blaming people for wanting privacy. I'm just saying that if you value privacy, you can't also value blocking bots, because in order to block a bot you have to collect enough information to violate the real people's desire for privacy.

And there seems to be significant overlap between the people who think enabling bots is morally wrong, and people who think fingerprinting is morally wrong. If you value privacy, you have to value privacy for all web users even before you've collected enough data to determine whether that web user is a real person or not.


TPMs do not reveal a unique serial number or similar identifier by design for privacy reasons.

A TPM can attest that some measurements were done with it and it can attest that it comes from vendor X. You can block an entire vendor if they don’t behave but not individual TPMs via remote attestation.

You can use a scheme in which you can set up an "identity" on first use and then on next use authenticate the same identity. But that identity is kinda per use case.


I was under the impression that the EK could be used to identify individual TPMs. Why can't it?


I don't believe DRM fingerprinting is used in the wild. Firefox shows when DRM is being used (like Netflix) and I've never seen it used outside that.


Reddit's website uses DRM for fingerprinting - https://iter.ca/post/reddit-whiteops/


Maybe they changed their mind on that, because it does not show me any DRM usage as of now.


> If one graphics card or TPM serial number starts acting bot-like, you can ban just that one.

I don't think you can get the serial number, though?

(And if there was an API for this it wouldn't be a passive one, which makes it inapplicable for fingerprinting)


Also shutting out a lot of older and weird devices (internet fridges, dumb smart TVs, and more, many Linux and BSD users) who can't play DRM.

Some sites won’t care, but for some this will be too high a price for avoiding headless bots.


How does this work? Wouldn't a lot of real user-agents not have this capability and therefore not be able to be fingerprinted and banned in this way?


Can you report back the TPM serial number to the webserver?

If so, why isn't this used as an immutable ever-cookie that can't be deleted?


You can't, the parent comment has combined a few real world possible things into an impossible combination.


Why couldn't they just use a software TPM?



