Mozilla gags, but supports video copy protection in Firefox 38

Mozilla yesterday updated Firefox to version 38, patching 15 security vulnerabilities and integrating an Adobe anti-piracy technology for playing protected media, like the movies and TV shows offered by Netflix, Amazon and Hulu.

Firefox 38's most notable enhancement -- and the one that Mozilla called out in a Tuesday blog post -- was support for digital rights management (DRM), the over-arching label for technologies that prevent people from pirating video, audio and written content.

Mozilla, like other browser makers, has been trying to dump the decades-old model of relying on third-party add-ons or plug-ins to play media. Instead, browser developers have adopted HTML5, the latest version of the Web markup language, to handle those chores, part of an effort to improve security and performance.

Trouble is, Netflix and others rely on plug-ins -- especially Adobe's Flash and Microsoft's Silverlight -- to both play their content and protect it from copying.

Firefox 38 on Windows Vista and later will automatically download Adobe's Content Decryption Module (CDM), which will activate the first time a user plays DRM-protected content that calls on the module. Netflix and others have been testing DRM using Adobe's CDM for more than a year.

Mozilla first announced it would adopt DRM in May 2014, when the head of the Mozilla Foundation, Mitchell Baker, acknowledged that copy protection "goes against Mozilla's fundamental approach," but said that it had no choice but to hold its nose.

"We've contemplated not implementing the new iteration of DRM due to its flaws," Baker wrote in a May 14, 2014 blog post. But "a browser that doesn't enable video would itself be deeply flawed as a consumer product."

Yesterday, Mozilla said much the same even as it announced the results of its year-long project. "We don't believe DRM is a desirable market solution, but it's currently the only way to watch a sought-after segment of content," said Denelle Dixon-Thayer, who heads business and legal affairs at Mozilla.

As promised by Baker, Mozilla has taken several steps to assuage concerns of its users, who are more sensitive than most to copy protection because DRM is, for obvious reasons, proprietary and its secrets closely guarded. Mozilla's self-described mission is to push for an open, transparent Internet, illustrated best by Firefox, whose open-source code can be viewed by anyone.

The Adobe CDM downloaded by Firefox 38 is isolated within a "sandbox," technology designed to limit code interactions with the browser itself, and quarantine it from the device and any files stored on it. Mozilla has also published instructions for yanking the CDM from Firefox after the former's installed, and offers an alternate version of the browser sans DRM.

Only the Windows version of Firefox supports the Adobe CDM; Linux and OS X editions do not.

Not surprisingly considering its objections to DRM, Firefox is a latecomer to an HTML5 answer for displaying protected content: Apple's Safari, Google's Chrome and Microsoft's Internet Explorer have all already added DRM-locked HTML5 support.

Firefox 38 also addressed 15 vulnerabilities, five pegged as "critical," Mozilla's highest threat ranking, and six marked "high," the next level down. Among the bugs, two reported by security researcher Holger Fuhrmannek were of note because they were offshoots of similar flaws he had identified earlier, and that Mozilla patched in February.

Firefox 38 for Windows, OS X and Linux can be downloaded from Mozilla's website. Users of the browser will receive the update automatically.