Is the United "DRM Plug-In" Required for Movies a Security Risk?
#1
FlyerTalk Evangelist
Original Poster
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
Techdirt: United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights
https://www.techdirt.com/articles/20...-flights.shtml
Can the more technically-literate among us comment? (I don't consider myself much of a computer security expert).
On Twitter yesterday, Brian Fitzpatrick, a tech entrepreneur, noted that while trying to enjoy the in-flight entertainment on the United Airlines flight he was taking, the in-flight Wi-Fi system told him he needed to install its special brand of DRM. They didn't even try to sugarcoat it with some fancy confusing name. It's literally called the DRM plugin:
. . .
The "requirements" on United's website only show "the latest version" of various browsers (oddly, Chrome is excluded -- which we'll get to) and Flash Player 15 or higher.
. . .
Notice the more detailed instructions to get it to work in Chrome (and the earlier note about how this system doesn't support Chrome)? That's because the plugin is using NPAPI, which is a security nightmare and is no longer supported in Chrome for security reasons. As the Chrome team has noted: "NPAPI is a really big hammer that should only be used when no other approach will work."
So, not only is United trying to install unnecessary and annoying DRM on your computer, it's also doing so in a way that is recognized as being a security nightmare.
. . .
#2
Join Date: Jan 2009
Location: LHR (sometimes CLE, SFO, BOS, LAX, SEA)
Programs: UA 1K
Posts: 5,893
Jeez, are they really using an NPAPI plugin?
I'd be less worried about security problems and more worried about compatibility/maintainability problems, given that Google says
In April 2015 NPAPI support will be disabled by default in Chrome and we will unpublish extensions requiring NPAPI plugins from the Chrome Web Store. Although plugin vendors are working hard to move to alternate technologies, a small number of users still rely on plugins that haven’t completed the transition yet. We will provide an override for advanced users (via chrome://flags/#enable-npapi) and enterprises (via Enterprise Policy) to temporarily re-enable NPAPI while they wait for mission-critical plugins to make the transition.
In September 2015 we will remove the override and NPAPI support will be permanently removed from Chrome. Installed extensions that require NPAPI plugins will no longer be able to load those plugins.
( http://blog.chromium.org/2014/11/the...for-npapi.html )
The screenshot in the linked article shows that, in fact, UA is using software which is gonna stop working altogether in September for Chrome stable users. Oof.
In fact if you've used the old pre-Hangouts Google Voice plugin in Chrome stable since April 2015 you've seen this compatibility issue.
#3
Join Date: May 2009
Location: EWR
Programs: UA .5M, Vistana 1-Star owner
Posts: 992
YouTube successfully uses secure yet plugin-less HTML5 video. UA can't because it's unwilling to invest the development dollars. Its plugin is worse than just NPAPI since it needs Flash which is itself a giant security nightmare which all modern browsers (Safari, Firefox, Chrome) have banned at 1 time if not always. Good job, UA.
#4
Join Date: Jan 2008
Programs: UA 1K
Posts: 246
Last time I checked, the DRM module contains various references to Panasonic - I assume that they're the ones implementing the system. United have kind of an awkward choice to make here. HTML5 DRM support isn't ubiquitous, so you'll have a lot of customers with older browsers who can't use it. Pepper isn't supported on anything other than Chrome. NPAPI will work in Firefox, Safari and IE. Assuming that the studios refuse to let them stream material without strong DRM, what should they be using?
#5
FlyerTalk Evangelist
Original Poster
Join Date: Aug 2005
Location: Chicago
Posts: 11,513
Techdirt closed with the following:
So Panasonic is certainly the source of the plug in. (Techdirt has an angle in case no one noticed).
In the interest of science, Fitzpatrick dug a little deeper and discovered that the "DRM plugin" in question is actually Panasonic's Marlin DRM -- something we actually wrote about years ago, as an attempt to create an "open source" DRM. Though, amusingly, Fitzpatrick notes that the DRM comes with strong copyright warnings itself:
This Software Product is protected by copyright laws and treaties, as well as laws and treaties related to other forms of intellectual property. Panasonic Avionics Corporation or its subsidiaries, affiliates, ad suppliers (collectively "PAC") own intellectual property rights in the Software Product. The Licensee's ("you" or "your") license to download, use, copy, or change the Software Product is subject to these rights and to all the terms and conditions of this End User License Agreement ("Agreement").
How sweet. You need to abide by Panasonic's rules when you install its security nightmare of a DRM you didn't want, just to watch an in-flight movie.
And, really, after all this, people should be asking but why? What "threat" model requires United to force dangerous malware onto your computer? And the answer is likely that Hollywood requires it, because to Hollywood everything is a threat, and the idea that someone might be paying hundreds of dollars for flights and they might also then make a copy of a movie... well, that's just too much to handle, and they have to first ask you to break your computer and put all your data at risk. Isn't that sweet of Hollywood? Oh wait, no I didn't mean sweet. I meant insane.
I'm sure that United Airlines didn't think through much of this and the details when it agreed to these ridiculous terms. It just thought it was adding an option that sounded nice. Letting people have access to more entertainment options, including on their own devices sure sounds like a nice option for some passengers. But if it comes with forcing people to put their computers and information at risk, it gets problematic fast.
#8
A FlyerTalk Posting Legend
Join Date: Apr 2001
Location: PSM
Posts: 69,232
If you are using the United App then the DRM software is integrated into the app already.
A safe assumption and a question to which there is no good answer. Other than to stream on a PED via the app rather than on a laptop.
#9
Join Date: Aug 2008
Location: DCA, IAD (not BWI if I can help it)
Programs: UA 1MM 1K, Marriott Gold, Hyatt Explorist, status-free on AA, AS, B6, DL, WN, Amtrak, etc.
Posts: 1,481
You don't need the plug-in for all of the streaming entertainment - I watched a TV show or two without it last year.
#10
Join Date: Mar 2013
Location: MCI
Programs: National Executive, Hertz Five Star, Hilton Diamond, BW Diamond
Posts: 323
#11
Join Date: Apr 2005
Location: Ann Arbor Area
Programs: UA Million Miler, BonVoyLifetime Platinum, UA Platinum, President's Club,
Posts: 1,494
I was just advised to install Chrome for my 9 hour flight next month. Do I not need it? I'm not computer smart in any way, and I have an iPad and a MacBook Pro. Both times I tried to use streaming I only got some TV shows, not any of the films they offered. If they're now requiring the 777-4 fliers to bring their own devices as opposed to the DTV or On-Demand, it shouldn't be so difficult to get streaming video.
I'm now quite worried about my very long flight to Hawaii as streaming never works for me. I have the United App on my iPad and it's in my bookmarks on my laptop. I have NO idea how to get the app on my laptop other than bookmark it.
So now I need some plug in as well?
#12
Join Date: Aug 2008
Location: DCA, IAD (not BWI if I can help it)
Programs: UA 1MM 1K, Marriott Gold, Hyatt Explorist, status-free on AA, AS, B6, DL, WN, Amtrak, etc.
Posts: 1,481
Installing Chrome is a good idea on general principle, as it's a good deal more secure than Safari. But it's not required to watch UA's streaming video if you'll bring an iOS or Android device on the flight with UA's app installed.
#13
Join Date: Jul 2006
Location: California
Programs: AA EXP, lowly UA 1K; Hyatt Diamond, SPG Gold, Hilton Gold; National EC, Hertz PC
Posts: 2,214
With that said, they are using some similarly special codec as that thing sucks down battery life on your device. About 2-3x faster than when I stream in any other program (Netflix, Xfinity, etc.). Typically I see about 10%/hour battery depletion on my iPad, on UA app it is closer to 25%. Wish they would get their act together (especially on those A320s that have no power plugs).
#15
Join Date: Jul 2007
Location: San Francisco/Sydney
Programs: UA 1K/MM, Hilton Diamond, Marriott Something, IHG Gold, Hertz PC, Avis PC
Posts: 8,157
That doesn't in and of itself mean that any plugin that uses it is a security risk, i.e., the fact that NPAPI is bad doesn't mean that the United/Panasonic plugin is bad.
Not September, it's already happened several months ago. Their in-flight website states that Chrome is unsupported, although technically it can be made to work by re-enabling support for NPAPI in Chrome (it's the ability to re-enable that goes away in September).