On Chrome Dropping H.264

The Chrome team announced they are dropping support for H.264.

WebM Support

WebM support will be growing quickly as Firefox 4 rolls out (Firefox upgrade adoption is legendary). Chrome commands sizable market share and is pushing the Chrome OS platform. Opera is also supporting WebM.

Apple and Microsoft could join the party and bundle WebM support along with the other codecs they support at any time, though they are licensors for H.264 and wouldn’t benefit from WebM market penetration. Microsoft’s implementation does allow for VP8 support if a codec is installed. I’m not aware of anything for Safari and am rather certain nothing can be done for the iPhone without Apple intervening.

On the hardware side AMD, ARM, Nvidia are backing WebM. Broadcom announced support, as did Qualicomm and TI. These are major vendors for mobile chips. Intel is working on stuff too.

H.264 Trouble

H.264 is problematic and bad for the web for many reasons I’ve mentioned here before as well as great posts by roc and shaver. I’ll leave it at that rather than rehash.

There was buzz a while back about H.264 being “free” (quotes intentional), but it’s not really “free” if you read the fine print. As Peter Csathy of Sorenson Media notes:

But, you say, MPEG LA recently announced that it will no longer charge royalties for the use of H.264. Yes, it’s true – MPEG LA recently bowed to mounting pressure from, and press surrounding, WebM and announced something that kind of sounds that way. But, I caution you to read the not-too-fine print. H.264 is royalty-free only in one limited case – for Internet video that is delivered free to end users. Read again: for (1) Internet delivery that is (2) delivered free to end users. In the words of MPEG LA’s own press release, “Products and services other than [those] continue to be royalty-bearing.”

That’s hardly “free”. That’s just one potential use case that’s now royalty exempt. The reason they are doing that is presumably if they can get H.264 adoption high enough, all the other cases will be paying and therefore subsidizing this one case.

WebM is licensed a little different: Patent wise, it’s irrevocably royalty free. License is about as liberal as you can get.

There’s no proprietary html, css, or images (GIF was, now it’s dead) used across the web. Why should video be any different? The key to success and growth has always been an open platform that’s low cost and encourages innovation.

Implementing Today

For anyone who suggests that this further fragments the market, that’s not really true. Adobe Flash actually creates an excellent shim to help migrate away from Flash to <video/>. Allow me to explain:

Adobe will soon be supporting WebM through Flash. Adobe already support H.264 in Flash. For legacy browsers and those who won’t support WebM, you have the option of delivering a Flash experience just like most websites do today. There are websites doing this today via Flash and H.264. For modern browsers you can just use <video/>. Once your non-WebM market share drops low enough, you can get rid of the Flash experience. Soon enough you’ll be able to push WebM to your Flash users. The benefit of switching your Flash experience to WebM as a middle step would be one encoding for both delivery mechanisms vs. using H.264 and WebM in parallel. Of course if you’re supporting mobile you likely need H.264 for a bit longer but likely use a smaller resolution and different profile for mobile consumption.

No matter what there will be two delivery mechanisms for those looking to push video using HTML5 to users today. The only thing that changes is the lean towards standardizing on the actively developed WebM codec vs. H.264.

All new technology has speed bumps, that’s the cost of being on the bleeding edge. However this is a positive turn as things are now starting to line up. The most awesome thing is that the codec, HTML5 specs, and some of the most popular browsers in the world are open and inviting feedback and contributions to improve things.

Firesheep Is Just The Messenger

I must say that I’m glad to see there are no plans to pull Firesheep. Add-ons have a lot of power since they run in a privileged space. Anything your browser can access, your add-ons can access. The point to being able to kill add-ons was to protect the user in situations where an add-on was either bundling malware or sending information without the users consent. Firesheep does none of that. It behaves exactly as advertised. It also causes no harm to the user or their computer.

Firesheep doesn’t do anything that couldn’t be done with a packet sniffer, it just makes it trivial enough that the average person can do it. It just makes a flaw in many websites more visible. The more technical folks have known this for years. Firesheep is just the messenger. These insecure bits of traffic have traveled across the wire for a decade or more. All traffic across Ethernet is visible to all devices. This is how Ethernet works. The network is a shared medium. It’s just a matter of looking at it. WiFi is a slightly different ballgame but at the end of the day if a wireless signal is unencrypted, it’s just a matter of listening.

I am not a lawyer (nor do I play one on TV) but from a legal perspective I suspect Gregg Keizer is correct in suggesting that it’s likely legal under federal wiretapping statutes (ethics is another debate). However a company likely can still fire you for using it, and a school likely can still kick you out for using it on their network. Private networks have their own rules and policies.

That covers the detection of a session. If you were to actually session jack, that would likely be considered fraud, hacking, identity theft, etc. depending on what you do. Generally speaking, unauthorized access to a computer system is illegal. If you are using someone else’s credentials, that’s by definition unauthorized access.

Electronic communications law is hardly considered developed or mature but generally there isn’t an expectation of privacy when no encryption is used and transmission is done over a shared connection. It’s akin to speaking to someone on the street and being overheard. That said, if someone reads their credit card number while on a cell phone call and you use the credit card information you overheard, it’s still fraud regardless of the interception method.

Bottom line: It’s time to start securing connections.

Decrypting The Internet

Bruce Schneier on the new wiretapping proposal:

Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.

Official misuses are bad enough, but the unofficial uses are far more worrisome. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and the people you don’t. Any surveillance and control system must itself be secured, and we’re not very good at that. Why does anyone think that only authorized law enforcement will mine collected internet data or eavesdrop on Skype and IM conversations?

I 100% agree here. A security vulnerability, intentional or not is a vulnerability. Even systems with no known security holes are eventually broken. Look at the recent reverse engineering of HDCP, which was theorized as vulnerable in 2001 but not broken for several years, a pretty good run. Eventually all security mechanisms will be broken. Starting with something broken just increases the window of opportunity for abuse and misuse.

In theory this proposal could (I’m no lawyer, I don’t even play one on TV) even impact things like Firefox Sync (Formerly Weave) which employs the best security mechanism I’ve seen in a service. To summarize, it works by encrypting your data before transmission to the server. However the key is never sent. That means even if the Gestapo took the servers with your data, they would still need to get the key from you, or do battle with the encryption which isn’t easy. Even Mozilla can’t read your data, unless a flaw were found in the encryption algorithm. The question is if sync were considered to fall under “services that enable communications”. That seems broad enough to leave room to argue that sync facilitates communication since the browser is the ultimate communication client. The browser is also valuable since it potentially has passwords, bookmarks, and history giving a good motivator to make that argument. Argue that to a 75-year-old judge who never used a computer and it might work.

Meanwhile just weeks ago UAE ironically gets criticized by the US for proposing a Blackberry ban for the same reasons.

Protecting Photo Privacy Via Browsers

Browsers can do more to protect users from inadvertently violating their own privacy. The NY Times today had an article about a topic that has been discussed in various circles several times now. The existence of geotagging data in photos. Many cameras, in particular smart phones like the iPhone can tag photos with GPS data. This is pretty handy for various purposes including organizing photos at a later date, iPhoto for example does a pretty nice job of it. Most photo applications however don’t make this information very visible, as a result many users don’t even know it exists, others simply forget.

What the problem looks like

The data, embedded in a photo looks something like this:

GPSLatitude                    : 57.64911
GPSLongitude                   : 10.40744
GPSPosition                    : 57.64911 10.40744

Which I could map.


I propose that browsers need to have a content policy for when users upload images that can better protect them from uploading information they may not even realize. Here’s what I’m imagining:

The first time a user attempts to upload a photo that has EXIF or XMP data containing location they are prompted if they want it stripped from the image they are uploading. The original file remains unharmed, just the uploaded version won’t have the data. They can also choose to have the browser remember their preference to prevent being prompted in the future. They can revise their choice in the preferences window later if they want. This isn’t to different from how popups are handled. I thnk that per-site policy might be too confusing and not warranted, but perhaps I’m wrong.

Warning users about hidden information they may be revealing is a worthwhile effort. It’s only a matter of time before someone uses a “contest” or some other form of social engineering to solicit pictures that may reveal location data for users. Evildoers always find creative ways to exploit people.


There are a notable caveat to this approach. The most notable is that flash uploaders would bypass this security measure though individual uploaders could do it themselves, or Adobe could do it, but I don’t think that’s enough of a turnoff to this approach. The same caveat applied to “private browsing” in browsers.

Prior Work

As far as I know no browser actually implements a security feature like this yet. There are a few Firefox Add-ons like Exif Viewer and FxIF (both written in pure JavaScript) that look at EXIF data but nothing that intercepts uploads.

Who Can Do It First?

I’m curious who can do it first. By add-on (seems like it should be possible at least in Firefox), and dare I say include in a browser itself? If this were earlier in the year I would have added this to the Summer of Code ideas list. Instead I’m just throwing it into the wind until 2011 rolls around.

Firefox Home: Adults Only

Firefox Home iTunes WarningApple posted the Firefox Home application, which complies with Apple’s policies by using WebKit as opposed to Gecko. Regardless, for whatever reason Apple feels that Firefox Home is a NC-17 application.

Presumably the reasoning behind this is that since a web browser can view anything on the internet and 12% of it is porn among other things out there.

If Apple really feels the Firefox Home app is dangerous, why doesn’t it update Safari so that it warns people of the risks before first use? Presumably a fair amount of iPhone users are under 17 and potentially unaware of the risks. Should parents be warned in the store? Safari is a default app and included in every iPhone that ships.

Other web browsers like Opera and Perfect Browser have the same restriction but much less verbose warnings (only “Frequent/Intense Mature/Suggestive Themes”). At least two others, iCab Mobile and Browser has the same warnings as Firefox. Apple isn’t very consistent.

Meanwhile the Twitter app (formerly Tweetie) will let you “follow” porn starts who will provide services if a particular team won the world cup. It also embeds a web browser that will go to links in tweets regardless of content. That app is rated 4+.

This strikes me as inconsistent and unnecessary.

Edit: This is the dialog presented when you try and download it. This must be one hardcore app:

iTunes Firefox Warning Dialog


In August 2009 after the On2 announcement, I suggested that Google might open source a codec in hopes of derailing OGG which it feels is inferior as well as h.264 which is patent-encumbered. Google took VP8, the successor to the popular VP7 codec and started The WebM Project. To quote the project page:

WebM is an open, royalty-free, media file format designed for the web.

WebM defines the file container structure, video and audio formats. WebM files consist of video streams compressed with the VP8 video codec and audio streams compressed with the Vorbis audio codec. The WebM file structure is based on the Matroska container.

Google describes the license as “BSD-style”. A very good move since it’s liberal enough to encourage widespread open and proprietary inclusion. GPL is to viral for some potential adopters.

Software Support

For the browser side, Chromium and Firefox Nightly builds support WebM starting today. Opera and Google Chrome to come shortly.

Google also created patches against FFmpeg for encode as well as decode and created DirectShow filters which are available for download. I suspect by way of libavcodec we’ll see support in lots of other products in the near future.

Microsoft will support VP8 in Internet Explorer 9 if you have the VP8 codec installed. Not quite “support”, but better than nothing.

Adobe is also supporting VP8 in Flash, which means content producers can eventually kill VP7 and VP6 encoding and use VP8 to reach most of their audience. This is very important as encoding videos into several formats is costly and time consuming (I know this very well).

Hardware Support

Google has already said they are working with video and silicon vendors to add VP8 hardware acceleration to their chipsets. I suspect newer phones in the near future will be supporting it. Especially if they run Android.


Google is supporting WebM in the HTML5 test for YouTube which I mentioned a few months ago. I suspect we’ll see lots more support in the very near future.


Even more telling of the potential than the above is the list of supporters which contains some big names who can put a lot of weight behind hardware/software/content support. AMD (who owns ATI), NVIDIA, Marvell (lots of mobile chipsets), Qualcomm (think mobile chipsets), TI, Broadcom, ARM on the hardware side alone is impressive. If the majority of them add hardware support to their upcoming offerings, that will be game changing. On the software side leaves 1.5 holdouts in the web video world: Apple (1) and Microsoft (0.5).

This is a game changer.

YouTube HTML5 + Firefox

Google has been a long time supporter of HTML5. They recently launched a HTML5 beta of YouTube however it will only work in Safari and Chrome. The reason for this is not due to the actual markup but the video codec chosen. YouTube is using h.264, the same codec used for YouTube HD via Flash. This works in Safari and Chrome because Safari uses QuickTime to render <video/> and Google licensed h.264 for Chrome. Firefox however doesn’t include the proprietary codec for licensing reasons. It’s not a matter of cost but principle.

IE is supported through “Chrome Frame” which is essentially the Chrome browser in IE’s chrome. Your really just browsing the YouTube site with Chrome. Google could use this as a way to get people away from Flash and IE and onto Chrome one way or another.

I discussed the h.264 debate in more depth a few months ago.

You have to wonder why we don’t want anything proprietary slipping into HTML5, or want proprietary image formats (GIF turned us off to that) but exceptions are made for video.

Edit 1/23/2010: More on the topic:

Edit 5/21/2010: Thoughts on WebM.

Things You’ll Love About Firefox 3.6

To be honest Firefox 3.6 is a little lighter on Features than Firefox 3.5. It’s more about refining and improving than bells and whistles. Here are the things I feel are really noteworthy.

User Centric Features

UI Speed – Many things in the Firefox 3.6 UI have gotten faster. For example startup time has been improved thanks to various optimizations. My personal favorite is the awesomebar is now asynchronous, if you don’t know what that means, just trust me that it makes things feel faster if you have a slow hard drive like in a laptop.

JS/Video Speed Improvements – TraceMonkey, the fast JS engine has gotten some tweaks to improve performance even further. Seeking in <video/> is now much faster than it was in Firefox 3.5.

Focus – UI geeks will note that Firefox has had a few issues regarding focusing elements. Thanks to some refactoring it’s vastly simplified and improved.

Personas – Firefox has always supported theming, but it’s a complex process to build a theme and it’s prone to breaking as the UI evolves between versions. Personas is a light weight system to customize the look of the browser’s chrome.

Plugin Update Notification – A big cause of Firefox crashes, and security issues actually aren’t related to Firefox directly but plugins. Firefox can now notify you when you need to update a plugin helping you to keep your system as stable and secure as possible.

Full Screen For <video/> – Firefox can play native <video/> but thus far had no method to go full screen. Apple may want you to pay for “Pro” for full screen but with Firefox 3.6 you get it at no extra charge.

DLL Blacklist – To improve security/stability Firefox now has a DLL blacklist and can prevent other DLL’s from interfering with Firefox. This is Windows only at this time.

Opening Links In New Tab Position – When you opened a link in a new tab in previous versions it opened in a new tab on the far right, with lots of tabs open this created confusion as you may have several different tabs open on various things your doing. Now this will result in the new tab being created to the right of the current tab. If you don’t like this behavior you can set tabs.insertRelatedAfterCurrent to false. It takes a little getting used to, but it’s worth it.

For Developers

-moz-background-sizeThis is exactly what it sounds like. I’ve wanted to do this a few times in the past.

Poster frame for <video/>Poster frames are now supported for <video/>. It’s a small bit of polish but will hopefully benefit design and perhaps even SEO down the line.

Web Open Font Format (WOFF) – Imagine an open font format that supported compression and meta data. Now imagine that a lot of font foundries have expressed support for it. WOFF!

async attribute for <script/> – It’s simple enough, the async attribute is now supported. Those who care about performance have wanted this for a long time.

Using Files from Web ApplicationsThis is a huge step towards making web applications first class citizens. Hopefully we’ll see support for this in Google Docs at some point (one of the apps I think could best make use of this).

HTML5 Parser – Firefox 3.6 ships with an HTML5 parser, though it’s disabled for now by default. To enable set html5.enable to true.