Tag Archive for 'browsers'

MPEG LA confirms H.264 license needed for free software and end users

Currently, there is no default video format for use with the HTML5 video tag. The patent- and royalty-free Theora format was planned to be the default, but this was opposed by corporations like Apple and Nokia. The most popular video format at the moment is the heavily patent-encumbered H.264, which is often encapsulated in Flash. As the move to HTML5 gathers steam, the battle for a video format rages on.

The issue of which format becomes prevalent is very important for the future of the open web (and especially Linux). YouTube is one of the biggest providers of H.264 encoded media (currently encapsulated in Flash, but there is an HTML5 beta program) and Google will pay hefty royalties for the privilege.

The question of royalties over use of H.264 has become a popular talking point of late, because while Safari and Chrome support it, Chromium (the free software version of the Chrome browser), Opera and Firefox don’t.

Now, a discussion on the Linux Weekly News site has answered the question of whether the MPEG LA will require free software projects (and developers) to cough up for a license, and enforce that requirement.

The question asked of MPEG LA via email exchange:

I read through the FAQ and can’t find out if Free and Open Source developers and products need to license the MPEG LA patents for MPEG-4 Visual. It was alleged in a comment that royalties are only necessary for products sold, not for free products. Is this correct? Could you please comment on the licensing options for Free (e.g. GPL) and open source implementations of MPEG-4 Visual, specifically h.264? What about downstream users/developers/distributors of Free and open source software?

The answer is a resounding “Yes” and even end users are liable:

In response to your specific question, under the Licenses royalties are paid on all MPEG-4 Visual/AVC products of like functionality, and the Licenses do not make any distinction for products offered for free (whether open source or otherwise)…

I would also like to mention that while our Licenses are not concluded by End Users, anyone in the product chain has liability if an end product is unlicensed. Therefore, a royalty paid for an end product by the end product supplier would render the product licensed in the hands of the End User, but where a royalty has not been paid, such a product remains unlicensed and any downstream users/distributors would have liability.

As an article over at OSNews states, we must ensure that H.264 does NOT become the de facto standard for video on the web:

“In other words, h264 is simply not an option for Free and open source software. It is not compatible with “Free”, and the licensing costs are prohibitive for most Free and open source software projects. This means that if the web were to standardise on this encumbered codec, we’d be falling into the same trap as we did with Flash, GIF, and Internet Explorer 6.”

I guess it’s up to web developers and corporations to make the smart choice. If Google can purchase On2 Technologies, they might release later generation versions of VP (on which Theora is based) to surpass the quality of H.264.

Are all browsers equally vulnerable?

With all these Internet Explorer insecurity issues coming to light, a common argument is:

“All browsers are insecure, just practice safer browsing by not clicking on links in unsolicited mail.”

Sure, that’s an important part of being safe on the net, but it’s only half of the picture. Of course all browsers will have security holes at particular points in time; no software is perfect.

However, what we should be looking at is a vendor’s response to security vulnerabilities. It’s how quickly a vendor can patch a hole and distribute the fix which is most important. (Of course, security by design and underlying operating system are also important factors.)

To that end, I came across an entry in Wikipedia which provides a comparison of unpatched publicly known vulnerabilities in the latest stable versions of major browsers. It is based on vulnerability reports by SecurityFocus and Secunia.

From the list, you can see that all versions of Internet Explorer have dozens of unpatched security holes, while most other browsers have none (Safari and Chrome have only one unpatched vulnerability, which is classified as “less critical”).

According to the latest information, security research firm SecurityFocus reports that IE6 has 396 known unpatched vulnerabilities, IE7 has 15, and IE8 has 32. The oldest known unpatched vulnerabilities for IE6, IE7, and IE8 date from November 20, 2000, May 17, 2007, and April 11, 2009 respectively.

How many does Firefox have? Zero. That’s right. NONE.

So yes, you should practise safe surfing, but the browser you choose will have a MAJOR impact on the overall security of your system (as does the operating system). Anyone who claims that Internet Explorer is just as secure as the other major browsers is either insane or stupid.