This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of it's users hates and none of us can do anything about it, they perhaps have too much market power.
I don't think this is remotely the case. Quite a few tech-savvy people I know (some of them software developers) use Chrome and mostly don't care about whatever Google does with it. I mention "manifest v3" and get a blank stare. I talk about advertising and ad blockers, and most people don't care, with some of them not even using ad blockers.
We really live in a bubble, here on HN. Most people think of privacy as some abstract thing that they have little control over, and are mostly fine with that. And some are even also fine with government erosion of privacy, in the name of "save the children" style arguments, and of corporate erosion of privacy, in the name of getting free stuff in exchange for their personal information.
It's a sad state of affairs. If most people really did care strongly about these sorts of issues, then I think it would be baffling why we haven't seen more change here -- after all, Firefox is a perfectly viable alternative to Chrome that very few people use. But the lack of change is no surprise: most people don't care.
If this weren't true, Apple could just start inserting ads into every iphone's Safari window tomorrow, and Youtube could serve the ad in the same stream as the video to defeat adblockers, and they'd make a bunch of extra money with no downside. The fact that they don't do this suggests that Apple and Google understand this: people only tolerate restricted platforms that do a convincing job of pretending to be unrestricted. In practice, this means that step 1 of Google foisting off user-hostile stuff on us is getting Firefox to include it too, which is presumably why they spend so much money on it.
Multiple bubbles on HN. Obviously, most of us are complicit in some techbro business conventions today that, 30 years ago, would've gotten us shunned by our peers, and reported to the authorities.
(Not that current phenomena weren't foreseen. SF writers had already been all over it. Anecdotally, Internet-savvy techies were often informed by various forward-looking thinking and by world history, and tended to act like stewards rather than exploiters.)
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
When you talk about communications technology adopted at a societal scale, changes in norms and routine have ripple effects. Most certainly one of those is a change in asymmetric power relations by central communications companies, versus the user of their systems who get strictly limited information views of what is happening with their phone calls or emails.
When you have asymmetric power relations with market advantage and secondly literal surveillance at stake, a unilateral change in the service agreement is not a small "oh well" matter.
This single statement "people do not care" does not show all the players, and most especially does not show the players making decisions, the management of the companies making more money or new revenues with new decisions.
This is not support, this is lack of awareness or apathy.
Same for Web Environment Integrity API. Nobody knows what those jargon terms means. That's part of how enshittification works. If everyone knew how badly they were being fucked, this would never work.
If a journalist would explain these news to the masses AND the news has a way to reach the masses.
These days these kinds of news do not make it to broadcasted news and most people do not watch the old broadcasted news.
The news currently get people attention from the news feed on Android and Apples phones. Those feeds recommend only the kind of content you usually interact with. No many people gets tech articles. And you can even argue that there is some extra filters on what news get on the feed in first place.
Maybe it's an extension or three I'm running but I just want to use the bloody thing not sit there and figure out what extension is not working nicely (and then potentially find out it's none of them) on one platform but is fine on another.
Every so often I go back and have look to see if it's improvised but it hasn't in the last few years for me.
Just like I'll have some conversations on WeChat but if I want to talk about Chinese politics maybe I'll do that on another platform.
I don't really see the erosion in the corporate space. The erosion of privacy is happening at the government level. With "forced backdoor" laws and/or just outright forking the internet backbone (ala PRISM). I've never really understood "Corporate erosion of privacy"... It's opposite, Privacy is literally a USP of Apple products. They had to back out changes that hinted at an erosion of that trust with the on-device processing of Photos for cloud-sync. People are more aware than ever.
This quote is from page 2 of the article. It is common for certain HN commenters to remind us that HN is a bubble. True. However, the author of this article is not necessarily in this bubble.
But, honestly, what difference does it make whether HN is a bubble or not. Google is a bubble. The Register, another entity outside the HN bubble, calls Google "The Chocolate Factory".^1 Does it matter that Google is a bubble.
1. Of course it's also common for certain HN commenters to try to broadly dismiss all journalism, on a news aggregator site no less. Maybe there is a pattern here.
Would anyone outside the HN bubble try to discredit the observations about so-called "tech" companies mabe by those inside it. (Besides those with vested interests in so-called "tech" companies.) All evidence I've seen since 2009 points to the contrary.
The problem is that it isn't.
Do you know why Firefox managed to usurp IE6 in the first place? Because it won the adoption and appeal of tech enthusiasts and professionals. Mom and pop (read: the general population) switched to Firefox from IE6 because their tech nerd kids installed it for them, and the enterprise largely moved off of IE6 dependence because the general population moved off.
But the Firefox today is not the Firefox that defeated IE6. Mozilla steadily eroded and destroyed every single thing tech enthusiasts and professionals loved about Firefox, to the point it practically became just a Chrome ripoff. At that point, why bother? Chrome's right there, the real deal.
Not to mention Mozilla happily takes money from Google with no shame at all so their CEO can get her fat paychecks.
Firefox is not a viable alternative, Firefox is literally controlled opposition to pedantically argue Chrome is not a monopoly. Not even the Intel and AMD x86 duopoly is this blatant.
I don't use Firefox because it's slower than Chrome and because their behavior regarding limiting which extensions are available in phones, requiring signed extensions, Firefox Pocket, ads in new tab page, etc, does not exactly give me confidence that Mozilla truly has my interests in mind. In fact I bet they'll implement the nightmare DRM API once it's done swiftly and without complaint lest their money flow suffer.
If Mozilla ever decides to stop screwing around, clearly position themselves as an ally of the consumer, clearly express support for adblockers and put resources into making the browser faster and better and more customizable instead of whatever makes their CEO richer then I'll switch to Firefox even if it is a bit slower or has some flaws.
In the meantime uBlock works right now in Chrome which makes it usable, so since Chrome is the fastest right now, Chrome it is.
For example, when Apple makes a user-hostile hardware change, every major Android vendor will copy it in a matter of months[0]. The only thing you can go to after that is niche Chinese phone makers that will cause you a bunch of other pain.
I'm basically completely disconnected from Google at this point. My phone requirements forced me to get a phone without Google Play Services, and I live in a country where Google is not dominant. The only thing that still pops up is YouTube occasionally. (Also it would be nice if I could get my old Google Photos archives exported from Photos, but the export in Takeout keeps erroring! Oh well...)
[0]: Back when I worked at Google, there was a mailing list thread on a big internal engineering mailing list, where somebody point-blank asked "Did we remove the headphone port on the Pixel because Apple did?". The answer from the product team was a whole bunch of wishy-washy word soup, amounting essentially to "Yes".
Did you try different export options? I recently had to do one export and it kept failing but exporting using another option worked. I don't remember which one but it was either email or drive.
They aren't great, just another proprietary browser. Every time I've used it has been sub-par. It reminded me a lot of Opera in that it was very opinionated, even if it tried to offer some feature. Apple makes money off of apps, not websites, though, so it makes sense they don't invest much into their browser.
1. Unlike EME (the controversial web DRM backed by Google that was standardized somewhat recently), the Web Integrity API requires a third-party service, which involves maintenance costs, as well as development costs to constantly adjust to the arms race against all the hackers who really want to thwart these tests.
2. In a "functioning attestation industry", many attestation servers would compete on price to validate users, making the network efficient and robust. I struggle to see this becoming reality because decent attestation would require very complicated techniques for each supported browser, and there is only 1 company that does both significant browser development and also wants to run an attestation server.
3. In a monopolized attestation industry, Google would be the single point of failure for all DRM-protected media on the internet. Google's down? So is Netflix, Hulu, HBO, etc. because they can no longer validate that their users are running an approved version of Chrome. This also give Google an incredible amount of leverage over other companies, because they can change fees and policies unilaterally and there are no alternative games in town. Companies have an incentive not to put themselves in that position.
If the entire media industry coalesces around Google Chrome as the only supported browser for media on the internet, and bestowed this incredible market power and leverage upon Google, then it could work. I find it hard to believe that this will slip past every significant regulatory body on Earth, and any significant gaps in market control would make the scheme unworkable.
On top of all this, a lot of users don't care, which is a problem itself, but also leads to an even harder time trying to navigate a company breakup. The convenience is too great for them, and it's too easy for the above noted companies (alongside other giants like Walmart) to shift public opinion.
The best time to break up Google was 10 years ago.
The second-best time to break up Google is today.
https://www.spglobal.com/marketintelligence/en/news-insights...
How would this have changed the existence of the Web Integrity API?
A competitive market is way more important than Google.
Google Chrome is "open source".
Android is "open source".
ChromeOS is "open source".
Nevermind the truth being more "open source" with proprietary bits (the bits that matter).
So the opening argument often is; well, someone else can enter the market and do what they do. But that's missing the trees for the forest (and the devil's in the details).
They know that making it so tedious means it will only be used by a handful of hobbyist and nothing more significant.
I remember Google+ when they ignored feedback on users hating aspects of it and tried to force it on us using their dominant position and it didn't go very well for them.
Thankfully we have brave, Tor, Arc, Opera, GrapheneOS, calyxOS, LineageOS etc....
If you purchase a pixel phone, and put graphene OS onto it Google loses money.
Their hold on these claims are extremely tenuous. No one would be surprised if Firefox, Bing, or iOS resurged and killed Google’s offering, for example.
The only circumstance where I wouldn’t be surprised would involve regulatory action I see as an outside chance.
They're quite happy scrambling for the crumbs as it is.
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
Complaining is easy, but apparently even small compromises like these are hard.
The only regulatory action we've seen - supported on HN - is to go after their competitors.
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
See, don’t worry, they’re thinking about you, holdout.
Also known as "we'll read what the opponents say, and keep trying to poke them with convincing-sounding arguments until they surrender."
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
This phrases itself as ensuring news sites can block unpaid users, but also targets the Internet Archive, other webpage archives, possibly Reader modes, and more.
"You're trying to access your AWS console, is your laptop patched?"
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
The problematic dude's disdain for humanity aside, the quote serves as a good reminder that the "but the criminals!" argument is often used and rarely justified.
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
This is going to be rough.
What will happen if such a thing actually happens is that the underground market for "trusted device" farms grows, not too different from what's currently already happening but possibly at a far larger scale. Of course, that means the financially motivated scraping services still keep going while the honest individuals wanting user-agent freedom get screwed, just like with many other forms of DRM...
I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.
Once again, Stallman was very prescient: https://www.gnu.org/philosophy/right-to-read.html
How is this, conceptually, any different from sites that used to block IE out of spite?
Would it be acceptable for a website owner to block users from Detroit (78% African Americans)[1] or block users from El Paso (82% Hispanic)[2] because the website owner claims that fraudulent ad clicking is more prevalent from those cities?
Would it be acceptable to only serve web pages to people without disabilities and without a need for specialist accessibility software because it's not economically viable to consider users with disabilities?
Would the poorest 10% of the population be able to access web pages and services delivered over the Internet with old hardware (all they can afford) and with limited computer literacy and limited ability to raise complaints (that are ignored anyway or responded to by an AI algorithm that doesn't care)?
A website owner is still discriminating when they hide behind technology such as AI algorithms, Web Integrity APIs, etc and pretend that their use of such technology is non-discriminatory.
[1] https://www.census.gov/quickfacts/fact/table/detroitcitymich...
[2] https://www.census.gov/quickfacts/fact/table/elpasocitytexas...
I don't agree with doing that either, but whereas things like changing UA headers/page-rewriting proxies would easily get around that sort of discrimination, this is now cryptographically secure.
Governments are scared of encryption because it could be used against them. The population should've realised the same could also apply to them, because it is now actually happening.
UA should be fully deprecated already. It rarely achieves its goals at this point. There are better alternatives.
I really hate this attempt by Google and hope they don't follow through, but why should this be illegal?
Software users agent strings are just an identifier added on by a browser to give the server context, it's not a protected class. Google has every right to gate use of their software however they choose, we can just stop using it.
We don't have a fundamental right to an open internet, no one owes us this. I hope we can get back to the days when the internet was much more open and less commercialized, but that day won't come by legal regulation.
At least you can spoof the user-agent string.
A lot of the push is not for bad actors literally DDOSing servers, but bad users degrading the service for other users. If most users of a service agrees to, for example, run an attestable environment to access a service, then that service should be able to refuse access to users who don’t buy into it.
With Chrome's near monopoly in browsers, most users will run an attestable environment when chrome ships it without ever knowing and agreeing to doing so.
Even if Google manages to "collect" consent, this has so much potential to adversely impact everyone(including businesses) except Google in the long term that it should not be allowed.
First of all I hate this "proposals" which is actually, "we implemented this in our flagship product, and kindly force it on our users, you don't have to use it, if you have a choice", stance.
Then comes all the "ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways." part. I'm using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile the way I want it. I can use links/elinks/lynx/dillo if I want (and I use them, too). Who do you think you are, and how come dictate my software I use on my own computer?
It's 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.
It's maddening and saddening at the same time.
Except in the 90s you controlled 100% of the code running on your computer. Now there are all kinds of treacherous computing with all those "trusted" execution environments and TPMs and all the other bullshit that can't be avoided, with someone else's public keys burned into the silicon.
However; courts, Free Software Movement and alternative operating systems plus Mozilla stopped this.
Now all of them are under attack. Esp. Free and Open Software Movement is being enshittified with a process which we can call as "Rewrite it in Permissive Licenses, so companies can hire you while closing down the ecosystem".
We really need a flood to clear this mess.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It's super telling they know by how they are acting, by locking down the GitHub repo.
It's very depressing how far both Google and Googlers have fallen. What was once a home to innovation, growth, and technical creation is now just ads, abusing their market position to give Chrome an insane advantage during the later years of the browser wars, and more of the same.
It's probably time to bring anti-trust action against Google. Also if you're not already, please move to Firefox and stop using Chrome. Mozilla stands against this and these engineers pushing it [6].
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[3] https://github.com/RupertBenWiser
[4] https://github.com/yoavweiss
[5] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[6] https://github.com/mozilla/standards-positions/issues/852#is...
Having said that, the comment that Weiss links to when citing himself...:
> I understand many folks here are upset about this proposal. I urge you to actually read the proposal, rather than rely on rumors about what it does or doesn't propose. If it's at all helpful, I wrote a few words about ways you can constructively engage with proposals you don't like.
... almost certainly does run afoul of the W3C's provisions for acceptable and unacceptable behavior outlined in the code of ethics and professional conduct. Implying that someone who is "upset" about the proposal is responding to rumors and that it is okay to admonish them to "actually read [it]" is both uncharitable and noxious to the discussion. There's a good reason why HN, for example, has an explicit rule against accusing people of not having read the article.
1. <https://www.w3.org/TR/design-principles/#priority-of-constit...>
Im not a fan of big government and regulation, but if we're going to have anti-trust laws on the books they should be enforced evenly. It's so crazy to me that Bill Gates got raked through the coals for years over IE while Google and Apple have been allowed to get away with much, much worse.
Like the old joke goes “you screw a goat once…”
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
And no curl, no yt-dlp or youtube-dl, no alternative YouTube frontends, no scraping the web to build an alternative search engine.
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
I don't want them to have a say in how I run my devices.
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
Screw that.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
I'm not a super anti-Google person. I use Gmail and Google as my search engine. But Firefox is a good browser that I use as my daily driver, and Edge, Brave, Safari and the DDG browser are other options.
Switch today and start taking away Google's leverage.
So if you really want to disrupt Google's control over the web platform the only options are really Firefox and Safari.
Firefox unfortunately does not have the numbers on their side nor will they seemingly risk their Google payout deal. At this point, if you're using it, you're doing it because it has specific features or extensions you want, or you believe that it's ethically the right choice and you're comfortable with the trade-offs.
(I love Firefox, I just think we need to be realistic here)
Edit: I will actually note, in thinking after posting this comment, that it wouldn't surprise me if Apple was actually down for this proposal. Sigh.
Google's issue if the leverage they have by having Chome used. If it is just a derivative then that lessens their leverage because the vendors of those derivative browsers do have the option of modifying Google's choices.
But if you disagree, then yes, sure: use Firefox.
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
They lost me more than a decade ago when they hoovered clear text passwords from their wifi scanning and blamed it on a single engineer.
I might user Firefox personally, but I'll have my company use Chrome.
Other Google products (Maps, Docs, Gmail) are excellently engineered and usually ahead of their competitors in terms of reliability and feature set.
It's not hard to understand why people use Google products despite the occasional moral qualm.
I don't see how advertising an open WiFi network is much different from advertising an open house. In both cases you should expect visitors.
And for most people in the world, that is "the internet".
I wish I could agree. The internet isn't in nearly as bad of shape as the web is, that's true. But it doesn't look nearly as healthy as it used to, as more and more services are moving to the web and abandoning the internet.
[0] gemini://hackersphere.space
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
youtube, prime video, netflix, banking, github
none of that for firefox users
It would be trivial for them to build a Chromebook, or Android phone, or browser that you can't flip into dev mode, but they've never done that, even though many of their competitors in the space regularly lock users out of their devices.
In a world with attestation, you can't browse any website unless you are using Chrome or another attested browser. The New York Times would refuse to serve content to unattested user agents. That is what would make everyone use Chrome.
And even if they do understand you, in most cases their perception of you is as someone really paranoid about privacy, and yes they will undoubtly ask things like: "so you don't have twitter, facebook, instagram, ...". It's really hard to convince people or at least make them truly see all these dark things going on behind the scenes.
Regular people won't even talk about this, they don't/won't care. As long as they still able to see the content they are requesting this is something that do not affect them, it affects the people that know the shit is going on under the hood because we understand how machiavelic a move like this is.
On the other side if this somehow manages to ever see the light of the day, it's a huge opportunity for other people to come up with alternatives that effectively fight back this initiative and/or bypass it. If there's something that we do not run out of in this industry is creativity, for all sort of things, even the craziest ones, and that's something no corporation will ever be able to mitigate.
Also keep in mind that no browser is going to ever be in the podium eternally. Chrome has a expiry date, we just don't know when it will expire.
It's honestly good for this to get a lot of attention though, I'm happy to see additional commentary on it getting shared.
I'd be curious to know how or if Chrome actually manages the PR around their work. Chrome lead fired off a blog post So you don't like a web proposal which effectively says it's purely a technical decision, and that only constructive technical criticism is regarded at all. https://news.ycombinator.com/item?id=36818409 https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...
But I don't feel like Google has the luxury of letting it's image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
As if something with multiple downstream non-technical effects, is only a technical change
As if you can minimize and dismiss everyone’s fears and concerns as hollow, invalid and irrelevant by waving the magic wand of tis only a wee technical change, to be sure, to be sure
As if everyone’s protests and arguments against can be instantly hosed down, because aye, you guessed it laddie, it’s only a technical change
It’s almost as if the folks at Google think people are so stupid that not only do people not know what they’re talking about, but they’ll actually believe the lie and fall for that deception…
It’s almost as if Google was trying to gaslight the public about this…
If they end up groveling about this, I don’t think “in retrospect, we could have communicated this better” is going to cut it. This is a company the size, scope and sophistication of Google. This is not their first rodeo. They know exactly what they’re doing, and they mean to do it…
To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.
Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.
What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?
The iPhone is a bastion of remote attestation. You can't just rock up and download apps from the iPhone app store using a convenient API, it's restricted so only the iPhone itself can do it. Do Apple engineers hesitate to use their real names? No, because nobody cares and heck HN threads often fill up with praise over the fact that you can't even install apps outside the app store, let alone download apps from it and emulate them on a PC.
Games consoles are fully based on remote attestation. You can't connect a PC to the Xbox or PS gaming networks because they do RA to keep you out. Do the engineers who work on games consoles have to go into hiding? No, because nobody cares. HN never discusses it because it works and lots of gamers, especially the casual ones, prefer it.
Fact is that users like this tech because it solves problems that they'd otherwise have. The web lacks it and therefore has to rely on user hostile stuff like CAPTCHAs, phone codes, magic JavaScripts and social network logins which people hate, so they switch to native apps instead. And devs hate dealing with all the automated abuse they get, so that pushes them towards app-only services too.
It would be more productive to make it impersonal. E.g., by asking Chrome users to abandon it fast.
What would justify targetted harassment, then?
> by asking Chrome users to abandon it fast.
More productive? Or just utterly ineffective?
Mr Amadeo does a good job succinctly explaining the explainer.
This isn't to shit all over Mozilla, this is to highlight that browser choice is irrelevant here, this is not a "war" won by installing another program.
It is:
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
The "privacy sandbox" stuff is a perfect example of this process.
Rinse repeat.
Google needs to be broken up, and the other tech giants too. Bring back competition to the market or we'll continue marching towards Blade Runner corporate dystopia.
If they believe that it's in their best interest, I'm not really sure what we can do against this...
Want to go to an online banking site? Then we'll need to make sure your computer is unmodified and contains no unapproved software.
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
That's just messed up. If like saying if your car detect you have been doing maintenance yourself, you can use this particular brand of carburetor because they will refuse to work.
And they want that... for the web?
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
- https://www.cci.gov.in/antitrust/
- https://www.cci.gov.in/filing/atd
Canada:
- https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-e...
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
Unlike captchas with this you can remove adblockers, greasemonkey/stylus edits, extensions adding download links to your youtube videos, etc, from the picture.
One key difference to Captchas is that since this new system requires no user input, the "cost" of a website requesting attestation is a lot smaller. So it will probably be used more widely.
Web Environment Integrity API Proposal - https://news.ycombinator.com/item?id=36817305 - July 2023 (428 comments)
I also find it funny that the authors point to mobile platforms as an example of how this will work well. Last time I worked with ad tech, mobile ads were flooded with fake impressions, and I highly doubt that has changed. The funny thing about players like Google is that they want to be able to tell advertisers they're doing a lot to prevent fake impressions to get them to buy ads, but they don't really want to solve the problem because it would cost them a lot of money. So they kinda play the line and develop tech like this that sounds fancy but doesn't actually stop the problem in practice.
You'll be filling in captchas 10 times a day, getting randomly locked out of your Google account in the name of security, and whatever new feature they add to their services, they'll find an excuse to require the DRM for it.
Kinda like how Widevine works. No keys means lower quality.
Then, people will DDOS the attestation endpoints because why not.
Without a broad support and public opinion about this, they might shockingly just be able to get this started. Apple and on-device CSAM scanning is something I have in mind about this, as s counter example.
What's a simple narrative non-tech people understand about this? Should I ask ChatGPT?
Sounds pretty sweet from a corp security perspective. Context Aware Access lets you do attestation at SSO time but baking device integrity further into the system would be helpful.
Unfortunately, this gives a lot of power to webpages. I'm not sure it's worth the tradeoff. This seems like something better handled by an extension, but I'll have to read the spec.
If Google does this too then I guess the "mainstream" web will become invisible to me. No great loss since it's mostly thoroughly enshittified anyway.
I'm happy to move to the new un-googled "darkweb" where freedom, anonymity, and non-SEO content still prevail.
Google should've just called this HTTPS+ Everywhere and there'd be no blowback.
That's what's scary about it, because it has the potential to make large parts of the web inaccessible unless you have a signed and sealed OS layer and browser to browse it with.
But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
Of course it's dubious if it applies here, especially because the playing field doesn't feel quite equal, but I think the most effective thing we can do is simply refuse to use websites that require a custom built user agent to access.
Heck maybe we've already mostly lost the battle to keep the internet usable with curl, let's at least try to keep some of the other options open.
One can hope.
What does this change mean? There will be more such people.
Heck, you can run Opera, Vivaldi, Firefox, and Chrome 78 on 2000 or XP with a 2023 build of KernelEx.
The monopoly has been successfully changed ... to another monopoly!
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
Of the FAAMGs my favorite is Google, but this makes me reconsider my position.
* I won't even say relatively unknown, he has 8 followers on GitHub. Simply unknown to the dev community.
https://tildes.net/~comp/18h8/web_environment_integrity_a_go...
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
[Answer: Neither]
The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL's vision for the web in the first place.
The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It's bad and it's a bad system that makes the world worse.
