The freedom problem is this: you will not be able to roll your own keys.
This is probably the biggest nail in the coffin for a ton of computers out there. In theory you could simulate via software the workings of a TPM. If you built a kernel module the browser would have no real way of knowing if it sent requests to a piece of hardware or a piece of software. But the fact that you would have to use Microsoft's or Apple's keys makes this completely impossible.
The hardware problem is this: you will not be able to use older or niche/independent hardware.
As we established that software simulation is impossible, this makes a ton of older devices utter e-waste for the near future. Most Chromebooks themselves don't have a TPM, so even though they are guaranteed updates for 10 years how are they going to browse the web? (maybe in that case Google could actually deploy a software TPM with their keys since it's closed source). I have a few old business laptops at home that have a 1.X version of the TPM. In theory it performs just as well as TPM 2.X, but they will not be supported because, again, I will not be able to use my own keys.
Lastly there is the social problem: is DRM the future of the web?
Maybe this trusted computing stuff really is what the web is bound to become, either using your certified TPM keys or maybe your Electronic National ID card or maybe both in order to attest the genuineness of the device that is making the requests. Maybe the Wild West era of the web was a silly dream fueled by novelty and inexperience and in the future we will look back and clearly see we needed more guarantees regarding web browsing, just like we need a central authority to guarantee and regulate SSL certificates or domain names.
Citation needed. I'm pretty sure all Chromebooks have a TPM and it's a firm requirement for making one. ChromeOS uses the TPM extensively and fully supports remote attestation:
https://www.chromium.org/developers/design-documents/tpm-usa...
TPMs have been a requirement on PCs since at least 2016 I think, and in reality most came with them before that too (but there's a v1 vs v2 difference).
> a 1.X version of the TPM. In theory it performs just as well as TPM 2.X but they will not be supported because, again, I will not be able to use my own keys.
This is all wrong. TPM 1.2 uses SHA1 for everything, which is a broken hash function, so there is a major difference in robustness between them. That's why TPM 1.2 is being phased out. It has nothing to do with "using your own keys", which is out of the domain of what TPMs do anyway; TPMs are always owned by the device user. You're thinking of firmware boot signing and other things that are separate from the TPM chip, but even there, you can use your own signing keys.
This choice will still render a ton of devices basically e-waste for no real good reason
I don’t want Google and Microsoft to have the keys to the kingdom, but on the other hand, I really want a way to know that I’m having genuine interactions with real people.
I wish government was getting more involved here.
Yes, completely impossible to fake by design. Otherwise what's the point? But I think the root of trust is whatever signs the hardware TPM module. So, Intel, AMD and Apple.
If I understand it correctly, the secure chain of trust will be something like: hardware TPM module -> secure boot -> Windows signed kernel -> Chrome (signed binary). It's not clear to me if desktop Linux will be able to participate in this ecosystem at all, which is ironic given how much Google uses Linux. Maybe a couple of the big distributions like Canonical will be able to sign their Linux kernel builds.
> Lastly there is the social problem: is DRM the future of the web?
It's opt-in by website operators at least. Assuming this happens, there are two big questions in my mind:
1. How much of the web will go dark to anyone not using a corpo software stack? I imagine bank websites will adopt this technology immediately, while sites like HN, personal blogs and wikipedia won't touch this stuff. How much of the web will stop working on my terrible "hacker" computer where I use firefox on linux?
2. How will this interact with browser extensions and dev tools? If websites won't function outside of chrome, will we be able to continue to drive chrome programmatically? Will chrome's dev tools still work? Will websites be told about my ad blocker extensions? Will webdriver (and similar tools) be blocked?
Just think about it: I really conceptualized how I can hook my Android phone to my server, add a digital camera to photograph the OTP-Code, OCR it and have a docker based Selenium script with chromedriver to login to my bank to pull the PDFs. All that just because big banks can afford to be so customer unfriendly.
Ten bucks says that it's added to FingerprintJS or equivalent within a year and sites are "opted in" without thinking about it.
(and we'll still have fingerprinting, which this claims to remove the need for - which means we won't actually solve anything)
If you can detect if anyone is using a system that supports this then you can ban only them instead of allowing only them, right?
Maybe we should nip this in the bud? If even 10% of sites banned anyone with this enabled from day zero before anyone else is requiring it, users would turn it off and then it wouldn't be there for anyone else to use.
I don't see banks adopting it at all for consumer banking. I work for a bank; I can tell you a bank isn't interested in adopting any technology that introduces friction for high-balance customers. What would they gain? A little extra fraud protection? You'll find lots of articles online spelling out the reasons that the optimal amount of fraud is not zero.
For now. But in many countries you already have to show ID to buy a SIM card. This could be extended to all devices that have this key on them. And then it could become a dereliction of duty for certain types of websites not to do checks they could easily do.
Don't be so sure, after all they adopted TLS. Which is essentially the same shit, just slightly less draconian.
This is the actual missing key bit. The problem that Google is trying to solve here is not actually a hardware / computational problem, it's a Real Identity problem. Hardware / TPMs are a poor proxy for solving that problem.
There's drastically less eWaste and impact on software freedom if you seek attestation from a national ID provider than if you seek attestation from one of a handful of personal electronics OEMs. National ID providers can offer to sign not only Real Identity attestations, but also anonymized attestations to protect citizen privacy. A web operator can decide whether to allow for attestations from only their own national ID provider, foreign national ID providers, private ID providers, or none at all if they just have a read-only site and don't really care.
The truth is that government inaction is forcing Big Tech down the road of violating user privacy and freedoms to solve Big Tech's problems. But getting the government to offer a flat Identity Provider playing field would solve these problems in a way that doesn't require such violation.
Being a Russian passport holder who lives abroad for years, I don't want to be in touch with my gov in any way possible, and moreover depend on it.
That's actually the case for millions of people from different countries with dictatorships, do you propose just to discriminate everyone outside of 20-30 countries with more or less democratic systems ? Those countries don't care about "citizen privacy".
Apart from that, we all see the bill in the UK which is as much a disaster to human freedoms as Russian and Chinese laws, for example. So even being a citizen of a more modern country is not a guarantee.
People don't always live in their country of citizenship, they don't always live in one place (see digital nomads) and have a residence, they don't always trust their government and they should not be discriminated on internet usage because of that. That makes a person more of a government property rather than a human being.
It can replace your physical ID but it also has other useful features.
The most useful one is the ability to generate Identity Proofs that contain only the minimum required information to prove your identity.
They even have an expiration date, a named receiver and a motive.
Of course the receiver can verify their legitimacy in the app.
No more sending copies of your ID !
I also think one of the features is proof of majority without revealing your identity. Probably made for adult websites because a ruling was made a while ago that they would have to enforce age restrictions better.
This is just an enormous nope for me. No better than this WEI stuff.
> The truth is that government inaction is forcing Big Tech down the road of violating user privacy and freedoms to solve Big Tech's problems.
Whether it is governmental or private action, how is it right or good that everyone has to suffer just because big tech has business model problems?
I speculate that it might start off as a mesh network, maybe using unregulated spectrum on a local level. It will probably resemble BBS fidonet, but with more modern features. bandwidth and E2E latency will be terrible, but it will be free.
As long as there are skilled engineers who have the spirit of freedom, there will always be an 'open' network for humanity to communicate (with all the good and ills that comes with 'open').
Most people don't know how the internet works, don't care as long as it works and do not think about it beyond that.
Google is essentially hijacking the web and turning it into something that it can entirely control and dictate, since Google owns not only critical infrastructure (Chromium, the most used browser), but the most visited websites (Youtube, Search). That's a coup d'état, no more no less.
And the slippery slope is abrupt dude, we went from EME which was already spyware to WEI, and there will be a next step, since we would have already accepted Google's supremacy.
In which case the internet we all grew up creating will effectively turn into the "Ham radio" of digital computer communications and will be effectively bandwidth throttled the way amateur spectrum allocation is
Doesn't seem crazy that something like this would be the end result
If they control your computer, they can prevent you from engaging in 'illegal' activities such as piracy.
But it all boils down to the logic of the market, the raw fact that capitalism works even with marginal costs. But when copying (and distribution) costs go lower (less than 'marginal', down to zero cost) it all starts to break down.
If people aren't selling digital assets to each other (which doesn't make sense with the technology we have right now), they cannot be taxed and so on.
Solution: fix the technology. Make it so that only those with specially authorized keys (trustworthy actors) can copy digital information at will. Everybody else will have to pay them for this privilege.
Oh, and never mind the fact that computers work by copying bits all over the place.
We've allowed a lot of people to become really fucking lazy. That's the bottom line. Baby Boomers, some Millennials (not all), and a lot of Gen Z.
Generation X had no choice but to gain a strong knowledge of computers if they wanted to do anything on the Internet, because it was still difficult, it still required a little reading, and you couldn't just press the WPS button on your router to connect your new MacBook Pro.
Every single problem the web faces is that. Period.
A lot of people never had to learn jack shit, so they don't know jack shit. They can't tell the difference in a legitimate website versus one that isn't. They don't know how to read a web address. They can't figure out that irs.gov is legitimate and irs.4doad04ldud.com isn't. I have met people who are 50+ years old who have used Windows computers since they were 22 years old, but look absolutely goddamned dumbfounded when you tell them, "Just click on the Start button and go to Word."
Fuck.
Them.
Fuck every single one of them. We have tolerated lazy uninterested users for long enough. I'm not saying every computer user needs to be able to debug assembly code and fix their own driver issue by rewriting it from the ground up. I'm saying that as a society, we have progressed past the point where you can throw your hands up and say, "I'm JuSt NoT A CoMpUtEr PeRsOn!"
To quote Captain Jean-Luc Picard, "NOT GOOD ENOUGH! NOT GOOD ENOUGH, DAMMIT!"
And the entire industry across the entire planet and every single national, state, county, city, provincial, whatever government is going to have to get onboard, come together, and say, "Okay, here's a baseline set of knowledge about how computers and our communications systems work that every single human being needs to have."
You cannot "tech" your way out of this problem. Not without massive corporate and government overreach and invasion of people's privacy. Lazy shitty people are just going to have to be made to suffer until they stop being lazy and shitty. There are plenty of average IQ people who can grasp the basics of how their computer and the Internet work - but they're never made to. Well it's time to start making them.
The dumbing down of every single technological product and concept does our species no favors.
If this is the future, I'm going to say "fuck the internet" and return to the soil.
As always people see the happy path down the middle of the forest, not the creatures waiting to leap out and eat them two steps down the line.
I find the easiest way to make these people think, is to attack it from a money angle. Disregard all the ideological, practical, security, surveillance related issues. Ask them how would they feel if from tomorrow, they would need to shell out money, a $100 equivalent of their local currency when buying any kind of computer (ipads, mobile phones, pcs, macs) for a stamp of approval, and then having to fork over $10 every month for renewing an "attestation license".
You are not forced to get this stamp. There will be some websites restricted that you can't access, but your computer will keep working fine. First it will be your bank website, then streaming sites, then food ordering services, and so on, until eventually all the major services will be walled off until you pay.
Because that's what will happen (among other things). All this infrastructure will need setup, maintenance, and it will not be free, and you can bet your ass that FAANG (or whoever will be running the attestation services) will be charging whoever is using their services, and they will be forwarding the bill to you, the end user.
Once upon a time, I was a homeless teenager running from a cult. If not for software I wouldn't have gotten out of that.
WEI (and other such things) are mainly about regulating who is allowed to write software, and so the way I think about it is this: If WEI existed when I was a homeless teenager, I might be dead.
I do not think I would like your girlfriend very much if she said keeping "her" stuff working was more important than my life, although I could understand her not understanding how big of a deal it is when you talk abstractly about the "open nature of the web" without putting it into human terms;
The "open" part is really important to get across because it means anyone who has the ability to can contribute: Does such a high level academic with a strong mathematical and logical background understand what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?
It takes many years of activism to build awareness for these sorts of issues. I worry that increasingly tight technological control over various aspects of our lives will create more of these situations and eventually overwhelm our capacity to build awareness. The result could be widespread cruelty.
The solution cannot be for each and every one of us to be aware of and emotionally engaged with every possible predicament in which others could find themselves. It's just not possible psychologically.
We need to design our rules and systems to be resilient in the face of unexpected things going wrong and in the face of permanent partial brokenness of everything, including rule making itself. It's very difficult and I'm not optimistic.
No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.
>if she said keeping "her" stuff working was more important than my life
Arguing that you would be dead if your viewpoint isn't correct is a bad argument.
>what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?
It would be a better analogy to say that "employers can run background checks on people who want to work for them." Because it is up to each website to choose which attestors they trust and the websites have the choice of doing whatever they want with information or not requiring attestation at all.
Most people are not qualified to give a crap.
We don't adopt medicines on the basis of "most people's" opinion, we don't adopt anything technological with potentially harmful impact on the basis of the opinion of large uninformed masses.
That's why we have regulators and other institutions that should be informed and give an informed crap. On an ongoing basis and not only as a result of popular outrage.
Which brings us to regulatory capture and said institutions actually failing their mandate to serve the interests of the people that fund them.
But now we have something that most people should give a crap about. This is not technical, it goes to the foundation of democracy and governance. Otherwise we might as well stop voting and accept we live in a corporate oligarchy.
Yes, but unlike say construction, the environment, or medicine, when it comes to IT, most of our gov representatives in charge of regulations are horribly out of touch with what's happening in tech world and how fast things are changing.
Just look at the Senate hearings of Zuckerberg and the TikTok CEO, and what questions they were getting: "can TikTok access my Wi-Fi?". I rest my case.
They have no clue how the whole "internet-thingamajigs" work, nor do they care to listen to people who actually do know, because they can also be easily lobbied by big tech to look the other way, especially since for the US government, having US companies dominate everything IT-related on a global scale is a national-security asset rather than a curse, which could be said if Chinese companies were to take over instead.
People should never be expected to make meaningful decisions in their life only because someone with degrees said it's best for them, or even worse make no decision because the leader already made it for them. People need to be able to think for themselves and make their own decisions, even if the few experts may disagree with the decisions made.
In my opinion, this should have been the most important lesson from three years of pandemic response. We had a small group of experts getting out over their skis and speaking with certainty about the virus and what everyone must do. In reality these experts had much less research-based data to support this level of confidence, and in some cases the data even contradicted them. In the meantime we were all forced or coerced into various decisions and protocols that didn't seem to pan out, for a virus that we once got kicked off social media platforms for comparing to the cold or flu while that's precisely how said experts discuss it today.
Experts should absolutely weigh in and attempt to educate people on what's at stake and why they should make one decision of another. But a system in which a few at the top decide for and control the rest of the population is extremely dangerous and should be reserved for only the absolutely most important situations.
On a personal level we have health: why can't I have fries and ice cream all day, every day? That's what any sensible child would choose. Education: why can't I play video games and watch TikTok attention-grabbing videos all day? In fact many do.
On country level, why would we want to help Ukraine or Taiwan. Why would we want to reduce carbon footprint. Stuff just keeps working.
Lead pipe worked just fine. Asbestos worked just fine. Smoking was just fine. Until they aren't.
Secondary effects require experience and education. We are not so good at grasping causal relationship when the results aren't immediate.
"Is your stuff going to keep working? There's literally a website dedicated to the products Google has killed. What makes you think you're so special that they won't do that to something you use?"
Of course, you're probably sleeping on the couch that evening...
GF: "If my stuff keeps working, why is it a problem?"
BF: "Is your stuff going to keep working? There's literally a website dedicated to the products Google has killed. What makes you think you're so special that they won't do that to something you use?"
GF: "If Google deploys this and then kills it, my stuff will keep working. So why is it a problem?"
...and she would be right. If it doesn't break her stuff when some websites start relying on it for user device attestation, then if Google kills it making it so sites can no longer use it for user device attestation those sites aren't going to just say "Oh no! User device attestation no longer works! Let's shut down the site!". They will go back to whatever they were doing before it became available.
"I can keep buying this stuff, and can't practically avoid it, therefore it doesn't affect me."
Most people don't want to dedicate hours a day to a "vote with your feet" attempt that will not even register on corporations' balance sheets.
And now history repeats itself and we have Firefox being the alternative to the mighty Google Chrome and Google emulating more and more of what people hated about Microsoft's stewardship of Internet Explorer and dictating to users what they must have their eyeballs exposed to. In Microsoft's case that was obnoxious popups and popunders, shitty toolbars, and endless crap they came up with to somehow lock users into all that. Now Google is whining that nobody wants to see their shitty ads (correct) and somehow feels entitled enough that they can dictate browsers to respect their authority regarding what users can and cannot block. It's the same behavior. And the fix is the same: abandon the Chrome ecosystem. The more users do that, the more the web will basically remain outside of the control of Google.
This is fundamentally the problem isn't it. They feel entitled _because_ they can dictate terms to the rest of the web, or at least they think so. There's no fixing this by changing Google's mind, only by forcing their hand by making this decision hurt their wallet. And as you point out, that only happens if people stay outside of the Google garden.
And also when Firefox 1.0 came out, sneaking around the school library computers and installing it as the default browser. The librarian eventually found out and asked me to just install it on all the computers so that the other kids wouldn't be confused why the browser was different on some machines.
Frankly I'm unsure if Firefox's fate was to be EEL (embrace, extend, lock down), would we be worse off or better off than what we are right now with Chrome?
There was Opera as well.
MS hasn't thrown in the towel on Edge and is even still working on Internet Explorer.
That such a pivotal issue is not handled competently with the top priority attention it deserves says more about the state of the US polity than the horned man storming the Capitol.
This is why we need to be politically active and politically effective and I'm glad OP called that out in their post too. It's like reminding people to vote when dealing with the consequences of elected officials.
edit: What business, other than an ad business, can safely say "we don't care what digital technologies we invent, as long as they are popular we can make piles of money." IMO, that is the motto of a dominant tech company. You can see a striking example of this failing with the various home assistants. Despite their popularity, tech companies can't figure out a way to shove ads into the UX, so they can't make money.
As stated this is not strictly true. E.g., Apple would object (with at least some merit) and every tech company before adtech (i.e decades of commercially viable tech) would object as well.
What is true is that adtech is the most lucrative way to monetize any digital consumer device.
This economic dominance of adtech is real and extremely distortive of the technology landscape, but 1) it is predicated on questionable behavioral stances ("consumers don't care about privacy") which are manifestly not universal (see e.g. EU-wide regulation) and 2) it is an incongruous and incomplete architecture for a digital economy: e.g., there is no hard line between consumer and business devices. Do businesses also not care about commercial secrecy?
Effectively adtech short-circuited the digital society motherboard by identifying an emerging opportunity that did not exist in traditional physically organized economies. Large and vital sections of the motherboard (e.g. journalism) are now burned out.
It's a dead end.
We didn't have to buy into these products or allow them to take over our lives if we had an issue with ad companies running them. We could simply not use them, accepting the negative impact that will have on parts of our current life. If the majority of our people don't care and have chosen the convenience, and the dopamine hit, of the digital products, should politicians really step in though?
If politicians in a representative democracy are meant to represent the people, then it really isn't their job to fix this; the people have already spoken. I don't agree with it and do my best to limit my use of these ad companies, but that doesn't mean it's my responsibility to rip these products out of everyone else's hands if they chose their own tradeoffs. If Google wants to do this and people really care, they'll just stop using Google and accept that they won't have access to any services that decide to require this kind of DRM-like verification.
are they tho
Do we know the financial impact ad blockers are thought to have?
I'm guessing ad fraud is a way bigger problem; although some would argue that ad fraud is not Google's problem, it still hurts Google.
Maybe it's also a third thing I just can't think of right now; ad blockers just seem too niche to me. How about just enforcing a stronger monopoly on user tracking?
And also, frankly, I don't really frakking care if their purpose is to prevent ad fraud. That's not my problem, why should I be the one paying for Google to make more money from a problem they created themselves in the first place. As far as I'm concerned, if Google really wants to prevent ad fraud, they can just stop doing advertising; Problem solved.
Already, other browsers have led on tracking protection and control of third-party cookies, affecting Google's business model. So Google built Chrome, invested in it so people would prefer it, pushed it on their websites to ensure people would prefer it, and built a walled garden with Chrome Sync + Passwords.
Then they started using it to decrease privacy by signing in to Chrome when you sign in to Gmail. They track your websites visited and use it to improve their advertising even when the website doesn't use Google ads.
Theirs is the only password manager for Android which is limited to their browser. That's for a reason.
Why does Google get to do something that no other website in the world is allowed to do? This feels like something Microsoft would have gotten hit by antitrust over decades ago.
There’s no reason why logging into a Google site should silently give them all of your web browsing history across every site you browse. I know you can turn both those settings off but most people don’t even know they exist.
They can only blame themselves for faking data.
---
Dear <<REPLACE>>,
I am a <<COUNTRY>> citizen, and I live and vote in <<REPLACE>> district. Professionally I am a software engineer <<blah blah blah years of exp, exp with web etc>>. I am writing to you with a concern about a recent planned change by Google called Web Environment Integrity (WEI). I believe this change is anti-competitive, against the open web, and a risk to our country's security agencies.
Very simply, WEI allows websites to verify that the user's browser (e.g. Chrome), and potentially the operating system (e.g. Windows), is official and unmodified. This process is called attestation. Basically, how it will work is:
1. User navigates to a website.
2. The website executes a challenge to the browser (e.g. Chrome) asking for attestation and listing the acceptable attestation services.
3. The browser makes a request to a third-party attestation service (e.g. Google).
4. Software, an attestation agent, runs on the user's computer. This software scans files and memory of the user's computer or phone and sends back proof, to the attestation service (e.g. Google), that the user is running an acceptable, official and unmodified browser and/or operating system.
5. Once satisfied, the attestation service issues the user's browser a token.
6. The user's browser forwards this token to the website.
7. The website can use this token to check against the attestation service that the user is indeed running official or unmodified software.
8. The website then permits the user to access the site.
In the event the attestation fails or the browser fails to provide a valid token the website will likely deny access to the site.
On the face of it, it may seem like this is a noble goal; unfortunately it mainly entrenches Google's position of power. Google's browser Chrome is used by 85% of users, Google search is the most popular search engine, and Google controls the biggest online advertisement service, AdWords. Once implemented, Google's existing dominance places it in a position to push it onto websites and users. Google could deny access to GMail, Google Maps, and YouTube unless the user has this feature. Google could deny placement of ads, and subsequent payment to website owners, unless those accessing their site have WEI enabled.
The proposal is bad for the following reasons.
1. Limited Attestation Services - Website owners have a list of attestation services they trust. It is extremely unlikely a large number of websites will add Joe Bloggs third-party attestation service as trusted. As a result it is likely only 3 attestation services will exist: Google, Microsoft and Apple. This proposal will further entrench these three companies as owners of the web. This is anti-competitive.
2. Prevents alternative browsers - Creating a standards-compliant browser is a monumental task, which is why only a limited number exist: Chrome (uses Chromium, which is based off WebKit), Safari (based off WebKit), and Firefox (uses its own Gecko browser engine); most others (Brave, Microsoft Edge) use the Chromium browser engine under the hood. Currently, apart from the effort, there is nothing preventing a group from creating a brand new browser engine. An extremely dedicated team could create a new browser and all websites would work with it. If WEI were implemented, this new browser would need permission from the incumbents, otherwise attestation would fail and users would be denied access to, potentially, most of the web. This is anti-competitive.
3. Prevents accessibility tools - Some people have additional needs due to disability or age and may use tools like screen readers or text only browsers to navigate the web. This involves additional software which injects itself into the browser in order to provide the functionality. This process, while legitimate, may result in attestation failing, especially after new software updates, and as a result denying marginalized users access to the web. This is against the open web.
4. Prevents alternative web crawlers - In order for your website to be listed in Google search an apps called Googlebot and Google crawler need to connect to your website and go through each page, this is then indexed and the results are presented based on relevant search terms. There are other web crawlers by Microsoft/Bing and Yandex which do something similar for their search engines. While they are likely to provide themselves attestation tokens in order to continue the service and new company may invent a better way of providing internet search but in order to crawl, with WEI in place, they would need to ask permission from Google to authorize their crawler. This is anti-competitive.
5. Prevents legitimate scraping - Similar to crawling there are legitimate uses for scraping, which is extracting data from a webpage by an automated tool for use as some other purpose. One example is the Internet Archive (archive.org) they regularly visit millions of websites around the world take a copy of them for historical purposes. You can use archive.org to view Google's first homepage from 1999, or Yahoo! from 1996. WEI prevents new companies or groups from creating novel tools created from legitimate scraping without asking permission from Google first. This is anti-competitive.
6. Prevents security agencies from doing their jobs - Government security agencies and police hack, monitor, and scrape, as permissible under law. These actions are performed by expert agents who are also supported by various scripts, bots, and custom built apps. These tools are rapidly modified and continuously changing depending on the operation. WEI would require these tools to be authorized by the attestation agent or service, while there are a number of ways this could occur, ultimately this requires Google to authorize each tool in order for the tool to successfully collect a valid token. Google could temporarily or permanently deny access to valid tokens, or change the algorithm for generating them to prevent security agencies from generating their own, which would deny security agencies from using their tools against operational targets. This is a risk to our country's security agencies.
I suspect for most politicians this will be far too long and too technical for them to bother with.
""" Dear <<WHOEVER>>,
I'm writing to inform you of a change that Google is proposing which will:
1. Reduce the ability of the security agencies to do their jobs
2. Limit the ability of ordinary citizens to access the internet
3. Lock control to big tech companies and reduce innovation in the technology sector
As a citizen of <<COUNTRY>> living and voting in <<REPLACE>> and a software engineer with X years of experience, I believe this proposal (called Web Environment Integrity or WEI), although presented as improving security and privacy, is damaging because ... """
(edit: formatting and expanded the final line)
In the emails I sent I did use judicious formatting. i.e. "Prevents alternative browsers" is in bold, and "this is anti-competitive" is italic so someone scrolling through it could just read those.
How it works could be dropped or pushed to the end.
at which point you could attest any environment you wish, across as many machines as you want
a nice side hustle for bored university students with access to the equipment needed
(currently this doesn't happen as the TPM keys are essentially worthless)
would I pay $500 for a TPM key I can use to "attest" my hacked version of Chromium that removes ads? hell yes
would cheaters pay $500 for a TPM key to bypass valorant anti-cheat? hell yes (they do already)
would spammers pay $500 to spam Google?
and so on
ultimately attestation to control the user (vs. protect them) sows the seeds of its own demise
So if we could reliably extract keys it may be enough to break this. (or force TPM makers to have per-device keys instead of per-batch keys)
you don't have to know any keys, just the structure of a valid key, then make things up according to spec
Actually it was a pyrrhic victory, as Microsoft went on to apply their ideas to Xbox and Azure Sphere, and now the change is coming back as future Windows hardware requirements for secure workstations via Pluton integration.
https://www.microsoft.com/en-us/security/blog/2020/11/17/mee...
I bet mostly UNIX focused folks haven't noticed that their next PC might have a Pluton CPU on them.
https://www.thurrott.com/hardware/260917/here-come-the-first...
TL;DR: holdbacks might help with specifically the DRM component, but they can only go one of three ways:
- They can be effective at forcing sites not to rely on attestation, in which case there is no benefit to this proposal because everyone (including users of browsers like Chrome) will still be subjected to the same invasive backup strategies. You'll still be fingerprinted and tracked no matter what, because even if you're using Chrome, 1 in 20 times you send a request the website will just revert back to the original fingerprinting.
- Or if they aren't effective at forcing sites not to rely on attestation, well... then they haven't solved the DRM problem.
- Finally, attestation might be used to primarily decrease annoying behaviors, which will still in practice make browsing the web for anyone who doesn't use a browser with attestation so painful that they'll eventually switch. Think "you're not on Chrome, so you're going to see 9x the captchas you otherwise would see."
You can't simultaneously have "this allows us to trust the client" and "we can't rely on it." One of them has to give. At their best holdbacks would turn this into another tracking vector and would change nothing about the web for the better. More likely, holdbacks will allow sites that would previously be judicious about where they used captchas and blocks around the site to start spamming them everywhere -- because Chrome users will only see 5-10% of those annoyances. And at their worst, sites would just not implement the fallbacks because the attestation signal is still reliable enough.
Holdbacks call the entire motivation of this spec into question, since the whole point of holdbacks is to make it impossible for websites to get rid of the invasive "backup" walls and tracking and captchas that the spec claims to be trying to replace. Blocking ad fraud? Blocking automated requests? WEI only helps with that if websites can trust the signal and block browsers that aren't sending it; otherwise websites are right back to square one trying to prevent fraud. But if they can do better blocking based on that signal, then we're back in DRM territory.
----
Another point raised by another commenter: https://news.ycombinator.com/item?id=36884649
Implementing holdbacks in a way that actually prevents DRM is likely to be fairly challenging. In the most straightforward implementation, websites can simply retry the request until they get an attestation token or until they hit 10 iterations, at which point they'll ban you as normal.
Statistically profiling users and determining whether or not their browser supports attestation is likely to be fairly easy, unless Google has a much cleverer implementation of holdbacks than they've revealed so far in the spec.
This would be the worst case scenario -- holdbacks would be used as an excuse to push the changes through and sites would simply ignore them and block users based on aggregate stats: you haven't passed an attestation check in the past 30 minutes even though you made 20 different requests that should have had a token attached? Yeah, you're pretty likely on an "unsupported" browser.
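To make the "aggregate stats" point above concrete, here is an added illustration of the kind of per-client check a site could run; it is not code from the WEI proposal or from anyone in this thread. It assumes a 5% holdback rate (the spec text discussed here only says 5-10%), a 30-minute window, and that `token: true` means the server already received and verified a WEI token on that request. The request logs are constructed for the example.

```javascript
// Added illustration: defeating WEI holdbacks with a per-client likelihood check.
// Assumption: attesting browsers withhold the token on 5% of requests ("holdback").
const HOLDBACK_RATE = 0.05;
// Accept a one-in-a-million chance of wrongly flagging a genuinely attesting browser.
const FALSE_POSITIVE_TARGET = 1e-6;
// Look back 30 minutes per client, as in the comment above.
const WINDOW_MS = 30 * 60 * 1000;

// Smallest n such that holdback ** n <= target: after this many consecutive
// token-less requests, "it's just the holdback" is no longer plausible.
function requestsToConclude(holdback = HOLDBACK_RATE, target = FALSE_POSITIVE_TARGET) {
  return Math.ceil(Math.log(target) / Math.log(holdback));
}

// Classify one client from its request log.
//   log: [{ ts: epoch ms, token: true|false }]
//   token === true means a WEI token was presented AND verified (verification assumed).
// Returns 'attesting', 'unsupported' or 'undecided'.
function classifyClient(log, now, holdback = HOLDBACK_RATE, target = FALSE_POSITIVE_TARGET) {
  const recent = log.filter(e => e.ts <= now && now - e.ts <= WINDOW_MS);
  if (recent.length === 0) return 'undecided';
  // A browser without attestation can never present a valid token, so a single
  // verified token settles the question the other way.
  if (recent.some(e => e.token)) return 'attesting';
  // Probability that an attesting browser was held back on every one of n requests.
  const pAllHeldBack = Math.pow(holdback, recent.length);
  return pAllHeldBack <= target ? 'unsupported' : 'undecided';
}

// Run the check over every client in a { clientKey: log } map.
function classifyAll(logs, now) {
  const verdicts = {};
  for (const [client, log] of Object.entries(logs)) {
    verdicts[client] = classifyClient(log, now);
  }
  return verdicts;
}

// Build a constructed log of n requests, one every gapMs, the last one at `end`.
function makeLog(end, n, gapMs, tokenAt) {
  return Array.from({ length: n }, (_, i) => ({
    ts: end - (n - 1 - i) * gapMs,
    token: tokenAt(i),
  }));
}

// Constructed sample traffic (not real data).
const NOW = Date.UTC(2023, 6, 26, 12, 0, 0);
const SAMPLE_LOGS = {
  // Attesting browser: 20 requests, token missing only on the 7th (a holdback).
  'chrome-like': makeLog(NOW, 20, 60_000, i => i !== 6),
  // Browser with no attestation: 20 requests, never a token.
  'firefox-like': makeLog(NOW, 20, 60_000, () => false),
  // Too little data yet: 3 token-less requests (0.05 ** 3 is far above the target).
  'new-visitor': makeLog(NOW, 3, 60_000, () => false),
  // Token-less traffic that ended an hour ago falls outside the window and is ignored.
  'stale': makeLog(NOW - 2 * WINDOW_MS, 20, 60_000, () => false),
};

console.log('token-less requests needed to conclude:', requestsToConclude());
console.log(classifyAll(SAMPLE_LOGS, NOW));
```

With a 5% holdback and a one-in-a-million false-positive budget, five consecutive token-less requests are enough to flag a client, so a site needs no retry loop and no special cleverness: it just keeps a small counter per session. Raising the assumed holdback to 10% only adds a request or two to that number.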
The vast majority of Indian internet users are on mobile. It's a market led by Xiaomi and other Chinese OEMs who sell phones that die after a year or two with horrible OTA updates. Some people downgrade, some use custom ROMs. But the majority just buy a new phone every 2-3 years. Or even 1 year. The poorest of people here buy iPhones with financing. Besides, you don't need to buy expensive devices. Every GMS-certified phone made in the last couple of years has it.
Now for actual computers, most are either prebuilts or laptops. They have all come with Secure Boot since 2013(?). The last Windows release without a mandatory TPM is going to be discontinued in 2025; Microsoft will scare people into upgrading.
These are old machines. Any laptop made in the last 4 years will be able to access the new closed web, so it won't be hard to replace them.
I'm just hoping this "end of internet" happens really quickly. So that people would notice. One day people should wake up locked out of the web on their expensive devices. If it's a slow boil, we'll be too late to stop it. Again.
If we don't allow people who are contributing to the problem in any way, or are benefitted by it, to oppose it, we are doomed to fail.
Asking people to not use Chrome isn't asking much, and yet people here can't even manage that.
Important to note here that it's only possible to "fool" SafetyNet/Play Integrity because of compatibility with older devices. The strongest Play Integrity level (MEETS_STRONG_INTEGRITY) is simply not possible to fake on a device with an unlocked bootloader, it's just not a big problem right now because most apps do not require it yet, since there are still many old devices that don't pass it, because of missing hardware or outdated android versions.
Eventually, in a few years, a time will come where the number of non-unlocked devices not compatible with MEETS_STRONG_INTEGRITY will be low enough that apps will start requiring it, and that will be the end of bootloader unlocking for most users that still do it.
How would they kill ad blockers this way? I can just use the LibreWolf browser; sites will detect it and not work. But we already have this in the form of Widevine DRM. Spotify does not work in my browser without DRM. They can't really force this on Google search, because many clients will never support it (older Nokia 3x4 keypad phones etc).
(Specific communication)
We need PQ FIPS and TLS revisions; not this.
https://www.gnu.org/philosophy/right-to-read.html
He wrote that 26 years ago. It's worth reading again just to see how much he got right.
That seems really one sided. To me that indicates that I as a user have a right to know that a human and not a robot is responsible for me seeing this ad. That's not the case of course. What this would do is kneecap the enemy/users and let the advertisers be the only ones with access to automation and integrity validation.
I doubt that many object to seeing ads for power tools on a DIY forum or developer tools on Stack Overflow; that seems reasonable. The objection is to being bombarded by obvious scams, microtransaction-laden mobile games, online casinos and anything that in no way benefits me as a consumer. Google should perhaps focus a bit more on validating the integrity of their consumers, i.e. the advertisers.
> In many ways, if we get Web Environment Integrity, we’ll need every government to regulate Google, Apple, Microsoft, and adtech in every way possible
Or was this an afterthought like everything else in their proposal?
All these elites always want to know what we plebs are running. The governments want Venmo to report anything that adds up to over $600 a year to the IRS. The FATCA travel rule pushes all countries to do the same, for $1K, but FinCEN has lobbied for as low as $250!
Meanwhile the Pentagon can’t account for trillions, and both parties give them more money than they even ask for. We have government officials in constant secret meetings, failing to avert disasters, then the plebs have to fight.
I say — we should have attestation that the server is running verified code, the one that was audited by third parties that I accept! That would be what I always wanted on the Web. Instead, they only do it the other way.
We the People have to rise up and demand that Google implements a standard that uses SGX extensions or whatever, to guarantee that the code managing the website matches the audited code. This is long overdue! It is also why we use smart contracts and Web3 for now.
All I really want, on the mobile Web, is a way to visit a URL that has a content hash, and it will load a static file matching a content hash, and save it so it’s always available locally. That’s it! So I can trust the code. Without having to install an extension. Instead Apple clears everything after 7 days, making it useless! And SRI only works for subresources. Which means the server can be hacked and serve malicious code to me anytime!
https://arstechnica.com/information-technology/2022/08/archi...
I'm seeing the biggest issue is who decides what a "trusted" browser is. Is it Google? I'm guessing they will establish a non-profit "independent" advisory board which will have members who somehow align with the interests of all major advertising stakeholders in the world. This is dripping with anti-competitive potential. Some lawyers are going to get rich from this.
https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...
Fight.
> If you haven’t been under a rock, you may have heard about Google’s evil Web Environment Integrity “proposal”. Supposedly, this is to make sure a browser environemnt can be “trusted”, but it seems Google wants this so they can kill ad blockers.
Also you misspelled environment. Surprising for a geological enthusiast.