zlacker

[return to "Apple Could Kill CAPTCHAs with Private Access Tokens"]
1. stevew+e3[view] [source] 2022-06-15 11:19:37
>>matthe+(OP)
I posted a comment a few days ago here (https://news.ycombinator.com/item?id=31670689#31671551) about my views about this “feature”, which I’ll repeat verbatim here. Needless to say, it’s something I don’t like.

Original comment follows:

In my view, this would just DRM-ize everything on the web. Of course, Cloudflare and Fastly don't talk about this much, and Cloudflare keeps assuring you'll still get captchas if device attestation fails or is unsupported. But realistically, once all Microsoft, Google and Apple implement it in their devices, there isn't much of a reason to keep accepting non-attested devices. You can already see where this is starting to go - if you're using Linux/BSD or another niche OS, congratulations, you can't submit forms any more. And since device verification would become extremely cheap to perform this way, you'd also see websites protected entirely by this tech, effectively locking out Linux/BSD users. The Cloudflare article also talks about how, at least in the case of Apple, they'd run something like a posture assessment to confirm that your device components are genuine. I can also see this new tech locking out users of non-OEM repairs. This is a much bigger deal than what it seems like on the surface, and I'm genuinely scared about how this one simple move dwarfs all of the "evil" things that big tech has done so far.

◧◩
2. nojito+a7[view] [source] 2022-06-15 11:55:06
>>stevew+e3
This isn't DRM. A party is verifying your actions as legitimate and not a bot. There is nothing stopping the Linux/BSD community from implementing something similar.

https://www.ietf.org/archive/id/draft-private-access-tokens-...

◧◩◪
3. stevew+S9[view] [source] 2022-06-15 12:13:55
>>nojito+a7
Thanks for providing the original RFC, though reading it I find it to be much worse than I thought because of its ability to detect actions per client.

Now there’s a bunch of crypto to prevent the identification of an individual device, but websites would still be able to track your actions even if you disabled cookies, localStorage etc. (apart from the current ways such as like Etag tracking or browser fingerprinting) except that you can’t really mitigate it in any way. Whichever way you put this, PATs are not something that would preserve users’ security or privacy.

I also disagree with you that this isn’t a form of DRM - you’d still need some kind of TPM or another embedded electronic device that helps with these attestations. However, once attackers try to buy thousands of such devices to attack/scrape websites, websites would naturally use the originating vendor as the basis for allowing/denying actions. Which ultimately comes down to DRM - you’d see Windows, Android and Apple devices being allowed - and Linux/BSD/rooted Android/custom ROMs being left out to dry.

◧◩◪◨
4. nojito+9q[view] [source] 2022-06-15 13:48:13
>>stevew+S9
> but websites would still be able to track your actions even if you disabled cookies, localStorage etc. (apart from the current ways such as like Etag tracking or browser fingerprinting) except that you can’t really mitigate it in any way. Whichever way you put this, PATs are not something that would preserve users’ security or privacy.

The website doesn't receive any info other than the URL you are visiting and the fact you have an authenticated PAT.

Not entirely sure where you’re getting your information from.

[go to top]