zlacker

[return to "Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web"]
1. javajo+Hq[view] [source] 2023-07-24 23:42:39
>>jakobd+(OP)
Surprising even myself, I actually like this proposal. It does two things, one which is good, and the other which is not as bad as people are saying.

The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL's vision for the web in the first place.

The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It's bad and it's a bad system that makes the world worse.

◧◩
2. dolive+fr[view] [source] 2023-07-24 23:47:21
>>javajo+Hq
Do you know how rooting Android is basically useless nowadays? Most banking and government apps, at least in my country, don't work if Google didn't give the seal of approval for your system. I take it you see as good thing to bring this to the browser as well, because this somehow has to do "personal computer advocacy"? It literally cripples the users' devices.
◧◩◪
3. javajo+tx[view] [source] 2023-07-25 00:34:35
>>dolive+fr
I don't see the connection between Chrome attestation and Android attestation. A computer has only one operating system (in general) but many browsers. I see some value in attesting to a "pristine" browser environment to any application developer, as it removes a wide array of error modes (particularly useful if you have a weak or underfunded team).

Now, if the application provider chooses not to support the alternatives, I'd argue that's on the app provider (the bank and gov apps). And again, perhaps the best thing is to NOT USE THOSE KINDS OF APPS ON A PHONE. I am very concerned that people are essentially locked out of essential services if they don't have a smartphone and a working SIM card. After all "the best way to repeal an imperfect law is to enforce it perfectly."

I'm not Nostradamus; but I'm hopeful that if Google goes down this path that it will hasten the end of a wide variety of error modes in the world. Of course that may be putting a little too much faith in neoliberal capitalism, to come up with alternatives that aren't smothered in the cradle.

◧◩◪◨
4. schroe+qb1[view] [source] 2023-07-25 06:25:05
>>javajo+tx
Browser attestation only works if the OS is attestated, though. It has to be an unbroken chain of signed blobs from the TPM / boot loader to the browser - otherwise, you could just use e.g. a kernel driver to modify the behavior of a signed browser.

If WEI is implemented, we will get the combo package.

[go to top]