zlacker

[return to "Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web"]
1. superk+Um[view] [source] 2023-07-24 23:14:44
>>jakobd+(OP)
Even if this DRM doesn't get accepted and used Google's QUIC protocol they call "HTTP/3" that they whitewashed through the IETF with MS makes it so it's impossible to establish a connection to a server unless it gets 'attestation' from a third party CA TLS corporation. It's the same thing in different clothing but everyone is cool about it for some reason.

Google should've just called this HTTPS+ Everywhere and there'd be no blowback.

◧◩
2. no_tim+kZ[view] [source] 2023-07-25 04:31:02
>>superk+Um
Can you post the relevant part of the spec or discussion of it? This sounds wack but I'm not seeing it.
◧◩◪
3. superk+8e1[view] [source] 2023-07-25 06:48:49
>>no_tim+kZ
The spec suggested defaults don't matter when all current HTTP/3 implementations will not let compiled software users connect to a site with a self-signed cert (or none at all).

But also the spec itself is bad: "MUST" in capital letters when talking about setting up the HTTP3 endpoint and verifying the cert. https://datatracker.ietf.org/doc/rfc9114/

There are compile-time flags you can use to enable it in the QUIC HTTP/3 libs you can then manually link when compiling your personal browser. But with Google/Microsoft/Apple/Mozilla browser binaries used by the public they will not be able to connect.

[go to top]