zlacker

[return to "Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web"]
1. bayind+2e1 2023-07-25 06:47:42
>>jakobd+(OP)
That's wrong on so many levels, I don't even know where to start.

First of all, I hate these "proposals" which are actually a "we implemented this in our flagship product, and kindly force it on our users, you don't have to use it, if you have a choice" stance.

Then comes all the "ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways." part. I'm using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile it the way I want. I can use links/elinks/lynx/dillo if I want (and I use them, too). Who do you think you are, and how come you dictate the software I use on my own computer?

It's 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.

It's maddening and saddening at the same time.

◧◩
2. grishk+by1 2023-07-25 09:53:02
>>bayind+2e1
> It's 90s DRM wave all over again.

Except in the 90s you controlled 100% of the code running on your computer. Now there are all kinds of treacherous computing with all those "trusted" execution environments and TPMs and all the other bullshit that can't be avoided, with someone else's public keys burned into the silicon.

◧◩◪
3. judge2+DE1 2023-07-25 10:51:24
>>grishk+by1
You can still control the code running on your computer. But the websites you send HTTP requests to don’t have to respond.
◧◩◪◨
4. grishk+UF1 2023-07-25 11:04:12
>>judge2+DE1
You can't. On most modern systems there is software that runs with privileges above your OS kernel that you can't remove or modify because it is signed with the manufacturer's key. The key is part of a "trusted" boot chain. The root of trust is usually burned into the silicon in the fuses or the initial bootloader (boot ROM).

TEE on Android, for example. Intel ME on PCs, and probably TPMs also have a firmware of their own. Secure Enclave on Apple devices.

There's an outstandingly good perspective on the issue in another thread: >>36859465

◧◩◪◨⬒
5. judge2+Eo2 2023-07-25 15:02:41
>>grishk+UF1
Even so, on most of the platforms you list you can disable the security checks and attestation mechanisms with a custom OS, which mitigates the risk of letting a site know that your computer is running any specific version of an OS with the proper anti-tamper checks. If you find a device that doesn’t, you can just not buy that device. At a certain point it’s not constructive to say “you can’t build that” when there is enough of a consumer benefit/desire and business incentive to do so.
◧◩◪◨⬒⬓
6. grishk+uv2 2023-07-25 15:29:19
>>judge2+Eo2
The problem is not someone knowing something. The problem is that since 99% of people use their devices in stock configuration, "no attestation available" would be interpreted as "attestation not passed". We're already seeing that with banking apps on Android. It doesn't matter whether you've rooted your stock ROM or are running something without Google services, the app will refuse to work either way.
◧◩◪◨⬒⬓⬔
7. JohnFe+oW2 2023-07-25 16:55:01
>>grishk+uv2
The bank thing doesn't bother me, personally. I can circumvent such restrictions entirely by using a bank that has a physical branch near me, and doing my business in person.