zlacker

[return to "Unpacking Google’s Web Environment Integrity specification"]
1. endisn+bz1[view] [source] 2023-07-26 17:54:38
>>dagurp+(OP)
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.

edit: removing ssl comparison since it's not really my point to begin with

◧◩
2. JohnFe+Ez1[view] [source] 2023-07-26 17:55:58
>>endisn+bz1
SSL doesn't demand that some third party approve your software and hardware in order for it to work for you.
◧◩◪
3. endisn+Mz1[view] [source] 2023-07-26 17:56:37
>>JohnFe+Ez1
TPMs with attestation do exactly that. Are you opposed to that as well?
◧◩◪◨
4. rezona+rA1[view] [source] 2023-07-26 17:58:33
>>endisn+Mz1
That's exactly what WEI is supposed to do... And yes, websites should not be able to use the TPM for attesting the user's environment.
◧◩◪◨⬒
5. endisn+IA1[view] [source] 2023-07-26 17:59:17
>>rezona+rA1
why not? how do you want to solve the problem of provenance? if you feel it's not a problem to begin with, then the sites in question can simply choose not to enable it. if they enable and believe it is a problem, then clearly there's a dissonance between the places you choose to visit and their goals, no?
◧◩◪◨⬒⬓
6. rezona+eD1[view] [source] 2023-07-26 18:08:30
>>endisn+IA1
> sites in question can simply choose not to enable it.

My problem isn't that I as a developer don't have an option to not implement attestation checks on my own web properties. I already know that (and definitely won't be implementing them).

My problem is that a huge number of websites will, ostensibly as an easier way to prevent malicious automation, spam etc, but in doing so will throw the baby out with the bathwater: That users will no longer have OS and browser choice because the web shackles them to approved, signed, and sealed hardware/software combinations primarily controlled by big tech.

[go to top]