[return to "Google is already pushing WEI into Chromium"]
1. helen_+Nt 2023-07-26 14:18:39
>>topshe+(OP)
There’s a saying, on the internet nobody knows you’re a dog.

WEI is part of a broader movement to make this false - more generally to make an internet where we know you are a human staring at a screen.

It turns out having dogs (or more commonly programs and scripts) on the internet is not profitable and not good for business, so corporations want to take dogs off their websites by finding clever ways to attest that a real human with eyeballs is clicking with hands and staring at ads.

Support dog rights. Don’t allow for a WEI-dominated web.

2. EvanAn+lq1 2023-07-26 17:45:22
>>helen_+Nt
The whole narrative about WEI "proving" you're a human is completely false (and I'd argue a ruse). It only proves you're using a sanctioned OS and browser binary. It does nothing to stop robots being wired-up to devices w/ emulated inputs.

In fact, WEI will make it easier to use a robot w/ a sanctioned software stack since, hey, it's a "human" per WEI.

3. helen_+7v1 2023-07-26 18:00:26
>>EvanAn+lq1
The WEI proposal leaves open the functionality of the attester, so it’s neither correct to say this will prove requests are humans nor that it simply proves a sanctioned OS/browser.

The attester will attest whatever they want. They can evolve to match the further degradation of user freedoms.

4. EvanAn+Wx1 2023-07-26 18:10:42
>>helen_+7v1
> The attester will attest whatever they want. They can evolve to match the further degradation of user freedoms.

Agreed. Eventually the attestor will be measuring “proof of life” with the camera, for example.

“Please drink verification can” isn’t too far down that road either.

5. derefr+AZ1 2023-07-26 19:55:25
>>EvanAn+Wx1
> Agreed. Eventually the attestor will be measuring “proof of life” with the camera, for example.

Ultimately, it's all just instructions being sent to your computer to be executed, and "your computer" is whatever you say it is. Everything (e.g. Intel SGX et al) can be emulated in a sandbox. That's how modern DRM is defeated.

6. ddalex+vv4 2023-07-27 14:00:10
>>derefr+AZ1
Not if the HW has baked in private keys that you can't read, but which are known to the attester.

7. derefr+uCh 2023-07-31 15:25:09
>>ddalex+vv4
Even in that case, your computer is still an arbitrarily-programmable Turing machine; it contains this one hardwired + proprietary component that the remote end is looking to speak to, but that component isn't in control of the system; rather, it's controlled by the system. This just moves the job of deception one target over. Rather than just turning the logic sent by the remote end into a "brain in a vat" fed a false reality by your Cartesian evil demon (https://en.wikipedia.org/wiki/Evil_demon) of a custom OS, you also turn its local emissary, the DRM TPM chip, into another "brain in a vat" fed lies by an enclosing evil-demon hardware platform.

The only way this attack can even be avoided in principle is to restrict distribution of the DRM TPM chip — à la Nintendo's NES CIC lockout chip that never left Nintendo's hands except in the form of finished first-party-assembled game cartridges. But even that only prevents mass production and sale of devices that defeat your DRM; any sufficiently motivated attacker can still buy a legitimate device from you that includes the DRM TPM chip, rip the DRM TPM chip out, and feed it to their evil-demon hardware to enable it to faithfully attest a lie over the network.

In short: if this was truly a practical additional layer of defense, there'd be tons of use-cases for it — game consoles, set-top boxes, kiosk computing (e.g. ATMs), etc.

But you don't see anyone using DRM TPM chips for these systems, because it's not a practical additional layer of defense: such chips would increase BOM for these systems, while only defending against attacks that weaker defenses (namely software DRM, or programmable-firmware DRM like Intel SGX) already defend against; and while not doing anything more to stop the truly motivated attackers than current layers of defense already do — as your Netflix pirate media-scraping bots, your EVE Online gold-farming bots, etc. all have the monetary incentive and capital to invest to build exactly these evil-demon systems.