zlacker

Terrible idea. No matter how much time it would save me, I do not want “my” computer doing any work designed to snitch on me.

>>kgwxd+(OP)
It already does. That's what browser profiling is for.

>>kgwxd+(OP)
>The server doesn't know anything about the device or the person accessing it.

What sort of snitching?

>>kgwxd+(OP)
This protocol is designed to not send any data that can be used to identify you directly or fingerprint your identity.

>>dewell+w
It's designed to gatekeep access to the Internet. This is a company's solution to a problem caused by the same company and we are all forced to participate.

>>wewxjf+N1
As far as I understand, the problem is caused by massive networks of malware ridden computers and bots.

>>simonh+u
It snitches regarding what kind of device and operating system you're using. It currently seems to be limited to Apple devices, but this is the sort of thing I could see Microsoft and Google going for. Put another way, if everyone running unmodified corporate operating systems proves it as a matter of course, it effectively snitches on anyone who isn't.

Running Linux? Rooted Android? Anything else weird? If this gets popular, you might not be able to access most of the web with it, at least not without constantly filling in CAPTCHAs.

>>simonh+u
OP is mad into scalping.

>>Zak+D3
None of this is true.

Cloudflare does not know what device you're using.

>>theshr+9
So lets start by NOT adding more things that snitch.

>>nojito+e6
Cloudflare knows you're using a device that supports this feature. If a majority of internet users are eventually using devices that support it, some sites will probably deny service to those that do not just as some Android apps refuse to run on devices not using a factory OS.

>>lotsof+v3
The problem is caused by other peoples reactions to computers and bots. Bots are the servers problem, not mine, my machine should not be involved in solving it. Same reason I block ad/tracking scripts, it's no my responsibility to ensure other peoples advertising contracts are upheld, that's their problem, if they can't solve it without involving me, too bad.

>>kgwxd+(OP)
Will you forego acquiring an Apple if you don't want it, or acquiring a smartphone at all if they all have it? If not, well, your voice doesn't matter. Sorry. Not trying to be depressing or annoying, just that your/our levers aren't big enough to shift things.

>>Zak+D3
PATs are not an Apple technology, they just implemented it first. Once this is on Android, Windows, Mac, Linux and iOS the only thing they will be able to determine is that you're using a computer.

>>kgwxd+C8
My comment was to point out what I think was an incorrect characterization in these words:

> company's solution to a problem caused by the same company

The “company” needed a solution to a problem caused by bad actors in the network.

Whether or not a company’s solution causes someone else to have a problem is a different matter.

>>dewell+w
That's so wrong it's barely worth responding to.

It instantly narrows your identity down to an owner of a particular batch of hardware and will force you to have an OS owned by one of the big 3 tech companies installed (which will spy on you constantly) to function.

>>Zak+Q7
Which is a good thing.

Besides it's an open standard. https://www.ietf.org/archive/id/draft-private-access-tokens-...

>>nojito+Ko
Remember back to EME, an Open standard doesn't necessarily mean Open implementation.

The actual workflow here is an open standard, but I'm having a hard time understanding why sites won't just require that you use Mediators/Issuers that were written by one of the big tech companies and then block everything else.

Not saying that will absolutely be the case, I'm just saying that I don't understand why I shouldn't be concerned -- I've seen these exact arguments get used in the past for systems that absolutely shut out independent browser/hardware/OS/ROM development.

I mean... CAPTCHA is effectively an Open Standard, even if it doesn't have a draft that I'm aware of. But that doesn't mean much when so much of how it works is rolled up in an unstandardized implementation and when website operators are ultimately in charge of choosing CAPTCHA providers, not users. Is the same thing going to happen with PATs?

>>nojito+Ko
You appear to be writing that it would be a good thing if browsing most of the web was not possible from Linux. If that's not what you meant, please clarify.

If it is what you meant, I don't quite know how to respond except that I disagree vehemently.

>>nojito+Ko
It's a good thing only if you are Apple, Google or Microsoft, or a shareholder of them.

You'll note that no-one from Mozilla has their name attached to that RFC draft.

>>kgwxd+C8
That seems like saying that DDoS is the server's problem and that it doesn't affect you and that the issue is the server's response to bad actors, not the bad actors.

Like DDoS, bots become the problem of all users when they slip through.

Fair enough to disagree with the mitigation strategy. I suppose most web services wouldn't care to differentiate you from a bot.

>>nojito+Ko
So I can just write a linux kernel module to assert I'm a Real Person™ and all will be fine?

>>scoope+N3
I doubt anyone is saying that this is bad if you're using a web app for financial transactions like buying tickets. This proposal however is to basically force everyone on the web to use an ID that can be traced back to them for all usage. This is great for advertisers and even better for government spying

>>kgwxd+C8
Sure but, what about for instance bots on Twitter created to push all kind of agendas into our own country?

>>nojito+Ko
Apple attests that some iOS device is being operated by a real human. They accomplish this attestation through device heuristics; I believe the plan is, to run these heuristics on-device, then communicate them to Apple for signing/validation/whatever. Or, maybe it all happens on device, its not really relevant.

Its not relevant because: Apple devices only run "trusted" code. Cloudflare then says "hey, any PAT which originates from Apple is probably generated by trusted code, we know what heuristics we use, we trust those heuristics, lets approve it."

But extend the same theory to more open devices. There are two outcomes:

(1) Services trust the PAT itself. This would be pointless from a bot-mitigation angle, because anyone could just mint and submit a PAT. But, it would be "open".

(2) Services trust the PAT issuer. Implicitly, this means, they trust all the code which the issuer uses to generate the PAT, probably using device heuristics of some kind.

The second outcome is far more likely. Conways Law: these systems were built by teams with one goal: to stop bots. (1) wouldn't actually stop bots. Similar to SSL certs: We don't just trust any valid SSL cert; we only trust ones that are issued by known trustworthy third parties.

But there's no way to trust code running on open systems. They can't trust the heuristics, because they could be faked. Even if a solution evolved which looked like "the linux kernel has this built in" or "canonical distributes a known good binary which contains good heuristics algorithms", it doesn't matter, because there's no way to cryptographically validate it. We can modify the code, run whatever, and suddenly that Issuer (Linux, Canonical, whoever) can't be trusted. Only issuers which operate their heuristics in locked-down environments can be trusted.

Also similar to SSL certs: they'll say "we'll always have captchas as a fallback"; "you don't need HTTPS, HTTP is always there". It's bullshit scrying from people who can't think more than one quarter ahead. In the case of SSL, its reasonable bullshit, there's strong arguments for it, it made deploying websites slightly harder but not insurmountably. PAT is another step beyond that, and I don't see a situation where this technology is both Useful and Open. I really hope we decide to sacrifice its usefulness; but the Powers That Be probably won't.

>>xtanx+l6
Reframe it and it’s not so bad. It’s presenting a tamper evident ID card to a website that’s minted by the manufacturer of your device.

Your fake drivers license isn’t snitching on you when the bouncer looks at it.

It’s only snitching if you’re trying to get away with something and pretend you’re running unmodified Windows/macOS when you’re not.

>>Spivak+Ek1
Reframe it again, I'm running a modified OS that is free of spyware and respects my freedom, but the corporate bastards don't want that.

>>stjohn+rS
> I doubt anyone is saying that this is bad if you're using a web app for financial transactions like buying tickets.

I for one am certainly saying that this is bad if it means that you need approval from one of Apple, Google, or Microsoft to participate in financial transactions. That would be a giant step backward compared to the status quo.