https://www.ietf.org/archive/id/draft-private-access-tokens-...
I don't meant to sound negative but wouldn't bots just be able to abuse any FLOSS implementation since they can then fake certain interactions with CloudFlare in the background?
Now there’s a bunch of crypto to prevent the identification of an individual device, but websites would still be able to track your actions even if you disabled cookies, localStorage etc. (apart from the current ways such as like Etag tracking or browser fingerprinting) except that you can’t really mitigate it in any way. Whichever way you put this, PATs are not something that would preserve users’ security or privacy.
I also disagree with you that this isn’t a form of DRM - you’d still need some kind of TPM or another embedded electronic device that helps with these attestations. However, once attackers try to buy thousands of such devices to attack/scrape websites, websites would naturally use the originating vendor as the basis for allowing/denying actions. Which ultimately comes down to DRM - you’d see Windows, Android and Apple devices being allowed - and Linux/BSD/rooted Android/custom ROMs being left out to dry.
> There is nothing stopping the Spam/Bot community from implementing something similar.
I am a full time linux user, but I can guarantee you that if the bigcorps are going through with this it absolutely is going to lock out linux users, because the goal is to stop bots.
Evil.
We shouldn't fight bots. We should use trust instead. Not global trust, it must be subjective. I trust A, B, C. B trusts D, E. E trusts F. It should be weighted. There's small world effect [2]. There's just a few hops between any two people in the world. It solves SPAM, it solves reviews, scam, news and maybe politics. Somebody please get it done already.
1. https://duckduckgo.com/?q=phone+farm+bots&t=ffab&iar=images&...
Once it is implemented in windows it will quickly, if not immediately, be followed by locked bootloaders on any device available in brick and mortar stores or the big online sellers and being locked out from using attestation if you are not using an OS from Apple, MS or Google. We may see a brief window where some select linux distros get to grovel to MS to get signed, but that will quickly go away.
If it's not only technical (e.g: you must be a verified token provider), then it will stop Linux/BSD communities, just like it's today near impossible to open a community mail server.
The website doesn't receive any info other than the URL you are visiting and the fact you have an authenticated PAT.
Not entirely sure where you’re getting your information from.
Since I wrote it I became confident that algorithm which is used for cumulative trust computation should be up to each node (instead of using zk-SNARks for example). If you trust somebody, you trust them to compute it as they wish. And I would drop dimensionality at least in the beginning. Probably using multiple identities in place of it.
"Anti-cheat" and "bots" are literally the same reasoning.
And I think the big take-away is: anti-cheat systems' decision to do this hurts more real people than it does bots. Its idiotic, and anyone with half a brain recognizes that, but statistics are on their side. If 1% of both Windows & Linux players cheat, but 90% of all computer users are on Windows, then banning the 10% who aren't easily kills some number of bots. Its not many, but its nonzero.
What we're talking about with PATs is a multi-party established trust system. You're right; maybe the linux community could/will become an issuer of these tokens. I'm not sure its relevant. Any of these systems could be "compromised" to be leveraged by bots (compromised is NOT the right word, but its probably the word the people building this would use). So, being a mediator or site operator, you have to decide which issuers to trust. Apple probably, Microsoft and Google as well, they're big and represent a lot of users. But its SO EASY to just say "nah we're not going to trust Canonical". After all, there are bots on linux! Granted, there are bots everywhere, but jeeze so few real users would be impacted, we could paint with a big brush and just solve X% of the problem right now.
I don't feel this is fearmongering; I think its a legitimate concern. The reason being: the PAT attestation from the issuer is pretty black-boxed, technically. Apple just asserts to Cloudflare: we think this device isn't a bot. On Apple's end, there will be lots of device & geolocation heuristics, they probably check "hey you signed in with Apple? good, botscore *= 0.9", etc. Cloudflare (or any intermediary/site operator) needs to trust that the validator is doing a "good job" of checking for bots, and the statistical qualifications for "doing a good job" are only going to increase over time. Apple has tons of heuristics they can use; Microsoft probably has a bit less; Linux has very few, by design. Its very easy to imagine a situation where linux's solution to this isn't recognized by Large Service Providers as "up to snuff"; and they get cut off.
But, ok, lets actually fearmonger. There's been some rumblings in the anti-cheat community that one of the signals some anti-cheat systems use is: the amount of money you spend on their in-game store. Its probably a good signal: cheaters tend to cycle through accounts as they get banned, they'd lose all their cool stuff if an account is banned, so they spend less money. Imagine a reality where Apple uses spending heuristics as a signal to determine if a device is real; your account is on the verge of suspicion, and the final data point against you is that you aren't subscribed to Apple One, because per our statistical research 98% of confirmed bots aren't subscribed to Apple One.
Look: some bank and education sites have been doing a small time idiotic version of this, often via useragent parsing. It doesn't really work all that well; but it should signal that the desire for something more functional exists. This solution won't actually be more functional, in a form which allows legitimate non-Big-Tech-Users equitable access. Thus, it'll trend, slowly, toward "trusting the vendor", which also won't work all that well, but no one cares because "at least we're doing something". I think, at the end of the day, the entire domain of "bot mitigation" is misguided; they can't be stopped, you install captchas and you get warehouses of people paid pennies solving them, or you get better AI to solve them. You trust the device, attackers buy the devices. Its a treadmill that literally only serves to reduce access to computing services for minorities (differently-abled people who can't pass captchas, linux users, etc).
We need to, as an industry, take a giant step back and reframe this from "how do we stop bots" to "how do we live with bots".