zlacker

[parent] [thread] 15 comments
1. predic+(OP)[view] [source] 2023-07-18 22:36:42
Lots of people doom and gloom here about threats to user privacy and freedom.

This is the one I'd be worried about. Thought it was annoying to not be able to use banking apps on a rooted Android? Think about how annoying it will be when you can't do much of anything, even on the Web, unless it's from a sealed, signed Apple/Google/Microsoft image-based OS...

I realize the way Firefox's user share is going, it might not matter or they might feel they don't have a choice but I really, really hope Mozilla doesn't even remotely consider implementing this.

replies(5): >>bagacr+h5 >>wolpol+R5 >>TheBro+99 >>Gigach+3c >>mattst+tc
2. bagacr+h5[view] [source] 2023-07-18 23:20:49
>>predic+(OP)
Do you realize the amount of work that Google has put in over the years to provide Linux support for Google Chrome? Why would they suddenly about face on that?

Wouldn't it be great if you never had to deal with another captcha?

replies(2): >>flango+B7 >>predic+kj
3. wolpol+R5[view] [source] 2023-07-18 23:25:44
>>predic+(OP)
Safari, rather than Firefox, might be only actor with the market share and motivation to drag out the implementation and adoption of this proposal.
replies(2): >>amadeu+A6 >>NoGrav+n65
◧◩
4. amadeu+A6[view] [source] [discussion] 2023-07-18 23:31:38
>>wolpol+R5
Apple already has something like this: https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
◧◩
5. flango+B7[view] [source] [discussion] 2023-07-18 23:40:00
>>bagacr+h5
I would rather have a captcha than not be able to access a service at all.
6. TheBro+99[view] [source] 2023-07-18 23:52:29
>>predic+(OP)
Firefox doesn't allow users to install unsigned extensions unless they use a beta version, because users apparently can't be trusted to install software. I trust Mozilla to fight for privacy (they're great at it), but I do not trust them in the slightest to fight for user freedom (like accessing banking sites on an "insecure" OS).
7. Gigach+3c[view] [source] 2023-07-19 00:19:05
>>predic+(OP)
The frustrating thing is that this is both the final nail in the coffin for computing freedom, while also having a legitimate use case. I'm seeing new banks that flat out do not have a web UI at all. The reality is that desktop OSs and browsers have done nothing to stop the fact that it is trivial for a regular person to accidentally install malware which is completely transparent.

Online fraud and theft is exploding right now and the average person is simply not capable of securing a laptop so the companies have decided to only allow secure access through a phone which can usually be trusted to be malware free.

replies(2): >>predic+1j >>kevinc+nI2
8. mattst+tc[view] [source] 2023-07-19 00:21:45
>>predic+(OP)
> but I really, really hope Mozilla doesn't even remotely consider implementing this.

Apologies for the simple question, but wouldn't forks of popular browsers crop up without this attestation API implemented? Or is it a thing where websites themselves would potentially refuse traffic from browsers that didn't support it?

replies(1): >>Wirele+0d
◧◩
9. Wirele+0d[view] [source] [discussion] 2023-07-19 00:27:10
>>mattst+tc
They could, and they wouldn't get the keys needed to do this attestation. So no DRM content for you.
◧◩
10. predic+1j[view] [source] [discussion] 2023-07-19 01:30:22
>>Gigach+3c
I agree, sort of -- I still think it's a farce. Unless this is implemented in a way that has a checklist that is updated so frequently as to force Windows users to do what they're often notorious for LOUDLY refusing to do... then it's more theatre.

As long as Windows users are allowed to remain as out of date on patches as they are, and depending on what the browser users as its attestation "source", I don't see how the browser and website can ever meaningfully establish the validity of the statement "the client is trusted to be malware free".

replies(1): >>Gigach+An
◧◩
11. predic+kj[view] [source] [discussion] 2023-07-19 01:33:52
>>bagacr+h5
> Wouldn't it be great if you never had to deal with another captcha?

I run a custom build of Firefox, on a (somewhat, still-ish) niche Linux OS, with the kernel and bootloader signed by my own signing keys. What could I attest with, that will make some banking website perceive me as a trustworthy client?

The second this becomes widely available, it won't mean "bypass captchas" - it will mean "can't bank unless you use up-to-date Android or latest iOS".

◧◩◪
12. Gigach+An[view] [source] [discussion] 2023-07-19 02:25:48
>>predic+1j
I wish the answer was that MS would secure Windows better. Sandboxing applications, and making it a pain in the ass to request high privilege functions. The current state of things is you just get a useless popup to grant admin access which literally every program requests so as a user you have no real tools to combat malware.

It's too hard for even someone who is highly knowledgeable to know if they have malware, let alone the average person.

◧◩
13. kevinc+nI2[view] [source] [discussion] 2023-07-19 17:49:40
>>Gigach+3c
And in 100 years you will need to have your brain scanned to withdraw cash. The process will validate both your identity and that you aren't being coerced.

It has to stop somewhere. 100% security may reduce the banks' fraud costs but it isn't acceptable for personal freedom. "Choose a different bank then" only works until all they all adopt it.

replies(1): >>Gigach+yR3
◧◩◪
14. Gigach+yR3[view] [source] [discussion] 2023-07-19 23:12:43
>>kevinc+nI2
The banks aren't the ones taking the loss for scams since their system doesn't have any faults, it's you or your computer that authorized the translation. I can see the reasoning for the push to more secure transactions. We constantly have people being scammed of their life savings due to sophisticated attacks beyond their understanding.

I assume an old person cares about not being left poor and helpless in retirement more than they care about free software and computing freedom.

I think it's probably likely that we will end up in a situation where some devices like phones and maybe laptops are considered "secure environments" where banking transactions and such can be safely executed, while alternative devices will be available for complete freedom and tinkering. You'll likely always be able to run any program you want on your laptop but those programs will be limited to their own sandbox rather than having free access to any other programs data.

replies(1): >>chii+Ngg
◧◩
15. NoGrav+n65[view] [source] [discussion] 2023-07-20 12:35:44
>>wolpol+R5
You're right about the market share; I'm not sure about the motivation. Apple has the capacity to be an attester in this system, since they are an OS and hardware vendor. And while they care some about privacy (in as much as it's a marketing point), they manifestly don't care about user freedom (on iOS, and increasingly on MacOS). I think as long as their code running in a secure enclave is an acceptable attester to this API (which it will be), they don't have any motivation to oppose it.
◧◩◪◨
16. chii+Ngg[view] [source] [discussion] 2023-07-24 02:39:07
>>Gigach+yR3
> while alternative devices will be available for complete freedom and tinkering.

this alternative will basically not exist for all intents and purposes if the "secure" version is the norm.

Let's take an existing example - why is there no such an alternative for home gaming consoles like Xbox or PS5?

[go to top]