The person who wrote the proposal[0] is from Google. All the authors of the proposal are from Google[1].
I've been thinking carefully about this comment, but I really don't know what to say. It's absolutely heartbreaking watching something I really care about die by a thousand cuts; how do we protest this? Google will just strong-arm their implementation through Chromium and, when banks, Netflix & co. start using it, they've effectively cornered other engines into implementing it.
This isn't new to them. They did it with FLoC, which most people were opposed to[2]. The most they did was FLoC was deprecate it and re-release it under a different name.
The saving grace here might be that Firefox won't implement the proposal.
[0]: https://github.com/RupertBenWiser [1]: https://github.com/RupertBenWiser/Web-Environment-Integrity/... [2]: >>26344013
[0]: https://www.eff.org/press/releases/eff-makes-formal-objectio... [1]: https://github.com/w3c/encrypted-media
As others have said, FF doesn't have a lot of leverage left to influence those type of decisions, but Safari might. Not sure what their position is on this proposal.
The one pager has a section on stakeholder feedback [0], but doesn't name them for some reason.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?
He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."
It's honestly comical and a little sad.
[1]: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-o...
"Google to explore alternatives to robots.txt".
[1] https://blog.google/technology/ai/ai-web-publisher-controls-...
[2] >>36641607
I suppose Apple may object on the grounds of being a "privacy focused" company, but I'll believe that when I see it. I'm not gonna sit here holding my breath for these megacorps to do the right thing.
To take your GrapheneOS example, apps wishing to support it must add GrapheneOS keys: https://grapheneos.org/articles/attestation-compatibility-gu...
If this proposal goes ahead, it's unlikely that you'll be able to convince site owners and/or ad networks to add the keys of your open source OS.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
https://awesomekling.github.io/Ladybird-a-new-cross-platform...
Microsoft and Real Player pushed hard for an integrated ActiveX based DRM ecosystem over a decade ago. I'm so glad that Mozilla flatly refused to entertain such idiocy. I sure wish that Mozilla still existed.
Mozilla is now just a "pick me" [1] organization to big content. They should own being a browser that caters to users, not platforms. Because they will end up with nothing.
[1]: https://www.urbandictionary.com/define.php?term=Pick%20me
By the HN guidelines this is a repost, but it would be a mistake IMO to delete it. This would mark the end of the open web, but for whatever reason this issue has never really bubbled to the surface here before. It feels like something is different this time.
Is... is the Verification Can actually going to happen? https://i.kym-cdn.com/photos/images/original/000/983/286/ea5...
They should hunker down and make the best browser they can, implementing their best web. It worked 20 years ago, and in many ways the circumstances are the same. We have tech monopolies proposing ludicrous "content security" mechanisms. Where would Mozilla have been if they tried making some sort of half baked "less evil" form of Microsoft Janus DRM[1]?
People are going to get sick of how intrusive DRM is becoming, and there should be an alternative waiting for them.
Every person who has content they thought they purchased "expire" and be erased from their device, or who can no longer use their expensive projector after the latest mandatory update.
I evangelized heavily for Firefox in the 1.x days. People were sick of IE6, and were glad to have Firefox. I worked at a computer store and probably converted 100+ people.
Even still, I think that it is wrong to give something a convenient name that espouses some virtue. They should have chosen something like Web Environment Verification API.
I think it's spyware, and I don't like it. It reminds me of the Stripe API, where you have to run some JavaScript on your site that snoops on your interactions and reports stuff to Stripe that it uses to detect fraud. >>22937303
It's easy: he works for Google. Every single public-ish web developer and/or devrel from Google will spend inordinate amounts of time lambasting Apple, writing eaassays on how Apple cripples the web etc.
While Google has broken the web so badly that Apple would need several decades to come anywhere close.
Note: the moment they leave Google, they may slightly change their tune and criticise Google a bit. For an example, see Alex Russel of web components when he went to work at Microsoft after spending a decade making sure that web browsers are turly unimplementable: https://infrequently.org/2021/07/hobsons-browser/
Yeah: it isn't shocking and can be quickly found using Google (as I just did now). (I have provided some extra links but am only quoting Brendan Eich as you seemed particularly interested in him saying the words himself rather than his team.)
https://www.reddit.com/r/BATProject/comments/bw6sek/
https://www.reddit.com/r/BATProject/comments/b7rwbx/
> 1/ native C++/Rust code, no JS tags on page that have zero integrity. That means ability to use SGX/TrustZone to check integrity and develop private user score from all sensor inputs in the enclave; ...
> We already have to deal w/ fraud. That is inherent in any system with users and revenue shares or grants. We do it better via C++ and (under way) SGX or TrustZone integrity checking + OS sensor APIs, vs today’s antifraud scripts that are routinely fooled.
> What Brave offers that's far better than today's joke of an antifraud system for ads is as follows: 1/ integrity-checked open source native code, which cannot be fooled by other JS on page; ... (1) requires SGX or ARM equivalent, widespread on mobile.
They are also building an SDK and talk about using this tech to ensure the ads presented by their SDK in someone else's app are legitimate.
https://www.reddit.com/r/BATProject/comments/9yys6b/
https://www.reddit.com/r/BATProject/comments/97trex/comment/...
> Part of the roadmap (details in update) is a BAT SDK. Obviously it would be open source, but more: we would require Secure Remote Attestation (Intel SGX broken but ARM TrustZone as used by Trustonic may be ok) to prove integrity of the SDK code in app.
Again: the very tech they are excited about to make their ad-based business model work against people cheating and blocking their ads is the same tech that Google is going to use to make their ad-based business model work against Brave cheating and blocking their ads ;P.
I already got caught by this kind of thing - a https://github.com/nativefier/nativefier app wrapping Youtube Music doesn't work, because Google detects somehow that you are not using a trusted browser and refuses to serve.
This is sort of moving in the "zero trust" (as in let's use ML etc. to detect if we trust something. username/password is not enough), which I fear because it will break a bunch of stuff for genuine users and make things less reliable.
We are an open-source browser developer and these concerns deeply resonate with us. We understand the paradox Alphabet faces, yet we firmly believe the solution isn't about exerting "DRM" level control over a ubiquitous means of access.
We're committed to standing up for the future of the web. We don't just see ourselves as a browser company but as advocates for an open, fair, and free web. We invite you to join us in this endeavor. Visit https://github.com/dosyago/BrowserBoxPro today. Stand with us for an open, free, and fair web.
As creators of a competing open-source browser, we're stirred by this. We're concerned about the future integrity of browsing - whether run remotely, headlessly, or semi-automated, we see all these threatened by such attestations. But we believe in the power of the collective, and the spirit of innovation that thrives in the open-source community.
The conundrum is real for Alphabet, but leveraging control over such a global, ubiquitous means of access cannot be the answer. However, we don't advocate a future where Google cannot derive value from its creations. The economic balance may be hard to find, but technically, solutions will emerge. We're committed to standing up for the future of the web, because we believe in its open, democratic potential.
Now, more than ever, we need you to join us in safeguarding the web's future. Come, contribute, and be part of the change. Visit https://github.com/dosyago/BrowserBoxPro today. Stand up for an open, fair, and free web.
It all started with "trusted computing", where "trusted" means "not under the owner's control". Then they tried to spin it as a "security" thing with TPMs, and created the impression that those speaking out against them were either malicious actors or insane conspiracy theorists.
Now it is actually happening. They want to control exactly what hardware and software you use, and they're doing it by ostracisation, which makes this even more sinister: you're still technically allowed to use software and hardware of your choosing, but you'll be blocked from participating.
I still remember when Intel was forced to revert adding a unique serial number to its processors because of widespread outrage, so it is possible for the public to make a difference; they just need to be educated about the coming dystopia and agitated enough to care and act upon it.
Perhaps we can start by spreading instructions on how to disable TPMs and "secure" boot along with all the advantages that come with doing so (custom drivers, running whatever OS you want, hardware you actually own, etc.) Of course the corporate-owned "security" lobby is going to start screaming that it's "insecure", but we need to make it clear that this is not the "security" we want because it is inherently hostile to freedom.
"Those who give up freedom for security deserve neither."
I also wonder what those certain baseline requirements are going to be? Weird that they're left ambiguous.
It's probably nothing to worry about. We have a ton of precedent with Widevine that "it's okay, we'll license to anyone who meets requirements" wouldn't ever be abused[0]. It's fine, you just meet the baseline requirements that aren't spelled out yet and that might be subject to change and that certainly won't include headless or highly scriptable or experimental browsers. Nothing to worry about.
[0]: https://blog.samuelmaddock.com/posts/google-widevine-blocked...
I never thought I'd see a CoC being used as ammo against this, but it's excellent.
First of all, extensions are not serverside code, so... no, that doesn't make any sense. Second of all, attestation has a lot to do with extensions because extensions are based on browser functionality, and attestation impacts which software you can run. In this case, attestation means websites can check to see if you're running modified or forked browsers that might allow for broader extension APIs.
And attestation has even more to do with extensions when extended to websites than it normally would because if the point of this is to established "trusted" environments, then arbitrary extension access to a web page means the environment is not trusted. If you allow arbitrary extension access, you can't provide guarantees about whether someone is human or not -- extension APIs allow for automation and scraping and ad fraud. And blocking that behavior is explicitly one of the use-cases listed in this proposal for the integrity API.
If this doesn't block extensions, then it's not a useful proposal for blocking bots. Quite literally every single use-case that this proposal lists are impossible if extensions are not restricted. Blocking ad fraud, blocking bots, blocking malware from a banking site, and blocking cheating in web games -- all of that requires blocking extensions. A "trusted environment" the way the proposal describes it can not have arbitrary extension access because extensions can do all of that stuff; from posting automated content to fraudulently clicking on ads to cheating at online games to stealing your bank password.
> With attestation doesn't reveal what OS you are using, so it owned still be impossible to reliably block Linux.
Do you genuinely think that an Open Linux environment is going to support attestation? We're having a hard enough time getting Passkey to support Linux, there is zero chance that Arch Linux becomes a trusted attestation provider for the Web Environment Integrity API.
And if it did, this whole proposal would be useless, because I'd be able to use Headless Chromium on Arch Linux and just have Arch Linux say that my computing environment was secure. There is no definition of "trusted computing environment" for a website provider that doesn't involve blocking access to arbitrary user-controlled code execution at the OS and browser level.
Because if you couldn't block that access, you wouldn't have any security guarantees. The entire premise falls apart if fully user-controlled environments are supported. It would be a useless proposal.
> And there is a ton of evidence that attestation will be used for DRM and to prevent adblocking > Please share it.
https://developer.android.com/google/play/integrity -- please do any amount of research into how this has played out.
> uBlock Origin already objectively runs worse on Chrome than Firefox > I use it just fine on Chrome and do not see any ads.
https://github.com/gorhill/uBlock/wiki/uBlock-Origin-works-b... -- this is also not very difficult to look up, I kind of feel like you should have been able to find this link yourself.
> FLOC is [another long explanation of why advertisers are the victim and FLOC is actually making the web more private]
I have to say again, I don't know if you expect this to sway anyone reading these comments, but it's not going to. No one is going to read that paragraph and think, "you know what, this person probably does care about adblockers and probably is really committed to making sure they're not harmed."
https://www.macrumors.com/how-to/how-to-bypass-website-captc...
For example, they threaten to remove FaceTime and iMessage from UK iPhones if the government there changes the law on encryption [1].
[1]: https://www.macrumors.com/2023/07/20/apple-threatens-to-pull...
Perhaps you haven’t been paying attention but macOS Sonoma—currently in beta, shipping this fall—has the best web app support we’ve seen in a mainstream operating system.
You can put a web app on the Dock using the Finder’s “Save to Dock” command for virtually any website or web app.
Not only do you get service workers, push notification, web app manifest support, etc. web apps have first class support in the Finder, Spotlight, Spaces, Mission Control, etc. [1].
[1]: https://developer.apple.com/videos/play/wwdc2023/10120/
"Who owns Waterfox?"
"System1 now own Waterfox, but Alex Kontos is still leading the direction of Waterfox and will be for the foreseeable future."
And who's owner, System1, states at the top of their page[1]:
"System1 operates the most dynamic Responsive Acquisition Marketing Platform
Connecting high intent customers with advertisers at scale"
[0]: https://www.waterfox.net/docs/faq#5-who-owns-waterfox [1]: https://system1.com
The only way around the dystopia this will lead to is to constantly and relentlessly shame and harass all those involved in helping create it. The scolding in the issue tracker of that wretched "project" shall flow like a river, until the spirits of those pursuing it breaks and it is disbanded.
And once the corporate hydra has regrown its head, repeat. Hopefully, enough practise makes those fighting the dystopia effective enough to one day topple over sponsoring and enabling organisations as a whole, instead of only their little initiatives leading down that path.
Not a pretty thing, but necessary.
But bank apps won't implement it because the market share isn't large enough. This is a great showcase of the issues with the new proposal as well.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
I’m hoping to get back to everyone as soon as possible. I hope you can all appreciate that I’m a human being and this has been a lot!
In the mean time, I wanted to repost my last comment on the GitHub issue thread [1]:
Hey all, we plan to respond to your feedback but I want to be thorough which will take time and it’s the end of a Friday for me. We wanted to give a quick TL;DR:
- This is an early proposal that is subject to change based on feedback.
- The primary goal is to combat user tracking by giving websites a way to maintain anti-abuse protections for their sites without resorting to invasive fingerprinting.
- It’s also an explicit goal to ensure that user agents can browse the web without this proposal [2]
- The proposal doesn’t involve detecting or blocking extensions, so ad-blockers and accessibility tools are out of scope.
- This is not DRM - WEI does not lock down content
- I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It's complex and nuanced, all about altering probabilities of various bad things and TBH work still needs to be done to prove a useful middle ground even exists.
But one thing I can say for sure is there's no way I'm approving Chrome adding a feature which makes it possible for websites to be viewed only in Chrome. Nobody wants that and it's listed as an explicit anti-goal of the feature. Chrome couldn't have existed in the first place without masquerading as Safari, who masqueraded as Netscape etc.., this is something we're all very aware of and committed to in Chrome as its core to the openness of the web.
We need to promote alternative web engines like Servo and libweb and browsers based on them. Many of these engines need a major push to be competent enough for daily use. Gecko is also fine - but building a new browser with it is said to be hard.
[1] https://chromium.googlesource.com/chromium/src.git/+/refs/he...
But, it's true. Since LineageOS doesn't break Android's security model they could work with phone manufacters / Google to allow LineageOS to be trusted. Then apps would not be able to tell via play integrity that it could be lineageos since it looks like any other trusted device.
>There is zero evidence this will reduce the rate of those things.
I think this is fair criticism of the proposal. If it's not effective in practice then sites won't invest time in using it since it's a pointless API.
>Regardless, blocking Headless Chromium on its own is a restriction of user autonomy and a restriction of user freedom.
This API is not about blocking headless chromium.
>but people are still getting their bank passwords stolen by malicious extensions, lock the extensions down too
Protecting against that is unrelated to this proposal.
>:) Come on. Linux security is not the reason it would be blocked in these situations
Considering most Linux users are 1 curl | bash away from installing malware that can easily pivot to root and install a kernel module to hide itself. It's related.
>and three of them are about preventing the user from doing actions that the website owner considers harmful.
Can you quote that section. I don't see it.
>it is a proposal about blocking off user capabilities that website authors would rather the user not have.
Except this proposal doesn't block any user capabilities. It simply adds a way for sites to check if the user has a secure environment.
>That is the reason why attestation won't be coming to Linux: because Arch Linux won't lock me out of my own system and prevent me from running software that I choose.
Arch could simply have in their settings app a toggle that allows you to disable trusted mode to allow you to install kernels or whatever you built yourself. Similar to how motherboards let you disable secure boot.
>it does not escape my notice that you haven't provided an argument for why Linux won't be blocked
Firstly, this proposal isn't about blocking people. Secondly, their will be many Android bsed Linux distros that will be considered secure. For the Debians and Archs of the world they will need to work with others and prove they can provide a trusted environment. I believe this is possible and I think something similar happened in relation to secureboot.
>"it does block an OS and that's actually a good thing to do."
I never said that it was a good thing to do.
>Rooting an Android device is the part we're talking about and the part this has implications for.
Rooting breaks the android security model and provides by definition an untrusted environment. Android apps may not want to deal with supporting devices that don't support the security features an Android operating system is supposed to provide.
>It is extremely likely that Google would use the same underlying system and that Android would refuse to provide attestation for apps that aren't from the Play Store.
The Play Integrity API works with apps not from the store.
> danShumway 26 minutes ago | parent | context | flag | on: Web Environment Integrity API Proposal
> It does not tell you what browser the user is using. Websites can not block a specific browser.
This is unbelievably silly. It's like saying that Play Integrity doesn't tell you if the user is running LineageOS, so it doesn't mean that apps can block LineageOS. This is not a serious argument.
> It's about reducing the rate of those things.
Again, this is incredibly silly. There is zero evidence this will reduce the rate of those things. Extensions are very likely the most common vector for this.
And if you genuinely can't see a clear path in this proposal where website operators will say, "we can block Headless Chromium, but people are still getting their bank passwords stolen by malicious extensions, lock the extensions down too" -- then, I don't know, it must be nice to be able to somehow trust corporations that much despite the entire history of how advertisers and corporations have interacted with the web standards process.
Regardless, blocking Headless Chromium on its own is a restriction of user autonomy and a restriction of user freedom. That is still blocking me from using a specific browser. And if your argument is that scriptable browsers aren't going to be blocked, then this entire proposal is a waste of time.
This proposal will affect extensions for obvious reasons, but even if it didn't it would still be a problem.
> When Linux distributions start to actually care about security yes I do see plenty.
:) Come on. Linux security is not the reason it would be blocked in these situations, user agency to run headless browsers like Headless Chromium is the reason it would be blocked.
You're trying to shift this conversation to be about security, but security is only one of four use-cases proposed, and three of them are about preventing the user from doing actions that the website owner considers harmful. This is not primarily a security proposal, it is a proposal about blocking off user capabilities that website authors would rather the user not have.
That is the reason why attestation won't be coming to Linux: because Arch Linux won't lock me out of my own system and prevent me from running software that I choose.
Of course, it does not escape my notice that you haven't provided an argument for why Linux won't be blocked, you've provided an excuse for why Linux should be blocked. What you're telling me is "yes, your device won't support attestation and you won't be able to use your bank website on that device, but that's Linux's fault. And maybe eventually Linux will support attestation in the future."
Okay, it's nice to know I'll only be locked out using the OS I prefer for an ambiguous amount of time until it caves and meets an unspecified standard of security at some unspecified point in the future. But I'm still going to be blocked from Linux. And you've moved from "this doesn't block an OS" to "it does block an OS and that's actually a good thing to do."
> Play Integrity covers both attesting to if the system is in a secure state and if the app you are running is from the play store. This proposal only has an equivalent for the former.
Luckily the former is the part I care about and is the primary part that is abused. Rooting an Android device is the part we're talking about and the part this has implications for. You started out this conversation by asking me to read the proposal. Let me extend the same request to you: please do some research on this.
Also, please don't make claims that aren't substantiated about how attestation will work. This proposal does not specify that attestation on Android wouldn't use the Play Integrity API. It is extremely likely that Google would use the same underlying system and that Android would refuse to provide attestation for apps that aren't from the Play Store.
Nothing in this proposal preempts them from doing that, there is no reason to trust you when you say that sideloaded apps will be able to pass attestation. The proposal specifically does not lay out what attestation requirements will be.
> Chrome has worked on CNAME stuff since that was written and most of it does not really matter to most people.
"Chrome works on CNAME stuff": where?
https://bugs.chromium.org/p/chromium/issues/detail?id=118065...
Chrome now handles CNAME aliases internally: https://bugs.chromium.org/p/chromium/issues/detail?id=1151047.
We also now plan to support this for extensions as part of declarativeNetRequest API.
>FLOC would not have stopped cross site tracking or improved user privacy
Yes, but the plan was that after FLOC cross site cookies would not be sent. The whole point is to provide an alternative to people using cross site cookies before it gets removed.
---
> But, it's true. Since LineageOS doesn't break Android's security model they could work with phone manufacters / Google to allow LineageOS to be trusted.
There is no evidence that Google would do this. And you're talking about a hypothetical; the fact is that LineageOS is currently blocked. That is what is factually true right now. Saying that it could theoretically be trusted in the future doesn't mean that the Integrity API doesn't block it today.
It doesn't mean that attestation won't block OSes right now. You can't deny that currently the Play Integrity API blocks Android ROMs.
> This API is not about blocking headless chromium. [...] Protecting against that [(password theft)] is unrelated to this proposal.
So first off, this is opinion you, there is nothing in the proposal that indicates that scriptable browsers would be allowed and nothing that references Headless Chromium. You are assuming that Headless Chromium wouldn't be blocked, but I would love to see any statement from Google supporting that assumption.
But more importantly, you're basically saying this proposal blocks nothing at all. Think about what you're saying, this is a proposal that supposedly prevents bots and ad fraud and you're going to allow Headless Chromium? You're like one comment away from telling me, "well, the proposal isn't about guaranteeing OS integrity."
> Considering most Linux users are 1 curl | bash away from installing malware that can easily pivot to root and install a kernel module to hide itself. It's related.
No, this is very transparently an excuse. Out of the reasons for this proposal (as specified in the proposal), kernel level malware is relevant to basically zero of them. Kernel level malware is not the reason why Netflix doesn't run on a rooted Android device. Kernel level malware is not something that matters for blocking web scrapers or bots. Kernel level malware is not the vector through which ad fraud happens. Quite frankly, kernel level malware is not the biggest concern when thinking about bank account theft of phishing attacks.
The reason Linux is blocked is because Linux does not impose computing restrictions on the user.
----
> Can you quote that section. I don't see it.
See https://github.com/RupertBenWiser/Web-Environment-Integrity/..., specifically the bullet-point list under the introduction:
> [...] This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins. [...] Websites can only show users what content is popular with real people if websites are able to know the difference between a trusted and untrusted environment. [...] Users playing a game on a website want to know whether other players are using software that enforces the game's rules. [...] Users sometimes get tricked into installing malicious software that imitates software like their banking apps, to steal from those users.
Of those 4 proposals, only the last one (banking security) is directly related to user security, the other 3 are site policies (ad fraud/scraping, blocking bots, blocking game modifications).
> Except this proposal doesn't block any user capabilities. It simply adds a way for sites to check if the user has a secure environment.
This is borderline disingenuous. Giving website authors the ability to arbitrarily block "untrusted" environments (and specifically telling them that the purpose is to allow blocking capabilities in untrusted environments) is the same as blocking user capabilities.
It's especially absurd to deny given that mainline companies like Google will be in charge of determining what environments count as "secure" and what environments will be supported for attestation, so not only is it an API that is designed to allow websites to block clients, it is also very much going to be Google's decision whether or not a given user capability is compatible with a "trusted" environment.
----
> Arch could simply have in their settings app a toggle that allows you to disable trusted mode to allow you to install kernels or whatever you built yourself. Similar to how motherboards let you disable secure boot.
At which point it would be blocked from attestation, hence blocking user freedoms.
Also, custom-built kernels and custom user software are not side-things I can toggle on and off, my setup depends on those things. You can't go into user settings from the desktop in Arch and just turn off the kernel; if I'm using custom drivers for a monitor or input device, I can't just turn those off.
What you are saying is "your OS won't be blocked, you'll just boot into a different OS or different OS-mode without any of your custom kernels or drivers." But take a step back and think about that: the OS is blocked. And the solution you're giving me is to boot into a different OS based on a different kernel that I don't control that doesn't have my custom-compiled drivers and that might not even support my hardware. This is really silly, it's like saying that Apple Pay is fully supported on Android, you just have to boot into an iPhone.
> Rooting breaks the android security model and provides by definition an untrusted environment. Android apps may not want to deal with supporting devices that don't support the security features an Android operating system is supposed to provide.
Like I said, this is about blocking my ability to root my device. It is a reduction in user autonomy under the excuse that user autonomy to root my device makes my device untrusted.
Quite frankly, it should not be an app's choice to decide whether or not to run on a rooted device. It's none of their business whether or not my phone is rooted.
> The Play Integrity API works with apps not from the store.
Technically true in the sense that I believe Aurora spoofs Play Integrity APIs and device checks, but I'm not sure of the full details there, and in any case that's a circumvention of Google's policies, not something that Google explicitly allows. I'm not sure I understand what you mean here?
----
> https://bugs.chromium.org/p/chromium/issues/detail?id=118065...
The currently inactive issue that hasn't been updated for over a year? That's not exactly strong evidence. Let me know when the Chromium team starts working on it and merges it.
In the meantime, it is objectively true that Chrome currently has worse adblocking capabilities (particularly around CNAME cloaking) than Firefox and that it has had worse adblocking capabilities for multiple years. This is not an API that is available for extensions to use.
And the way that CNAME cloaking has played out in Chrome -- given that they are trailing behind other browsers by years does not suggest that any of the other issues with Manifest V3 are going to be better handled. The overwhelming trend here (and what this issue shows) is that Chrome is going to lag behind other browsers on adblocking.
I'm having a hard time figuring out how you're looking at an arguably orphaned issue and seeing that as evidence that the Chromium team cares about adblocking APIs or that they can be trusted to make sure that adblocking capabilities aren't broken.
> Yes, but the plan was that after FLOC cross site cookies would not be sent. The whole point is to provide an alternative to people using cross site cookies before it gets removed.
Right, that's what I said. It was for advertisers, not for users.
Firefox and Safari removed cross site cookies without supplying an alternative just fine, that was a user-focused change. Chrome refused to make a user-focused change until after it introduced a spec (FLOC, later Topics) purely for the benefit of advertisers. In addition, it introduced other specs (Same Site Sets) that weakened those same protections.
"This internal contradiction is further demonstrated by the fact that the proposed solution to prevent misuse by websites - holdbacks - is to simply sabotage the functionality of the system itself, by making attestation probabilistic. This is not a workable solution to the problem: if the holdback rate of requests is low enough, the denial of service to legitimate users will simply be a cost of business that websites will accept; if instead it is high enough, websites will not use this system as it does not provide meaningful enough information, even for analytics purposes, due to the high uncertainty. There is no goldilocks zone where this system is useful but not open to abuse by implementer websites. You're either implementing a feature that can - and most likely will - be used by websites to exclude unattested clients, or you're implementing a useless feature."
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
But this will likely fall on deaf ears because you already made up your mind last year: >>32283932
What prevents a website from using invasive fingerprinting _AND_ WEI together? I strongly suspect websites will end up using both WEI and invasive fingerprinting because:
1. Websites will want to use invasive fingerprinting on old browsers and it would work within browsers that deliberately don't implement WEI.
2. Websites will want to get as much invasive fingerprinting information as they can get their hands on.
3. It is another layer of fingerprinting in the likely event that WEI is ineffective due to TPM exploits[1], operating system/driver exploits, web browser exploits, determined actors using rooms of computer display recording devices and robotic arm mouse movers, etc. Invasive fingerprinting further increases the cost and complexity to actors the website is trying to block.
> This is not DRM - WEI does not lock down content
It is absolutely 100% DRM. Your proposal states that devices would need to attest their configuration to the website. The website can then block the user because it doesn't want to show the news article to a Linux device where the user can block annoying pop-up ad videos, copy and paste the text or save the web page. The website can instead only allow devices which are factory-configured to block copy+paste, block saving web pages, block screenshots, etc. It's still DRM even with the proposed holdback mechanism because in the best case, a user will still be blocked 9/10 times (or whatever the holdback mechanism is set to). The more likely scenario is a website owner will just refuse to serve content until the client has attested itself. "The requested page can not be provided due to an unexpected problem. Try again in a few minutes."
There are so many flaws with the scheme as currently proposed I feel I could write for days:
Will websites be expected to block and ban users of AMD-SP now that it is broken[1]? Or will whoever conducts ad fraud just buy all the AMD-SP devices they can get their hands on?
As another author replied, are Gentoo users that compile their web browsers and operating systems from scratch just ignored, and the proposal pretends it won't impact these users?
How does the proposal allow users with specialist accessibility software to browse the web without being blocked for being a minority group that is not economically worth website owner's time to support? What prevents abuse of said specialist accessibility software for other purposes?
How would a new start-up developing a competing browser or phone from scratch, and are very much unknown and in a minority position, be able to convince millions of website owners to unblock/allow their new browser or phone? Cloudflare's Friendly Bots program refuses to respond to open source projects, so why would Cloudflare as an implementer of WEI care about new start-ups or small open source software projects?