But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
It's honestly good for this to get a lot of attention though, I'm happy to see additional commentary on it getting shared.
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
I'd be curious to know how or if Chrome actually manages the PR around their work. Chrome lead fired off a blog post So you don't like a web proposal which effectively says it's purely a technical decision, and that only constructive technical criticism is regarded at all. >>36818409 https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...
But I don't feel like Google has the luxury of letting its image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
Rinse repeat.
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
Of course it's dubious if it applies here, especially because the playing field doesn't feel quite equal, but I think the most effective thing we can do is simply refuse to use websites that require a custom built user agent to access.
Heck maybe we've already mostly lost the battle to keep the internet usable with curl, let's at least try to keep some of the other options open.
A lot of that has been happening for a long time now.
It is:
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
> Same thing for a lot of sites, probably the vast majority of them.
Once Google gets this in place, it can then perform these checks through their ads SDK and demonetize traffic from visitors that don't pass the check. This will create an incentive for any site owner that wants to make money through ads to enforce that visitors must use an approved browser. Basically the DRM equivalent of 'Please disable your ad blocker'.
Some of us called that out as a slippery slope leading to ubiquitous gatekeeping, but we were shouted down in the name of (as usual) "security."
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of its users hates and none of us can do anything about it, they perhaps have too much market power.
Kinda like how Widevine works. No keys means lower quality.
The bigger concern for me like you call out - major institutions like banks enforcing a separate company's requirements on me in order to interface with them.
Want to go to an online banking site? Then we'll need to make sure your computer is unmodified and contains no unapproved software.
You'll be filling in captchas 10 times a day, getting randomly locked out of your Google account in the name of security, and whatever new feature they add to their services, they'll find an excuse to require the DRM for it.
Then, people will DDOS the attestation endpoints because why not.
As if something with multiple downstream non-technical effects, is only a technical change
As if you can minimize and dismiss everyone’s fears and concerns as hollow, invalid and irrelevant by waving the magic wand of tis only a wee technical change, to be sure, to be sure
As if everyone’s protests and arguments against can be instantly hosed down, because aye, you guessed it laddie, it’s only a technical change
It’s almost as if the folks at Google think people are so stupid that not only do people not know what they’re talking about, but they’ll actually believe the lie and fall for that deception…
It’s almost as if Google was trying to gaslight the public about this…
If they end up groveling about this, I don’t think “in retrospect, we could have communicated this better” is going to cut it. This is a company the size, scope and sophistication of Google. This is not their first rodeo. They know exactly what they’re doing, and they mean to do it…
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
[Answer: Neither]
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
And, locally, there have been two ISPs set up (one by me and my friends) that aren't meant for public use, but to supply service to smaller groups. The one I set up was to supply internet service to a remote neighborhood that isn't likely to get reasonable commercial internet in the near or medium future.
Those two ISPs supply internet access, but they also operate an intranet that is mostly decoupled from the public internet.
All baby steps, and nobody is 100% "off the grid", so to speak, but it's a trend that started long ago and seems to be gaining a bit of momentum.
My prediction is that the web will ultimately be just for commercial use (it's already 90% there), and there will be a whole bunch of tiny networks -- that may or may not portal to the internet -- that will fill the needs that the internet is increasingly unable to fill.
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
youtube, prime video, netflix, banking, github
none of that for firefox users
They lost me more than a decade ago when they hoovered clear text passwords from their wifi scanning and blamed it on a single engineer.
Because of this. If we're at the point where you need to get permission and approval to verify that the platform you're using is acceptable, then the gates are up and the free web is no longer free at all.
If they believe that it's in their best interest, I'm not really sure what we can do against this...
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
I wish I could agree. The internet isn't in nearly as bad of shape as the web is, that's true. But it doesn't look nearly as healthy as it used to, as more and more services are moving to the web and abandoning the internet.
I don't think this is remotely the case. Quite a few tech-savvy people I know (some of them software developers) use Chrome and mostly don't care about whatever Google does with it. I mention "manifest v3" and get a blank stare. I talk about advertising and ad blockers, and most people don't care, with some of them not even using ad blockers.
We really live in a bubble, here on HN. Most people think of privacy as some abstract thing that they have little control over, and are mostly fine with that. And some are even also fine with government erosion of privacy, in the name of "save the children" style arguments, and of corporate erosion of privacy, in the name of getting free stuff in exchange for their personal information.
It's a sad state of affairs. If most people really did care strongly about these sorts of issues, then I think it would be baffling why we haven't seen more change here -- after all, Firefox is a perfectly viable alternative to Chrome that very few people use. But the lack of change is no surprise: most people don't care.
Google needs to be broken up, and the other tech giants too. Bring back competition to the market or we'll continue marching towards Blade Runner corporate dystopia.
On top of all this, a lot of users don't care, which is a problem itself, but also leads to an even harder time trying to navigate a company breakup. The convenience is too great for them, and it's too easy for the above noted companies (alongside other giants like Walmart) to shift public opinion.
Faced with a choice between a vague future threat that might happen (an adversarial ISP or other MIM attack) and a certain future threat that will happen if we let it (incumbent gatekeepers locking down the Web), I'll take my chances with the former, and opt for less gatekeeping rather than more.
The best time to break up Google was 10 years ago.
The second-best time to break up Google is today.
And for most people in the world, that is "the internet".
The "privacy sandbox" stuff is a perfect example of this process.
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
It will affect you a lot if websites start refusing to serve to you because you're not using an approved browser.
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
I would probably have dropped Firefox back then if it was the only browser that I couldn't watch Netflix in, and I wouldn't be the only one. I don't think Mozilla can bear the loss of userbase.
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
This is going to be rough.
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
How would this have changed the existence of the Web Integrity API?
Multiple bubbles on HN. Obviously, most of us are complicit in some techbro business conventions today that, 30 years ago, would've gotten us shunned by our peers, and reported to the authorities.
(Not that current phenomena weren't foreseen. SF writers had already been all over it. Anecdotally, Internet-savvy techies were often informed by various forward-looking thinking and by world history, and tended to act like stewards rather than exploiters.)
https://tildes.net/~comp/18h8/web_environment_integrity_a_go...
They now have an interest in limited edition color drops and with their bespoke characteristic allowing users to select color that best resonates with them.
You and I, as mere mortals, may not know what this means, but rest assured, mozilla does.
Google should've just called this HTTPS+ Everywhere and there'd be no blowback.
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
If this weren't true, Apple could just start inserting ads into every iphone's Safari window tomorrow, and Youtube could serve the ad in the same stream as the video to defeat adblockers, and they'd make a bunch of extra money with no downside. The fact that they don't do this suggests that Apple and Google understand this: people only tolerate restricted platforms that do a convincing job of pretending to be unrestricted. In practice, this means that step 1 of Google foisting off user-hostile stuff on us is getting Firefox to include it too, which is presumably why they spend so much money on it.
But we still have TCP and HTTP. We will rebuild this place.
I'm not a super anti-Google person. I use Gmail and Google as my search engine. But Firefox is a good browser that I use as my daily driver, and Edge, Brave, Safari and the DDG browser are other options.
Switch today and start taking away Google's leverage.
This is such a horrific & bastardly case - of creating unparalleled rank awfulness hither-to-fore unimaginable - that I am tempted to agree. And I do think there probably was some cross-pollination on this idea (which I personally would characterize as unlike the vast majority of things happening on the Chrome team).
But I still think there's a very necessary "reel it in" counter-response that has to happen here. It was me who characterized this as "only a technical change". Google is trying to shift how the web works & knows it, with this change, and that's clear, and their explainer indeed rather twists words somewhat to make it sound like it's for the user: but it is also eminently clear they seek to shift how the web works in a wide way, and they're not cloaking that behind anything or as simply technical: they're wrong & immoral & awful, but up front about what they're doing, and they're not presenting it subtly.
I linked Yoav Weiss's post with some disdain (for rebuffing), but I think a lot of these rules hold true in most circumstances, and I think even under duress many should be respected to the degree possible. But reciprocally, I've already advocated (in the HN thread) that sometimes I don't think constructive replies are appropriate or possible. When we are working to define the only open accessible shared hyper medium humanity has, there is a higher degree of engagement necessary, which also has to permit explosively deconstructive argumentation sometimes. That was my main critique: that Yoav is sheltering Chrome unjustly from the minefield of conflict he created (or more generously, let be created).
So if you really want to disrupt Google's control over the web platform the only options are really Firefox and Safari.
The good thing is to give browsers a way to attest to their inviolability to systems on the other end. This is generally useful! In particular, it opens up a huge potential for people to run what are effectively servers in their browsers - which was TBL's vision for the web in the first place.
The not-as-bad-as-you-think thing is that Google (and others) will use this to disable ad-blockers. Ad blockers are fundamentally dishonest, and people who use them may feel guilty for doing so. The more honest approach is to simply not consume the media. And this, it turns out, is better for society at large. Anyone who gets paid to talk ekes out a living by hacking the algorithm, making a brand, and telling people what they want to hear. It's bad and it's a bad system that makes the world worse.
[0] gemini://hackersphere.space
This is not support, this is lack of awareness or apathy.
See, don’t worry, they’re thinking about you, holdout.
One key difference to Captchas is that since this new system requires no user input, the "cost" of a website requesting attestation is a lot smaller. So it will probably be used more widely.
To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.
The monopoly has been successfully changed ... to another monopoly!
It would be trivial for them to build a Chromebook, or Android phone, or browser that you can't flip into dev mode, but they've never done that, even though many of their competitors in the space regularly lock users out of their devices.
What will happen if such a thing actually happens is that the underground market for "trusted device" farms grows, not too different from what's currently already happening but possibly at a far larger scale. Of course, that means the financially motivated scraping services still keep going while the honest individuals wanting user-agent freedom get screwed, just like with many other forms of DRM...
So get a front row seat and get ready for what is to come in September this year to witness the beginning of the end of a company once adored by hundreds of techies finally getting broken up to pieces.
[0] https://www.cnbc.com/2020/10/20/doj-antitrust-lawsuit-agains...
[1] https://www.cnbc.com/2023/01/24/doj-files-second-antitrust-l...
Google's issue is the leverage they have by having Chrome used. If it is just a derivative then that lessens their leverage because the vendors of those derivative browsers do have the option of modifying Google's choices.
But if you disagree, then yes, sure: use Firefox.
I don't see how advertising an open WiFi network is much different from advertising an open house. In both cases you should expect visitors.
Of the FAAMGs my favorite is Google, but this makes me reconsider my position.
* I won't even say relatively unknown, he has 8 followers on GitHub. Simply unknown to the dev community.
We're not in a movie. When they close the open internet, there will be no reason for them to open it back up. Everybody's Playstation will still work. Facebook will still work. Twitter will still work, but it will be all blue checks.
In the future they may not even sell general purpose computers to the public that can access the internet. The network will kick them off as unsigned machines. Maybe they won't let anything on the internet that is capable of running illegal or unlicensed encryption.
The open systems will have to be physical places where we go meet each other, and don't bring our phones. Of course, they could make you carry your ID in your phone (for a few years, there'd just be a $100 charge for a physical ID until they eventually just phased them out), or make you carry cash in your phone, so how could you meet up in person if they didn't want you to?
If we're writing stories.
Web Environment Integrity API Proposal - >>36817305 - July 2023 (428 comments)
And most of the functionality people want out of the web.
It's a neat project, but it's not responsive to the problem at hand. By design. And that's fine. But it remains nonresponsive.
I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too.
Once again, Stallman was very prescient: https://www.gnu.org/philosophy/right-to-read.html
edit: I'm studying ways to facilitate decentralized decisionmaking in small permissioned networks.
You can take advantage of it, but almost everyone is going to feel like it's not right unless they have consent.
An open house would be akin to having an open wifi network labeled "PleaseUseMe".
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
Screw that.
Now, if the application provider chooses not to support the alternatives, I'd argue that's on the app provider (the bank and gov apps). And again, perhaps the best thing is to NOT USE THOSE KINDS OF APPS ON A PHONE. I am very concerned that people are essentially locked out of essential services if they don't have a smartphone and a working SIM card. After all "the best way to repeal an imperfect law is to enforce it perfectly."
I'm not Nostradamus; but I'm hopeful that if Google goes down this path that it will hasten the end of a wide variety of error modes in the world. Of course that may be putting a little too much faith in neoliberal capitalism, to come up with alternatives that aren't smothered in the cradle.
In a world with attestation, you can't browse any website unless you are using Chrome or another attested browser. The New York Times would refuse to serve content to unattested user agents. That is what would make everyone use Chrome.
A competitive market is way more important than Google.
Firefox unfortunately does not have the numbers on their side nor will they seemingly risk their Google payout deal. At this point, if you're using it, you're doing it because it has specific features or extensions you want, or you believe that it's ethically the right choice and you're comfortable with the trade-offs.
(I love Firefox, I just think we need to be realistic here)
Edit: I will actually note, in thinking after posting this comment, that it wouldn't surprise me if Apple was actually down for this proposal. Sigh.
How is this, conceptually, any different from sites that used to block IE out of spite?
Although in this grim future where all communication is monitored and censored, people like you and I will probably be up in the hills in the rebel camps, and open networking protocols might be low on our list of priorities.
I don't use Firefox because it's slower than Chrome and because their behavior regarding limiting which extensions are available in phones, requiring signed extensions, Firefox Pocket, ads in new tab page, etc, does not exactly give me confidence that Mozilla truly has my interests in mind. In fact I bet they'll implement the nightmare DRM API once it's done swiftly and without complaint lest their money flow suffer.
If Mozilla ever decides to stop screwing around, clearly position themselves as an ally of the consumer, clearly express support for adblockers and put resources into making the browser faster and better and more customizable instead of whatever makes their CEO richer then I'll switch to Firefox even if it is a bit slower or has some flaws.
In the meantime uBlock works right now in Chrome which makes it usable, so since Chrome is the fastest right now, Chrome it is.
You make these analogies attempting to equate an advertised open WiFi network to an unlocked home, while ignoring the precedent around both of those things.
It is expected that people connect to your advertised open WiFi network. It is not expected that people wiggle your doorknob to check if it's unlocked or not. If you put a sign on the door advertising, "the door is unlocked!" then I wouldn't be surprised when someone mistakes that for "come in".
Mr Amadeo does a good job succinctly explaining the explainer.
Also, Firefox just passed ahead of Chrome on some JS speed benchmark, so you should get ready to switch back!
I guess it has been the case from the good old CGI era? I do remember all those private forums that required me to wait for several days until they can "verify" my identity and "approve" my registration. The control always has been at the hand of platform. The difference is that now attacks are much more sophisticated (GPT-4 powered!), while defense line is left at a pretty miserable state.
Archive: https://catless.ncl.ac.uk/Risks/
So much of our current hellscape was foretold long ago.
and that's exactly it. putting something in your music library is a hugely more visible and tangible thing than all the nebulous privacy concerns the internet wants me to be afraid of. nobody gives a shit if google or apple or facebook or whoever else introduces some technical measure that could be used for nefarious things. they only care if that api is actually used for nefarious things. as long as the argument is "well if google implements X, then it would potentially allow them to do Y", that's a failing argument.
like it or not, people actually do trust the big tech companies. as long as they aren't actively abusing that trust in ways that people care about, things like "google wants to know if you're a real person or a bot" aren't going to cause a whole lot of outrage. most people can understand that letting fake people pretend to be real is bad, and that preventing that is probably a good thing.
When you talk about communications technology adopted at a societal scale, changes in norms and routine have ripple effects. Most certainly one of those is a change in asymmetric power relations by central communications companies, versus the user of their systems who get strictly limited information views of what is happening with their phone calls or emails.
When you have asymmetric power relations with market advantage and secondly literal surveillance at stake, a unilateral change in the service agreement is not a small "oh well" matter.
This single statement "people do not care" does not show all the players, and most especially does not show the players making decisions, the management of the companies making more money or new revenues with new decisions.
I don't agree with doing that either, but whereas things like changing UA headers/page-rewriting proxies would easily get around that sort of discrimination, this is now cryptographically secure.
Governments are scared of encryption because it could be used against them. The population should've realised the same could also apply to them, because it is now actually happening.
This isn't to shit all over Mozilla, this is to highlight that browser choice is irrelevant here, this is not a "war" won by installing another program.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
The problem is that it isn't.
Do you know why Firefox managed to usurp IE6 in the first place? Because it won the adoption and appeal of tech enthusiasts and professionals. Mom and pop (read: the general population) switched to Firefox from IE6 because their tech nerd kids installed it for them, and the enterprise largely moved off of IE6 dependence because the general population moved off.
But the Firefox today is not the Firefox that defeated IE6. Mozilla steadily eroded and destroyed every single thing tech enthusiasts and professionals loved about Firefox, to the point it practically became just a Chrome ripoff. At that point, why bother? Chrome's right there, the real deal.
Not to mention Mozilla happily takes money from Google with no shame at all so their CEO can get her fat paychecks.
Firefox is not a viable alternative, Firefox is literally controlled opposition to pedantically argue Chrome is not a monopoly. Not even the Intel and AMD x86 duopoly is this blatant.
Look, I will absolutely criticize Mozilla for some of its policies. Pretty much every issue you've raised there is spot-on, in fact I'll go a step further and remind everyone that Pocket was kind of supposed to be Open Source by now, and it still isn't.
But it's cutting off your nose to spite your face to use Chrome. Google is less receptive to criticism than Mozilla is, has worse extension APIs and is more restrictive of how extensions get installed, has worse privacy features, allows for no extensions on phones, is more directly tied into an advertising network, and is actively trying to make the web worse.
Use Firefox.
I am not telling you to be complacent or to ignore Mozilla's problems, I am telling you not to lend support to the browser that is actively trying to make the web worse. We're all very happy for you that you're very principled about not just picking the better of two bad options. We're happy that you have those standards. But we're less thrilled about your policy of picking the worst of two bad options. At the very heckin least you're not even going to use a Chromium fork? You're just going to make the worst browser choice you can make for the Open web?
Firefox fails because there is no actual industry pressure to build a better browser. you simply can't sell a browser alone anymore: the free offerings have been good enough since the early 2000s.
Safari only needs to be good enough for iOS users to not abandon the platform entirely, and the ecosystem wants to push you into native apps anyway (Apple wants their IAP cut).
Chredge is, well, _there_, but basically just a minimum batteries included that maybe funnels some set of users into other Microsoft offerings, but it isn't the core product.
Chrome is, well, Chrome.
Firefox is comfortably supported by Google funding as an antitrust action shield. there's no real pressure for them to try and beat Chrome in market share because they're explicitly paid to be minority market share, and aren't really going to lose that share because they already have all of the "intentionally don't want to use Chrome" market. Mozilla faffs about making also-ran internet services (idk, whatever the heck that VPN offering was, etc.) because they fundamentally can't lose their main revenue stream so long as Google wants to avoid antitrust action, and have no real pressure to offer a competitive product.
Also known as "we'll read what the opponents say, and keep trying to poke them with convincing-sounding arguments until they surrender."
And no curl, no yt-dlp or youtube-dl, no alternative YouTube frontends, no scraping the web to build an alternative search engine.
"That is because without Web Integrity, there is no guarantee that the site requested is being delivered as the site intends. For example, a browser extension could remove ads or modify content on the page."
See where this slippery slope is heading? We DO NOT want what "the site intends". We want to be in control of the content we consume.
That is exactly the goal of this, and why it needs to be opposed fiercely.
Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.
What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?
Yet, no one cares, even on HN.
Like the old joke goes “you screw a goat once…”
The choices were EME, Flash, or no premium VOD on the web.
As for performance... That sounds dubious. Declarative blocking surely will be faster than v2, but what is being blocked by v2, I would imagine, is generally way slower than the difference between v2 and v3. At the end of the day, I don't see the performance of my browser negatively impacted by uBlock Origin, I see it saving CPU, bandwidth, memory, privacy, etc.
I'd be willing to bet that whatever isn't blocked by v3 is significantly slower than whatever supposed slowness there is with v2 (in general).
That's true, I was talking about desktop, I probably should have not mentioned the phone extension thing.
In Android I use Bromite (a Chromium fork) which I should probably replace since it's fairly outdated at this point.
But you're wrong about me not using Firefox out of spite, the real reason I don't use it is because it is (or apparently was according to the other replies) slower to the point it is noticeable, at least on my desktop (and even more so on my old phone). The rest is just why I don't support them despite being worse.
Also, I don’t think it’s necessary. Google is responsible for whatever its parts are doing; a corporate entity. And people are right to expect that if they get something from Google then it’s caused by Google.
Also, I think it’s wrong and too early to be diluting or shielding Google behind the pedantic hairsplitting that, “oh you see it’s not actually google at fault here, um, it was probably some guy that works in a basement somewhere, you know, his views not reflected by ours and so on…” it’s not necessary to provide them that shield or confusion at this stage.
He may work at google, you may work at Google, I may work at google; we don’t know. And it’s not important. What’s important is that Google is at fault here. (I don’t btw)
Magnitude of the malfeasance is so great they deserve to be held to account for it, and a simple label of Google is sufficient.
Also, Occam’s razor? I think it’s unnecessary to invoke the preposterously exaggerated strawman of some ghastly and convoluted conspiracy here, when their actions directly align with, and can be efficiently implemented by, their business. It’s a simple thesis: Google is at fault and they meant to do it. They know it’s bad and therefore are selling it deceptively.
It’s neither convoluted nor complex in any way. In fact, if they’d tried to engage with this technically in a way that accounted for, acknowledged, and respected the fears and concerns people raised in response, then I think they would’ve ended up with a solution that is more convoluted and complex. In this we have the curse of simple evil.
I think it’s drinking the gaslit Kool-Aid to pretend “oh no, it’s an accident, it’s incompetence, they didn’t mean to.” This is directly (if harmfully and unethically) supporting their business interests. They meant to do it. That’s the simplest explanation. That’s Occam’s razor.
Their hold on these claims is extremely tenuous. No one would be surprised if Firefox, Bing, or iOS resurged and killed Google’s offering, for example.
Skepticism is a survival skill.
The only regulatory action we've seen - supported on HN - is to go after their competitors.
On HN people are more likely to complain about Safari existing and demand Chrome everywhere.
The original reason Google started the Chrome project was that the stagnation of IE6 was a barrier to implementing the web software they wanted to build. At least that's what they told us.
It seems this particular moment in history has been either forgotten or rewritten, judging from this thread and another one from yesterday.
Just like I'll have some conversations on WeChat but if I want to talk about Chinese politics maybe I'll do that on another platform.
I don't really see the erosion in the corporate space. The erosion of privacy is happening at the government level. With "forced backdoor" laws and/or just outright forking the internet backbone (ala PRISM). I've never really understood "Corporate erosion of privacy"... It's the opposite, Privacy is literally a USP of Apple products. They had to back out changes that hinted at an erosion of that trust with the on-device processing of Photos for cloud-sync. People are more aware than ever.
As opposed to chrome, which doesn't allow any extensions on mobile
> requiring signed extensions,
So does chrome
> ads in new tab page
Chrome is made by a company whose main business is selling ads ...
> clearly express support for adblockers
Mozilla has long shown support for ad blockers; for example, uBlock Origin was the first extension supported on mobile, Mozilla has no plans to drop the blocking WebRequest API, largely because it is needed for sophisticated ad blockers like uBlock Origin, etc.
I don't agree with everything Mozilla has done, but I still think Firefox is better than the alternatives.
Unlike captchas with this you can remove adblockers, greasemonkey/stylus edits, extensions adding download links to your youtube videos, etc, from the picture.
Sounds pretty sweet from a corp security perspective. Context Aware Access lets you do attestation at SSO time but baking device integrity further into the system would be helpful.
Unfortunately, this gives a lot of power to webpages. I'm not sure it's worth the tradeoff. This seems like something better handled by an extension, but I'll have to read the spec.
This is false. Safari supports Manifest V2 and has no plans to deprecate it.
I'd guess that you're confused because Safari lacks support for webRequest BlockingResponse: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
This quote is from page 2 of the article. It is common for certain HN commenters to remind us that HN is a bubble. True. However, the author of this article is not necessarily in this bubble.
But, honestly, what difference does it make whether HN is a bubble or not. Google is a bubble. The Register, another entity outside the HN bubble, calls Google "The Chocolate Factory".^1 Does it matter that Google is a bubble.
1. Of course it's also common for certain HN commenters to try to broadly dismiss all journalism, on a news aggregator site no less. Maybe there is a pattern here.
Would anyone outside the HN bubble try to discredit the observations about so-called "tech" companies made by those inside it. (Besides those with vested interests in so-called "tech" companies.) All evidence I've seen since 2009 points to the contrary.
The only circumstance where I wouldn’t be surprised would involve regulatory action I see as an outside chance.
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
Would it be acceptable for a website owner to block users from Detroit (78% African Americans)[1] or block users from El Paso (82% Hispanic)[2] because the website owner claims that fraudulent ad clicking is more prevalent from those cities?
Would it be acceptable to only serve web pages to people without disabilities and without a need for specialist accessibility software because it's not economically viable to consider users with disabilities?
Would the poorest 10% of the population be able to access web pages and services delivered over the Internet with old hardware (all they can afford) and with limited computer literacy and limited ability to raise complaints (that are ignored anyway or responded to by an AI algorithm that doesn't care)?
A website owner is still discriminating when they hide behind technology such as AI algorithms, Web Integrity APIs, etc and pretend that their use of such technology is non-discriminatory.
[1] https://www.census.gov/quickfacts/fact/table/detroitcitymich...
[2] https://www.census.gov/quickfacts/fact/table/elpasocitytexas...
If a journalist would explain these news to the masses AND the news has a way to reach the masses.
These days these kinds of news do not make it to broadcasted news and most people do not watch the old broadcasted news.
The news currently gets people's attention from the news feed on Android and Apple phones. Those feeds recommend only the kind of content you usually interact with. Not many people get tech articles. And you can even argue that there are some extra filters on what news gets on the feed in the first place.
"You're trying to access your AWS console, is your laptop patched?"
It's super telling they know by how they are acting, by locking down the GitHub repo.
It's very depressing how far both Google and Googlers have fallen. What was once a home to innovation, growth, and technical creation is now just ads, abusing their market position to give Chrome an insane advantage during the later years of the browser wars, and more of the same.
It's probably time to bring anti-trust action against Google. Also if you're not already, please move to Firefox and stop using Chrome. Mozilla stands against this and these engineers pushing it [6].
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[3] https://github.com/RupertBenWiser
[4] https://github.com/yoavweiss
[5] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[6] https://github.com/mozilla/standards-positions/issues/852#is...
It's a small difference, perhaps, but it's "my" browser in a way chrome will never be. Blink sucks.
Also, not a clue what you are on about - I don't have an issue with firefox. Chrome is basically for dealing with google stuff, and for the rest of the web I don't care about them.
Google Chrome is "open source".
Android is "open source".
ChromeOS is "open source".
Never mind the truth being more "open source" with proprietary bits (the bits that matter).
So the opening argument often is; well, someone else can enter the market and do what they do. But that's missing the trees for the forest (and the devil's in the details).
They're quite happy scrambling for the crumbs as it is.
Firefox got better dev tools and mozilla did random crap for a bit, meanwhile brain-dead devs insisted on continuing to use chrome. When the devs supported it, they started favoring the googlified things.
Honestly it's a terrible browser - we are back to the bad old IE days (almost).
They aren't great, just another proprietary browser. Every time I've used it has been sub-par. It reminded me a lot of Opera in that it was very opinionated, even if it tried to offer some feature. Apple makes money off of apps, not websites, though, so it makes sense they don't invest much into their browser.
Yeah, Apple was toast after they did that. Their share price in 2014 when they did that was $24, and immediately afterwards it rose to $33 over the next 12 months. And since then, it's just been one long slow decline to almost $200 a share, as their global mobile market share has gone from the 24% it enjoyed in 2014 to the measly 29% it enjoys today.
Online outrage does not translate to action.
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It sure seems like they're silencing opposition.
That's what's scary about it, because it has the potential to make large parts of the web inaccessible unless you have a signed and sealed OS layer and browser to browse it with.
One can hope.
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
I’m not defending google’s crap but I should be able to block anyone I want from my websites if I choose.
Actually, it was Silverlight, not Flash. But still a plugin nonetheless.
No.
I don't want them to have a say in how I run my devices.
If WEI is implemented, we will get the combo package.
It's similar to privacy 'dead bodies'[1], where users want to know actual concrete examples. I keep a collection of them in a larger directory of web pages about privacy, about instances where 'nebulous' privacy aspects meet reality and users are impacted and upset by it.
[1] Term used by a law professor in Daniel J. Solove's "I've got nothing to hide" and Other Misunderstandings of Privacy
Like which one?
First of all I hate these "proposals" which are actually, "we implemented this in our flagship product, and kindly force it on our users, you don't have to use it, if you have a choice", stance.
Then comes all the "ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways." part. I'm using an open source browser which is not Chromium based (i.e. Firefox). I can modify and recompile the way I want it. I can use links/elinks/lynx/dillo if I want (and I use them, too). Who do you think you are, and how come you dictate the software I use on my own computer?
It's 90s DRM wave all over again. Constant attacks towards open software, open platforms, open protocols.
It's maddening and saddening at the same time.
But also the spec itself is bad: "MUST" in capital letters when talking about setting up the HTTP3 endpoint and verifying the cert. https://datatracker.ietf.org/doc/rfc9114/
There are compile-time flags you can use to enable it in the QUIC HTTP/3 libs you can then manually link when compiling your personal browser. But with Google/Microsoft/Apple/Mozilla browser binaries used by the public they will not be able to connect.
Yes. And not only for discriminating. You make the web shittier than it already is, and more fragmented.
> or should I have to tolerate the script kiddies, ddosing and exploit searches?
This part is unrelated to the first part.
Just slapping another name on it doesn't make the issues go away.
This was a faustian bargain.
Now that DRM is in the browser, it's going to be pushed further, as with this proposal. It forced Firefox to compromise on their values of open-source in order to stay relevant. Streaming movies are still getting copied the same day.
We know from experience with the gaming and music industry that what protects the publishers is to provide a convenient platform, with reasonable prices. And of course the legal system to take down pirate websites.
A reminder: the tech lead for AMP who promptly closed all discussions critical of AMP and AMP for email, and banned people who raised the questions repeatedly is now the CTO of Vercel.
I also find it funny that the authors point to mobile platforms as an example of how this will work well. Last time I worked with ad tech, mobile ads were flooded with fake impressions, and I highly doubt that has changed. The funny thing about players like Google is that they want to be able to tell advertisers they're doing a lot to prevent fake impressions to get them to buy ads, but they don't really want to solve the problem because it would cost them a lot of money. So they kinda play the line and develop tech like this that sounds fancy but doesn't actually stop the problem in practice.
We didn’t stand a chance.
A better analogy is:
I leave my door open with a welcome sign out the front.
Two people enter.
One of them picks the pocket of the other.
And then the thief blames the guy who told him about the open door in the first place.
You forgot one thing – once a copy of the content is served to AT LEAST one attested user agent – what prevents him from sharing his copy with unattested users?
It is easy to see that if something will make getting the content harder – it will immediately find the path of least resistance. This is the reason any new Netflix title is available for free an hour after the premiere. And the harder Netflix will try to fight this - less time will pass before their content is stolen and re-translated for free. Exactly the same will happen to New York Times if they refuse to serve - someone would serve a copy instead of them – because there is now demand created for such copy.
This is already covered by the DRM in all major web browsers today. If your software will allow that, it can't get attested.
Or what prevents me from copying NYT article and re-hosting it? What DRM has to do with it?
Uhh... Those two matters are pretty much unrelated to each other. Scraping is becoming non-existing because the era of static web pages has ended. No need to "scrape" when you have a nice, performant JSON REST API provided for you.
Just set up ublock origin to filter annoyances as well, and it actually quite quickens the browsing experience.
PS Chrome is faster because it cheats and takes shortcuts in loading CSS. Check it out, it skips some frames when loading, to show the page faster.
What does this change mean? There will be more such people.
Yes, they might even intentionally have started with a proposal so over-the-top that people who are now protesting may feel that they won when some time afterwards Google presents a slightly less creepy second iteration of this. And the ones who don't will be cast as radicals who don't want to engage in good-faith discussion while Google seemingly proposes a reasonable compromise. Besides, would anybody please think of the child... err... banks with webpages!
Is it within your rights ? totally. Does it make sense from a business perspective ? yes, probably. Is it morally right ? I'd say no. Will most people give you a damn about it ? probably not.
Most people won't care if you discriminate against some minority they're not part of and don't interact with. Some will, but I'm not sure how much it matters to you if you're seen as a "bad person" either way ?
What's the point of asking a question (...does this make me a bad person for discriminating?) if you're not ready to accept some of the answers?
Yes, geoblocking totally makes the internet a shittier place. In the same way as the hackers and scriptkiddies make it the shittier place. It's a chicken and egg situation. You're blocking part of the world because it's dangerous waters. I am blocking part of the world because I disagree with the politics of that particular part. We are together making geo-blocking tolerable and acceptable. We're together making the internet more shitty than it deserves. Congratulations.
By the way, I'm not sure I wouldn't have done the same thing you did. I guess if I can't properly manage the security of a resource, the easiest way to deal with it would be to eliminate the source of the attack vector. I wouldn't deny that I'm part of the problem though. Because that's exactly what I am.
And even if they do understand you, in most cases their perception of you is as someone really paranoid about privacy, and yes they will undoubtedly ask things like: "so you don't have twitter, facebook, instagram, ...". It's really hard to convince people or at least make them truly see all these dark things going on behind the scenes.
Regular people won't even talk about this, they don't/won't care. As long as they are still able to see the content they are requesting this is something that does not affect them, it affects the people that know the shit is going on under the hood because we understand how Machiavellian a move like this is.
On the other side if this somehow manages to ever see the light of the day, it's a huge opportunity for other people to come up with alternatives that effectively fight back this initiative and/or bypass it. If there's something that we do not run out of in this industry is creativity, for all sort of things, even the craziest ones, and that's something no corporation will ever be able to mitigate.
Also keep in mind that no browser is going to ever be in the podium eternally. Chrome has an expiry date, we just don't know when it will expire.
https://www.spglobal.com/marketintelligence/en/news-insights...
Complaining is easy, but apparently even small compromises like these are hard.
That's just messed up. It's like saying if your car detects you have been doing maintenance yourself, you can use this particular brand of carburetor because they will refuse to work.
And they want that... for the web?
Maybe it's an extension or three I'm running but I just want to use the bloody thing not sit there and figure out what extension is not working nicely (and then potentially find out it's none of them) on one platform but is fine on another.
Every so often I go back and have a look to see if it's improved but it hasn't in the last few years for me.
For example, when Apple makes a user-hostile hardware change, every major Android vendor will copy it in a matter of months[0]. The only thing you can go to after that is niche Chinese phone makers that will cause you a bunch of other pain.
I'm basically completely disconnected from Google at this point. My phone requirements forced me to get a phone without Google Play Services, and I live in a country where Google is not dominant. The only thing that still pops up is YouTube occasionally. (Also it would be nice if I could get my old Google Photos archives exported from Photos, but the export in Takeout keeps erroring! Oh well...)
[0]: Back when I worked at Google, there was a mailing list thread on a big internal engineering mailing list, where somebody point-blank asked "Did we remove the headphone port on the Pixel because Apple did?". The answer from the product team was a whole bunch of wishy-washy word soup, amounting essentially to "Yes".
There's even a post on front page right now about Mozilla's position on the very proposal we are discussing: >>36857032
Setting aside the fact that it's as fast as or faster than Chrome, it doesn't crawl any of my machines with >500 tabs (this has 562 as of now).
If you want to dig into your performance numbers there's "about:performance" to see what is using your processor and RAM.
Microsoft recommends Edge! Review your choices! 90 days free Apple TV! Upgrade your iCloud to continue backups!
The only one that slightly moved the meter is your documents moving to OneDrive, even that only had an impact because of a data loss bug.
Three year old Mac btw... everything else runs pretty well... if I get a chance I might fire up Firefox in Parallels and see if it's a Mac issue
Except in the 90s you controlled 100% of the code running on your computer. Now there are all kinds of treacherous computing with all those "trusted" execution environments and TPMs and all the other bullshit that can't be avoided, with someone else's public keys burned into the silicon.
What is actually making the internet a shittier place is the bad actors, bots, scammers, scrapers, psychopaths and etc. Maybe those countries that get blocked should do more to stop those bad actors in the first place.
Has China or Turkey ever contributed or paid for one of my projects/services? Nope, not once. Have they caused me grief and wasted my time dealing with bullshit? Yes, absolutely!
So I don't think I am bad, unless you think preventing myself from getting punched makes me a bad guy.
Maybe you should change your frame of thought and start pointing the fingers at the actual bad guys who are actually ruining the web and stop accusing people of self defense of being "bad guys".
Basically if you don't want to be treated like an asshole (geoblocked) don't act like an asshole. I know it's a very hard concept to grasp.
1. Unlike EME (the controversial web DRM backed by Google that was standardized somewhat recently), the Web Integrity API requires a third-party service, which involves maintenance costs, as well as development costs to constantly adjust to the arms race against all the hackers who really want to thwart these tests.
2. In a "functioning attestation industry", many attestation servers would compete on price to validate users, making the network efficient and robust. I struggle to see this becoming reality because decent attestation would require very complicated techniques for each supported browser, and there is only 1 company that does both significant browser development and also wants to run an attestation server.
3. In a monopolized attestation industry, Google would be the single point of failure for all DRM-protected media on the internet. Google's down? So is Netflix, Hulu, HBO, etc. because they can no longer validate that their users are running an approved version of Chrome. This also gives Google an incredible amount of leverage over other companies, because they can change fees and policies unilaterally and there are no alternative games in town. Companies have an incentive not to put themselves in that position.
If the entire media industry coalesces around Google Chrome as the only supported browser for media on the internet, and bestowed this incredible market power and leverage upon Google, then it could work. I find it hard to believe that this will slip past every significant regulatory body on Earth, and any significant gaps in market control would make the scheme unworkable.
I might use Firefox personally, but I'll have my company use Chrome.
Other Google products (Maps, Docs, Gmail) are excellently engineered and usually ahead of their competitors in terms of reliability and feature set.
It's not hard to understand why people use Google products despite the occasional moral qualm.
They know that making it so tedious means it will only be used by a handful of hobbyists and nothing more significant.
UA should be fully deprecated already. It rarely achieves its goals at this point. There are better alternatives.
I'm also sure it'll end up with things like "your browser is too up-to-date" or crap like that.
This is not true either. There are many different aspects to Manifest V3, such as restrictions on script execution.
A lot of the push is not for bad actors literally DDOSing servers, but bad users degrading the service for other users. If most users of a service agrees to, for example, run an attestable environment to access a service, then that service should be able to refuse access to users who don’t buy into it.
TEE on Android, for example. Intel ME on PCs, and probably TPMs also have a firmware of their own. Secure Enclave on Apple devices.
There's an outstandingly good perspective on the issue in another thread: >>36859465
I think this illustrates that people only worry about this kind of thing if it gets shoved into their face.
The privacy thing is OK as long as it’s only used for the good. For example, I think nobody would object to a world where every killer would be caught within an hour to get a fair trial.
However, such a world also would be one where every traffic offense could be fined, and where powers that be could find some dirt on anybody in their email history, presence on on-street cameras, etc. Worse, it would take relatively few people to pull that off.
That’s something I think nobody wants, but it’s abstract until it affects you, so few people worry about it.
Give it a go.
…and they will make us use lead free solder.
It would be more productive to make it impersonal. E.g., by asking Chrome users to abandon it fast.
Same for Web Environment Integrity API. Nobody knows what those jargon terms mean. That's part of how enshittification works. If everyone knew how badly they were being fucked, this would never work.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
However, courts, Free Software Movement and alternative operating systems plus Mozilla stopped this.
Now all of them are under attack. Esp. Free and Open Software Movement is being enshittified with a process which we can call "Rewrite it in Permissive Licenses, so companies can hire you while closing down the ecosystem".
We really need a flood to clear this mess.
The bubblethink here is out of control. A clear majority of website operators would love this tech to exist because the pile of hacks and user-hostile verification systems that currently keep bots and fraud at bay are time limited, and always have been.
The iPhone is a bastion of remote attestation. You can't just rock up and download apps from the iPhone app store using a convenient API, it's restricted so only the iPhone itself can do it. Do Apple engineers hesitate to use their real names? No, because nobody cares and heck HN threads often fill up with praise over the fact that you can't even install apps outside the app store, let alone download apps from it and emulate them on a PC.
Games consoles are fully based on remote attestation. You can't connect a PC to the Xbox or PS gaming networks because they do RA to keep you out. Do the engineers who work on games consoles have to go into hiding? No, because nobody cares. HN never discusses it because it works and lots of gamers, especially the casual ones, prefer it.
Fact is that users like this tech because it solves problems that they'd otherwise have. The web lacks it and therefore has to rely on user hostile stuff like CAPTCHAs, phone codes, magic JavaScripts and social network logins which people hate, so they switch to native apps instead. And devs hate dealing with all the automated abuse they get, so that pushes them towards app-only services too.
> Has China or Turkey ever contributed or paid for one of my projects/services?
Have other countries? What about the countries that haven’t? Isn’t it completely unrelated to the “bad actors” question?
Internet is the best thing that we have now. It’s great because it’s open. You’re ruining it. As well as the other bad actors, attackers, etc. You’re just one of them, even though you’re also the victim. So no, you’ve completely missed my point. I’m not blaming the victim. I’m blaming everybody in this particular situation. You are the part of the problem just as well as the attackers.
> I know it's a very hard concept to grasp.
Calm down. Take it as a grown up. You’ve asked for opinion yourself, don’t forget it.
When was the last time you saw a site with a JSON API providing metadata, like the json-ld for a product on an e-commerce site? Or an API just for the open graph data? How would you even discover these APIs for sites that you don't own?
It's also worth noting that very, very few JSON APIs today are actually REST. They rarely include all the context needed, and in general JSON is much less useful than XML when you're talking to other APIs that you don't own since JSON can't easily describe the shape and datatypes of the content.
Sure, there was much closed code, but there was no signed or trusted code. You could still reverse engineer, patch and reflash every single bit of it to your liking, provided you knew what you were doing. On modern hardware, even dumping the decrypted binary for the "trusted execution environment" is a challenge, and getting the thing to run your modified version is simply impossible because it needs to be signed with a key you don't have.
I assume it's something like the old Protected Media Path.
For example, if you try to screenshot a Netflix video all you screenshot is a dark-pinkish square, because the video is probably added by the graphics card at the last moment.
I really hate this attempt by Google and hope they don't follow through, but why should this be illegal?
Software user agent strings are just an identifier added on by a browser to give the server context, it's not a protected class. Google has every right to gate use of their software however they choose, we can just stop using it.
We don't have a fundamental right to an open internet, no one owes us this. I hope we can get back to the days when the internet was much more open and less commercialized, but that day won't come by legal regulation.
For one, blocking users in a geographic region would not be legally considered racial discrimination unless you can prove intent. This is the bullshit loop hole that makes it easy to get away with discrimination, but that's the way it works.
If Google really wants to play this game and create a technical gate preventing usage of sites by anyone that uses a browser that may be blocking ads, there's a legitimate business need there and all they have to say is they are no longer willing to serve users that refuse to pay by viewing ads and providing valuable data. In the case of Chrome they can extend this and say they are helping make sure anyone hosting content online can also protect their revenue as well.
Is that a shitty practice and will it cripple the internet as it was originally designed? Absolutely. But likening this to systemic racism is an insane argument and really doesn't help get at the underlying problem that we would all rather have an internet that is open, free, and not designed entirely as a corporate ad playground.
Try searching for "only chrome".
I'm not a fan of big government and regulation, but if we're going to have anti-trust laws on the books they should be enforced evenly. It's so crazy to me that Bill Gates got raked through the coals for years over IE while Google and Apple have been allowed to get away with much, much worse.
Having said that, the comment that Weiss links to when citing himself...:
> I understand many folks here are upset about this proposal. I urge you to actually read the proposal, rather than rely on rumors about what it does or doesn't propose. If it's at all helpful, I wrote a few words about ways you can constructively engage with proposals you don't like.
... almost certainly does run afoul of the W3C's provisions for acceptable and unacceptable behavior outlined in the code of ethics and professional conduct. Implying that someone who is "upset" about the proposal is responding to rumors and that it is okay to admonish them to "actually read [it]" is both uncharitable and noxious to the discussion. There's a good reason why HN, for example, has an explicit rule against accusing people of not having read the article.
1. <https://www.w3.org/TR/design-principles/#priority-of-constit...>
If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
The main complaints I still see are related to the (likely illegal) lack of support for third party browsers, and missing web APIs for things like push notifications. Those are still valid complaints today though, for anyone who cares about them.
With Chrome's near monopoly in browsers, most users will run an attestable environment when Chrome ships it without ever knowing and agreeing to do so.
Even if Google manages to "collect" consent, this has so much potential to adversely impact everyone (including businesses) except Google in the long term that it should not be allowed.
What will actually happen? Nobody knows for sure. The most likely outcome is that you will not be able to do banking, watch Twitch streams, etc. on anything other than Chrome, Firefox and Edge, on Windows and macOS. Linux will probably be relegated to the legacy web that does not enforce remote attestation. Alternate browsers like Librewolf, Brave and Mullvad Browser will just disappear as if they never existed. You can not browse Tor on clearnet websites anymore, as if you really could anyways. Etc, etc.
> If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
Microsoft of today is doing things blatantly in the open, that Microsoft of 199x would never dream of doing. The difference now is that all of the major computer manufacturers are basically going the same way, just at different rates.
The legal system is not coming to rescue us.
What would justify targeted harassment, then?
> by asking Chrome users to abandon it fast.
More productive? Or just utterly ineffective?
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
This phrases itself as ensuring news sites can block unpaid users, but also targets the Internet Archive, other webpage archives, possibly Reader modes, and more.
Nah dog, you're overcomplicating it. All it requires is a person or two in a management chain to recognize the hint of long term business potential in a technical change. It doesn't have to be a sure thing, or a big thing, the bare minimum is that they just notice a business model that could be enabled, and choose to explore it. Then once the company takes on the initiative, some combination of communication and intuition spread the understanding of what they're doing across some of the business. For the wider scale, all the rank and file need to do is play dumb, or be legit unaware, about the obvious incentive they're working towards.
That's not a vast complicated conspiracy. That's every single business' outward-facing messaging strategy.
When parent poster talks about the "size, scope and sophistication of Google," the point doesn't have to be that they're meticulously coordinating. The point can simply be: there's no fucking way they're not playing dumb.
This is my problem with people using Occam's Razor to understand business decisions. They often assume the idea that someone could be employed in business development and spend months championing and refining an idea is a level of complexity that must fail to a more simplistic explanation. But we know that shit happens all the time.
May I introduce you to Tobacco?
> this has so much potential to adversely impact everyone (including businesses) except Google in the long term
How so? It prescribes mechanisms to ensure websites don’t exclude certain browsers/OSes
> To protect against both risks, we are evaluating whether attestation signals must sometimes be held back for a meaningful number of requests over a significant amount of time (in other words, on a small percentage of (client, site) pairs, platforms would simulate clients that do not support this capability). Such a holdback would encourage web developers to use these signals for aggregate analysis and opportunistic reduction of friction, as opposed to a quasi-allowlist: A holdback would effectively prevent the attestation from being used for gating feature access in real time, because otherwise the website risks users in the holdback population being rejected.
I remember Google+ when they ignored feedback on users hating aspects of it and tried to force it on us using their dominant position and it didn't go very well for them.
Sometimes impossible in my case. Google Drive is always used in any collaborative project; so is Google Colab and Google Meet. And I still have the instinctual drive to reach for Google Translate/Maps, because it's so easy to access (physically and mentally).
Google google google google google...
From a legal viewpoint, the answer is dependent on the complexity of state laws[1]. What a website owner can do with a website in one country obviously differs from what they could do in another country. Most countries have very weak anti-discrimination laws, and if they do exist, they typically only apply for very specific purposes such as employment discrimination based on age. These limited laws tend to be near impossible to enforce short of someone self-incriminating themselves. In some countries however, an example being Norway, laws against discrimination can be very strict and routinely enforced to the level of requiring all website owners to implement WCAG 2.0 at AA level[2].
From an ethical viewpoint, the Universal Declaration of Human Rights[3] states in Article 2:
"Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status.
Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty."
And numerous other articles are relevant, including Article 19: "Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers."
[1] https://en.wikipedia.org/wiki/List_of_anti-discrimination_ac...
[2] https://www.uutilsynet.no/english/about-us/903
[3] https://www.ohchr.org/en/human-rights/universal-declaration/...
There are countless modern PCs that have secureboot enabled by default. Does that mean all their users endorse and agree with secure boot based attestation knowingly?
My point is defaults cannot and should not automatically be treated as implicit consent/knowledge.
Attestation will be enabled by default when Chrome ships WEI and the "majority" condition you mentioned will most certainly be true from day one. That doesn't necessarily mean that every single user of Chrome is onboard and happy with WEI.
Privacy absolution is never what most people signed up for.
From what I gather it depends a lot on the country, but in some countries, including Russia where I'm from, money transfers are done through your bank's app. You probably won't go to a branch to send someone $15 for pizzas they ordered at a party or something. Your only option would be to carry cash for such occasions.
I'm in the US, but this is exactly what I do. I don't think I've ever actually used a banking app to send a small payment to someone for things like this, nor has anyone tried to use an app to send money to me. Cash is king.
(I fully understand that not everyone can or wants to handle payments this way. I'm just saying what works for me. I have no banking apps on my phone at all.)
A computer without TPM, a "management engine", an Ethernet card with real Firmware in a real ROM, no platform controller, nothing.
...and a completely open BIOS w/o any binary blobs, and UEFI layer.
Almost a 486DX, almost.
It’s everyone’s job. It’s the least we can do to prevent enshittification of this beautiful and wild ecosystem.
The problematic dude's disdain for humanity aside, the quote serves as a good reminder that the "but the criminals!" argument is often used and rarely justified.
If Google does this too then I guess the "mainstream" web will become invisible to me. No great loss since it's mostly thoroughly enshittified anyway.
I'm happy to move to the new un-googled "darkweb" where freedom, anonymity, and non-SEO content still prevail.
> an Ethernet card with real Firmware in a real ROM, no platform controller, nothing. ...and a completely open BIOS w/o any binary blobs
None of which I was talking about. But I am pretty sure that with any motherboard, you can disable onboard Ethernet and install whatever adapter you want instead.
Fun fact: You can no longer do such a project in software on stock Android. They locked down the voice audio API.
As a consultant, this would mean I can't turn down a client. Ever. It doesn't matter if I have higher paying offers, moral objections to what they want built, or silly just don't want to work with them.
This type of blanket declaration of freedoms can only extend so far as another person's rights aren't infringed upon. In the consultant example, my right to decide how I spend my time and value my work should be protected. If I can't discriminate for any reason because it could be deemed "[an]other status", my life can be wrecked because anyone asking for my services is owed good faith effort and I can't legally decline.
There are no performant json rest APIs provided these days though. The days of public APIs are long gone.
While I do remember hearing about Google Maps vehicles connecting to open WiFi networks in the news, I don't recall hearing about private credentials being published. Was that the case? I thought it was just a map of open WiFi networks that was published with basic details such as SSID?
Edit: I found the article (2010, holy cow does time fly). It looks like they did collect payload data for non-encrypted traffic. Even though the data wasn't published in any way, I must agree that they went too far. I would have no issue if they were to simply verify that they could connect and record basic info such as SSID, but collecting payload data from network requests was inappropriate.
I don't find it particularly troublesome that maps of open WiFi networks exist.
I do not, however, think that it's okay to behave maliciously, or inappropriately on open WiFi networks.
My earlier response to your comment about hoovering plain text passwords didn't properly acknowledge the bad behavior that took place. I concede that you are correct, it was rude and insidious behavior.
The attestation uses a secure enclave in your processor with a secret key you can't access to verify that secure boot is on, you booted a signed OS, the OS is in locked-down mode, etc.
It was never the connecting that bothered me, it was the storage of the data encountered.
I’d never use it due to lack of uBlock Origin and good dev tools, but it’s hard to argue with the speed and battery efficiency on macOS.
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
- https://www.cci.gov.in/antitrust/
- https://www.cci.gov.in/filing/atd
Canada:
- https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-e...
Did you try different export options? I recently had to do one export and it kept failing but exporting using another option worked. I don't remember which one but it was either email or drive.
https://android-developers.googleblog.com/2019/09/trust-but-...
In practice, if there is a mobile app, there is an API. Whether its creators object to your usage is mostly their own problem.
Also, “the police” are thousands of humans. That makes it harder to use the police for oppression than if “the police” were a bunch of computers and robots.
If somebody proposed the latter, I think lots of people would object.
> you can't access
Don't you see how contradictory this is?
No secure enclave of registers or hidden secret keys can help, because a person can utilize the lower-level physical world around the processor to manipulate it (e.g. sending electrical currents from a programmer device manually). But that is a last resort, there are simple software attacks available already to fake as many "attested" devices as needed (for the same DRM system of Android). It will only bring more jeopardy to the "integrity".
And for tech-minded people it doesn't fundamentally change anything, it just means that it now takes more time to do the same than before
That was an interesting read, thank you!
Without a broad support and public opinion about this, they might shockingly just be able to get this started. Apple and on-device CSAM scanning is something I have in mind about this, as a counterexample.
What's a simple narrative non-tech people understand about this? Should I ask ChatGPT?
Thankfully we have Brave, Tor, Arc, Opera, GrapheneOS, CalyxOS, LineageOS etc....
If you purchase a Pixel phone, and put GrapheneOS onto it Google loses money.
Heck, you can run Opera, Vivaldi, Firefox, and Chrome 78 on 2000 or XP with a 2023 build of KernelEx.
Don't get me wrong, I hate this proposal too and I hope it gets dismantled and forgotten. But I would probably do the same, as an owner of a controversial repository that somehow got to the top of HN frontpage.
> Have other countries? What about the countries that haven’t?
Not every country has paid, but they also haven't launched a barrage of DDOS attacks, blatant scraping, and constant scanning for exploits and etc.
You're funny because you think defending one's site from hackers is "ruining the internet". You gave your naïve opinion and I have the right to disregard it and think that it is really stupid, don't forget.