zlacker

[parent] [thread] 8 comments
1. rtpg+(OP)[view] [source] 2023-07-25 06:59:18
Since this is here and there is a point made about discussing the technical merits of [0]... can someone explain to me how the WEI stuff isn't easily "faked" by scrapers and the like?

I could see this being used in a similar way to user agents (sometimes helpful when working on bugs and fixing them on minor platforms!), but I'm really struggling to see the overall value-add here.

I get the politics aspect of it (I think...), but what's the new technical thing being added here?

[0]: https://github.com/RupertBenWiser/Web-Environment-Integrity/...

replies(1): >>mattlo+C2
2. mattlo+C2[view] [source] 2023-07-25 07:22:31
>>rtpg+(OP)
I believe the idea is that an independent third party will cryptographically sign something to attest that the client is legit.

So you can't fake that unless you have the third party's private key.

If course the question is then, how does the attestation third party ensure you are sending it real information? I've not bothered to read the proposal because I don't care, but I suspect it will require client-side plugins/libraries etc snooping on what is going on kinda like an antivirus thing snoops on things going on.

replies(3): >>charci+p4 >>ikekkd+26 >>jdiez1+J6
◧◩
3. charci+p4[view] [source] [discussion] 2023-07-25 07:37:28
>>mattlo+C2
Even if the client is legit someone can just use a web extention or the devtool protocol to navigate to pages and extract text.
replies(1): >>mattlo+tV1
◧◩
4. ikekkd+26[view] [source] [discussion] 2023-07-25 07:51:35
>>mattlo+C2
There are aimbots for all modern games even though the developers have invested in anti-cheat
replies(2): >>lozeng+Bc >>Modifi+tf
◧◩
5. jdiez1+J6[view] [source] [discussion] 2023-07-25 07:56:29
>>mattlo+C2
> how does the attestation third party ensure you are sending it real information?

The WEI standard does not prescribe this, as far as I can tell. One way to do this would be to use something like Secure Boot (broadly speaking), which can make "independent" measurements of what is being executed and sign that with a private key that never leaves (something like) a TPM.

◧◩◪
6. lozeng+Bc[view] [source] [discussion] 2023-07-25 08:50:25
>>ikekkd+26
There is still one aimbot per human player. If you are faking clicks on opponents ads to exhaust their budget you would prefer to just send the http requests. If you have to spin up an emulator it will frustrate you and if you have to run a physical device with a touchscreen it will frustrate you further.
◧◩◪
7. Modifi+tf[view] [source] [discussion] 2023-07-25 09:18:18
>>ikekkd+26
Incidentally, here's a new crowdsourced scheme for TF2 that even in prototype form has been addressing the issue far better than Valve's efforts:

I Pissed Off Every Cheater in TF2 (Data Breach Gone Wrong) | https://www.youtube.com/watch?v=LVgk5t64cRs

Creating a Third-party Client to Auto-kick Cheaters and Bots from TF2 (Part 1/3) | https://www.youtube.com/watch?v=EPsWjdkyoPo

Basically cheaters don't seem to want just a one off high like a classic troll out for havoc, they want a reputation of being better than they are for an extended ego trip. Their choice will soon be either restraining themselves to becoming very subtle, or keep having to make new accounts.

◧◩◪
8. mattlo+tV1[view] [source] [discussion] 2023-07-25 17:44:00
>>charci+p4
I think the point is that the server won't send the content if attestation fails

So the data isn't there at all - it's not just hidden away behind some JavaScript

replies(1): >>charci+PF2
◧◩◪◨
9. charci+PF2[view] [source] [discussion] 2023-07-25 20:44:39
>>mattlo+tV1
I'm saying that extentions and developer tools still exist in browsers that will be attested.
[go to top]