- Go to Settings
- Select your user account at the top
- Go to 'Password & Security'
- Scroll down to Advanced and disable 'Automatic Verification'
1. https://blog.cloudflare.com/how-to-enable-private-access-tok...
> While TLS 1.3 can still run independently on top of TCP, QUIC instead sort of encapsulates TLS 1.3. Put differently, there is no way to use QUIC without TLS; QUIC (and, by extension, HTTP/3) is always fully encrypted.
Basically there is no HTTP/3 without a TLS certificate.
I'm not sure what "problems that might arise from centralization" might be. There are many different TLS certificate providers from different CA roots.
Is your gripe that you don't like TLS? Judging by how long the migration from TLS 1.1 to 1.2 took, I assume we're at least 10-15 years away from a world where everything is encrypted by default without backwards compatibility (if we ever get there at all).
https://support.apple.com/en-us/HT213449
System Settings->iCloud Settings (your name)->Password & Security->Automatic Verification.
> Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone's identity
The value add is pretty clear and good, but the downsides are probably bigger than the value add, so personally I wouldn't say the compromise is worth it.
1. The only things that WebPKI CAs are required to attest to is that domain validation was properly completed and that the private key is not compromised. The system is designed (in both intent and practice) for any website to be able to easily get a certificate, and even the most untrustworthy, undesirable websites can and do get certificates on the regular. In contrast, Google's remote attestation proposal is clearly intended to assess the trustworthiness/desirability of the client.
2. The TLS requirement imposes a burden on website operators but provides a clear benefit for end users, which is totally in line with the Internet's Priority of Constituencies[1]. In contrast, Google's attestation proposal places a burden on end users for the benefit of website operators, which violates the Priority of Constituencies.
Additionally, I must note that Firefox also requires a TLS certificate for HTTP/3 (as they did for HTTP/2). Not sure why you'd omit Mozilla from your list of browser makers doing this, but it's a misrepresentation to imply that this is something only "mega-corp browsers" do, when there is actually broad agreement that this is a good thing.
https://learn.microsoft.com/en-us/azure/active-directory/con...
Don’t shoot the messenger!
https://web.archive.org/web/20230309020227/https://www.nytim...
https://www.theregister.com/2020/12/10/south_korea_activex_c... (2020)
> South Korea knew it had an ActiveX problem way back in 2015, because even then the need to use ActiveX to do business on local websites irked outsiders.
> For locals, the requirement to run the code was so annoying that getting rid of it became an election promise at the nation’s 2017 presidential election.
> That promise has now been delivered: the nation’s Ministry of Science and ICT today (2020) announced the service’s planned demise.
Banks might not, but the governments may come to a similar idea, and tell the banks to tell you.
> https://tamim.io/random_shares/robot_arm_over_internet_tamim...
"Privacy Pass tokens are unlinkable, one-time-use authenticators that can be used to anonymously authorize a client"
People from Apple, Google and Cloudflare are all editors of the spec and eg Fastly has also blogged about it: https://www.fastly.com/blog/private-access-tokens-stepping-i...
Excerpt from Fastly's article above:
> When you put this together, no one entity can link client identity to website activity. And yet, this authorizes access to a website – all while eliminating human interactions.
[1] https://github.com/jwise/28c3-doctorow/blob/master/transcrip...
Apple uses it for its iCloud Private Relay service. The blind token is used so that Cloudflare can verify that a given device pays for iCloud Private Relay without revealing their identity.
Attestation is when such a blind token is used to prove the integrity of the software running on the device, not to prove arbitrary properties. Privacy Pass could actually enable a fast, semi-decentralized system of anonymizing proxies.
If Apple exposed the “is System Integrity Protection enabled” bit to the web, then that amounts to attestation to me. But yes, Apple can do this whenever it wants, and companies want Apple to do it, and it’s scary. They’ve already done this for Apple Pay, Widevine and HDCP.
We should also consider that Apple’s solution is a way to distinguish between human vs. non-human users on an Apple device. It doesn’t allow a service to randomly lock out browsers and/or OSes (which Google’s proposal does), just that if you’re already on your Apple device, you don’t have to do a “verify I’m a human” captcha.
https://blog.cloudflare.com/private-attestation-token-device...
> At WWDC 2022, Apple announced Private Attestation Tokens. Today, we’re announcing that Cloudflare Access will support verifying a Private Attestation token. This means that security teams that rely on Cloudflare Access can verify a user’s Apple device before they access a sensitive application — no additional software required.
> Private Attestation Tokens do not require any additional software to be installed on the user’s device. This is because the “attestation” of device health and validity is attested directly by the device operating system’s manufacturer — in this case, Apple.
> This means that a security team can use Cloudflare Access and Private Attestation Tokens to verify if a user is accessing from a “healthy” Apple device before allowing access to a sensitive corporate application. Some checks as part of the attestation include:
> Is the device on the latest OS version?
> Is the device jailbroken?
> Is the window attempting to log in, in focus?
> And much more.
2) Apple users being willing to sell themselves down the drain is nothing new.
However, this is shit irrespective of who does it. Period.
Obligatory repost of "The Right to Read": https://www.gnu.org/philosophy/right-to-read.en.html
https://old.reddit.com/r/dji/comments/w8mkdd/why_must_the_dj...
[1] https://blog.mozilla.org/security/2015/04/30/deprecating-non...
https://support.apple.com/en-ca/HT212650
“Lockdown Mode is an optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats. Most people are never targeted by attacks of this nature.”
However evil they are, privacy/security appears to be a case of putting their money where their mouth is. Interesting.
https://en.wikipedia.org/wiki/Safari_version_history
I found this press release from 2007 https://www.apple.com/uk/newsroom/2007/06/11Apple-Introduces...
“We think Windows users are going to be really impressed when they see how fast and intuitive web browsing can be with Safari”, said Steve Jobs, Apple's CEO. “Hundreds of millions of Windows users already use iTunes, and we look forward to turning them on to Safari's superior browsing experience too”.
History demonstrates that actually they didn't and Apple gave up quickly.
Interestingly, they also have a benchmark:
> [Safari] now it's the fastest browser on Windows, loading and drawing web pages up to twice as fast as Microsoft Internet Explorer 7 and up to 1.6 times faster than Mozilla Firefox 2 (*)
but by reading more we learn that they benchmarked Safari on a Mac and the other two browsers on a Windows machine.
A few choice comments:
"I recommend finding everyone responsible for this and exercising your right to free speech on them. It works for politicians, and it should work on this other flavour of bastard too."
"I believe both of these users are acting in very-bad-faith, and not correctly observing any ethical codes of conduct in Engineering."
"As far as I am concerned the reputation of this Ben Wiser guy is so far down the toilet that there’s practically nothing he can do or say to recover it. Like the old joke goes “you screw a goat once…”"
"The people involved in this concept/idea/proposal should be shamed into retirement. They should never work in the tech sector again. They should be afraid to use their names before first knowing their audience (an agricultural audience would likely be OK)."
"sometimes I don't think constructive replies are appropriate or possible. "
"Magnitude of the malfeasance is so great they deserve to be held to account for it"
And lots more.
I'm pretty sure beyond the personalization of the issue, 90% of the difference here can be explained by ad blockers. There's no deep technical or philosophical principle at work in most of those comments but what's clearly shining through is that tech people block ads a lot, feel they have a right to do so and will get furious at any attempt to stop them. Apple doesn't care about click fraud, ad blocking or spam on the web because those are other people's problems so they limit their remote attestation to the CAPTCHA reduction use case. This use case has the advantage that it improves the browsing experience for Apple users only. HN posters dislike CAPTCHAs as much as the next guy, so nobody cares. But Google want there to be lots of web content that's free to access so also concerns itself with the publisher side of the web, not just the consumer side. They list more use cases and ask for feedback, there are more consumers than creators, so surprise surprise, they get a lot of hate.
1. https://developer.apple.com/documentation/devicecheck/valida...
[0] >>26639261
[1] >>32461690 , >>28897027 .