zlacker

1. Avaman+(OP) 2023-07-25 22:21:33
> I disagree, I don't think whether or not you can root your phone has any real impact on how hard it is to automate a request.

I find device farms way harder to pull off than a bash curl script, to be honest.

> I think it's very likely that this spec evolves to target browser extensions.

Absolutely, it very literally tries to guarantee integrity.

> Because I don't think blocking people from rooting their phones will make an observable difference in the amount of LLM spam that websites get.

I do think it would reduce the amount of abuse that's not very sophisticated. If that's worth the rest...

2. danShu+K6 2023-07-25 22:56:11
>>Avaman+(OP)
> I find device farms way harder to pull off than a bash curl script, to be honest.

I feel like you're potentially overcomplicating that? What I'm getting at is that:

A) You can basically build the equivalent of a bash curl script pretty easily if individual browsers aren't blocked (which Google says it doesn't want to do, but... that's my point, they will). Guaranteeing OS integrity doesn't matter unless you go on to restrict which browsers can run and weed out the efficient headless browsers. If any headless browser gets attestation support (and I've had proponents try to tell me that headless browsers will be supported) then that's likely game over for attestation as a bot detector.

B) You can build mostly the equivalent of a bash curl script inside of a web extension (or honestly, not even, you can make requests in a loop automated within your browser's dev tools). You don't need to leave the monitor or anything hooked up and you don't need to do anything particularly fancy and you don't need to emulate user input or build a complicated farm. Your web browser is a terminal with all of the capabilities of Bash and more.

My instinct is that any website that was vulnerable to a quick and easy bash script before is going to be just as vulnerable to a `for` loop run inside the browser dev tools.

----

It's tricky to talk about because the actual answer is what you say: ("absolutely, it very literally tries to guarantee integrity") -- that attestation will involve significantly more restrictions than proponents are pretending it will impose. But if I take the proponents at face value, and if I believe that this is about guaranteeing OS integrity and blocking root and it's not going to block headless browsers or extensions -- in that world I don't think this necessitates setting up a bunch of device farms? I think it just means you run Headless Chromium or Firefox, maybe with a remote debugger if you want to be fancy, and then you have it spam requests. Bear in mind that this will be on desktop as well; it's not only phones that would be sending attestation signals. Desktop Chromium and Firefox are incredibly easy to script.

Maybe it makes that slightly more expensive since you have to actually run a browser, but I don't think you need a rack of phones and I'm not sure that the compute cost of running a browser can be considered prohibitive? Maybe I'm underestimating the margin that bot farms operate at and forcing them to run a browser would be enough to drive some out of business. But I kind of suspect you just use one of the desktop browsers that has attestation and write your "bash" script equivalent inside of that browser and everything works mostly the same.

Am I missing something? It doesn't seem like that big of a deal whether or not you can use curl.

And the only real way to get around that is for some websites to turn off the ability to have the browser arbitrarily execute code with full access to browser/page APIs whenever the user hits F12.
