This isn't Chrome/WEI defense btw. All attestation in web browsers ("user agents" my ass) is bad. Base your complaints on objective problems, not hate of one brand.
Unless there is a plan to allow attesters that are independent bodies then this is absolutely a threat to the open internet, or what's left of it.
The biggest dead canary for me is the lack of calling this out explicitly by Google or Apple. We're left to assume that Google is hand-wavingly saying "don't worry we can take care of that" when the private companies already monopolizing parts of the Internet are the absolute last people we want handling attestation.
But these days, you want to watch a 2' video on YouTube you are subjected to 20-30" of unskippable ads. Discounting the privacy (and even security) concerns, this alone pushed a lot more people to start ad-blocking were they can.
Are they sure that even more user hostility is what the modern internet misses?....
An ad-backed site’s trust on not being visited by bots, vs my privacy…
Doesn’t even sound like a trade-off from a user’s perspective.
Projects like these existed, I think it was an extension, but we'd probably need to do better than that.
And if you happen to be a tech giant that can drive the industry literally to every direction you want for decades, and what you choose to innovate is ad tech and NOTHING else, you're not evil, just stupid. Well maybe both. Or either. But definitely stupid.
We have all seen that there are absolutely no boundaries on how many adds and pop-ups sites get plastered with.
They aren't trying to balance it out on their sites, they just try to make as much money as possible. That isn't an acceptable user experience.
Now pair that with the world's most used search engine rewarding the most amount of (their) adds. It is a hellscape.
> Detect non-human traffic in advertising to improve user experience and access to web content
As if the goal to do that would be improving UX...
I’m watching a video about cars, sure show me the ad about this crappy car brand I will never buy. I’m reading an article about Prometheus, sure show me an ad about your greatest SaaS metrics platform that cost more per monitored machine than my machine.
No needs for cookies and tracking.
> However, how this plays out with browsers that allow extensions or are modified remains a grey area. As the proposal vaguely mentions, "Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality."
That's not vague at all.
Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.
Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.
Make crawling the internet possible only to Google. No private crawling and no competing search engines.
Let me know if I've missed anything...
People seem to have some severe cognitive dissonance when it comes to commercial web sites. They are crucified for selling ads and tracking then when they have the temerity to try and charge for their work people will start posting archive.is links to route around their paywalls.
If you don't like advertising then don't visit advertising funded sites or use their "free" tools. If you don't like paywalls then hit the back button and spend your attention elsewhere.
There are two risks here (examples follow):
1. hostile requirements - "the agent won't feature adblockers", or "scraping without explicit website permission must be forbidden"
2. prohibitive requirements - "the agent implements protocols X, Y and Z and adheres to standards A, B and C" - all of these may be reasonable things, but en masse they may be too much work to carry by anyone but a reasonably big vendor
Additionally these criteria must be verifiable, so user can't basically modify the agent, because then the attestation is practically void.
But in reality it's more like the newspaper publisher would then follow you around all day wherever you go and interrupt you every time you try to have a moment's thought or talk to your children, so they could perhaps interest you in this product they're advertising. Not only would they passively follow you around but instead direct you to places where you find the most outragous people you can think of. When you're all worked up they could put you in touch with the higest bidding political operative that promises to ease all your pains.
I mean sure, maybe the publisher is not evil but I don't know what to call them.
You'll be free to opt out, though most of the internet will be unusable without Environment Integrity.
I'm definitely in the latter group, but I can see how some market purists might believe in the first version.
Not everyone has the ability to act on said 'choice' and risk their jobs, income, benefits.
Would you really? I mean I keep hearing this but it doesn't ring true to me. People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away. This seems like a far greater motive to install an ad-blocker than some hand wavy tracking that probably doesn't even work that well.
It’s the arrogance that kills me.
good job!
Who clicks on ads? Really? What segment of Internet users does?
There are projects one of integrity should simply refuse to work on, if they make the world a worse place. With Google on a resume, it's not exactly hard to find jobs. People who agree to work on projects like these are defective human beings.
If you care, stop using Chrome. If you criticize this evil move, but continue using Chrome, you are part of the problem.
Awful stuff like this wouldn't stand a chance if Google didn't have such a near-monopoly position.
For the sake of the open internet, please switch to a different browser. IMO, Firefox is best*, but even something chromium based is probably fine. Just not Google Chrome.
* On desktop - Firefox is a bit weaker on Android, with an extemely limited set of extensions (but still better than Chrome with no extensions) and just a Safari wrapper on iOS, with no extensions. (But sync works everywhere!)
(I posted something similar in a different thread recently but I think it bears repeating.)
Also, many unethical choices are made or advocated for by engineers themselves.
I'd do the same thing if I was working for the devil and I knew it.
“What choice do I have?” - a Google engineer who drives a brand new Tesla, living in a $10k per month apartment.
Privacy features like user-agent reduction, IP reduction, preventing cross- site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:
- sign-in gates to access basic content
- invasive user fingerprinting, which is less transparent to users and more difficult to control
- excessive challenges (SMS verification, captchas)
My question is whether there is any data to back up those claims.
The whole ad based web industry is really desperate to authenticate humans from bots isn’t?
It's not that easy.
Also as others said, there are quite a few people who still click them or click the first ad-links in google searches
I'm slightly suspicious this won't work in any way, but I'm not exactly sure why... Maybe because "will be required" is a huge non-technical issue that has to be resolved separately in non-technical means.
And even if it stays as described, the percentage will be low enough that those that fail attestation can be safely barraged with captchas or simply told to go away. (You can try browsing the web with TOR to get a taste of how you will be treated)
The whole post can be summarized as "trust me bro"
But blanket blaming all of them and saying they all have a choice is not real. Any of them on visas? How would you feel about risking not just your job but also the ability to live somewhere.
You can't blanket blame all engineers and say they all have a choice.
I see it like smoking. It should be legal, but there need to be laws in place preventing smokers from harming and annoying anyone that chooses not to smoke. Ads should be legal, but there need to be laws in place allowing people to completely avoid them by paying a fair price. Until this is the case and everyone can choose, making them unavoidable is morally wrong.
Remember the corporations will need to be more disruptive than a nuclear war to break the internet. We can always route around them ourselves.
If website you visits asks you to confirm that you are a human user from some 3rd party API isn't that same as requiring captcha?
You can still have browser extensions that filter the ads away after the website sends you the final HTML, right?
Definitely not with the Iceweasel fork. https://github.com/fork-maintainers/fenix
This would be entirely in line with financial incentives of the proposed attesters and even logically defensible (oh well, we haven’t vetted uBlock, so you can’t browse with that installed).
In 2011 Mozilla income was 85% derrived from Google, through the primary search engine deal. Around a billion was paid over three years as part of this deal at some point. Appearantly there was bidding by Microsoft for making Bing the default, which pushed up the pricing.
So every time Mozilla speaks out against Google, it is a bit awkward, since they are biting the hand that feeds them. I suppose they could take a deal from Microsoft, Yahoo or even DDG (or Baidu!), but without interest from Google I presume the funding would be lower. Quite an interesting situation. Thank God both Firefox and Chrome are open source. That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
I have refused to implement unethical code when I earned US$8.8k/year and supported my mother (living in Brazil, beginning of my career), I believe a Google engineer has much more leeway and money sloshing around to decide it's not right to do something unethical, and be vocal about it. There's much more of a choice than I had at that time and if I managed to choose to not be an asshole doing unethical bullshit, and didn't starve my family in the process, they are pretty damn able to do it as well. Might need another job but c'mon, you have Google in your CV, jobs will come, stop being a greedy pig.
Half the web is bots. And it's essential. Scrapers and bots give machine access to the internet.
There’s no reason you couldn’t hook a bot up, via video feed and inputs, to an “attestable” device and have it use the Internet that way. This just raises the bar on bot sophistication.
In another thread somebody talked about pointing a camera at a phone and using a robot “finger” to interact with it. If anything WEI would make that easier because you’re not getting CAPTCHAs anymore! You’re a “human”, after all.
Not if there's only one browser that you're allowed to use, and it's owned by the world's largest advertising company.
Victim blaming BS.
Let's see who else is the problem. How about all those engineers who decided not to contribute to Firefox? Or all those website developers who didn't test their site in Firefox? Or hell, why not all those Mozilla engineers who didn't fix Firefox hard enough?
Let's put the blame where it actually is. Google is to blame. Not the users of their free products they advertise all over the place and have an unlimited marketing budget for.
Make browsing the internet possible only on SoCs allowed by Apple, Microsoft, Google. No competition allowed in SoC. [0]
Make browsing the internet possible only on form factors approved by Apple, Microsoft, Google. So no calculator with a web browser [1]. No competition allowed in form factor.
Make browsing the internet possible only on UX approved by Apple, Microsoft, Google. So backtracking 10 years ago, when Android made documents-oriented web browser (= each tab appears just like a standalone app in recent apps), that would have been abuse of that position. No competition allowed in UX. [2]
PS: I come from Android OS world, all those examples already apply to Google/Android.
[0] Well this one will depend on whether their Web Environment Integrity implementation will enforce full secure boot approved by them. Considering how it went for Android, I'd say it will, but can't say for sure.
[1] Yes you can find calculators running Android (but can't run Google/Android so no Chrome). Amongst a lot of other weird Android devices. You can find walking robots, toothbrushes, urinals running Android.
[2] You'll probably find a better example. Arguably it's the same as "competition allowed in browsers", but that was an OS-wide change, but saying it's "OS" IMO largely reduces it.
If they pull this inversion off it’ll move us significantly towards death of the free open internet as we know it.
Anyone sick at home? Anyone with a visa? Any debt? Student loans? Kids?
You wouldn't just need any other job, you'd need another comparable job.
"Im used to spending too much money so in order to not getting a minimal pay cut im gonna work on unethical proyects." Isthe kind of insane thinking only people at HN seem to say without flinching.
Like at that point do not work at google, write ransomware for a company in Russia, they will pay even more money. Make bio weapons for a dictator in a civil war afflicted country of the third world. If Life style creep and your new Tesla to drive your kids to the private school is the only thing keeping you in check, you might as well trade stocks against life expectancy based on obesity reports and climate change effects on coastal areas.
This time I won't be shamed into doing it again. I don't have the time or motivation.
edit: forgot to mention explicitly, it's not Firefox, it's me. I'm not strong enough.
I'm sure I'll get a new advertisement video soon which will load despite my Adguard DNS. That's how Google can confirm whether their ad-blocking-blocking works.
Opinion Rewards is great not just for being able to get apps for 'free', but also to be one of the first to see what Google is researching.
I want the overt metric of a site visit caused by the ad, and the per-click fee to the advertisement host, to be as obfuscated as possible (or ideally, non-existent).
Also what would be the benefit for other companies to agree to have their customers be vetted by Google run API that excludes portion of customers?
Making the internet worse? That’s bad, but I’m not convinced it warrants the same reaction.
The point is that using anything that's not Google Chrome is better for the internet.
The only reason Google think we do is because they implemented AdSense incorrectly. E.g. Using an impractical and underpriced PPC model. If they used a fixed pricing model this would not be a problem, and fake clicks would not even be an issue.
Some will point out that Chrome is based on open-source software. In reality, however, Google has a huge amount of power here. If Google is serious about this initiative, they will try to force it into the projects, and make it an essential part of the web experience. As others have pointed out, Google is also a primary supporter of Firefox, so they have influence there as well.
And aside from niche platforms, do you want the 3 big companies to decide what you're allowed to see on the internet?
Do any of them support a sick kid, spouse, parent? Any of them send money home?
All I'm saying is that some of them might not be in a situation in which they could, on a whim, risk getting fired. And we shouldn't blame them because the fix for that is not on their hands.
The site claims they get 1M visitors per day; should an advertiser believe them?
That also accounts for expenses.
Do any of them send money home? Help parents or grandparents? Do any of them had to bring their parents or grandparents to live with them due to health issues? Lifestyle creep takes into account taking on more debt. That debt is not just in luxury like how most people think.
I switched to Chrome pretty much the day it first came out and it was revolutionary. Switched back to Firefox a few years ago due to Chrome becoming too dominant and Google throwing their weight around in standards committees too much. When I desperately need Chromium for something I use Edge (which I actually rather like).
There might be ways to filter away the ads after they've been served, such as memory manipulation, but the problem can't be solved with a plugin anymore, as browser attestion could let websites deny you access altogether if you use a plugin they don't like.
A blacklist seems like a fine idea here, but it's important it be specific enough to pick out just the bad actors.
The way I manage my life, I want to make sure the work I do makes the world a better place. For the past many years, virtually everything I've done has been aligned with advancing humanity (education, medical, etc.), and has been open-source. I'm fortunate enough to be somewhat well-known for a former project, so I've always been able to find jobs like that. My values state that:
- If that meant working at a good subdivision in an evil organization, I'd do that.
- If it meant doing evil work for a good organization, I wouldn't.
- Heck, if it meant helping reform an evil, powerful organization to be good, that seems like worthwhile work too.
I haven't been in a position to need to manage those conflicts, mind you, but that's how I'd play them according to my ethical compass, if they came up.
I'll also mention: It's also important to be aware of people's situations and more complex trade-offs. Consider a person who does scammy sales pitch telemarketing calling during dinner to sell you on snake oil medicines. Now, consider that they make minimum wage, it's the only job in their town, and they have a five-year-old they need to feed. I'm in no position to judge.
I am in position to judge Ben, Borbala, Phillip, and Sergey.
For example, the per-device configuration (GPU acceleration enabled or not, etc) is not there, the statistics collection infrastructure, the WebAPK minting code is not there, etc.
if most of us Devs do this, this change would have no chance.
What would be even nicer is If someone can build a JS file that the rest of us could include to show a hard blocking pop up just to show how the future web might look like, supported with a nice explanation and link to good videos, that would be nice too.
It’s not always so easy to walk away from an entire platform. People’s entire livelihoods could be based around Google.
I don’t see any issue with Google owning some of this responsibility.
Let me get this straight, so they want to establish "personhood" without attesting a unique ID to also preserve privacy.
Then how will they prevent a single secure element attesting an entire FSB worth of fake internet users? I feel like these two goals are mutually exclusive.
This is of course the least of my concerns. The whole thing should've been uprooted ages ago.
> "Users often depend on websites trusting the client environment they run in."
Nope, websites depend on the advertisers trusting them. WEI is solving a website vendor problem, not a user problem.
> "The web page executing in a user's web browser"
From a user perspective web pages "render" in the browser, not "execute". Vendors that want "execution" on a client machine should distribute a rich client app, where many OS platforms already support environment attestation. WEI is web page vendors wanting to have their cake and eat it.
I never seen a single chrome add. I'm sure we're in different part of the world and in different add segments, but seems to me chrome marketing in not that widespread, is it ?
As a retired FE engineer, the top reason I used chrome and test with it was the powerful yet light devtools.
I don't know what you're doing wrong (all I can say is that the name of the collection is case sensitive) but I haven't had any trouble adding the custom collection settings to my Firefox installs.
Some that help their parents, some that have kids, some that have sick spouses, some that brought their parents to live with them and support them due to health issues, some that have work visas.
I am simply saying that even though the right thing to do would be refusing, you also have to consider everyone's life circumstances when they make decisions.
The fact that they make $100k, $200k, $300k like another comment said means that they don't just need a job, they need a job making roughly the same amount of money and having the same benefits to be able to risk getting fired.
My original comment I wrote it so that we wouldn't just place everyone in the same group and generalize. It's not necessarily always as easy as refusing and risking your job. You're risking whoever else you support for example.
I’ve been doing webdev for 20+ years, haven’t used chrome for the past few years besides using its inspector in Chrome canary. I’m content, I don’t feel like I miss it. I will try to convert my family to FF as I did in the past. But this makes me feel hopeless, unless there’s a strong legislative pushback (probably from the EU) or we break up the behemoth… It’s the first time I can’t see a way out of this.
Chromium being open source is a red herring. The web is a protocol between clients and servers, and having the ability to fork the client doesn't matter if all the servers ignore your fork and continue speaking the protocol dictated by the dominant client. You need to fork the entire protocol, which is to say, you need to fork the entire web.
Mozilla's opposition to such initiatives matters only because of their users. And there are no other significant fighters in this ring on _our_ side, unfortunately.
Forcing someone to use their approved list of hardware to browse open web is the most absurd thing I have heard so far.
There's also Google engineers driving Corollas and helping their parents back home with expenses.
It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.
The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.
There's an immense power disbalance about this and any privacy limiting or freedom limiting features. Once they go through, there's no coming back from it.
Lifestyle creep is believing luxuries or non essentials are essentials due to now them having become part of your day to day.
I'm sorry but I don't believe that. I do understand that line of thought if you are in a very complicated personal/financial situation but you're stating that the only driver is money, which is clearly wrong...
They do it because the money, though. I turned down a FAANG job partly because I'd have to relocate across the US and partly because I didn't think I could sleep at night working for them. Total compensation package for first year was $250-350K depending on performance, and there was a signing bonus. This was 2015 or so.
I often half regret that decision, because it hurts to know I could've ticked that income box rather than fighting month after month to keep work coming in (self employed/contractor).
Buying stuff is on a spectrum and I think a consumer should be able to chose a tightly regulated system for exchanging currency.
Most everything else should be free to choose.
Any browser that implements this, I will not use.
So any webpage that requires that API to be present, I will not be able to use. If your webpage requires this, I will not be a user of your website.
It is really that simple.
I have zero issues using FF everywhere. I used to have to use Chromium every couple months because some dumb website was pulling in a library that was using some non-industry-standard thing chromium did - and everything broke due to their utter lack of testing - but even that has died down. There is a newer trend where I have to disable uBlock every once in a while to complete a task, which is just as bad, but I rarely have to actually use another browser.
not sure how far using 'ungoogled-chromium' takes you though.
One extremely small example from the last 60 minutes of my life is that many Google workspace products don't work very well in non-Chrome browsers. I have to switch from Firefox to Chrome whenever I call someone in Google Meet, because the system load is higher and some features are not supported (e.g. visual effects like background blurring). I'm skeptical that these features can't be done in Firefox, but when you try to use them you get a warning to use a supported browser.
I dug into this a little more and they have a page https://support.google.com/meet/answer/10058482?hl=en-GB&exp... which asks you to check for WebGL support, without a major performance caveat, and link to https://webglreport.com/?v=2
On Firefox on a M2 mac, I see "Major Performance Caveat: No".
Currently Firefox is faster than Chrome : >>36770883
On Google, I avoid the ad links
You cannot expect Google to act against its own self-interest only because you ask nicely. You have to stop giving them the market power to do it.
I can't think of a single candidate other than Mozilla that has the technical expertise, experience, trust, reputation, resources (not to mention non-profit structure) built over 20 years defending the open web. I don't understand why Mozilla is dragging their feet on this. They should have owned the entire VPN market by now. VPNs aren't cryogenic rockets.
This is precisely what the reported issues are trying to achieve, regardless of their tone. The current path is completely wrong and reckless. The first step of working together would be to abandon this approach entirely.
This is akin to suggesting that we'd solve global warming by triggering a nuclear winter. This is not something you can solve by iterating and finding a middle path. The entire premise of this proposal is dangerous and should be binned.
Just think about all the potential ways in which this approach can (and obviously would) be abused.
(Posting this here as I just noticed they disallowed commenting)
Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
Mozilla was once a bright shinning beacon of hope for the open web, but they wasted their good will on too many of us, and it pains me to think what could have been.
Other than that... No, I'm newer clicking on ads.
In the article they write:
> Social websites need to differentiate between real user engagement and fake engagement.
No, they really don't. Why would they? They have a platform, you can buy ad space on that platform, it's not the job of the website to provide you with engagement numbers. You run an ad campaign for a given period, you track if sales increase during that time, if they don't your campaign was no good. I'm also okay with tracking sales directly from each campaign, have a tracking code for that campaign, but not the user/customer, that fine. The obsession with tracking everything single little detail back to a person is becoming increasingly obnoxious.
The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.
Real creators create and don't need the like, subscribe, patreon, mantra. Most of the gunsmithing sights on YouTube are moving towards this idea.
I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.
I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.
This is a perfect case in which I’d like to see my taxes funding their work.
[1] https://arstechnica.com/gaming/2021/07/cheat-maker-brags-of-...
No, "I have kids" is not an excuse. You do see how that makes this even worse, yes? To pretend to give a shit about future generations while gleefully destroying the liberties of those future generations?
It will voluntarily segregate the happy conformists into their safe, normalised, walled-garden whilst the, likely technically proficient types that can wrangle hardware and software and therefore the single most dangerous group of individuals on the planet, non-conformists are easily identified by their continued participation in the wild-west-web of yore, eschewing, or at least not exclusively joining, the new utopia.
Maybe we'll get back the web we keep saying we miss, with Eternal September nicely walled-off, but maybe it'll be a case of be careful what you wish for, because now it'll put us on watch lists, not because law enforcement understand the technology any better, but because they've got their own tools to build what they think is a better mousetrap. And law enforcement love their own tools.
https://increditools.com/ad-blockers/
I think survey results showing 40% using ad-blockers is sufficient to question your assertion that most people don't know about ad-blockers. Folks may not all be using them, but I think a majority certainly are aware. And outside the U.S., even a majority use them in some countries.
Ordinary folks on the Internet have friends and family that are technically inclined and often seek advice from them. But most of the time, ordinary folks figure things out just fine in their own.
The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".
The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.
A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.
If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.
The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.
Take away the commercial interest and you are left with passionate publishers and audiences.
I'm curious what "better forum," if any, Google will actually engage with on this matter. I too wouldn't this sort of overwhelming reaction to happen in a personal repository. But the conversation needs to happen somewhere!
Firefox/Safari on the Linux box/Macbook
Chrome is dead to me, it started getting unstable about 12 months ago, not looked back since I ditched it.
Forgive my stupidity, but isn't this only going to be the case for websites that will opt into the use of this api? Currently, websites can already do user agent sniffing, or hide their content behind a login wall; but we are not complaining that this is the end of the web. Or are we?
It's a shit idea but honestly Google isn't even the bad guy here. Everyone is mad at the theoretical anti-adblock usage of theoretical websites. Be mad at those websites instead!
Almost every free service out there runs on ads. If you pay your subscriptions, you probably won't even notice these shitty websites. There is exactly one group of people who will be hit the worst, and that's people who want everything for free with no ads and no requirement to provide anything of value in return. Guess what? No business can operate like that!
Google is in some very deep shit if the alleged ad fraud stories are true. They need to be able to verify that people are human or they will collapse under lawsuits.
We wouldn't need this crap if we, as a society, hadn't decided that we want everything for cheap or for free. Remote attestation can actually be valuable (i.e. for company owned devices entering a corporate intranet) but the fact everyone fears getting locked out of everything is a symptom of a much bigger problem with the internet today, one we're probably not willing to face.
I'm all for killing the big tech giants and bringing back competition, but Google quickly going bankrupt will be disastrous. Youtube and about fifteen years of human existence will disappear from the internet, billions of phones will stop receiving updates, gmail.com will disappear and businesses all over the world will be ruined as a result.
Even if this falls through, Google will still need to validate real browsers somehow. Expect CAPTCHAs for every news article instead. Maybe solve some puzzles before you can comment. This is their user friendly, unobtrusive attempt to get this tech through; if it fails, I expect their next attempt to be much worse. The web may very well end up being like browsing through Tor.
Of the remaining 1%, most don't need a VPN for anything personal. It's literally just a handful of geeks who need VPN (mainly for secure piracy, or accessing different regional Netflix catalogs), and maybe a few dozen journalists living in dictatorships.
Mozilla needs to gut spending. Get rid of all the diversity /hr/evangelism people bloating their employee headcount and funneling people's donations to divisive causes like that org that doesn't hire white men (forgot the name but it made me cancel my monthly donation to Mozilla). They shouldn't need more than 25% non-technical staff, and the purpose of those 25% should be exclusively to support the technical staff. Instead they became another bloated Big NGO that's basically welfare for liberal arts majors in California.
Web Environment Integrity API Proposal – >>36817305 (618 points/4 days ago/442 comments)
Google Chrome Proposal – Web Environment Integrity – >>36778999 – (117 points/7 days ago/94 comments)
Web Environment Integrity Explainer – >>36785516 (87 points/6 days ago/44 comments)
Extreme technological complexity is just about the best possible moat a huge business can have. Though in this case "walls around the prison in which the users are incarcerated" might be a better analogy.
And all the prisoners, who just can't resist the endless shiny new goodies added to the web standards, are forever building their own prison walls higher...
Do you mean a kind of Linux where root cannot do anything he wants? Like Android?
(FAANG salaries are not an "order of magnitude" higher than salaries at other U.S.-based companies for similar jobs.)
FAANG salaries are just at the level at which those companies discovered people are willing to sell their souls, or that is high enough to attract naive people who won't question why it pays more.
Not at all. Controlled opposition has to pretend being an opposition.
I personally avoid any Google products and services when possible.
That evil company has grown simply too big and we need to take its power down. Now.
If Netflix introduced a freemium mode where you can watch their content with injected ads for free, would that be evil as well?
I am reminded of a story of a retailer who adódnak l accidently stopped advertising online and so no adverse change in sales. While I can't find the exact one I have in mind, it seems this isn't rare.
https://www.forbes.com/sites/augustinefou/2021/01/02/when-bi...
Absolutely not, Google is the driving force giving them that power, knowing it's very ripe for that sort of abuse.
Google is experimenting with detecting adblockers on YouTube. Don't for a moment think that the fact that this can be used to stop adblocking is lost on google. Honestly I wouldn't be surprised if that was secretly one of the main drivers behind it all.
How many web sites still serve you http:// instead of https:// ?
The transition was (is) entirely voluntary. Transition happened more slowly until browsers made the lack of https:// look scary.
https://blog.mozilla.org/security/2017/01/20/communicating-t...
I don’t expect Google to act against its own will, but they should.
Hello, Mr. Yakamoto! Welcome back to The Gap…
At some point, you might think about a product subconsciously due to any reason, and since you saw the ads, you'll think of a specific company's product and likely rank them higher among "unknown" brands by default. That will bubble up at some point and you'll have a desire for it which you either accept or reject. Most will accept, causing more to accept to be in the group. It's human nature.
Any interaction is a bonus.
"We" need to do more / better to educate them!
I tried to implement pi-hole for some extended family members. They asked me to turn it off within a week because they couldn't watch advertising videos to earn a new 'life' on candy crush (or something closely resembling that).
I can't relate to "normies" anymore, it's too late for me...
https://httptoolkit.com/blog/apple-private-access-tokens-att...
I'm very sure if you are earning US$300k/year and depending on every job you get to be comparable or better you have set yourself to be fucked for life... Again, with Google on your CV you can get another job for a visa, or to pay student loans, if you depend on earning US$300k/year to just live your life you have much bigger problems.
You are trying to make it look like someone with one of the highest paid white collar jobs in the world is struggling to live and depends on earning that amount. Let's be real, it's a very, very very very small subset of people earning on that bracket that actually might have enough issues in their lives that require earning that amount (huge amounts of medical and student debt, supporting a family with disabilities [spouse, kids, etc.], etc.).
They might exist in this case, yes they might, but making that possible exception into a "think of the poor golden handcuffed employee who is being forced by some freak life situation to do this hugely unethical thing in name of their employer" excuse is not reality, in reality it's just much more likely these are people that want to keep their cushy job ingratiating their employer by making the web worse for everyone else. Greedy. Pigs.
Money is going to be a required tool to fight back against google, whether we like it or not. Capitalizing on the lesser evil to fight the bigger evil is not a terrible idea in my estimation.
> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
After the weekend - leaves long comment but doesn't reopen comments as promised.
No doubt Wix is doing this for my own protection.
I can definitely see the majority of the web going in a similar direction.
https://www.theverge.com/2023/6/26/23774547/microsoft-sony-x...
The FTC lost that case.
I think at this point, if a big tech executive avoids doing something due to the threat of antitrust lawsuits, they're just incompetent.
Why not get paid by the devil while fighting his plans?
You don't even have to make it obvious that you are cratering it. There are so many shiny things in tech you could make it look entirely incidental.
Part of me reserves hope that this is what some of the engineers inside of Google are doing right now.
Your social graph is more accessible to other 'actors' than it would be if it weren't on Meta.
You may not care about this kind of thing, but I do. Unfortunately I'm not entirely free of it either, so any finger wagging on my part is at least partially hypocritical.
Here you answered it yourself why people adblock. If ads were served on either side of the holy grail layout like the good ol days it wouldnt have been such a pain in the ass.
I remember jumping on the ad-blocking wagon when google started serving their shitty ads in between scroll content, serving diseased peoples photo ( ketto.org ) and getting frighteningly accurate/curated ads of what I searched for previously. Literally fuck google for having a digital private investigator on my ass 24/7 just to sell me shit. I am gonna use ad-blocker till the end of time.
The possibility that this is a thinly veiled attempt at introducing Digital Rights Management into web pages is a concern that should not be dismissed lightly. This may well be a sly effort to muzzle ad-blocking capabilities, thus reducing the web to a cacophonous bazaar of incessant advertisements, a capitalist wet dream at the expense of user experience. I echo the critics who view this as a potential threat to the open web. Furthermore, the question of who controls the "attesters" is a serious concern that evokes dystopian scenarios of a digital oligarchy. In a world increasingly reliant on digital verification, the potential to manipulate trust scores essentially hands over the reins of the digital world to a select few. This, far from enhancing trust, could potentially further erode it.
The ambiguity surrounding browser modifications and extensions further fuels suspicions. In its guise of ensuring legitimacy, the proposal seems to conveniently overlook the diversity and customization that has been a hallmark of the digital world, creating an environment of dubious one-size-fits-all integrity.
Moreover, the vague explanation of the enforcement and establishment of baseline requirements does little to allay fears of vendor exclusion. What are these requirements and who indeed gets to decide them?
It focuses heavily on privacy concerns and how those will be resolved - the vast majority of criticism I've seen hasn't been related to this at all, and those aren't especially hard problems to solve in the context of the existing spec.
It still largely ignores browser diversity & experience this will create for non-Chrome users. His argument is that blocking fingerprinting in future will mean anti-fraud will make the web unusable, and WEI will make it usable again. Given you accept the premise, still the conclusion is only true for browsers that can access WEI - which means the web will become unusable for browsers who can't (Linux, rooted Android, Firefox, etc etc).
For the ecosystem as a whole, it's better if everybody has a fair playing field. By definition, WEI structurally privileges certain clients. The more widespread that becomes the worse the effect on the wider ecosystem is. If WEI does not exist, and fingerprinting does not exist, providers will be forced to find ways to limit the impact of anti-fraud mechanisms. If 90%+ of browsers use attestation, that pressure decreases dramatically. Using Tor on the web today is a good example of the likely experience.
The mention of holdbacks here touches on this (though for full blocks, rather than wider impact) but ignores the existing strong pushback against holdbacks from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and ignores that the attestation they already shipped on Android for exactly the same use case does _not_ do this.
Fundamentally, the issue isn't about privacy during these checks, or whether defeating fraud without fingerprinting is valuable. Those are reasonable but obvious points. The issue is that client-focused validation for fraud is a flawed goal in itself (it's impossible - even with full & perfect attestation, you can set up a fully automated + WEI-approved machine by automating input peripherals directly) that risks enormous collateral damage, and we shouldn't encourage it in any sense. We definitely shouldn't standardize practices to make it easier.
At the end of the day, if you want to block fraud you have to do so server side (statistical analysis, rate limits, validated user accounts, requiring payments, some kind of proof of work, etc). This is a hard problem, absolutely, but it's unavoidable.
For example, elsewhere on this page someone is saying that Google is trying to do [x], where x is something that would kill one of the main apps on Samsung's phones. Of course Samsung would submit an antitrust complaint and win. Assuming Samsung wouldn't is stupid. I really wish people would put forward their arguments without such stupidity.
It reminds me of the Microsoft criticism of 10-20 years agom, when there was so much stupid criticism of Micosoft that it devalued the substantive, intelligent criticism. Lots of people assumed that the substantive criticism was just more ranting, and ignored it.
</digression>
I just don't know how this is possibly conceived as ok, or how they can possibly justify trying to block ad-blockers - I consider ad-blockers as a more important security barrier than a virus scanner - that's been the case for me going on a decade.
Sometimes I pick up on actual fraud, like 'affiliate marketing' traffic 'boosters' that just result in someone clicking through a banner, making and order and not paying. 200 times in a day. Nobody cares, as long as the stats look good
Apple already shipped attestation on the web, and we barely noticed - >>36862494 - (530 points/1 day ago/398 comments)
The open minded tech comminity can move mountains but this is now bigger than a mountain.
At this point about the only slingshot manouevre that could help us escape this fate is a reasonably resourced sovereign entity fully underwriting an open source stack (desktop, mobile, browser, cloud, fediverse) and nudging / seeding a mass user base by making it mandatory for engaging with public functions, paying taxes, transacting is sovereign money etc.
Effectively by declaring a tech "liberation" war.
I don't give this scenario high odds of happening but hopefully not every sovereign is captured. History is not made by the dazed and confused indulging in debilitating apathy.
How else are they going to learn more about me and shove ads that they think I care about?
More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.
> An owner of this repository has limited the ability to comment
I don't think people are going to mobilize for privacy! I think people will just jump ship to avoid giant banners...
Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would've out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.
Most people "choose" a specific browser like I "choose" my landlord when I move in to a new place. It's what's there.
On the other hand, most of the money in advertising today is in brand advertising. No one clicks through an ad for Ford or Coke and buys immediately. You can run experiments on these at a very coarse level, but that level is approximately "the English speaking internet". Which means brand advertisers are willing to pay far more if they know real people are seeing their ads.
(I used to work in ads, but quit a year ago and have no plans to go back)
Ad blocking is at least as big a deal as speed in terms of browsing comfort.
They don't need the extra adblock detection, they need to validate that a human is watching the ads that do come up. You, as a user with an adblocker, are not YouTube's customer (unless you're paying for Premium, in which case you don't need standard adblock); their advertisers are.
I don't think adblock is such an immediate concern just yet. If they want to cut down on adblock usage, they can just restrict adblock users to a limited amount of videos per day, or limit them to 480p, or pull all kinds of other stunts. Premium exclusive higher bitrate streams seem to be slowly rolling out, but I suspect that's just the first step.
What Google desperately needs is proving to their real customers that they're not scamming them out of advertiser money. An ad not playing isn't costing them much, but an ad playing in a scraper's virtual browser window is a liability.
To most employers, that would read as "prone to insubordination", and be an immediate red flag. Because each and every one of them will inevitably ask you to do something at some point that will be fucked up.
Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.
Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.
It is only out of convenience that these services are currently tied to a "phone".
- Content sites implement Web Integrity API to block bots
- But they still allow Google crawlers, because Google is their source of traffic
- Google competitors are locked out
How do attesters solve this problem?
I would love to have a Mozilla hosted email and calendar service from them, for example. I don't understand why they aren't branching out into more common web citizen needed services.
1. Native integration across devices: Safari integrates seamlessly with Apple's ecosystem due to proprietary features like iCloud, Handoff, and universal clipboard, allowing for a consistent user experience across all Apple devices, with seamless transition among them to stay in your flow across devices.
2. iCloud Private Relay: This is a recent security tool from Apple and participating CDNs that encrypts all Safari traffic and protects the user's privacy by preventing anyone, including both Apple and network providers, from seeing which sites are visited.
3. Password Management Integration: Safari offers seamless integration with Apple’s Keychain for password and two-factor authentication (2FA) management across devices and across apps and browsers. Safari leverages Apple's OS level full password manager that's been quietly iterated each major release, now including support for TOTP and compromised-site checks.
4. Increased security/privacy: Safari uses AI/ML backed Intelligent Tracking Prevention to identify and block trackers, ensuring enhanced user privacy. While similar features can be added to Firefox via extensions, Safari has these capabilities by default.
5. Improved Power Efficiency and Performance: Multiple battery life tests confirm that Safari is significantly more power-efficient than Firefox and Chrome. Apple pulls this off through co-optimization of hardware and software, power-efficient technologies, hardware acceleration, conservative use of resources, efficient resource handling, and the blocking of resource-heavy ads and trackers. In real world use, you may see twice the battery life during web heavy usage.
6. Extended Support for WebKit: Use the browser your users use, so you understand and support their experience.
Other factors like persistent tab groups, 120hz scroll performance, and first class "retina" typography simply add to the smooth experience Safari provides on macOS and iOS.
Here are some lesser known tips for tuning up Safari to your liking and using features folks may be less familiar with:
https://www.pcmag.com/how-to/hidden-tricks-inside-apples-saf...
"There seems to be something wrong with your request, try reloading this page"
Good luck getting this ad infinitum you are on an environment that Google doesn't approve.
Browsers are still memory hogs, but at some point you have to decide if you want speed or low memory usage. Fast reaction time or nicely rendered pictures. On a decent machine, not even a fast one, there is no difference. That said, I despise notebooks and usually use towers.
I will concede that if you're all-in on Apple, then Safari is certainly more convenient. It's also more power efficient on macOS, so if I know I'm going to be on battery all day, I may switch to Safari for the day.
Apple has a pretty terrible record on security given the Pegasus spyware and 0 clicks. Although most are related to iMessage and hardware exploits.
I still have a hard time believing the Privacy stuff since PRISM and Apple's openness to give data to China and Russia. But if you believe them, don't mind the government's access, and don't want to use other software, I can see where you are coming from.
"Oh, this area of $hot_social_media_site is for people earning ($user_salary * 1.4). But you can get access for just $10/month paid monthly or $9/month paid a year in advance! You don't want to be left out and lose the chance to network with higher earners, do you?!?"
Expecting engineers to die on this hill for us seems incredibly unfair. To balk at someone not upturning their life and (under the US healthcare system at least) endangering the health and well-being of themselves and their families in the name of dignity or morality when the net result of doing so would be exactly zero because Google can replace them in a heartbeat is, in my opinion, a gross and unnecessary misdirection of blame.
If you don’t want to stop using Chrome, then your alternative is to buy a controlling share of Alphabet and appoint a Board that forgoes advertising revenue in exchange for being nice to adblock users.
Next comes the state that demands clients are verified in a way that they can ensure the age and identity of the user. This doesn't lead to anything good.
Google was essential in securing the web. Their acceleration of HTTPS adoption was constructive. This is for their ad business, against privacy and against the open web for very questionable benefits.
Let's say I have a kid at a school. I don't use WhatsApp, but several parents have me in their phonebooks. They use WhatsApp and also use Facebook on their phones. Facebook gathers their location information, and given what Facebook knows about them, it isn't difficult to infer that I also must have a kid attending a school at a particular address at particular times during the day.
Data mining quickly gets scary.
You can also look at it another way: if this information wasn't valuable, do you think Facebook/Meta would have paid a billion for WhatsApp back in the day? Do you think they maintain the "end-to-end encrypted" communications app out of the goodness of their hearts? This is extremely valuable information: millions of people share their identifying information (their phone number) and their social network (their phonebook). It's worth a lot!
Not quite. Increasingly, as Chrome became popular, you get websites that "work better in Chrome". Or do not work at all in other browsers. And you hear recommendations to "just use Chrome", so that things work. It's just more convenient all around.
Maybe I'm just really bad at marketing/promoting myself or I gasp have to take work "below my pay grade" because it's still work and I've got bills, but I'm not netting six figures doing highly technical work (embedded development, electromechanical development, board layout and design, etc.). In the last five years I've had one in which I grossed six figures. I'd figure I just suck and am an outlier but I keep hearing the same stories from friends who are also not at big shops.
And the problem comes when you have to cut back all that, you need a job that can support that lifestyle. I believe the best thing you can do if you have a fat paycheck is to exactly take the opposite approach: keep living simply, save as much as you can, yes give yourself a treat from time to time, but essentially keep an average lifestyle.
The day you need to go elsewhere and you find out that you are against the wall because you need that much money and you can't find a similar income is when you're basically screwed.
Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.
Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.
If you're dyslexic, I get it but TTS systems are extremely solid these days.
What is the point?
I very much doubt author himself believes that.
I feel like they could do better, but on the whole, I'm happy with what they provide to everyone for free.
Altruism is not a default position, and is unusual in the real world.
I'm not saying that's how it should be, or that people shouldn't work to make it otherwise. But you say why don't all those people walk away from that? How far would you go? What if you had children depending on you? It's very easy to condemn other people as "greedy" but you show a lack of understanding, of empathy, perhaps, for how people in general function in the world if you assume they should just do what you say because "obviously, my moral stance trumps their concerns."
Edit: I upvoted your other comment, by the way, where you lay out the very scenario I speak of. Many people are "screwed" because their lifestyle has expanded to their current circumstance. Few people realize that progress in some dimension rarely rules out regress back along the same path. Liberty requires maintenance, because there will always be societal forces aimed at eroding it.
[0] https://www.snellman.net/blog/archive/2023-07-25-web-integri...
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
- https://www.cci.gov.in/antitrust/
- https://www.cci.gov.in/filing/atd
Canada:
- https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-e...
Bonus points if a search engine like Kagi automatically filters out sites for me that block ad-blockers.
Google engineers are not special. Everyone has a situation, and family, and bills. Everyone has a parent who will die one day. Everyone hits hard times. Everyone faces tests of character at inopportune times. Very few of those people are making $300k a year tho, and nonetheless making the rightethical choices every day. Why can't Google engineers?
That's why I said standing up for your principles is difficult. If it were easy, everyone would do it.
I do not want those companies (or anyone, really) to be able to decide what is or is not an allowed hardware/software setup to access anything.
I think that if they cut back on some of the other projects in the short-term, they could ensure the foundation was funded for the long-term - to support Firefox and anything else they deem valuable.
The best kind of truth in my book. I have lots of ideas about poverty but I was actually responding to the trap of high-earners. Careful spending is more critical in impoverished situations.
I mean, we are in a climate crisis and massive worldwide inequality and some really competent people both made this happen and prevented the general public from being able to avoid this - because that happens to profit the few.
Most of the worldwide economy is predicated on this (capitalism). It's a logical outcome.
Wages for developer work are not consistent, though. I was making around $45K out of college in upstate NY in 2011 or so. I left that job around $55K in 2015 when we moved from the area. Those were entirely normal salaries in the NY capital district for developers with a four-year degree and proven skills in a given language.
I'm now in central VA and am friends with the owner of a local media/web development shop. Their average pay is around $20/hour. Remote work levels the field a bit now, but that's what folks who want to work locally at a desk are offered. They have people actually working there, so I guess folks think that's a reasonable pay "for the area."
I mean "order of magnitude" in the sense that a 6-figure salary is an order of magnitude more than a 5-figure salary.
We never convert, making online advertising pointless.
People pay for Netflix because they want to watch the specific content, for which the platform has already invested money. It feels natural and fair to pay them. For the same reason, if they had a perhaps limited in content, but not obnoxiously annoying ad-supported options, people would be more likely to respect it.
On the other hand, YouTube wants you to pay to get rid of the annoyance they intentionally planted in their platform, while they have invested 0 of their money on content. Also, most creators don't seem to be paid enough from YouTube, and appear to make their living off of 3rd party sponsors, sales, referrals, etc. With this model, it is not surprising that people aren't very keen in having a YouTube subscription.
You don't need to believe me, info on the authenticity of their effort is priced into the markets.
Or, you can believe those lined up to fight Apple on these capabilities.
This is really outdated: https://images.apple.com/safari/docs/Safari_White_Paper_Nov_...
But boy did it get Meta mad:
https://www.cnbc.com/2019/09/09/facebook-warns-about-apple-i...
But they did more:
https://appleinsider.com/articles/21/06/07/apple-beefing-up-...
And now more:
https://www.tomsguide.com/news/ios-17-will-stop-websites-fro...
Every time generating letters to Washington and Brussels how Apple's taking food out of the mouths of data and ad brokers.
I'd have run out of tiny violins if I didn't have GarageBand to make me a loop.
There are a lot of banks, and jumping ships and reopening my account elsewhere is always a choice.
Maybe if I donate to NRA-ILA I can tilt their agenda towards gun control.
you’re not going to tilt a think tank against its master, and the point of Mozilla is controlled opposition so google can point out they’re not quite a monopoly.
Sweet sweet advertisement money.
The problems I experienced that can be fixed in Firefox itself probably already got fixed.
My (personal) problem with Firefox is that functionally it's not Chrome and doesn't look/feel like it. The claimed non-functional improvements (privacy, freedom, ...) DON'T make up for the difference for me personally.
If Firefox looked and felt more or less exactly like Chrome for the functional parts then I would not have any problem switching for good. It's not at the moment, so this is what stops me from adoption.
I don't propose to change anything (you did). I was merely stating why I'm not on Firefox yet as a data point.
I see your point and it is absolutely within your right to stay on Chrome if you don't want to change. I've found it pretty much identical in terms of functionality and UX for the past decade though. Do you have any particular functional improvements in mind that you're missing in Firefox?
> In August 2005,[11] the GNUzilla project adopted the GNU IceWeasel name for a rebranded distribution of Firefox that made no references to nonfree plugins.
> [...]
> The GNU LibreJS extension detects and blocks non-free non-trivial JavaScript.
Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.
> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.
Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.
[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...
And, again, it is complicated to get it turned on. How complicated? Take a look:
https://nwildner.com/posts/2021-04-10-secureboot-fedora/
>The kind of Linux 99% of Linux users are running today.
I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.
> https://nwildner.com/posts/2021-04-10-secureboot-fedora/
Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.
The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.
For instance, initrd is not verified: >>36717975
>The page you link goes into custom secure boot keys, which are usually unnecessary.
You might be right about that.
To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.
I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.
As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.
In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.
In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.
Or what is wrong with meeting politicians what have always a very good brief in their hands telling them what words have maximum impact on the small group before them? It seems to work looking at the increasing number of spineless chameleons.
I think that personally I'm a lost cause. Either give me Firefox in a Chrome's pelt or I stay with Chrome. And maybe that's good this way: Firefox should just focus on new users and make the best browser for "them".
So many people genuinely don't understand what would be wrong with this scenario, and that's why I'm afraid.
There's also the venerable lynx, and elinks (which I reluctantly admit is better than lynx, even if I don't use it much), and Dillo+ [1] (a fork / continuation of Dillo that supports Gopher and Gemini). And could I forget NetSurf, with its graph-y history navigation? And of course, Ladybird, [2] probably the best-funded of the lot.
These are just the ones I've heard of. There are surely dozens more you'd be interested in, and thousands of little hobby projects. Why not try making your own web browser?
[0]: https://argonaut-constellation.org/
So? They can force you to pick between running old software or running new software. This is hardly new if you look at the broader "compatibility" scene. Old hardware and software are being dropped all the time. (Remember when MacOS dropped 32-bit support and wiped out a huge chunk of older games?)
If you want to stay in the old chain, you're free to do so, just like how you can still pick up a word processor made a couple decades ago and make documents on it. It only affects you if you want to use the Internet as that keeps evolving. (If you load up some '00s or '10s era browsers you'll see that many of them do not work at all for the popular Internet sites, which have all adopted things like newer TLS implementations and HTTP/3 or whatever the latest one is...