zlacker

It isn't just "make ad-blocking (near) impossible" as the current title of the submission suggests. It is:

Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.

Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.

Make crawling the internet possible only to Google. No private crawling and no competing search engines.

Let me know if I've missed anything...

>>Adverb+(OP)
If successful, that would make the anti-trust suites against MS seem like childs play.

>>Adverb+(OP)
iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.

>>Adverb+(OP)
Definitely seems like we will have a commercial internet run to satisfy corporations and an adjunct internet that is federated and open for free thinkers. I think focusing on federated publishing tools is the best route around these ideas.

Remember the corporations will need to be more disruptive than a nuclear war to break the internet. We can always route around them ourselves.

>>Adverb+(OP)
As someone who has built a business on browsing certain website using Chrome in headless mode this proposal worries me, and it has the potential to destroy large commercial segments of other similar companies.

>>mozbal+Z2
It's important to remember they are only commercial efforts. If you can value something other than money it doesn't matter what the corporate web is doing compared to human ingenuity and the internet. Let them waste their time and money write their specs.

>>Adverb+(OP)
Make browsing the internet possible only on CPUs allowed by Apple, Microsoft, Google. So no RISC-V just yet, and even when RISC-V will be supported by them: No competition allowed in CPU.

Make browsing the internet possible only on SoCs allowed by Apple, Microsoft, Google. No competition allowed in SoC. [0]

Make browsing the internet possible only on form factors approved by Apple, Microsoft, Google. So no calculator with a web browser [1]. No competition allowed in form factor.

Make browsing the internet possible only on UX approved by Apple, Microsoft, Google. So backtracking 10 years ago, when Android made documents-oriented web browser (= each tab appears just like a standalone app in recent apps), that would have been abuse of that position. No competition allowed in UX. [2]

PS: I come from Android OS world, all those examples already apply to Google/Android.

[0] Well this one will depend on whether their Web Environment Integrity implementation will enforce full secure boot approved by them. Considering how it went for Android, I'd say it will, but can't say for sure.

[1] Yes you can find calculators running Android (but can't run Google/Android so no Chrome). Amongst a lot of other weird Android devices. You can find walking robots, toothbrushes, urinals running Android.

[2] You'll probably find a better example. Arguably it's the same as "competition allowed in browsers", but that was an OS-wide change, but saying it's "OS" IMO largely reduces it.

>>detour+N3
As an example, Can you recommend a good tech/hacker video channel that is available somewhere else other than Youtube?

>>mozbal+Z2
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.

The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.

>>detour+N3
Normal people interact with the “corporate web,” because they feel compelled to do things like banking, buying stuff, etc.

>>Adverb+(OP)
Seems more than just a bit ironic to block the web from being used on the very same open source that it actually runs on...

>>hef198+y2
There won't be an anti-trust suit. The implicit deal will be we will prevent "misinformation" (favor news sources you support and censor anything you request with our algorithm) and you will allow us to monopolize the internet.

>>meepmo+X7
Those normal activities like banking is a corporate service and I'm happy with it's regulation and it makes sense to be regulated.

Buying stuff is on a spectrum and I think a consumer should be able to chose a tightly regulated system for exchanging currency.

Most everything else should be free to choose.

>>fallin+G8
Other countries can do anti-trust as well.

>>Adverb+(OP)
How would they achieve that?

>>detour+N3
Unfortunately, the corporate Web has managed to monopolise how we communicate and learn about things (Facebook, reddit, twitter, YouTube, news sites, etc).

>>Adverb+(OP)
So, it's Secure Boot to the web.

>>mozbal+n6
That is why I call for federated publishing tools. Believe it or not I plan on launching such a channel and it will be self-hosted in the 90's meaning of the term. They only way the channel will grow an audience is if it is passed by word of mouth.

The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.

Real creators create and don't need the like, subscribe, patreon, mantra. Most of the gunsmithing sights on YouTube are moving towards this idea.

I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.

I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.

>>mozbal+n6
Arent everyday astronaught, practical engineering and tom Scott available on their own websites?

>>fallin+G8
That's far fetched. Mozilla still breathes and they have enough cash to start an anti-trust lawsuit in Europe.

>>epolan+J9
They won't. Their corporate overlords are looking at their empire of dirt and trying to figure out a new newness.

>>awesom+ja
Cash that comes from Google. The EFF might start an anti-trust lawsuit, but I don't see Mozilla doing anything of the sort.

>>concor+ba
This is a mistaken view. The closest thing I have to social media is HN. I did get a twitter account in the beginning and I was waiting for the right moment to tweet but it seems to have passed.

The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".

The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.

A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.

If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.

The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.

Take away the commercial interest and you are left with passionate publishers and audiences.

>>Adverb+(OP)
> Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers

Forgive my stupidity, but isn't this only going to be the case for websites that will opt into the use of this api? Currently, websites can already do user agent sniffing, or hide their content behind a login wall; but we are not complaining that this is the end of the web. Or are we?

>>mozbal+n6
Do Channels on Nebula count? Since Nebula is paid only, ads free and creator owned (as far as I understand), it might be the one prime example of a video platform not incentivized to restrict access to only consumers using proprietary, big tech OSes.

>>concor+ia
I visited Practical engineering and tom scott's websites and AFAI seen they embed youtube videos in their websites. I couldn't find astronaught's website. Its not even linked to in his youtube channel.

>>meepmo+X7
I don't mind in these cases. Because I already have to present my ID card or my driver's license, when I'm doing most of this. I'd buy a cheap laptop, label it as a banking and ecommerce laptop/tablet, and use it to browse the corporate web. More friction, yes, but I'd welcome it as it would make me reluctant to interact with them. Any other sites that try would just end on my blacklist.

>>jeroen+S7
> I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.

Do you mean a kind of Linux where root cannot do anything he wants? Like Android?

>>Stammo+lb
I would say so.

>>phh+F4
Make it impossible to browse the Internet from urinals. Needs to be added to the list :)

>>azangr+8b
> isn't this only going to be the case for websites that will opt into the use of this?

How many web sites still serve you http:// instead of https:// ?

The transition was (is) entirely voluntary. Transition happened more slowly until browsers made the lack of https:// look scary.

https://blog.mozilla.org/security/2017/01/20/communicating-t...

>>jeroen+S7
Linux computers with an approved boot chain and software environment. Gentoo users are out, as is anyone making a custom kernel.

>>hef198+y2
> “We (Microsoft) are in a very unique position to be able to go spend Sony out of business,” said Booty in a December 2019 email, referencing spending $2 billion or $3 billion in 2020 to avoid competitors getting ahead in content at a later date.

https://www.theverge.com/2023/6/26/23774547/microsoft-sony-x...

The FTC lost that case.

I think at this point, if a big tech executive avoids doing something due to the threat of antitrust lawsuits, they're just incompetent.

>>pjc50+h9
What I am getting at is this is fundamentally a pro-government proposal. Governments like the open web even less than Google.

>>Adverb+(OP)
If that would be the case, then countries with bad relationship with the USA will end up having the real free internet because these tech services and products would be undesirable or inaccessible to them. They might risk political persecution for their online activities but so do people in the "West". The 3rd world will be forced to use homegrown solutions and there's a possibility that they might end up much more innovative when not everything is about advertisements.

>>jasonj+ud
I imagine also anyone who, despite being on an approved distro, has had to enroll their own key to build and sign drivers as well.

>>codedo+Lb
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.

More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.

>>jasonj+ud
Gentoo users and people running Nvidia drivers and the like will be out, that's true. That's very different from "only certain architectures allowed", though.

Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would've out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.

>>mozbal+Bb
He has article versions of his videos which you can find linked in the description of his YouTube videos. The videos on his website are just linked to YouTube however.

>>detour+I8
E.g. McDonald's android app, at this moment. It doesn't launch on devices which fail Safety Net checks, i.e. modified firmware

>>Terret+5c
It did help that everyone was in agreement that https is a good thing (TM) though. Browser vendors as well as web developers.

>>Adverb+(OP)
And of course you can also charge for access depending on client. There is not a single advantage for the user in the long run.

>>out_of+8i
I have been in the tank for Apple since the 80's. So no doubt I'm distorted but content.

Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.

Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.

It is only out of convenience that these services are currently tied to a "phone".

>>jeroen+S7
This is exactly why people criticized secure boot. To not allow such system to establish themselves is the best defense. True for secure boot as well. Security is not the argument anymore, it is market domination.

>>jeroen+6h
They are not more secure at all.

>>jeroen+Wh
Netflix can only discriminate because we have attestation in the first place. This is not a security mechanism anymore.

>>jeroen+6h
I mean if root can do anything then such system is not "trusted" from corporations point of view. Therefore, it won't be able to pass the attestation or play DRM content.

>>wizzwi+Ia
Time to start donating to Mozilla.

>>mozbal+n6
Not an answer but your question has me curious now. I'm not old but I've got a particular worldview that could use an update. Why video? Aside from entertainment or live collaboration, I've never found video compelling for productivity.

Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.

Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.

If you're dyslexic, I get it but TTS systems are extremely solid these days.

What is the point?

>>mozbal+Z2
Remote attestation, including hardware attestation, is absolutely compatible with open source.

>>nequo+oJ
Maybe if I donate to American Petroleum Institute I can help tilt their agenda in a more green direction.

Maybe if I donate to NRA-ILA I can tilt their agenda towards gun control.

you’re not going to tilt a think tank against its master, and the point of Mozilla is controlled opposition so google can point out they’re not quite a monopoly.

>>phh+F4
You don't need this is stop innovations in CPUs, any new CPU will be for non-computers or for servers - for the same reason that Linux is not yet king of the desktops, which is that people need their computers to run old software.

>>korse+MW
Unfortunately we live in a time where the majority of people are practicing illiteracy.

>>tomjen+z84
Apple managed to switch to ARM without too much fuss.

>>jeroen+6h
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.

Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.

>>holler+YP5
Fedora's own website [1] states:

> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.

Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.

[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...

>>paulmd+QC3
What do you propose as an alternative? Safari?

>>jeroen+vX5
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora support secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.

And, again, it is complicated to get it turned on. How complicated? Take a look:

https://nwildner.com/posts/2021-04-10-secureboot-fedora/

>The kind of Linux 99% of Linux users are running today.

I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.

>>holler+G06
> Earlier I wrote, "it is complicated to get it turned on". How complicated? Take a look:

> https://nwildner.com/posts/2021-04-10-secureboot-fedora/

Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.

The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.

>>jeroen+Jp6
If secure boot is enabled on the motherboard, Fedora can be installed and used without going into the motherboard firmware and turning it off, but that is different from secure boot's providing to the Fedora install the kind of security assurances that secure boot provides to the other mainstream operating systems (Windows, MacOS, iOS, Android and ChromeOS).

For instance, initrd is not verified: >>36717975

>The page you link goes into custom secure boot keys, which are usually unnecessary.

You might be right about that.

>>holler+sD6
It's true initrd is not verified; the system boots but the security secure boot is supposed to provide is not available by default. I don't think many Fedora users care, but that can be an issue.

To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.

I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.

As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.

>>jeroen+nJ6
Unified Kernel Images sounds like a useful improvement. I imagine that when combined with whole-disk encryption it provides useful protection against evil-maid attacks, but I haven't been able to find any signs that there is any Linux install in existence anywhere--except for Android and ChromeOS--where the boot process can detect an alteration to a file in /usr/ (e.g., the system's C library) and refuse to boot or at least warn the user. Unlike an evil maid, malware that has succeeded in its goal of running in a privileged process can alter any file in the unencrypted root filesystem.

In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.

In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.

>>nequo+VX5
There are many, many, many web browsers that are not corporate-controlled. Some of my favourites lately are the Argonaut Constellation [0] – mostly because of the interesting technical decisions going in the development (particularly the CSS and the Haskell), but also because Rhapsode is already better than eSpeakNG + AT-SPI2 + Firefox.

There's also the venerable lynx, and elinks (which I reluctantly admit is better than lynx, even if I don't use it much), and Dillo+ [1] (a fork / continuation of Dillo that supports Gopher and Gemini). And could I forget NetSurf, with its graph-y history navigation? And of course, Ladybird, [2] probably the best-funded of the lot.

These are just the ones I've heard of. There are surely dozens more you'd be interested in, and thousands of little hobby projects. Why not try making your own web browser?

[0]: https://argonaut-constellation.org/

[1]: https://github.com/crossbowerbt/dillo-plus

[2]: https://ladybird.dev/

>>tomjen+z84
> people need their computers to run old software

So? They can force you to pick between running old software or running new software. This is hardly new if you look at the broader "compatibility" scene. Old hardware and software are being dropped all the time. (Remember when MacOS dropped 32-bit support and wiped out a huge chunk of older games?)

If you want to stay in the old chain, you're free to do so, just like how you can still pick up a word processor made a couple decades ago and make documents on it. It only affects you if you want to use the Internet as that keeps evolving. (If you load up some '00s or '10s era browsers you'll see that many of them do not work at all for the popular Internet sites, which have all adopted things like newer TLS implementations and HTTP/3 or whatever the latest one is...