I'm recommending Mozilla Firefox to all friends and family.
The only way around the dystopia this will lead to is to constantly and relentlessly shame and even harass all those involved in helping create it. The scolding in the issue tracker of that wretched "project" shall flow like a river, until the spirit of those pursuing it breaks, and the effort is disbanded.
And once the corporate hydra has regrown its head, repeat. Hopefully, enough practise makes those fighting the dystopia effective enough to one day topple over sponsoring and enabling organisations as a whole, instead of only their little initiatives leading down that path.
Not a pretty thing, but necessary.
In general Google engineers don't tend to work on branches, especially long-running ones. Incremental small code reviews are the expectation. The general process would be to stick things securely behind flags and continue development without turning it on, even if it never ever launches.
Not saying this work should be done -- it shouldn't -- but code being pushed is not the same as "we're going to make this happen tomorrow, no matter what."
This implements device level verification of the code running your browser. If the device identifies as something Google, or other implementing websites, don't approve, you'll get an error similar to how you see 404 errors for missing/wrong links.
I wish Google could and would make Chrome closed source. It would at least give all those rebranded Chromiums (Opera, Vivaldi, Brave) a strong reason to reconsider their choice of engine, or at least maybe work together on a more divergent fork of it that stays away from Google's evil stuff.
https://www.theregister.com/2023/07/25/google_web_environmen...
Despite the spec's half-baked state, the blowback last week was swift – in the form of a flood of largely critical comments posted to the WEI GitHub repository, and abuse directed at the authors of the proposal. The Google devs' response was to limit comment posting to those who had previously contributed to the repo and to post a Code of Conduct document as a reminder to be civil.
The usual way to deal with opposition these days.
"Don't mind me guys, I'm barely boiling the frog."
Yes, because that's such an anti-consumer issue. It shouldn't exist in the first place, it should never be merged to master. There's no reason to not keep it on a separate branch if you don't intend to use it.
Google needs to be broken up.
They own the browser market. They own the web (through Adwords). They own Search. They own mobile. They own most of the video sharing market with 2.5 billion monthly annual users. They own a good chunk of email with 1.2 billion monthly annual users.
They have amassed an incomprehensible amount of power and influence over humanity and they have proven repeatedly that they are willing to use that power to the detriment of humanity and to entrench themselves further.
Google needs to be broken up.
Google is an ad company. They're not a browser company.
Now it's almost impossible to access websites in an automated way -- the CTO posted you can just email him (>>34639212 ) and he'll sort it. Because that scales.
edit: Misspoke about the CTO, said he would approve you, I was wrong. Apologies.
Their DNS is "privacy focused", but they provide "aggregated results" of domains. How is that privacy focused?
Cloudflare came from the approach of being a developer's friend ("Look! SSL is now free!") but was given the internet on a silver platter.
It's permanently blocked to prevent piracy, or something, mumble, mumble...
We are capable of going elsewhere for free and open access to information, and we would be better off spending our energy on positively influencing others to follow us in that direction. They can’t take away tcp, http, ftp, irc and all the other protocols that these megaliths have built their empires on, and we can still use those tools even if it’s a demoralizing regression to move back to the basics. Giants like Google, Amazon and others depend on our unwillingness to rebuild. Let’s use our efforts and our ingenuity to show them that they’ve underestimated us.
We have the tools, we have the knowledge. Let’s be builders instead of petty complainers.
I imagine it's hard to push back against it even internally. Not to be jaded, but one or two people raising a stink about it will only achieve them screwing up their career prospects within Google.
"An owner of this repository has limited the ability to comment to users that have contributed to this repository in the past."
The last time I checked, multiple profiles support is somehow half-baked.
Ben Wiser ( https://benwiser.com ) turned off comments altogether.
Chrome and Android are open source, and there are several forks of both thriving in the ecosystem. Yeah it would be cool if there was a decent open source alternative to GMail and Drive, but no one else seems to have figured out how to get the incentives right for something like that.
Apple and Google only just now implemented this kind of web DRM, which absolutely can have further restrictions added to it. Careful with your absolutes.
Having open source implementations does not make a difference, because a Google, or implementing website, server will control whether the content is served. Having the mechanism of access open sourced makes no difference in this situation.
It is the same situation with the "latent" passkey attestation mechanism. Apple and Google have general guidelines that the feature will not be used, but that is only true currently. This should not be part of the browser for the same reason as with passkeys, it gives corporations final say in what you are allowed to use.
We developers are so gullible. Just give us some shiny things and we don't even realize they're heating up the pan.
Ie. on a given device, for 10% of websites, WEI pretends to be unsupported.
That means websites can't deny service where WEI is unsupported. Yet it still allows statistical analysis across bulk user accounts.
If WEI was implemented like this, I would support it as being good for the web ecosystem.
And what do we have to show for it? Our tools power their botnets and they flaunt the CoCs in our faces when we try to do something about it as “not constructive”.
Google's open source projects are open in name only.
The same technology could easily be applied to simply blocking anyone who isn't verified (in the name of stopping spam, DDoS, bank security, you name it), meaning anyone not using an approved install of Windows/macOS/Android/iOS is shut out from the internet.
In the long term, in the name of "banking security", they're likely to add a mode that also lets you ensure your pages aren't tampered with by extensions, and there go all the ad blockers.
Whatever you may think of Kiwifarms, we all saw how that narrative unfolded from a technical perspective.
Edit: the Register article linked elsewhere looks as good as it gets for now https://www.theregister.com/2023/07/25/google_web_environmen...
I'm a FF user since the early 00's and Firefox will mostly not go away because Google has an interest in using it against monopoly accusations but the reality is bleak..
And the reality is these people ( Google in this case ) are so far removed from any moral compass about the Web ( at least what most people here think of "the Web" ) that it's near impossible to do anything about it. These companies are huge and from top to bottom there are certain groups that are hired guns to do a job, no matter what "job" it is, they'll do it, achieve those KPIs, get promoted, get paid. Even for their own detriment in the future, it doesn't matter. Big money now, screw the rest.
Btw, this is how every big company operated since forever, the only "news" here is the disproportionate impact their acts do to the World due to their huge size and influence.
No, it didn't, it restructured itself into Alphabet, with many subsidiaries. But, all the core businesses are still under that umbrella organization, with most web-related businesses remaining inside the current Google entity.
A forced divestment of the browser business might help. Same for the productivity products.
The Open Web. Creators: TBL et al, Destroyed-By: Google et al.
Reddit wanted to control how users consumed content on their site. To control the experience (i.e. monetize with ads), they had to shut down third-party clients, since those could remove ads.
Google appears to be doing the same thing, but for the entire web. WEI is a way for sites that want to monetize with Google ads to prevent folks from accessing their site unless they can cryptographically assure that the user's browser will follow all the rules Google sets. We don't yet know exactly what all those rules will be, but it isn't hard to guess that they'll be along the lines of whatever makes Google the most money.
This applies to desktop browsers, but also affects automated tools like wget and curl. It could kill web scraping altogether.
[1] https://arstechnica.com/gadgets/2023/07/googles-web-integrit...
Nested CSS is supported in the latest version of all major browsers.
The link at the top of the page is pointing to the GitHub repo, where you can see literally over a million contributions from thousands of people working at hundreds of companies: https://github.com/chromium/chromium/commits/main
I've worked on both Chrome and Android (Chromium and AOSP) professionally, and never worked at Google.
No one has paid for a browser in almost 3 decades and even then few did.
Wherever you live, you should contact your government representatives and regulators and put a spotlight on this issue for what it is--monopoly abuse of power.
Grassroots efforts are great and it is good to let your friends, family, and associates know what they are doing and why it is wrong. However, government regulation of this abuse is needed to stop it by force of law.
The temporary nature of any licensing deals behind these services and the resulting lack of reliable long-term access to content have become more and more obvious.
Increasingly the streaming services seem to be so paranoid about piracy that they are blocking "unapproved" players from getting the highest quality versions of the content - as if anyone who wants to pirate any blockbuster movie can't already find a way to get it in 4K somewhere else if they really want to. Meanwhile you can't watch your 4K movie on a service you're literally paying to provide that movie. IIRC Amazon Prime Video still won't even let you have HD content if you're on Linux.
It feels like the commercial incentives for tech firms to create walled gardens and a culture of never owning anything permanently are going largely unchecked and by now the governments who are supposed to act in the interests of their people should really be stepping in with regulation to counter those negative trends.
Except for Google's pinky swear, I mean.
The only pressure that Google has been shown to consistently respond to is political. Get a couple of senators (... of the right party) to send them a mild rebuke and they will indeed retreat a little (... and try something else later). But that's a lot harder than posting angry comments until the next piece of outrageous news comes along, isn't it?
Is EFF still the place to send money?
Soon the percentage of people supporting it will be high enough to make it mandatory - the last 5% can just get a new device or something like that. They'll do it when their bank website tells them so.
The day Cloudflare flips the switch to require it for all connections is the day the open web dies.
Considering NCSA Mosaic’s initial release was just 30 years ago this year and it’s considered the first browser, think you might be using a bit of hyperbole there? Twenty years would’ve been more accurate.
On a separate note, for journalists and others who wish to communicate with the spec's author directly, his public website (which lists a personal email) is one of the other repos on the Github profile under which the specification was published. It's painfully absurd that he wrote this sentence in 2022 [0]:
> I decided to make this an app in the end. This is where my costs started wracking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.
[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...
If you want to help, push back on all the anti-Firefox rhetoric that amplifies every little misstep that they take. Firefox is so much better from a user-respect perspective and the vitriol over little things (a couple of anonymous, tracking-free sponsored links on a new tab page?) are losing the plot.
Both users can keep Chrome installed as a fallback - that will help with convincing too.
To make it explicit: the only way this happens is by Americans voting for it. The FTC has been more active on anti-trust issues in the past two years than at any time in the past 30. That's a direct result of the 2020 election. Elections matter.
Will it though? Google's main reason for WEI I assume is to combat ad-fraud. Ie. to prevent someone making a bot farm to click ads to earn money from advertising or exhaust competitors' ad budgets or manipulate search engine user ranking signals.
With WEI, all ad clicks without WEI could just be ignored (ie. not billed to advertisers, ignored when calculating statistics and signals). If 10% of clients have WEI 'cloaking', you just inflate the final advertising bill by 10% to account for those users - the end result is the same as billing for all real users and no bots.
WEI still achieves all of Google's goals even with cloaking.
Add to Mozilla's perceived not-very-good management and you have a death spiral on your hands, and more power to Google and Apple to shape the Web towards their interests.
FWIW, first-class profiles support matters a lot: https://medium.com/sort-of-like-a-tech-diary/profiles-the-on...
When the usage metrics drop for Chrome based browsers they would need to start respecting other users, instead of just ignoring them.
Currently they can just ignore the users and continue as they do. As the rest would not make a dent in their bottom line.
Most websites aren’t bank websites. If a website doesn’t support Firefox, leave. If a website doesn’t support good old HTML, it is probably made by some kind of dummy who is trying to replace lack of content with glitz, this sort of person shouldn’t be listened to.
I don't see how this matters, it's an open source project, if people find enough value, it will be forked and improved by community or a new organization will form around it. This is the beauty of open source, you must embrace.
Sounds like a great way to enforce censorship:
- websites can deny access to unverified web browsers / web clients
- WEI-enforcing web browsers / web clients can refuse to go to unverified websites (not a stated goal, but it is a logical next step to boost website adoption of WEI APIs once a critical mass of clients is reached)
Google wants to build a wall around the Web and have their own walled garden:
Surveillance is possibly the worst of the bunch. They say it’s just to do a better job of serving ads, but that’s only the tip of the iceberg. Governments could easily use it to know and track everything you do online. Just wait till the next elected nut job wants a list of everybody that has ever looked at or searched for a certain type of information, maybe they don’t like that you looked up info on abortions or lgbt info, now they can know the full extent of what you saw and when.
Ads will be worse. You think YouTube ads are bad now, just wait till you can’t visit any page without the mandatory viewing of their ads. They can require a cam installed to make sure your eyes are on the ad, helpfully pausing the video when you look away.
- stop using Chrome
- do not implement web DRM on your personal site
- do not use providers like Cloudflare if they will support web DRM
- maybe add a warning on your personal site for Chrome users
Maybe something else?
It was this thread, where you mentioned emailing: >>34639212
From the "explainer": "we are evaluating whether attestation signals must sometimes be held back [...] However, a holdback also has significant drawbacks [...] a deterministic but limited-entropy attestation [i.e. no holdback] would obviate the need for invasive fingerprinting".
From the Google worker's most recent comment on the issue: 'WEI prevents ecosystem lock-in through hold-backs [...] This is designed to prevent WEI from becoming “DRM for the web”'
So, in other words, WEI could be used to prevent fingerprinting, but won't be able to if holdback is introduced -- 5-10% of clients would still get fingerprinted.
Looking at the list of "scenarios where users depend on client trust", all of them would be impacted by a holdback mechanism:
- Preventing ad fraud: not for the holdback group
- Bot and sockpuppet accounts on social media: not for the holdback group
- Preventing cheating in games: not for the holdback group -- and thus not for anyone playing against someone in the holdback group
- Preventing malicious software that imitates a banking app: not for the holdback group
In other words, if there was holdback, WEI would require places which currently fingerprint to retain and maintain the fingerprinting code and apply it to fewer users, in the best case, or would be completely useless in the worst case (for things like games).
However, it's also quite interesting to look at the implications of successfully attesting a browser which supports arbitrary extensions:
- Preventing ad fraud: install an automation extension
- Bot and sockpuppet accounts: as above
- Cheating in games: install an extension which allows cheating
- Malicious software which imitates a banking app: a malicious browser extension could do this easily.
In other words, unless you attest the browser with its extensions, none of the trust scenarios outlined in the explainer are actually helped by WEI. It's not obvious whether the Google employee who wrote this deliberately didn't think about these things, or whether the 'explainer' is just a collection of unconnected ideas, but it doesn't appear to hold together.
It is not surprising that the first target of WEI -- Chrome on Android -- does not support extensions.
> I decided to make this an app in the end. This is where my costs started wracking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.
The double-think is absolutely astounding.
[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...
It’s very likely governments will make this mandatory if they have the chance to regulate over this.
Ignore Google and educate your friends and family about the alternatives. Make it your mission to save the Internet.
WEI randomly fails, website sees it, has never implemented any error checking (or fails on purpose without WEI), WEI becomes effectively mandatory.
Google is a gun manufacturer telling people on the other end of it "don't worry, every one in 20 bullets doesn't fire".
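Added example, not part of any comment in this thread and not code from the WEI proposal: a small model of the holdback argument made above (a device pretends WEI is unsupported for 10% of sites), comparing a site that denies on a missing attestation with one that only records it as a signal. The function names, the HMAC standing in for the attester's signature, the 80% share of attesting browsers and the `bank.example` origin are all assumptions made for illustration.

```python
import hashlib
import hmac

HOLDBACK_RATE = 0.10                    # the 10% figure used in the comments above
ATTESTER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the attester's signature


def held_back(device_id, origin, rate=HOLDBACK_RATE):
    """Deterministic per (device, origin): a given site always gets the same answer."""
    digest = hashlib.sha256(f"{device_id}|{origin}".encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64 < rate


def _sign(msg):
    return hmac.new(ATTESTER_KEY, msg, hashlib.sha256).hexdigest().encode()


def attest(device_id, origin, supports_wei, content_binding):
    """Client side. Returns None both for 'no WEI at all' and for 'held back',
    so the site cannot tell the two cases apart."""
    if not supports_wei or held_back(device_id, origin):
        return None
    msg = f"{origin}|{content_binding}|ok".encode()
    return msg + b"." + _sign(msg)


def verify(token, origin, content_binding):
    """Server side. Valid only if the MAC checks out and the token is bound
    to this origin and this request (so it cannot be replayed elsewhere)."""
    if token is None:
        return False
    msg, _, tag = token.rpartition(b".")
    expected_msg = f"{origin}|{content_binding}|ok".encode()
    return hmac.compare_digest(tag, _sign(msg)) and msg == expected_msg


def fail_closed(token, origin, binding):
    """Site that treats a missing attestation as a reason to refuse service."""
    return "allow-attested" if verify(token, origin, binding) else "deny"


def signal_only(token, origin, binding):
    """Site that serves everyone and keeps the attestation as one input for
    aggregate analysis (the behaviour holdback is meant to encourage)."""
    return "allow-attested" if verify(token, origin, binding) else "allow-unverified"


def simulate(policy, n_devices=2000, wei_share=0.8, origin="https://bank.example"):
    """Run a constructed population through one site policy and count outcomes."""
    counts = {"attested": 0, "attesting_denied": 0, "non_wei_denied": 0}
    n_wei = round(n_devices * wei_share)
    for i in range(n_devices):
        supports = i < n_wei            # constructed: first 80% run an attesting browser
        binding = f"nonce-{i}"          # per-request value the token is bound to
        token = attest(f"device-{i}", origin, supports, binding)
        decision = policy(token, origin, binding)
        if decision == "allow-attested":
            counts["attested"] += 1
        elif decision == "deny":
            counts["attesting_denied" if supports else "non_wei_denied"] += 1
    return counts


if __name__ == "__main__":
    for policy in (fail_closed, signal_only):
        print(policy.__name__, simulate(policy))
```

Under `fail_closed`, holdback does not protect anyone: every non-WEI client is refused, and roughly a tenth of users on attesting browsers are refused as well, which is the failure mode the comment above describes.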
> They'll do it when their bank website tells them so.
Right.
> The day Cloudflare flips the switch to require it for all connections is the day the open web dies.
Makes sense and unfortunately seems realistic.
Have seen FTC going against Amazon because the FTC chair had published prior work against Amazon's practices. Not defending Amazon but FB/Google are a much bigger threat than Amazon.
The only way this has a slightest chance of working is in connection with trusted hardware. Microsoft has been trying hard to push tpm on everyone and failed. What makes them think they'll succeed?
We can add www to the list.
"The proposal suggests that websites should be able to request an attestation from the browser about its “integrity”. Such attestations are to be provided by external agents, which – presumably – examine the browser and its plugins, and issue an approval only if those checks pass.
The attestation is sent back to the website, which can now decide to deny service if the agent did not give approval." [1]
1. https://interpeer.io/blog/2023/07/google-vs-the-open-web
In other words, websites can now force you to comply with their shitty behaviour in order to allow you access, otherwise you get denied access.
Also check out firefox containers which is to profiles what docker is to virtual machines.
Firefox.
No, not Firefox of today; I'm talking about Firefox 20 years ago that defeated IE6 by sheer force of nerds alone.
Of course, the landscape is vastly different now and Firefox today is about the most not-nerd thing next to Chrome. If there's a browser here to save us anywhere, I'm not seeing it.
Put a gentle "Use Firefox" (or any other non-Chromium-based browser) message on your website. It doesn't have to be in-your-face, just something small.
I've taken my own advice and added it to my own website: https://geeklaunch.io/
(It only appears on Chromium-based browsers.)
We can slowly turn the tide, little by little.
And, I don’t think we (somewhat loosely defined group of people who like free software and information and have a user-friendly computing environment) can and should work against this. Probably, we should give the corporate web some sandbox where they can play their games, while we develop alternatives.
For example, Gemini is becoming more popular. People are talking about search engines that exclude the corporate web and favor personal websites. IPFS or just switching to FF again.
What I should've written is that: yes, they are open source, but there's no way to influence the direction they are going. These projects are 100% Google-run, and very few (if any) decisions are public.
For most projects there's also a significant proprietary part in the actual final product
let it burn
focus on building something new, new protocols, new networks, new browsers
It is unbelievable that over the course of 3 days, the potential future of the web has been put in such dire straits. There's already an existing, far less troubling (while still bad), proposal in the form of Private Access Tokens going through a standards committee that Google chose to ignore. They presented this proposal in the shadiest way possible through a personal GitHub account. They immediately shut down outside contribution and comments. And despite the blowback they are already shoving a full implementation into Chromium.
What we need is real action, and this is the role Mozilla has always presented itself as serving. A "true" disinterested defender of the ideals of the web. Now is the time to prove it. Simply opposing this proposal isn't enough. This is about as clear and basic an attack on what fundamentally differentiates the web from every walled garden as possible. If someone drafted a proposal to the W3C that stated that only existing browsers should be allowed to render web pages, the correct response would not be to "take the stance that you oppose that proposal," it would be to seriously question whether the submitting party should even participate in the group. Make no mistake, that is what is happening now.
Is that a realistic goal? I don't know, maybe not, but it seems like there's little will even in tech to try.
There was a time when tech was the biggest driver of alternate browser adoption, and even managed to make serious inroads into the mainstream. It's a huge shame that this attitude seems long gone.
https://www.opensecrets.org/orgs/alphabet-inc/recipients?id=...
Here is them lobbying specifically around antitrust reform legislation: https://www.opensecrets.org/federal-lobbying/bills/specific_...
> Private equity deals and transactions in the healthcare and technology sectors continue to attract heightened antitrust scrutiny...
> The US agencies have also demonstrated an increased interest in challenging vertical transactions.
> In January 2022, for example, the FTC sued to block Lockheed Martin's US$4.4 billion proposed acquisition of Aerojet, which the parties subsequently abandoned.
> Increased enforcement, combined with the agencies' reluctance to approve remedies, has created an uncertain environment where commercial parties should be increasingly prepared to litigate mergers.
> The ramping up of antitrust enforcement in 2022...
https://www.whitecase.com/insight-our-thinking/us-ma-fy-2022...
Here's another:
> Since 2020, the Federal Trade Commission (FTC) and U.S. Department of Justice (DOJ) have filed multiple lawsuits against major tech companies...
> "The agencies have started laying the foundations for a more interventionist stance over the last two years, and this year is when we'll start to see some of those efforts come to fruition -- or be stopped in their tracks by the courts," Kass said.
https://www.techtarget.com/searchcio/news/252528606/FTC-push...
I'm sure you can find more.
- Attestation does not work as an antifraud signal unless it is mandatory - fraudsters will just pretend to be a browser doing random holdout otherwise.
- The banks that want attestation do not want you using niche browsers to login to their services.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
Seriously, how is this a question? (Unless you want to go with another independent option, then sure)
No that ship has sailed.
It would mean focusing on developing the best browser and spending money on marketing so people download and install the best browser. Cut every other expense. Take FF from the politics of Mozilla and make it a real open source project.
If I look at Opera marketing, they seem to aim for young people with themes and video integration.
I do think FF has no vision and no clear strategy to get back market share, even if this is the only way to save the web. Perhaps market share isn't even their goal, I have no clue what they want.
Active against Google though? Remember, Google can help a certain political party in tough times (e.g. rollout of healthcare.gov).
The second best time is today.
Maybe it's too late, maybe it's not, but it's literally the only option we have if we want an open web.
At this point, anybody who runs Chromium is just enabling Google and has become part of the problem.
Excuse my french but Google can fuck off with their censorship and "reminder to be civil". They have truly gone mask off, with the Code of Conducts not reinforcing good practice and a welcoming environment, but just a tool used to suppress dissent.
I've switched to Firefox and I'd recommend everyone else to do so.
Cory Doctorow came up with the phrase "The War on General-Purpose Computing", which describes the situation perfectly.
https://www.opensecrets.org/orgs/amazon-com/recipients?id=D0...
and Microsoft:
https://www.opensecrets.org/orgs/microsoft-inc/recipients?id...
And yet we see high profile activity against them from the current FTC.
If you want a penny from Google adtech, you're subject to their stringently filtered portal, you're inaccessible from non-WEI enabled browsing, and circumventing WEI policies gets you demonetized. It'll be the Great Firewall of Adtech, gated access via an app to a filtered corporate paradise - a bit like Facebook tried in India, unsuccessfully.
If you want to be part of the free, non-commercial web, WEI doesn't apply, access is open. You are able to be indexed as such. The healing can begin.
This will provide a true choice: commercial xor non-commercial. Confine all the SEO garbage to ghettos that think they're kibbutzim, forcing the big commercial entities to either fight over the noise or exert their influence, and leaving the rest of us out.
Google Meet does have some key features missing on Firefox such as blurring / changing video background.
Because to me it just feels like it might be legally separated, but still owned and directed by the same handful of people. And it being separated makes it safer, in that they can't forward e.g. large fines to the parent company.
Disclaimer: I don't know anything about large corporations. or economy. or governments.
One way I could imagine to circumvent WEI would be to let WEI enabled Chrome do its thing, while proxying the decrypted HTTP traffic to a free browser with plugins activated, potentially on another machine.
Firefox was significantly better than IE though: it was faster, had more features, and things like that. This is what made Firefox popular, not "sheer force of nerds".
Chrome, when released, also had some significant improvements to Firefox. In particular, it was loads faster. This changed with "Firefox Quantum" (59 IIRC), but "too little, too late" I guess.
If Google wants more control and closure of the web, they shouldn’t benefit as easily from its current openness.
Just because they don't sell floppies in a box like it's 1994 doesn't mean these aren't businesses.
Firefox does some things better (like PiP video playback on most websites, like YouTube!) but others are so poorly done (like Profiles) compared to Chrome that it overall makes Chrome my first choice browser.
What we really need is for the collective browser vendors to refuse to implement this and, if Chrome pushes forward, to bring Google to court over it. Nothing short of legal intervention is going to help here.
Firefox performs way better and is a more pleasant experience. (This is a fair comparison because my ad-laden Chrome experience is internet as Google intends!)
If this ever helped, we wouldn't have absolutely unethical products created. Turns out people's morals have a price tag, that Google and others are willing to pay their employees.
The center row of versions with the gold border is how caniuse indicates the current release.
And I'm not American so it's not even some sort of patriotic comment. If Europe, or anywhere else, had a Google sized Behemoth, they wouldn't mess with it no matter how "anti tech" they might seem now. If anything they are anti tech because they don't want foreign big tech to have massive influence over them. You'd bet they wouldn't cripple big tech if they were European. On the other hand, as long as they are American that massive power is a feature, not a bug for the US government.
The reaction to Tiktok is a good example of how nationalism/geopolitics shape the reaction to big tech, which is why google is probably safe.
Are you okay with buying a new computer running the operating system and browser someone else wants to access your bank's web site?
You can still use your current computer and browser to access HN.
"FTC rewrites rules on Big Tech mergers with aim to ease monopoly-busting"
https://arstechnica.com/tech-policy/2023/07/ftc-rewrites-rul...
"FTC prepares “the big one,” a major lawsuit targeting Amazon’s core business"
https://arstechnica.com/tech-policy/2023/06/ftc-prepares-the...
"The Federal Trade Commission sued Amazon today, claiming the online giant violated US law by tricking consumers into signing up for the $14.99-per-month Amazon Prime subscription service and making it annoyingly difficult to cancel."
https://arstechnica.com/tech-policy/2023/06/ftc-sues-amazon-...
"FTC files to block Microsoft’s $69B Activision Blizzard acquisition"
https://arstechnica.com/gaming/2023/06/report-ftc-will-file-...
"A Federal Trade Commission lawsuit filed yesterday accused Ring, the home security camera company owned by Amazon, of invading users' privacy"
https://arstechnica.com/tech-policy/2023/06/ftc-amazon-ring-...
"Microsoft will pay $20 million to settle an FTC complaint that its Xbox platform illegally collected and retained information about children without their parents' consent"
https://arstechnica.com/gaming/2023/06/xbox-coppa-violations...
And that's all just from one news source, in the last three months.
In practice, this will make it harder, but not impossible, to run ad blockers. Now instead of just finding and installing a plugin, you'll have to first find and install a forked browser that implements the attestation as something like 'return true'. This will predictably decrease the number of people blocking ads.
Personally, I don't object to this. The easy solution for most people is simply: don't consume the content. Or pay money instead of watching ads. Content creators, it must be said, also have the option of self-hosting and/or creating content as a hobby rather than a career. As someone who has grown more and more despairing of any paid-for speech, especially by ads, I welcome this change.
Far more troubling is the possibility of attestation for "important apps" like banking or government. In general this mechanism gives the org a way to prevent you from doing what you want with your data. For example, they can prevent you from scraping data and automating end-user tasks. This takes away your degrees-of-freedom, and using a modified browser will certainly become an actionable offense. In my view this is by far the more troubling aspect of this change, since it takes away significant aspects of user autonomy in a context where it matters most.
Technically sophisticated users will note that it's not possible to secure a client, and foolish to try. This misses the point. These changes stochastically change behaviors "in the large", like a shopping center that offers two lanes in and one lane out, or two escalators in and one out. This represents a net transfer of power from the less powerful to the more powerful, and therefore deserves to be opposed.
EDIT: please don't downvote, but rather reply with your objection.
This will not increase security for the user either, it's just a new barrier at the risk of higher fingerprinting. Why should you care how your bank handles security? It's their responsibility, not yours to handle.
You'll have no choice and your love will be mandatory.
This won't stop malware of course. However a skull clamp will be installed to monitor your thoughts and you will be zapped if undesirable thoughts are detected.
Note: it's a hyperbole but if you want another OS, Browser or hardware you'll be forced to Homebrew it. Or use a compromised app.
Also, if you're a distro maintainer, configure apache and nginx defaults to make this the default behaviour.
Even better: instead of redirecting to any wall of text with a long explanation of the political and technical reasons of this choice, just display a big, loud "ERROR" message stating that their browser is unsupported due to the presence of this module, and a small tutorial on how to deactivate it from the about:config page, if available.
A lot. Here's a link where you can read about some recent activity in the tech industry (change it to sort by Date, I couldn't figure out how to do that in the URL): https://arstechnica.com/search/?ie=UTF-8&q=ftc You can probably find more on Google (or perhaps Duck Duck Go? :) ).
Ironically, WEI is one letter off from WEF... but I doubt that was intentional.
Making FF more prominent will not give Google more power, it will give Mozilla more power to negotiate better deals with Google and Bing to become the default search engine, because in the world of browsers, that's what pays the bills.
Giving more power to Mozilla hinges on them having a larger user-base so their voice is heard on these technical issues.
I'm tired of people complaining about how much better they could do "if only" this, or that FF was % slower on some tasks 10 years ago.
Firefox is a better alternative. It's the only alternative, and we can make more demand on its direction if we actually use it.
It doesn't mean that we shouldn't hold Mozilla to higher standards, but if we keep waiting for them to be perfect before we will consider using and pushing FF, we're just going to lose the only alternative not controlled by Google or Microsoft.
It's Firefox here and now. There probably won't be a tomorrow otherwise. Google is making that very clear.
With profiles I can have different bookmarks, extensions, and even a different theme so I'm aware I'm on my personal profile, not on a work profile. Since switching profiles on Firefox + macOS is a pain in the butt, I use 2 different Firefox channels (stable + dev).
Anyway, containers are nice, but they're not a replacement for profiles.
It's just the latest Firefox release, recompiled without all the Mozilla telemetry, and with all the settings flipped to more secure/private defaults so all the tracking features are opt-in instead of opt-out.
https://www.reuters.com/legal/us-appeals-court-opens-docket-...
Or Judges fast-tracking lawsuits to allow those being prosecuted by the FTC to get things over quicker, ex: https://www.reuters.com/legal/illumina-wins-fast-track-appea...
And I think the biggest blow may actually come about because of the SEC lawsuit that will be heard this upcoming term at SCOTUS: https://www.reuters.com/legal/us-supreme-court-decide-legali..., which will likely heavily rein in the power of administrator judges and the ability for an agency to keep initial fights in-house (blocking litigants from taking fights to the normal courts).
My business is off any paid Google crap.
I will never prepare a computer without uBlock Origin for any customer or colleague.
I think it's time to establish a successor to the web that we can once again call home. This doesn't mean we need to give up on the web or stop using it—it can run in parallel to the mainstream, a niche home for hackers and techies and people who care about freedom. It needs to be simple, like Gemini [0], but also have enough interactive features to enable old-school social apps like HN or the old Reddit. It should have a spec and a governance process that discourages rapid changes—we've learned from hard experience that more features does not mean better.
I realize this sounds like a cop out, and that getting people to use such a thing in sufficient numbers would be extremely difficult. But I'm pretty convinced at this point that the web as we knew it will never come back unless there's a reset—unless we create a new niche tech that isn't big enough for corporations to want to take over.
The infrastructure to do signed OS loading is already in place, and on some operating systems (e.g. Android), the OS attestation service is already in place. So everything is mostly in place already to have your browser attest that it is official Google chrome on Google Android on an approved device with a hardware chip that verifies a Google approved boot signature. That hardware chip contains a Google approved private key (a key that's signed by a manufacturer that Google has in turn approved/signed) that can't be extracted, and that's the key that makes the attestation. Replace the hardware boot verify chip with one that will verify software you want, and you lose your attestation key.
They could also make the OS service reach out to a web service to get an attestation that the attestation key hasn't been revoked, so even if someone did physically extract the key from hardware and share it, it could be revoked (assuming each device gets its own key).
In effect, wide use of this kind of thing means that open source software is no longer free since even if you can look at the code, you must be part of the anointed class (i.e. working within or approved by a major corporation) to edit it and run your edits.
WEI tries to shortcut that process by creating a secured sign-off system that would allow the server to only respond to queries from a blessed hardware and software configuration. This wildly constrains the user agents that would be possible. The pro for web developers is that they wouldn't have to concern themselves with whether their server or the HTML they are emitting is broadly standards compliant and compatible; they can just make sure it works with the target platforms they care about and rest easy knowing no other platforms can touch their system. But this is bad for anybody who, for whatever reason, can't use the blessed platforms (user agent and hardware combinations).
Immediate practical consequences are that a lot of the screen reader solutions people use would probably break (because the screen readers wouldn't be certified user agents), a lot of clever hacks would be far less feasible (the website somebody hacked together to track whether the ice cream machine was broken at McDonald's restaurants relied upon being able to pretend it was the McDonald's smartphone app well enough to attempt to put ice cream in the shopping bag), and it would basically become impossible to build a new browser or operating system from scratch compatible with the web (they wouldn't work with the websites people wanted to use because they wouldn't be certified as authentic on any of those sites).
This proposal grossly changes the balance of power on how the web works and places most of it in the hands of the incumbent browser and computer hardware vendors.
I did have issues during an interview in Microsoft Teams refusing to play my video. "Your browser is not supported", yeah fuck you it's not supported. I explain why, ask if we can switch to Hangouts and send a link.
Works fine, if more people had the balls to do the same we wouldn't be in this situation today. It's our duty to educate people instead of conforming to the path of least resistance.
About the only use case I still need Chrome for is for sites requiring experimental web APIs not supported by Firefox, such as Web USB or Web Bluetooth. Site compatibility for everything else, including very heavy web apps, is just fine.
History sync is encrypted, which is what made me switch over in the first place (Chrome deactivates history sync when activating end-to-end encryption – go figure…)
Remember that moderators can be abusive not just in terms of removing content that shouldn't be removed, but also by forcing you to accept things that harm you. Moderation is a trust relationship because I'm delegating my own personal decision to accept or block traffic/content/etc to someone else. Cloudflare is not trustworthy.
Cloudflare also used to be a big pain in the ass for Tor/VPN users because competent DDoS protection requires some kind of traceable identity. Their solution was Privacy Pass - an extension that let you pre-solve their CAPTCHAs. However, this wasn't good enough, so their next solution... was to literally partner with Apple to implement Web Environment Integrity, years before Google even proposed it. Nobody noticed this - not even me - because it was sold as a way to make CAPTCHAs less annoying. It was literally the trojan horse Google could only dream of building.
[0] https://forums.malwarebytes.com/topic/108447-my-site-using-c...
Which sort of underscores the monopoly point. There’s no universal free/cheap alternative to Meet, further entrenching Chromium.
The internets of old were just that - a place where nerds, freaks, outcasts, and other antisocial personalities congregated. Everything was permitted and everything was possible. Many, myself included, hoped that it would change the world. It didn't - the world is winning again, as everyone can clearly see. Still, I hope that the normalisation of the web might as well create a critical mass of those who just want something more than just a corporate safe space.
I sincerely wish that there is a future where protocols like gemini - stripped from all the visual noise and 'dynamic' features - get a critical mass of users. If that doesn't happen - as someone who doesn't use any mainstream social media, google and microsoft services, llms and other modern (and some might add - dystopian) stuff - I don't really lose much. There are enough great books for a hundred lifetimes, enough hikes to walk and friends to get blasted with. Maybe it'd even be for the better.
for a personal blog it has quite a lot of PR speak
Companies give google $X, and hopefully sell Y extra products. X/Y is the cost per sale. Google competes with other advert forms (eg. TV/radio/newspaper ads) on that X/Y number.
If there is ad fraud, that Y number gets decreased (budget is used up on fraud that doesn't translate to sales), and their revenue decreases as advertisers spend their ad budget on other mediums.
https://www.nytimes.com/2023/01/24/technology/google-ads-law...
n.b. I've found a lot of comfort by consciously rolling away from any subject that leads me to do "They"-ing, i.e. name an enormously large group, then talk about them as a unit. The more I avoid it, the more I realize how prevalent it became and drives how a lot of us feel society shifted.
They had enough weight at the time to say "The Web is XHTML2, you can make your own internet if you want" compared to what they can bargain for these days.
Maybe at the time it was a somewhat reasonable decision to abdicate their responsibility over to big internet companies, but that's what brought us to the current state where we're basically going back to original version of The Microsoft Network[1].
And Intuit: https://www.opensecrets.org/orgs/intuit-inc/recipients?id=D0..., https://www.ftc.gov/legal-library/browse/cases-proceedings/1...
And Epic: https://www.opensecrets.org/orgs/epic-systems/recipients?id=..., https://www.ftc.gov/legal-library/browse/cases-proceedings/1...
etc. etc.
There's just no such thing as verifying a "secure environment" outside of extremely narrow, controlled scenarios.
I'm also European and I think almost pretty much 100% as you think on this, but to play devil's advocate, and how I think this should have worked in theory in a free-market economy, is that the US, by allowing companies like Google to do their nefarious and frankly evil things right now and in the near future is also, at the same time, not allowing future potential companies, more innovative than Google is now, to take Google's place.
But what happens is that the US is focusing on having a strong and national security-enhancing company (Google) on its side now and in the near future, versus having an even stronger and, potentially, even more national-security enhancing company (the one that would have taken Google's place had the free market been allowed to do its thing) in the medium to long future.
On the face of it this compromise of security now and in the near future vs security in the medium to long future looks like a decent bet, the problem is that evil colossuses like Google are actively getting rotten from the inside, and at some point in the medium to long future they'll fall almost in an instant, with no company to take their place. That will leave the US highly vulnerable at that point in the future.
https://vivaldi.com/blog/googles-new-dangerous-web-environme...
It's pretty generally accepted that the correct way to do web standardization is for proponents of some new thing to implement that thing and deploy it and then once it has been shown to actually work bring a spec to the standards folks for standardization.
That usually works fairly well, although sometimes if that first pre-standard implementation does too well the original implementor may have trouble replacing theirs with something that follows whatever standard is eventually approved, because there are often significant changes made during the standardization process.
An example of that would be CSS grid layout. That was a Microsoft addition to IE 10, behind a vendor prefix of -ms-. Nearly everyone else liked it and it was standardized but with enough differences from Microsoft's original that you couldn't just remove the -ms- prefixes from your CSS and have it work great with the now standard CSS grid.
It was 4.5 years between the time Microsoft first deployed it in IE 10 and it appearing in other browsers by default (Chrome had it within a year of Microsoft, and Firefox had it about two years after that, but both as an experimental feature the user had to specifically enable). In that 4.5 years enough sites that only cared about IE were using the -ms- form that Microsoft ended up stuck with that on IE 10 and 11 instead of the standard.
The US did this with Standard Oil in 1911, Bell/AT&T in 1983. And the same laws were used against Microsoft in 2001, though the company was able to avoid a break-up.
Breaking up Google might not be the best option. Perhaps more rigorous regulation by the government would be better, similar to Microsoft. But a break up should be an option.
Shame on Rayan Kanso <rayankans@chromium.org>
Shame on Peter Pakkenberg <pbirk@chromium.org>
Shame on Dmitry Gozman <dgozman@chromium.org>
Shame on Richard Coles <torne@chromium.org>
Shame on Kinuko Yasuda <kinuko@chromium.org>
Shame on Rupert Ben Wiser: https://github.com/RupertBenWiser/Web-Environment-Integrity
Google needs to be broken up.
But it's absolutely fair to argue that the web operates on a different set of expectations than the Play Store/App Store, and I think the concerns that this will create a second-class citizen status for browsers are totally valid. There's a huge difference in character between "in order to prevent piracy and ensure ad revenue we are only releasing our app on the Play Store" and "we are only releasing our web app for Chrome".
Normies can f&$% off and enjoy the data-mined, DRM'd, ad-infested, CCP-propagandized, upload-your-photo-ID-to-post-here, privacy-free dump their illiteracy, careless disregard for harm, and data exhibitionism fetish has allowed the clearnet to turn into.
The problem was that if you used a third-party client, Reddit would have to coordinate with them to launch whatever new stupid cryptocurrency scam they wanted to push that week. On a web browser they can just push new code into it[0], and their first-party mobile clients can be updated ahead-of-time with support for the feature. But third-party clients would have to spend their own development time adding stupid "click here to get your Snoovatar[1]" links. They could slow-walk that, or just not implement that, and Reddit would have to spend time and money kicking users off that third-party app.
This, incidentally, is why every other major social media platform bans third-party clients. Third-party clients are user agents, not platform agents.
[0] Which, incidentally, makes web browsers not user agents
[1] An NFT scam Reddit tried to pull
Meet the new boss…
This is bad as a user story if you are not blessed and get likely locked out because the web operator doesn’t recognize you as valid
This is worse in the second order effects in that it can be leveraged to fight against ad blockers, paywall bypassers, YouTube video downloaders, and so on, by forcing all those user-friendly software under the umbrella of being unblessed. Hence the moniker of “web DRM”
It is, as always, for your protection. They will shake hands, implement whatever they like.
The road is clear. Chat control, Earn IT act, TPMs, Secure Boots, Cyber Resilience act, Online Safety Bill, Crypto Wars.
Most of the users decide what can happen. Most of the users are blind. The network effect will eventually force everybody to follow.
As for other browsers: I guess that you'd still be able to access my website, but YouTube and GMail will just show you a generic "This browser is not supported" or, at best, "Your browser had been deemed insecure. Please use a secure browser".
If we go full Nostradamus the most likely result is that Safari will play ball (because they are already doing something similar), Firefox will play ball (because they no longer have a spine), they'll implement whatever Google says, and yet another portion of the web will be closed to those who don't dance to Google's tune. I hope you're not too attached to youtube-dl or your adblocker.
Don't underestimate how much money they have to burn and how incompetent upper management is at making hard decisions and planning.
Multiple US states, France, Germany and the UK are going to make the web unnavigable unless you type your credit card number or scan your face for age verification in two out of every three sites.
We are going to need to at least try to create ways to secure those credentials in as zero trust model as possible.
(Note that the legislation is a disaster, but it is done. Nobody paid enough attention. It has passed or will pass in weeks.)
If certain publishers want to require ads to view their content, that seems like their prerogative.
<span id='browser' class='hidden'>
This website is designed for <a target="_blank" rel="noopener noreferrer" href="https://firefox.com/">Firefox</a>, a web browser that respects your privacy.
</span>
<script>
if (window.chrome) {
document.getElementById('browser').className = '';
}
</script>
Class .hidden must hide the element somehow, in this case I do: .hidden { display: none; }
[0] An ARM exception level that sits above hypervisors and is specifically intended to support trusted execution modes for isolated mini-operating-systems that do this sort of shit
i think if people see websites constantly being broken in chrome, instead they'll pick another browser, that's most people's first instincts when a site doesn't work.
just a take i guess, will it divide the web in 2?
My point is that at some other company (e.g. Apple) it would be done in secret on a branch somewhere, then big-bang merged later.
Google's process doesn't tend to work that way.
Firefox is actually a pretty good example of good branding. It’s short, rolls off the tongue, has pleasant alliteration, and evokes mental imagery.
Anti-communism and fascism are historically in lock-step. No one is going to use the services if you basically create web4 stormfront.
It is quite incredible actually, because it was not many years ago that working at Google had this coolness factor to it. Hopefully, it is a broader change of view, other than mine?
I'm having trouble grasping how WEI works, providing examples of what would and could happen and what to ask/tell the EU specifically.
From my limited understanding it would mean the lockout of people with non-compliant hardware/software, greatly increase the fingerprinting of web browser users and further vendor lock in to Google as a company?
- Sergey Brin and Lawrence Page, The Anatomy of a Large-Scale Hypertextual Web Search Engine
Ockham's Razor doesn't apply in an adversarial situation.
The road to hell is paved with good intentions.
The problem is given the number of Google's services, it can easily "nudge" site owners into implementing it.
They can make it mandatory for adwords or analytics or any other service that they have for webmasters and everyone will have to jump in while it is still technically voluntary.
If your $bank chooses to implement it, then it can very well mandate only windows or osx clients. Then you can't use firefox on linux.
This may sound like conspiracy theory but we already have examples of similar restrictions on android apps with safetynet. Bank apps already refuse to run on custom roms. It will not be limited to banks. Someone mentioned that McDonald's app doesn't work unless you pass safetynet.
That is how ridiculous it can become.
Edit: fixed typos
Because that thing basically describes a proprietary plugin like Activex, Silverlight or Flash before it, so a third party browser which doesn't have that proprietary tech can't fake it, under pretense of "standard". The code of that plugin will not be open source, worse, it will act as a spyware on people's computers at the OS level.
It's like EME before and these proprietary techs have no place in an open standard spec.
The only site I have compatibility issues with on desktop is MS Teams and even then it's only for voice/video calls, everything else works fine.
Firefox Android is a slightly less happy place. The password manager doesn't work very well (am moving away from the built-in one) and I can't log in on Amazon (which is important because I can't buy Kindle books in the app because of the Play Store).
I hovered over the green box for Firefox 117 and it said “Released”. I see now that for browser versions that have actually been released, it says “Released <release date>” and it’s just a very misleading bug because all unreleased browser versions will just say “Released”.
Therefore, one of the most efficient ways to kill a dangerous new standard is to endlessly harass anyone who works on it.
Sorry, the poor individual can not hide from their responsibility.
Go to Settings, and search for Autoplay (or in the left navigation, select Privacy and Security and scroll to Permissions).
Click the Settings button next to Autoplay, and set the default to whatever you like (amongst them "Block Audio").
It is not technically impossible, it's just going to be arduous.
WEI is part of a broader movement to make this false - more generally to make an internet where we know you are a human staring at a screen
It turns out having dogs (or more commonly programs and scripts) on the internet is not profitable and not good for business, so corporations want to take dogs off their websites by finding clever ways to attest that a real human with eyeballs is clicking with hands and staring at ads.
Support dog rights. Don’t allow for a WEI-dominated web.
AI is going to completely change search if it hasn't already, and google is not even close to compete in this space.
Video has some massive competition from the likes of TikTok. Anyway, YouTube isn't the only option on the market.
Gmail is still popular but since google has been pressuring users to pay, it's been easier than ever to find a reason to try another service.
Chromium can always be forked and have some parts removed or added, and as we all know quite a few browsers do this, some are quite popular.
Is google also losing IOS ads like Meta? If they do, that's another reason for alarm for them.
I'm not sure google is in the best position for the future and WEI is not going to be their golden ticket either.
And, if your prediction that web will change actually comes to pass, well then it'll be just another cycle for this space that has changed countless times since the age of dialup. The web is going to change, again and again, but as long as people are still free to set up a server and let the world access it, we can still do what we like with it.
A chrome browser on the same device has maps behave almost instantaneously.
If websites implement this, it will effectively make building a web search engine impossible for new entrants. The current players can whitelist/attest their own clients while categorizing every other scraping clients as bots.
If not for other reasons, I can't see how Google, a search company, can be allowed to push something that can kill competition using its market dominance in other areas like browsers.
But we / this site only represents a small percentage. 85% market share means there are hundreds of millions, if not billions of users that would have to switch to make any kind of impact.
And you can't do that without being a very large company with an operating system or the most popular search engine or other ways to constantly tell people to use your browser, no matter how good or privacy conscious or whatever your own is.
Public information on the 'world wide web' should by nature be open and accessible to any agent in a neutral way. (Of course this is implied in Google's (bullshit, cough) mission statement.) Making information about what the agent is invisible as a principle from the start would have helped with that.
In reality, that vision was lost in the early 90s when the web went from being a proposed hypertext/document/information retrieval system to being mostly a presentation system for what started as magazine/leaflet/poster analogues ("websites") to which were added dynamic client/server web applications.
The difference in model is stark: in the former, the browser, even the user, makes decisions about the presentation of the content based on mostly structural information declared in the document. In the latter, the 'document' is not a document, but a program executed on the users computer.
And once you've made that transition, the "developer" of the "program" now expects more and more of the kinds of controls they get when they truly control the platform.
And it doesn't help that in the midst of this, mobile applications came on the scene, undermined the web completely, and changed expectations of how content should be made available. From that point on it became even more expected by companies and product managers that they control the whole sandbox. e.g. Meta couldn't even be bothered to launch Threads on web, probably precisely because they don't like the restrictions there, and having full control is so much more profitable to them, and they're not the first.
In any case, this all sucks. I've already personally switched to Firefox in most places, but the very fact that Google feels emboldened to push this tack says a lot about the state of the web and how this 30 year trajectory has gone.
In a way, I just hope the "www" dies and all of us who helped create this thing in the first place birth something new and better. But this is also hopelessly naive.
And because of this, I don't believe that the US is able to break Google or the other flagship companies despite reasons existing for such action.
Time to get everyone and their brother help everyone and their mother get on Firefox.
For shame.
"Sorry, this site requires a certified web browser.
Your browser does not meet the security requirements that this website requires.
Please upgrade to the latest Google Chrome and remove any uncertified plugins."
Despite what some on the political spectrum try to say, the Internet has become a basic human right. It is required in schools in America. In many cases, it is required to even interact with certain government entities. Allowing governments and corporations to force users to a specific browser on a specific operating system just to interact with their site goes against everything the web is supposed to be -- an open platform for the free exchange of ideas.
This proposal is a slap in the face to all of that and basically allows governments and corporations to force users to use what those governments and corporations choose.
This is net neutrality all over again, just in a different vein.
I, for one, will continue supporting Mozilla and Firefox and will never again use Chromium-based browsers, or any browser which supports this. I just hope I can keep browsing the sites I need to.
There is no option to "implements the attestation as something like 'return true'". There is a chain of verification from the hardware manufacturers building in software surveillance, through OS developers treating the device owner as an attacker, this proposal of carrying the same user-hostile dynamic through browsers, and finally to the website that by verifying the signatures can force a user to only use software that enforces all of the above.
You should very much object to this! Today, "unsupported browser" is a CYA term that doesn't really mean much besides that the website has limited testing budget (and who doesn't?). With this proposal it would become a hard blocker. Goodbye Linux/BSDs/etc. Goodbye `make install`. Goodbye virtual machines. Goodbye computers that last longer than the rapid e-waste treadmill of mobile phone land. You will of course be able to keep running user-representing operating systems, old computers, "jail" breaking them, etc. You just won't be able to access banking websites, followed by web stores, then general sites. Basically anywhere today that hassles users with CAPTCHAs will be looking to implement these restrictions eventually (which is basically everywhere).
It's free and open source, works everywhere, has stuff like background replacement, and doesn't require signup at all.
Web is an open protocol. It is okay for both browser and server to support some third party extension, and Google owns 95% of browsers. But how can it be forced onto all the servers?
This itself is one issue; there are also all sorts of adventures they decide to go for little to not at all related to the browser development, and which are conducted to convince people all around the world that they're a good humane corporation that cares. Igh.
The Halloween memos called this "Embrace, Extend, Extinguish". Google didn't just ignore the moves that provided M$ dominance.
“What do you think the Russians talk about in their councils of state, Karl Marx? They get out their linear programming charts, statistical decision theories, minimax solutions, and compute the price-cost probabilities of their transactions and investments, just like we do. We no longer live in a world of nations and ideologies, Mr. Beale.” Network, 1976
Further, free speech must be defended despite the modern liberal tendency to cut off the majority’s noses to spite nazi faces. If you’re gonna fight nazis, fight nazis, don’t throw out fundamental human rights. They know they can taint principles, signs, and symbols with their stench. Don’t give up essential freedoms out of guilt by association. These charlatans have no political theory, no examined ideology. It’s a power struggle and we’ve already ceded too much power.
The only way to stop Google from treating the Web as their own OS is to take that power away from them, by switching to other browser engines.
Today, Google can provide Chrome as a loss-leader, making up for the "free" browser with ad revenue.
The new Chrome Company can't operate that way. It needs to make money on its own. Perhaps MS Bing offers more money. Or they build their own ad system. Or pivot into some other business area.
Anyway, I don't think anybody is arguing Google/Alphabet must be broken up, only that it's a tool that's available in the US, should we (society) decide other regulation is insufficient.
First:
- ban Google all together in your personal life. No chrome and no excuses. Stop your bullshit or leave this profession.
- develop with and for firefox and friends only, introduce usability problems for chrome
- employ the same tactics as google.
-> Bundle firefox with the software you are distributing.
-> Like google did, remove the competition altogether from the users device.
-> make your npm-module or your website slower in chrome
-> show a popup urging users to download firefox, provide a link.
Refer to their current chrome as malware.
-> use as many tricks as you can think of to spoil the well for google.
Destroy search results, fill their storage with /dev/random, whatever your imagination leads you to. You keep telling us you are so smart. Show it.
- remember, Google's capital is data. Hit that and the beast will die.
If you are not ready to do this, you are part of the problem. "Maybe later". No, people have warned for years. I wrote that using chrome is "less than smart" years ago, and some people took real offense when I wrote that. If you don't act now and update your projects like I wrote above, you will never do it.
Secondly, tweet, write to tech journalists. But only after you did the above.
Thirdly, Google is evil and they know it. They care only about money and they trust you to find excuses. There are already some people who talk to themselves "Well, I see both sides really". Don't be that one.
Fourthly, I am very worried that the window of opportunity is closing now rapidly. It is late to defend our values, rights and future all by ourselves while all political parties gladly take donations by the millions. I am not an anarchist (nor a libertarian), and I would rather sit on my lazy ass like you. However, the amalgamation of tech oligarchs and ruthless political factions is accelerating. They are happy to trade civil rights for something more tangible. Your legal rights are being eroded one after the other and you might lose the right (or means) to stand up for them.
If things go really wrong, keep in mind that while in theory one could burn the whole thing down, well, yes, a statement in public life would help for publicity. But PR is a hard thing if you don't have money. The easiest steps are outlined above.
Right. And so I ask this question: Why should I be forced to donate my data, CPU cycles, network bandwidth and privacy to one of the largest corporations in the world so they can address an issue (ad fraud) between them and their customers?
I'd note that I am not a customer of Google or their advertisers. Because advertisers are the only real customers of Google.
Edit: Clarified my point.
If the devs/Google's intentions are truly limited largely to trying to prevent bots, then I hope they realise their folly.
"IT people" live in a bubble and HN crowd even more so. There is nothing to stop this.
Because antitrust has been dead for a while. Chrome is a tool to drive people to Google and Google ads and nothing more.
I will say, I did appreciate Microsoft having a browser engine with IE and Edge, even if the former was notoriously a pain, it gave competition in the space. Unfortunately, that's not the case anymore and everything is either Chrome (Blink), Firefox (Gecko), or Safari (WebKit). And it's pretty clear what Chrome has done once they have amassed a dominant market share.
I'm sure there are Googlers who think they're legitimately making the web a safer place, but I think the real reason is pretty clear if you take a bird's-eye view.
Will this person's bank implement WEI in such a way that none of this person's devices (computer, phone) are supported and will this person not be willing or able to switch banks, only then buying a new computer comes into view. Without knowing anything about this person, assuming average, the chances for this must be low or the bank will have no happy customers left.
I fully agree with the underlying worries you and others in this thread have, but to extrapolate that without any nuance into a world where we all become privacy-less, ad consuming, eye tracked zombies on newly bought computers is not helping the case (in my view).
However.
Try opening any article from The Guardian on Firefox mobile. Even a good phone will start feeling sluggish and laggy and weird. An old phone will just go catatonic, get hot, and OOM the whole browser.
Surely this is partly The Guardian's fault. (Should it surprise me that the paper that poses "left" for the upper middle class is also incompatible with any but corporate software from Big Tech?)
But it's also definitely Firefox' fault too. Something is wrong with the implementation. If Chrome can render these sites smoothly, Firefox should be able to.
Firefox would only have an excuse if Google had some special APIs on Android, or were doing something to actively sabotage the Firefox experience. I'm not willing to get quite that paranoid yet.
There are some other browsers, but who the hell wrote them? How much of what you see in the app store is legitimate open source, and how much is OSS that some opportunist put their own trackers into? I'd love a good alternative, but I don't see a lot worth trusting.
So it's Firefox for most things, and Chrome when Firefox gets all slow and laggy. Or, Firefox for news articles, and Chrome for businesses' websites.
85 points by KoftaBob 1 day ago | 109 comments
Googlers tend to trust google, even when its readily apparent tool/system design obviously puts them in a control position above anyone else in matters that extend beyond their own walls. I've only met a few that will coyly admit they don't trust google, but maintain they have to keep up appearances.
I think it also explains their outspokenness on societal issues outside google's control. It's a distraction from thinking too hard about what societal bad google does have control over.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
This is why I don't use FF (although I'm on Linux). It's unusably slow for me. My experience is not the most common one (indicating that there's something about my ecosystem that FF hates), but I haven't been able to make FF work in any of the releases starting a couple of years back, I think.
I don't browse on my phone at all, so I won't be using FF there purely for that reason.
Alternatives need to be built and advertised.
> Or they build their own ad system.
And we still are being tracked by BigTech with the same business model that people object when Google does it.
> Or pivot into some other business area.
And what other method do you suggest for funding besides ads or people paying for the browser? The second option has never been a long term successful business for browsers?
Your second paragraph, about chain of trust, gets a little more wobbly, but this is a matter of fact, not opinion. Will this change require a chain of trust from hardware up? That's startling. Do you have a link? I read the proposal but don't recall seeing that.
The third paragraph seems to articulate the worry that systems will now be closed with centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again. And even if you do, you won't be able to connect it to the future internet to do anything real. That's not a good future. It's one which makes individuals passive and controlled by central authority - and even if you don't object to this morally, you must admit that an ignorant and disabled population is weak and susceptible to attack.
I'm not on board with harassing people (sad that I have to include this disclaimer).
That said, the people are not simply implementing this. They're actively and publicly justifying and defending it.
One thing about your comment above: Hulu can't start implementing attestation until Google turns the knob to 0 because they can't start randomly dropping 5% of Chrome users. So in your comment above it should be "and" not "or". If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.
If let's say they did turn the knob for Chrome, wouldn't it take a while for websites to start implementing this? For me not knowing as much about this it feels like this is a step in an ambiguous direction which could be good or bad still. But since it's Google everyone is thinking ahead in the causal chain. Can you help me understand why this is such a big and clearly bad step against the open web? Thank you!
A fresh web doesn't exempt you from the legal requirements unfortunately.
This year has seen the biggest state attacks by legislators on any electronic distribution of speech across most Western states for fifty years, and by and large the technology community has completely failed to even engage with that never mind stop it. We are all going to have to live with the consequences for decades.
HN is full of people that are indirectly helping to push these changes forward. You're preaching to the choir, and the choir is too lazy to switch browsers or learn how to configure a web server, so they just shrug and carry on.
I don't doubt your experience, but it's clearly not universal.
Consider incentives from Google's standpoint. They want to provide users a safe and secure experience. They want to simplify maintenance of software and provide developers the ability to simplify maintenance of software (a problem simplified by chopping the unbounded set of possible user agents down to a blessed, vetted subset). They have the resources to make their site screen-reader compatible, so they're not concerned about damage that could be done to screen-readers because they'll just bless one and support it. And, of course, they implicitly trust themselves to do all this.
In that ecosystem, Weiss's viewpoint is completely reasonable. The old model of the web is old, and led to gestures broadly at all the bad things about the web today... fraud, users getting owned, CP, botnets, misinformation factories. I can definitely see the viewpoint where someone concludes "It's time for a new model, and this company has the resources to do it."
I don't agree with him (and in fact I think the idea will fail; I think Google actually overestimates its ability to provide an equivalently-good user experience to what we have now if they aren't leveraging the unpaid labor of other vendors putting the effort into making their own houses work with Google's house without Google even being aware of their work). But I think it's useful to wrap our heads around how one gets into that headspace without thinking oneself a monster.
It will be swiftly adopted by well meaning but clueless bank and government clerks who will accidentally use it to lock all open hardware, open operating system, open browser users out and mandate you need to purchase at least one locked down corporate device to exist.
It's the trusted computing story all along. Eventually you will need permission to run your code on your own device and such "unlocked" device will be blocked from accessing any digital infrastructure because it might be otherwise used to breach ToS.
Not every Mozilla critic is a Chrome user; I'd even expect that the most vocal critics are Firefox fans and users.
It's like how all these "free" websites coasted along for years being quite user friendly, but have recently switched to extraction mode. Anybody who thought about the incentives knew what was coming down the line eventually.
Small anecdote: I am not sure how you're detecting the browser, but this note still appears in Orion (webkit-based browser) while it does not in Safari. Persists even when I change user agent explicitly to Firefox or Safari.
The other side to this issue is despite the scrutiny towards big tech, they can still lobby and make any regulatory actions seem effective, when in practice, they've already gotten their fingers into influencing policy in such a way that doesn't ultimately address the consumers' concerns.
The web was more open when to play those videos you had to use a proprietary Flash or Silverlight plugin?
The problem is that the proposal has not yet been brought to W3C.
> With the web environment integrity API, websites will be able to request a token that attests key facts about the environment their client code is running in. For example, this API will show that a user is operating a web client on a secure Android device. Tampering with the attestation will be prevented by signing the tokens cryptographically.
I don't see what else this could be referring to besides bringing TPM "remote attestation" up through the software stack to the level of a web browser. By "secure" Android it must mean one running a corporate Android distribution (see: SafetyNet), where Google has already been pushing this lockdown dynamic for a few years at least. Without tying it into the TPM, there would be literally no point to this specification as it could always be faked.
The insidious thing about this spec is that it's not an immediate prescriptive lockdown the way corporate "secure" boot is. Rather if it turns on tomorrow, Firefox, extensions, and community Linux distributions will all still work fine. But the long term dynamic is that each of these nonstandard things will be stamped out in the name of "security" - look at how the SafetyNet requirements on Android are getting incrementally harder to "pass".
Fundamentally this is entirely about consensual interactions. Right now, the demarcation point between user interests and website/server/company interests is the communications protocol itself. Your computer represents your interests, my computer represents my interests, and they possibly communicate with each other while still representing each of our interests. Remote parties that you're communicating with being able to verify what code you are running means they are then able to dictate what code you must run, even when it undermines your interests. Your only recourse becomes to not communicate, which doesn't work in our world of imbalanced power relationships. Computing's revolutionary spark of personal autonomy gets shoved back in the bottle as far as the Web is concerned.
> centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again
There's some nuance here. Likely you will still be able to "jail break" new devices, or even root them in a supported way like Google's current Android devices. But doing so will make the device useless for accessing any website that insists on performing the verification. So sure, you can keep on using your nonstandard development environments just fine - most of the Web will be unavailable to it though.
You will just need a second WebTV like device for accessing banking websites, then shopping websites, then news websites. As I said, anywhere that currently pops up CAPTCHAs when browsing from less-surveillable IPs is a good indicator for the eventual adoption path. Said device will implement all the restrictions the website publishers can dream of - ads, lack of copy/paste, no screenshots, no access by VNC, no browser extensions, no protection from corporate surveillance, etc.
> And even if you do, you won't be able to connect it to the future internet to do anything real
That's a long way off and doesn't have any technical connection to this proposal. But one can imagine this proposal being one step in a chain of developments/legislation that brings us to that point.
The only choice is to boycott your favorite artist because their record label made a deal with the wrong company. That's too many layers of indirection, for many fans.
I have no way of knowing if they are honest or not and even if they are there's no guarantee that they won't change their mind later. I cannot take the risk and be on guard forever.
I would much prefer not to allow them into the house in the first place.
Google should not have brought this proposal but they did. So, I will not place my trust in Google doing the right thing irrespective of their claims and promises.
> The FTC has been more active on anti-trust issues in the past two years than at any time in the past 30
FTC being more active in past two years over previous 30 is a strong statement.
Thanks for pointing this out, but I won't fix this.
Because in the short term it would disrupt a major company (ala Standard Oil), but in the long term it would allow the US to remain competitive in the global market.
If we allow Google to continue abusing its monopoly power in the US, that guarantees that the US will not be the home of the future technologies of the world. Innovations will be sucked up and killed as acquisitions. Enormous energy will be focused on blatant moat-building like WEI instead of developments that benefit the world. etc.
note to self: hn is a great place to debug & review your site
The bigger picture is that Google et al are actually part of the control structure. The governance system wants deanonymised Internet. Corporate interests are how this is being promoted - government legislation would be a harder pill for the masses to accept.
But all the recent mega changes (Elon buying twitter, etc) tell us that this is on the way. Apparent anonymous internet will be sandboxed. Knowing everything about everyone all the time, and having that data being crunched by ai's is an amazing, audacious goal, that seems close to being achieved.
Attestation bad. Chrome is just catching up to what Safari is already doing, with in fairness more open standard.
We need to kill both.
Will OS check if such python lib is installed or script running in the background? Then those that are doing ad fraud will move to programmable board as BLE keyboard/mouse/hid. Even microbit can be programmed as BLE HID device [1]. Add external camera on unattested device that will stare at attested device screen and you can automate lots of things. Sure this is more complicated to pull off but will probably eventually happen anyway if this is a lucrative business.
In the end WEI wouldn't prevent ad fraud / fakes but would end up used for restricting other things.
Legislation around device ownership rights is already present, especially in the EU.
I hope, pragmatically, something similar might happen with this: say that Brave (my daily driver) disables WEI in their Chromium build, and a new Chromium-derived browser surges in popularity... like judo, using their own power against them.
I'd love to hear your thoughts on how they were being anti-communist or fascist in your eyes.
There are enough top voted people demanding harassment in this and other threads to say that well, maybe that's what HN is, actually.
I own a rooted Samsung device and have to jump through 100 hoops to be able to use my banking app or Netflix or some rando game (which I don't actually play). SafetyNet broken, hardware fuse blown, Magisk Hide + some other hacks just to still be able to do online banking.
I just want to be able to ssh into my own device or install a real ad blocker, like Adaway without losing access to real world applications.
This is all very depressing.
I disagree. There is a point to making something more difficult but not impossible: you alter behavior at statistically significant scale in practice AND you get to point to the alternative as a reason why the change isn't "coercive". In practice, 99% of users won't know to download an altered Chrome - they have a shaky understanding of "browser" and "os" as it is. In fact, I can imagine Googlers rationalizing this as a kind of shibboleth that keeps hacker culture alive.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It's nakedly user-hostile. A blatant attempt to invert the "user agent" relationship such that the agent works for the advertiser/corporation/government to spy on the human behind the screen. The way the intro paragraph tries to disguise this as something users need or want is frankly disgusting:
> Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business.
Ugh. Here's a fixed, honest version:
Corporations like Google often depend on advertisers knowing as much as possible about their users. Their revenue may depend on fingerprinting the client environment, tracking their behavior and history, and attesting that a human with sufficient disposable income is behind the keyboard. This personal data mining is the backbone of Google's business model, critical for their continued dominance of the web and for the sustainability of their enormous margins.
I hadn't really considered this. In a roundabout way, is there a process for this to be rejected on grounds of "fair use" limitations?
Given Microsoft's push to make their OS support hardware attestation as well as Google's push for technologies which use hardware attestation in broader and broader scopes (Android and iOS have supported this for apps for a long time), the technology to make this possible is increasingly becoming widespread.
Hardware which supports hardware attestation is expensive and some people who can't afford it would therefore be excluded. But I don't think this matters.
If Google forces you to see all their ads then they can sell the ad space for more money. This can make it increasingly profitable to sell devices at an ever increasing loss. Likewise for Microsoft.
As a side note, this will make it incredibly difficult for anyone to compete in the hardware space. Why would someone spend even £500 on a phone or computer from a non adtech company when the adtech company can sell the same device for £100 or £50 or maybe even give it away for free?
By making hardware attestation more mainstream, it will become increasingly difficult to argue that enabling it for things would cut off customers.
I think it's easy to argue in favor of requiring hardware attestation for internet connections from the point of view of a government or an ISP. After all, if your customers can only use a limited set of hardware which is known and tested for security, it decreases the chance of security problems. For a police state like the UK it also seems even easier to justify too.
Even if things don't go that far, in a few years you will become a second class citizen for refusing to allow this on your devices. I can easily imagine banks requiring WEI for their online banking portals (they already do it for all their apps). Likewise I can also imagine my water, gas and electricity companies, or really any company which handles payments, considering this technology.
The worst part is, I don't think most people will care as long as it keeps working seamlessly on their devices. Likewise I don't think governments or the EU will do anything about it. I am not even sure what I can do about it.
Regardless, I have Googled this for you: please return the favor by helping others learn to use search engines in the future before leaving comments insinuating that they are lying.
The tldr (as you'll probably insist on that also) is that Firefox funds Mozilla, not the other way around, as the latter is a non-profit while the former is a FOR-profit, so Mozilla actually can't directly fund Firefox.
https://www.reddit.com/r/firefox/comments/ow9k0y/is_there_a_...
https://www.reddit.com/r/firefox/comments/a98gmi/donations_t...
My mother's new Windows 11 laptop's out-of-the-box configuration had me clicking through half a dozen things attempting to manipulate me or her into spending more money. There are (I can only assume paid-placement) news and adfotainment in the start menu! Repeat pop-up reminders from Lenovo to subscribe to their protection package. Emotionally-manipulative reminders to subscribe to virus protection services. To Microsoft Office. Etc. etc.
It's been the same thing in the mobile market, where the move to "apps" means you are running their software on your device all the time, so they can optimally surveil you, and target the advertisements and behaviourally-modifying nudges. Quite a few messaging services now actively mess with delivery of notifications, spacing them out, delaying them, according to research that shows what maximizes engagement.
I saw the trend 20 years ago and switched to free software around that time -- I liked Linux anyway, but it was partly on principle. Still, the new laptop was eye-opening. The degree of intrusion, the degree to which even desktop computers have turned into user-hostile advertising terminals serving the purposes of their manufacturer, rather than a computer for the user to accomplish their work, is quite shocking.
Everything networked is becoming like that - twisting the user's hardware, turning it into nothing more than a terminal, an extension of the corporation, serving their interests at all times. Even smart TVs now have ads built-in to their menus and such.
Furthermore, even if the "key facts" it reports don't initially include results of hardware remote attestation, it's entirely foreseeable that over time these will be added.
Pragmatically, I'm hoping that a Chromium spinoff like Brave (or Edge!? Could MS be the hero we need?) will turn the privacy switches on, WEI off, and get enough market share to make WEI infeasible.
US:
- https://www.ftc.gov/enforcement/report-antitrust-violation
- antitrust@ftc.gov
EU:
- https://competition-policy.ec.europa.eu/antitrust/contact_en
- comp-greffe-antitrust@ec.europa.eu
UK:
- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...
- general.enquiries@cma.gov.uk
India:
Yes, they will, because it has already happened.
On Android many many banking apps block rooted phones and custom OSes by using Play Integrity and Safetynet. And then games started doing it too, you can't play Pokemon GO unless your phone's OS passes Safetynet. And then restaurants joined in. Sorry, you can't order from McDonald's unless you pass Safetynet.
When does it stop?
I can't agree more strongly. I sat down to write a letter to the FTC, and I can't even articulate my objections because after reading this spec my only response is encompassed in "WTF is this shit?". I've worked in my past with members of the Chromium team and I've generally found them competent and well-meaning, and I can't see any amount of well-meaning (and some lack of competence) in this spec proposal. This feels like a shift in the behavior for Google far beyond their existing slow drive to consume everything, to something far more draconian and direct.
It's even funnier with the auto-reply "Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA)."
I think that was just a side effect of browsers like Phoenix/Firebird/Firefox and Opera offering numerous tangible benefits over IE and the other browsers of that era.
They offered things like better functionality, better security, better extensibility, better performance, better ad blocking, and so on.
There were many compelling reasons to switch to them, and many compelling reasons to suggest them to others.
I could easily show less-technical users how those browsers could make their lives better in many ways.
For a while now, though, that just hasn't been the case. Using Firefox today, for example, doesn't really leave most people any better off, but it does come with its own set of new problems. I can't bring myself to recommend it.
on iphone you can't even install software that apple doesn't explicitly allow.
they would love to extend this to all computing devices to remove control
Google sells ads. They want to kill ad blockers. This is how.
> Weiss's viewpoint is completely reasonable
Chasing diversions around in circles is not neutral. Someone wins by default. Diversions exist and they exist to tempt you into poor attention allocation decisions. This is not about safety, security, and providing an excellent experience. It's about ads and making sure you can't stop them.
Not going to happen. Rationally there should be broad political consensus about cutting Google back to size: from rabid libertarians worshiping the miraculous abundance generated by "competition and free markets" to bleeding-heart socialists keen on pushing back corporate power as the root of all evil.
Alas, these political categories no longer have any meaning. The US political system has mutated into something else (the messenger being a horned man) which will probably require some time to properly characterize and name using terminology that is appropriate to use in good company.
So the fate of Google will be more shaped by actions of external entities than as part of US regulatory efforts. Powerful countries that antagonize the US are simply degoogling and creating their own copycat panopticons.
The question is what will be the course of action of powerful countries that are allies of the US (i.e. Europe and a few others). Will they accept that their digital society will be feudal in nature because the broken US political system cannot deliver on even basic responsibilities?
Hulu has DRM issues in Firefox and their DRM just fails with unknown errors on about ~15% of content they host (anecdotally, of course, I have no specific data). There's no way for me to tell if a specific episode of a show will fail or not, some succeed, others don't. I at least find no pattern for this. From this perspective, they are essentially randomly breaking 100% of Firefox users some seemingly random percentage of the time.
They have "good" business reasons to require this DRM and whatever this random broken user percentage is, I'm sure it meets their bottom-line criteria as a business.
"95%" uptime for Chrome users is only "one-9", but it's still got that one 9. That's an acceptable SLA to many businesses. A business might easily decide attestation is worth that "uptime risk" because it sells more ads or makes the DRM vendors happier (and thus the content owners are happier) or any other number of "good" business reasons.
Not on HN, please. I realize that you're trying to protect something you care about (and that maybe we all care about) but this leads to ugly mob behavior that we don't want and won't allow here.
You can make your substantive points without that, as most other users in this thread have been doing.
You may not owe web-destroying $MegaCorp better, but you owe this community better if you're participating in it.
"Google is an advertising company and does whatever leads to more profitable advertisements" does a much better job of explaining Google's actions than "Google just wants to build the best possible browser", so it should be preferred even though it is a more complicated explanation.
Not only the proposal, but Google itself. Google desperately needs to be broken up.
The internet is made by big companies. Not standards bodies. The WHATWG has the actual living standards, and Google, Apple, Cloudflare and Amazon make the actual software. Nobody cares about the W3C. And Mozilla is long past dead.
Fine. Then, when we arrive in hell because this person took us there, it should follow him all the rest of his days that he was too Pollyannish about the consequences of his own designs.
Nothing in the proposal requires the third party be Google. The proposal does decrease the control the user has over their own hardware, in the sense that it provides a channel for a site to decide the user-agent / hardware stack is the wrong pedigree to serve; that's not universally considered evil either (few people really get bent out of shape that you need a Nintendo Switch to use Nintendo Switch Online services).
FTC is on a losing streak, with the latest fiasco being the Microsoft Activision acquisition fiasco.
Mozilla is far from healthy but calling it dead is overstating things.
The Germans, British, Australians and French are also attempting to build their own panopticons.
Any successful US-based tech post-breakup would be acquired by larger international players, like Tiktok was.
NOW would be different because, again, this system is worse than Apple's, and because Chrome has a larger influence on the web than Safari (on Desktop, on mobile it's a foregone conclusion since you're not allowed a different engine other than Safari anyways, so the real fight there is allowing third party engines).
Does this answer your concerns? I can't tell if you are defending Apple and Google, or are against both but are using this what-about-ist accusation as a way to vent general frustration.
Even if you explain what is the difference, 99% they'll forget the next day.
It's just pointless. With this kind of overreach, only government intervention and regulation can help. Google is not something you can go against with your proverbial wallet - they are too big.
I would like to bring your attention to Google’s recent proposal to add a feature to its Chrome (Chromium family) of browsers called Web Environment Integrity. This provides a mechanism to reinforce Google’s already dominant browser market position by creating a technological control that can be used to nullify a user’s choice of browser, device and operating system. This technology also has the potential for abuse by preventing users from using browser extensions that can enhance security by blocking unwanted and potentially malicious content, as well as browser extensions that help vulnerable users with enhanced accessibility needs, such as color blindness and visual impairment.
Google’s dominant, near-monopoly position in the browser market already harms me as a consumer by reducing browser choices and preventing a competitive market for developing new browsers. Allowing Google to include this feature will reduce my browser choices and consolidate the browser market even further, and it is incumbent on [INSERT AUTHORITY HERE] to take action against this abusive behavior.
I'm thinking:
- content addressing, not server addressing (to better distribute the hosting load)
- looser coupling between data itself and apps for viewing data (to prevent aesthetics from being used as a heuristic for trustworthiness)
- a native permissionless annotation protocol (p2p trust governs whether annotations appear: if you see an ad, just revoke trust in its author)
- no code execution needed for browsing, fancy features (i.e. the kind of thing you actually need js for) stay optional
I'm curious what design goals other people think are relevant.
They will now have to use old fashioned social engineering to make you cough up that credential to steal.
[1]: https://radar.cloudflare.com/adoption-and-usage And CF stats doesn't depend on JavaScript.
"Move fast and break things." How many here used to cheer this approach?
Yes. However said companies may want to avoid too much scrutiny from governments.
As long as they can pretend the web is an open standard, they are good. If Google were to leave the w3c, it would expose them to antitrust laws and so on.
IANAL, the EU is also on the right track with antitrust but unfortunately seems very weak in terms of penalties and enforcement.
At this point, anything we can do to slow them down in any jurisdiction is a win. Even if antitrust enforcement is weak, making Google at least have to defend this in a pro-forma way I think helps.
Historically, many people making "insignificant" actions over time is the primary way that things have been improved.
Microsoft wasn't trying to control the web; they were trying to hobble it so that everyone kept on developing for win32. In retrospect, not a great strategy, but many companies try to kick the can down the road, and it often works, so I can't fault them too much.
What is different this time other than it being a feature that is considered user-hostile?
That's not to say we shouldn't oppose this feature, I just wouldn't be up in arms about an implementation existing.
Google can turn around tomorrow and say that no browser without WEI can access GMail, GMaps, GSheets, Photos etc; people will have to comply, effectively killing any browser that does not support the feature.
This is the problem with the Chromium monoculture. "We", as generic IT people and developers on HN, definitely have a responsibility for not deprecating this monoculture earlier. If you use Brave, you're guilty; if you use Ungoogled Chromium, you're guilty; if you use Safari, you're guilty. It's high time people start taking responsibility.
In fact, WEI will make it easier to use a robot w/ a sanctioned software stack since, hey, it's a "human" per WEI.
That's only applicable to Apple users, though.
Google has proposed a new Web Environment Integrity standard, outlined here: https://github.com/RupertBenWiser/Web-Environment-Integrity/....
This standard would allow Google applications to block users who are not using Google products like Chrome or Android, and encourages other web developers to do the same, with the goal of eliminating ad blockers and competing web browsers.
Google has already begun implementing this in their browser here: https://github.com/chromium/chromium/commit/6f47a22906b28994....
Basic facts:
1. Google is a developer of popular websites such as google.com and youtube.com (currently the two most popular websites in the world according to SimilarWeb)
2. Google is the developer of the most popular browser in the world, Chrome, with around 65% of market share. Most other popular browsers are based on Chromium, also developed primarily by Google.
3. Google is the developer of the most popular mobile operating system in the world, Android, with around 70% of market share.
Currently, Google's websites can be viewed on any web-standards-compliant browser on a device made by any manufacturer. This WEI proposal would allow Google websites to reject users that are not running a Google-approved browser on a Google-approved device. For example, Google could require that Youtube or Google Search can only be viewed using an official Android app or the Chrome browser, thereby noncompetitively locking consumers into using Google products while providing no benefit to those consumers.
Google is also primarily an ad company, with the majority of its revenue coming from ads. Google's business model is challenged by browsers that do not show ads the way Google intends. This proposal would encourage any web developer using Google's ad services to reject users that are not running a verified Google-approved version of Chrome, to ensure ads are viewed the way the advertiser wishes. This is not a hypothetical hidden agenda, it is explicitly stated in the proposal:
"Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins."
The proposed solution here is to allow web developers to reject any user that cannot prove they have viewed Google-served ads with their own human eyes.
It is essential to combat this proposal now, while it is still in an early stage. Once this is rolled out into Chrome and deployed around the world, it will be extremely difficult to roll back. It may be impossible to prevent this proposal if Google is allowed to continue owning the entire stack of website, browser, operating system, and hardware.
Thank you for your consideration of this important issue.
Please don't do this here. It's not what this site is for, and destroys what it is for.
Edit: I suppose I need to add—no, we're not pro-$MegaCorp or pro-$web-destroying-dystopia. We're just trying to have an internet forum that doesn't suck, and you guys need to make your substantive points without degenerating into mob behavior.
I fear you're right. But if the current trends keep up, I'll have abandoned the internet entirely before that happens.
I mourn for what we have already lost, and we are poised to lose even more.
The phoenix can rise.
The frozen chicken can not.
Still breathing makes a huge difference.
If you don’t like what Google is doing, don’t pretend that Firefox does not exist. Do something instead. File bug reports, send patches, donate to those who are working on Firefox and countering Google.
Probably better for a different org with different leadership to start over. I wouldn't count on Mozilla to miraculously reinvent itself.
firefox --ProfileManager
And then to use them you have to start firefox e.g. : firefox -P <profile-name>
Very few casual users (nor even most technical users) start Firefox from a command line, and setting up shortcuts for these is also a step that most users won't do. The support for profiles is there, it's just hard to use in the context of a GUI desktop.
More explanation:
In addition: could you please stop posting unsubstantive comments and flamebait generally? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
- Behind dev flags
- And then wait for consensus
- And then there have to be at least two independent implementations
And only then does this become a standard.
Chrome doesn't care. They create a semblance of the spec, create a semblance of a discussion, and then enable its APIs in Chrome. And then pretend it's a standard.
Idk if that would achieve my goals and honestly I can’t plainly state what my goals are. All I know is I get tired of privileged California snobs telling me how things should be in my back 40
She's now happily using Firefox with a non-hobbled version of uBlock Origin.
The attester will attest whatever they want. They can evolve to match the further degradation of user freedoms.
If there were a good browser run by a different nonprofit org, I would support that.
This sounds myopic, or what do you mean? W3C is not only about HTML and CSS innovation, but is responsible for and/or involved in a diverse set of relevant standards — many of which "big companies" don't show as much interest in contributing to.
https://en.m.wikipedia.org/wiki/World_Wide_Web_Consortium#St...
There is no other end state in capitalism. If you want tools and products that serve you instead of an owner, you must do it outside capitalism like with truly open source stuff.
I mostly use maps via an app (Apple or Google, they seem to be the same for basic use). Usually if I’m using a map, I’ll be using it in my car for navigation, so Firefox doesn’t even come to mind.
I suspect, on top of the “maybe it is internal apps” thing I mentioned at first, some of the really bad sites are the really interactive ones, I probably just use the app without even thinking of it.
Apple's just more subtle than Google.
To clarify the acronym, _Google is already pushing Web Environment Integrity (WEI) into Chromium_
Agreed. Eventually the attestor will be measuring “proof of life” with the camera, for example.
“Please drink verification can” isn’t too far down that road either.
People aren’t up in arms about the process by which web standards become accepted; they are up in arms about this standard moving forward at all because of its dangerous implications for the web and its outright user-hostility.
> However, a holdback also has significant drawbacks. In our use cases and capabilities survey, we have identified a number of critical use cases for deterministic platform integrity attestation. These use cases currently rely on client fingerprinting. A deterministic but limited-entropy attestation would obviate the need for invasive fingerprinting here, and has the potential to usher in more privacy-positive practices in the long-term.
I think any holdback will eventually go away because of the "critical use cases for deterministic platform integrity attestation"
It can be done again. Just drop the fucking Chromium bullshit now.
I have been using Netscape/Mozilla, in terms of heritage, ideology, and codebase, for almost a third of a century now.
I was there 30 years ago using NCSA Mosaic when it was first released for the VMS Vax system. The only break of any kind I had was with Opera as a secondary browser in the few short years between Netscape 4 and Phoenix (original Firefox). And I was still using Netscape 6, just not exclusively.
They can tear Mozilla (or any one of its forked variants) out of my cold, dead hands.
The DOM is largely abstracted over by JS frameworks and component libraries.
XML, XPath, XHTML, SOAP, etc gave way to haphazard JSON that's easier to use.
JSON-LD is a tiny niche and mostly unknown.
SVG is used only trivially as a PNG replacement or for vector graphics interchange, while Canvas is more common whenever performance matters.
Aria is mostly an afterthought, put in at the last minute with alt tags and roles on random elements.
Maybe MathML is still used on Wikipedia?
Can't comment on the other ones I've never heard of, but the web ones all seem either dead or niche.
I think this illustrates what I meant by irrelevance. It's not that they make bad standards or have bad ideas, it's just that companies have always preferred their own implementations of these ideas rather than some standard. Over the last two decades, the W3C has been at times a strong suggestion, at times a weak consideration, but never an actual standard. It was always the big tech companies making the actual standards. We were lucky when a W3C spec actually reflected real world implementations.
And this isn't just my opinion... the WHATWG was created specifically to bypass the W3C on purpose.
There are already various services that require proprietary applications to be installed, most of which are closed-source with dubious security track record. Replacing those proprietary apps with a common web browser is not necessarily a bad outcome.
Personally I am voting with my money and just avoid services that are user-hostile, independent of which user-agent I use to access those services.
... oh wait, they already did. They force a monoculture on all the platforms they can get away with, and even shipped this WEI crap already.
Explorer and Internet Explorer were deeply married, with the ability to set web pages as desktop background, the Explorer of Windows 98 having a "sidebar" that was an HTML page, the ubiquitous help format being compressed HTML pages with index and search, ActiveX giving webpages desktop-application-like powers, JScript being a powerful javascript-compatible automation language for Windows. Windows was full of web technologies in the dot-com era, many bringing web and desktop closer together. This stopped and reversed course in the early 2000s. You could now say that's classic embrace-extend-extinguish, but the collapse of the dot-com bubble explains the sudden lack of investment and increasing distance between desktop and web just as well.
That even Microsoft couldn't manage to keep up with progress only shows how utterly impossible it would be to kickstart a browser engine.
(The fact that Mozilla as an organization is embedded in constant infighting and utter incompetence doesn't help either)
In the last few days browsing Fediverse platforms I prefer the smaller communities for that old internet spirit anyway.
https://www.einvestigator.com/government-email-addresses/ [2022]
this abuse of tech, potentially goes beyond antitrust, and damages global economic wellbeing, as well as impoverishing information systems on global scale, generating isolation, ignorance, division, and radicalization.
Consider the phrase "tankie", what was once a term used by communists to describe a militaristic member who supported the USSR sending tanks into Hungary, has become a general phrase for anyone showing critical support to any socialist project.
Socialists are essentially told they are not allowed to support any previously or currently existing project because bad things were done, are told they're doing whataboutism if they compare the actions to western actions, and are called a tankie if they decide to stop caring about what liberals and right wing people say.
China IS a socialist project, are they strictly a socialist country? No. Did they perform the most thorough and equitable land reforms in the history of Humanity? Yes. Do they wield central power for central planning economic activities? Sometimes. Are they operating on a 100% worker ownership of industry? no, but they have a non-insignificant public ownership of industry, co-opting privately owned industry to steer activities with greater control and hold certain business leaders accountable.
I'm sorry to say, but "current day CCP conforms to the definition of fascism" just isn't correct and goes to prove the point that the meaning of words is mostly ignored. Fascism != Authoritarianism. There was a massive effort post WWII through the cold war to create anti-communist propaganda that simply wasn't true. You had actual ex members of the Nazi party leading anti-communist endeavors. The black book of communism counts Nazis as deaths from communism. The Victims of Communism memorial foundation is literally a mask on far-right thinktanks such as the heritage foundation.
That being said, the West is grossly lied to about China day to day. It is in various interests to have an enemy. To the point where one man can write a report identifying a "future cultural genocide" which was simply a reduction in growth of a population due to 1 and 2 child laws being imposed on a group that was exempt prior, as an actual, in-progress genocide. If you point this out, people call you a genocide denier.
That same man is a director of China Studies, at the Victims of Communism Memorial Foundation.
I apologize for this long winded rant, but yes, if you found an internet presence on being "anti-ccp", you're starting off on a literal fascist foot. The community will deride any left leaning voice, call any voice that says "hey china did a good thing here", as a "tankie", and it will become an echo chamber for right-wing hate speech.
Google makes it better for ordinary people. Or at least gives them that impression due to sites targeting chrome.
Firefox was an easy sell because it was just better for the user and importantly the dev tools were a quantum leap ahead.
The web was largely still made up of enthusiasts, very few people doom scrolled all day via apps like they do now.
Any fight back that isn’t mobile first is doomed.
And mobile first takes resources and taking on Apple and Google at once.
Firefox was better because it had tabbed browsing, integrated search, pop-up blocking, and extensions, but I was responsible for monitoring our perf back then and I can say for certain that we were not faster.
So it's a regular drag for me. If I really need to move quick to find something, I'll begrudgingly open chrome.
That's not really true. Apple is encroaching freedom of software choice on their devices, but they know that they can't extend the same kind of security policies to the desktop. You can disable secure boot on Macs and even run Linux if you like. Additionally, it's a bit difficult but if you disable SIP you do get access to the entire system's file system. They're a shitty company when it comes to repair-ability and their walled garden, but they know they can't extend this to the desktop, or else they would disqualify themselves from the developer market (where they are quite popular).
That's what you are claiming with your sarcasm hidden behind a rhetorical question, I've never said anything about Flash or Silverlight in the comment you've answered to.
There is absolutely no difference from a conceptual perspective between EME implementation and proprietary plugins, EME is necessarily based on a proprietary spyware, but you can't fathom that fact apparently.
But that's for Apps. Native Apps, not websites. If we argue this way, then this becomes a solution seeking an issue, since the first thing you learn in web programming is to never trust the client. I don't even see how this changes here, given that it won't mitigate any bugs, except giving me proof that the only bugs present on the client side system are the ones written by me.
The reason Google actually wants to implement this, is because they risk losing huge amounts of revenue due to adblocking, something they can control on mobile (since they control the software supply chain there) but cannot do in the browser (since I have access to the DOM).
At any rate, 100M downloads across the lifetime of the app isn’t much to write home about when considering the billions (plural) that use Google products. Furthermore, there’s an entire class of people that think Chrome IS the internet. It’s wildly more common than the average HN would think.
Most computers come with a trusted platform module which increasingly runs more and more services related to media handling. On modern Macs the T2 chip is an A8 or A9, meaning it has the same power of a modern iPhone and handles everything from device input (mouse & keyboard), to webcam decoding to media decoding. When you watch netflix on a modern macbook, the video buffer that is displayed is actually a shared memory buffer from the T2 chip, which the main SoC can't actually see. If you take a screenshot you will see that the screen stays black, since audio and video come purely from the chip.
You could run a Browsers Renderer in there and you would never notice.
I am posting from maintained Mozilla Firefox.
That would be impossible if FF would be dead.
1. Instead of using CSS to hide it by default, make the script to only add it (perhaps by document.write, or alternatively by adding text to an empty <div> or <span>) if Chrome is detected. (This way it will be compatible even if CSS is disabled (or not implemented).)
2. Instead of Firefox, mention something else such as Line Mode Browser (it has some features I had not seen in other web browsers, but which I think are good and would like to have), or some other uncommon one which doesn't have Google and Mozilla etc, or more than one.
> so fascism would be firmly out
This goes to prove my point, that there's a gross misunderstanding of history in the general population.
Fascism doesn't use force to get political power, it gains political power through reactionary ideas based on false assumptions that leads to a fascist regime where the violence then occurs on the "other".
It comes through ideas such as "protecting your family", "returning to tradition", and other feel good sayings that mean almost nothing. Think of the phrase "Woke", taken from black community vernacular and twisted to mean almost nothing at all. It describes everything and anything that can make a conservative person upset, from queer people to mental health professionals.
Despite meaning nothing, oh boy has it taken root. Beer is woke, tv is woke, the black guy in star wars is woke for existing. And oh man look how easy it is to take root and now millions of people live their life by the "anti-woke" lifestyle. What does that lifestyle mean? idk, buying shoes just to light them on fire, i guess.
This is why communist regimes had gulags. Fascism takes root through reactionary(meaning feelz over realz) ideas, typically against change. A revolution is something hard fought, why would they allow it to be derided by some idiots who miss when they owned all their neighbors land?
What I'm trying to say is one end of the spectrum is at a huge advantage when it comes to free speech environments, for the fascist does not need to argue in good faith. Going by "philosophies that support the use of force..." will get you a lot of a certain group.
However, I think the other stuff that you had mentioned would be OK.
Furthermore, a distro maintainer could configure clients by default to disable WEI (or to not include client programs that have WEI).
Yeah, but that also means that fines can be much bigger now, and make bigger headlines - which is what politics is about.
> Any fight back that isn’t mobile first is doomed.
This is actually a prime chance to highlight that mobile needs serious antitrust work.
Firefox on mobile exists, btw. Are you using it?
That's part of the "problem" with Firefox's support of profiles. It feels more like an afterthought and less like a primary use case the product wants to surface. To approximate the functionality Chrome has, I had to bookmark "about:profiles" and make it my home page.
Chrome also added this nifty feature that lets you open links as a Profile, making it easy to switch.
These may seem like small issues, but they end up mattering.
This, so much. Anytime I've brought up profiles on Firefox, I'm told about this alternative that isn't a replacement for the feature.
Safari is (finally) bringing this, so maybe the folks at FF will begin to see this as a feature worth investing in. First-class profiles support is one of the main reasons I stick to Chrome, despite trying to switch.
According to these folks[0], Firefox has a 3.29% market share globally. They also claim there are 4.66 billion browser users globally.
If those numbers are correct, Firefox has a bit more than 150,000,000 users worldwide.
If my software had 150,000,000 users, I'd consider that wildly successful.
Other folks have different ideas/takes on that, I suppose. But it's food for thought nonetheless.
[0] https://backlinko.com/browser-market-share#worldwide-browser...
Edit: Fixed prose.
Plus--as I imagine it--users would be able to trust each other in certain domains, so which fragments your device hangs on to is going to depend on who you trust and what you're interested in.
Hopefully, these combined would mean that whatever part of the web is relevant to your location is also the part of it that's already cached on your device or on a nearby one.
But as you just noted there is no conceptual difference between EME and the proprietary plugins that it replaced (Flash based and Silverlight based video players).
So how does replacing something with something else that is conceptually not different change that status of the web from open to not open?
Citation? To be sure, there was not universal outrage over Safari's attestation implementation, but out of curiosity I looked up the only thread I was aware of, in part because I couldn't remember what my reaction was at the time. That thread was a year ago and the overwhelming sentiment of the comments section is critical: >>31751203
Here were my comments at the time:
They're less forceful than they are now with Google, partially because I know more now about how attestation works than I did over a year ago, and partially because (as some people have also pointed out) Chrome's implementation is straightforwardly more dangerous than Apple's is.
But HN "actively defending" Safari? That's not the impression I get from the overall comment section and it's definitely not what I personally was doing. There are a lot of people in these comments calling Apple's implementation DRM. So I'm a little skeptical of the "nobody on HN cared about this with Safari" narrative that has sprung up; from what I can see media coverage was fairly positive, but people on HN were rightly critical. I'm not sure the facts match the narrative: Safari was criticized for this.
It's a fair critique that there wasn't a coordinated attempt to outright stop Apple, but I would once again remind everyone that attestation in Chrome is way more dangerous than attestation in iOS. The market matters, that's not context that can be ignored. So it's not really all that weird to me that people are more willing to react more strongly to abusive behavior in Chrome.
Can't they already do this by having scrapers send plain-old client certificates? Or even just a request header that contains an HMAC of the URL with a shared secret?
Actually, taking a step further back: why does anyone need to scrape their own properties? They can make up an arbitrary backchannel to access that data — just like the one Google uses to populate YouTube results into SERPs. No need to provide a usefully-scrapeable website at all.
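The HMAC request header suggested in the comment above, as an added Python example that is not part of the thread. The header name `X-Scraper-Auth`, the `t=`/`v1=` field layout, the signed timestamp and the 300-second freshness window are assumptions made here; the comment only mentions an HMAC of the URL with a shared secret.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

HEADER_NAME = "X-Scraper-Auth"  # hypothetical header name, not from the thread


def _mac(secret: bytes, method: str, url: str, ts: int) -> str:
    # Bind the MAC to the method, the exact URL and a timestamp so a captured
    # header cannot be reused for another URL or replayed much later.
    msg = f"{method.upper()}\n{url}\n{ts}".encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(secret: bytes, method: str, url: str,
                 now: Optional[int] = None) -> str:
    """Client side: build the header value the scraper sends."""
    ts = int(time.time()) if now is None else now
    return f"t={ts},v1={_mac(secret, method, url, ts)}"


def _parse(header_value: str) -> Optional[Dict[str, str]]:
    # Strict parser: every part must be key=value and keys must not repeat.
    fields: Dict[str, str] = {}
    for part in header_value.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or key in fields:
            return None
        fields[key] = value
    return fields


def verify_request(secret: bytes, method: str, url: str,
                   header_value: Optional[str],
                   now: Optional[int] = None, max_skew: int = 300) -> bool:
    """Server side: accept only a fresh header made with the shared secret."""
    fields = _parse(header_value or "")
    if not fields or set(fields) != {"t", "v1"}:
        return False
    t = fields["t"]
    if not (t.isascii() and t.isdigit()):
        return False
    ts = int(t)
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return False  # stale or future-dated: treat as a replay
    expected = _mac(secret, method, url, ts)
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), fields["v1"].encode("utf-8"))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"          # constructed sample value
    url = "https://example.test/videos?page=2"   # constructed sample URL
    value = sign_request(secret, "GET", url)
    print(HEADER_NAME + ":", value)
    print("accepted:", verify_request(secret, "GET", url, value))
    print("other URL accepted:",
          verify_request(secret, "GET", url + "&x=1", value))
```

A valid header here proves only that the sender holds the shared secret; it says nothing about which browser, operating system or device sent the request.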
Neither Flash nor Silverlight were ever web standards. Flash was never accepted as a web standard. EME is a web standard.
EME is as bad as Flash or Silverlight from a conceptual perspective. EME has no place in web standards, no more than flash.
Again, it's you who brought up Flash and Co, I never brought it up.
DRM as implemented by EME is necessarily a closed source, proprietary plugin just like Flash, I never said that Flash was just a DRM. Flash could be used as DRM system, in fact its video format FLV supported DRM.
Ultimately, it's all just instructions being sent to your computer to be executed, and "your computer" is whatever you say it is. Everything (e.g. Intel SGX et al) can be emulated in a sandbox. That's how modern DRM is defeated.
For any experiencing barriers for writing the email, my method is below; Bing Chat generated an excellent email that only needed a bit of editing.
1. Open https://vivaldi.com/blog/googles-new-dangerous-web-environme... page in (ugh) Edge.
2. Open Bing Chat sidebar (top right corner); it auto-summarizes the article.
3. My prompt: Using that webpage summary, please write a letter reporting Alphabet for antitrust violation. Please include the following [this language is from the ftc.gov site]:
Q: What companies or organizations are engaging in conduct you believe violates the antitrust laws? A: Alphabet
Q: Why do you believe this conduct may have harmed competition in violation of the antitrust laws? A: [use the article]
Q: What is your role in the situation? A: I'm a user of the Firefox browser
[edit: line breaks for readability]
What you fail to take into account, is that geeks like being able to freely goof around with stuff; and that new disruptive tech evolves precisely in the ecosystems where geeks are goofing around with stuff.
Consider the dichotomy between iPadOS and macOS. macOS still exists — and still has things like the ability to disable Gatekeeper, enable arbitrary kernel-extension installation, etc. — because the geeks inside Apple could never be productive developing an OS on a workstation that is itself a sealed appliance. They need freely-modifiable systems to hack on. And they may as well sell other people those free systems they've developed — with defaults that make the tool appliance-esque, sure, but also with clear paths to turning those safeties off.
The same thing was true in the 90s with the rise of walled-garden ISPs. The average consumer might be happy with just having access to e.g. AOL, but the people who work with computers (including the programmers at AOL!) won't be happy unless they can write a program that opens a raw IP socket and speaks to another copy of that program on their friend's computer halfway around the world. And so, despite not really mentioning it as a feature, every walled-garden ISP did implicitly connect you to the "raw" Internet over PPP, rather than just speaking to the walled-garden backend BBS-style — because that's what the engineers at each ISP wanted to happen when they used their own ISP, and they weren't going to tolerate anything less.
And then, gradually, all the most interesting stuff for consumers on the Internet — all the "killer apps" — started being things you could only find on the "raw" web, rather than in these walled gardens — precisely because the geeks that knew how to build this stuff had enthusiasm for building it as part of the open web, and no enthusiasm for building it as part of a walled-garden experience. (I would bet money that many a walled-garden developer had ideas for Internet services that they wrote down at work, but then implemented at home — maybe under a pseudonym, to get out from under noncompetes.)
Even if there comes about an "attested Internet", and big companies shift over to using it, all the cool new stuff will always be occurring off to the side, on the "non-attested Internet." You can't eliminate the "non-attested Internet" for the same reason that you can't develop an Operating System purely using kiosk computing appliances.
The next big killer app, after the "attested Internet" becomes a thing, will be built on the "non-attested Internet." And then what'll happen? Everyone will demand an Internet plan that includes access to the "non-attested Internet", if that had been something eliminated in the interim. (Which it wouldn't have been, since all the engineers at the ISPs would never have stood for having their own Internet connections broken like that.)
The point is not that Google cares about those sites - they don't. Those services are leverage that they use to control web standards, in order to enable their real cash-cow: AdSense. They will use their web properties to shove down our throats anything that makes AdSense more profitable, from the anti-adblock measures in Chrome to this one.
> If we're all dependent on them enough that that's a problem for us, then that dependency is the problem
I don't disagree - and I use Firefox, keep my important mail outside of Gmail, etc etc. But I recognize that many, many people don't, so the technologically literate out there have an ethical responsibility to push back against corruption of the open web.
Here you can specifically create new antitrust complaints.
That one is in the category of things that is little more than a nuisance in practice since it’s so easy to circumvent, but that’s a hardware thing and therefore it’s easier to plug something in that is unauthorized. Things are getting so tightened up on the software side with secure boot, Apple’s read-only system partition and by-default App Store Only policy on the Mac, etc. that I suspect this type of thing will be a pain for normal people, though actual at-scale bad actors will probably figure it out.
One company dominates "the Web" and pulls these shenanigans every other year; the other one is totally dependent on the former to pay their bills.
So yeah, Google has been better managed than Mozilla. That doesn't invalidate that Google's execs are a bunch of lizards on the now common SV ego trip and screw up all the time, but they can and ensure they can continue to do so; Mozilla is not in the same position, and part of the blame must be attributed to them.
We had a shot at open browser engine development with limited scope. Everyone said no, not just Chrome. Mozilla and Apple both have blood on their hands too, if we want to be reductive.
The platforms most people use will see benefits. Apple users apparently already do.
I understand the argument that the open source experience will get worse. But frankly, google.com will still work for you. It will be other websites that make your experience worse.
If you want to know more, others have written novels in these comments.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
And here's why it may be bad:
https://vivaldi.com/blog/googles-new-dangerous-web-environme...
And the HN discussion on the latter:
Whatever someone may think of Google or even of ads, it’s smart to keep that important thing in mind and remember their alignment is and must always be toward maximizing and improving advertising.
So no, you shouldn't ask for forgiveness and pretend that you're just gathering data.
That's why what Google is routinely doing now (releasing APIs after a very short period in origin trial and without ever reaching consensus) is so dangerous.
Because I could say chrome always works for me (which would be true in my experience), but that doesn’t mean it always does.
The companies have an imperative, since I guess calling it a vested interest would be an understatement, to not let you escape from their clutches.
They can't force you to come inside, and they can't force you to stay, but they can make it so that it's almost impossible to go anywhere where they are not already there. It's creepy and predatory vulpine super stalker behavior, but unless we establish a system of government that puts our desires above theirs there is not much we can do about it other than stay away to the best of our abilities.
Given that it's open-source and anyone can roll and distribute a tweaked version of Chromium (and many have, notably Microsoft), it's really hard to see an argument here that Google is acting anti-competitively. If anything it's very pro-competitive to give away your secret sauce to your competitors.
Just because their browser is more popular than you would like, and you don't like a feature they're adding, doesn't mean a judge is going to stop them from adding it.
We need deep changes in the regulation and breaking up of those companies that are "too big to fail" and have too much power.
All you need to do is to jingle some real, if small SEO/ad advantage and people will bend over themselves to lick Google's boots.
0: https://gs.statcounter.com/os-market-share/desktop/worldwide
Mozilla opposes this proposal because it contradicts our principles and vision for the Web. Any browser, server, or publisher that implements common standards is automatically part of the Web. ... Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.
The full response is here:
https://github.com/mozilla/standards-positions/issues/852#is...
So I don't think this rubber-stamping W3C will do anything. They have no power over Google, and they know it.
Mozilla developers will then try to reach out to the website’s owners, add a fix or workaround in Firefox, or (as a last resort) spoof Chrome’s User-Agent string to bypass the website’s Firefox block.
Are they? Is there any evidence those companies support the proposal? I haven't seen any statements to that effect, but I might have missed something.
For example, these provide essentially the same attestation service for native apps consuming APIs, validating that the phone is not rooted, and the OS and app are unmodified:
https://developer.android.com/google/play/integrity
https://developer.apple.com/documentation/devicecheck/
Apple and Cloudflare combined to take it to the browser last year and basically no one noticed:
https://blog.cloudflare.com/eliminating-captchas-on-iphones-...
Of course that will be hooked up to Google's new thing as soon as possible!
Microsoft has also been preparing it with the whole TPM integration in Windows 11 and mandatory inclusion of such hardware in all prebuilt PCs since ~2015. That's what the Chromium integration builds on - Google can't actually do the foundation for this themselves on Windows.
You can absolutely bet that all of these companies are on board with whatever Google is doing.
Your personal opinion may well be that ‘this is fine’ but by failing to declare that bias and having never posted much of anything else it is difficult to interpret your actions as a good faith contribution.
And this particular feature? They want to pretend it's a standard. You don't create a spec proposal for a feature you don't just develop internally.
I don't see how it is against their interest, it would cement Google into power in a way that is very difficult to undo barring government intervention (which I doubt is going to happen).
> It seems like the project is explicitly stating their goal isn't to allow for websites to do this, and they are implementing it in a manner consistent with that.
If you drop a frog in a pot of boiling water, it will of course frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As the water gradually heats up, the frog will sink into a tranquil stupor, exactly like one of us in a hot bath, and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.
> If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.
Hulu will keep their attestation implementation ready to turn on at a moment's notice because it's patently obvious that the hold-back stuff will be gone when it's ready to go, and it's obvious because the currently described implementation (with the hold-back) does not really serve any real purpose.
The hold-back is only on the spec to keep people from revolting while the thing is built and tested.
We would’ve gotten Electron any other way if it wasn’t Chromium, it’s the only endgame for UI given how native layers shat the bed.
Mozilla also no longer even supports embedding. ;P
- ie6 which was a security nightmare for everybody
- browsers like Opera developed by very small companies against which competition was more based on merit
The only way for Mozilla to have been able to maintain its market share against Chrome would have been to manage to meet both these requirements:
- build the #1 smartphone OS in the market in terms of market share to have it preinstalled everywhere
- build the #1 search engine in terms of market share to advertise using it every time the user searches for something.
Both feats requiring:
- financial means that were out of reach from the Mozilla foundation at any moment in time regardless of its management.
- giving up on Mozilla ethics and values to be on the same level as the definitely evil competitor.
He provides a nice piece of anecdata there: for one-on-one meetings, you can just send people a link and usually they just join. Even if they've sent a link to Zoom or Meet or whatever, you still can say “hey, join this instead” and it will work. I haven't tried this yet, but sounds plausible to me.
> it is the only game for developers that couldn't care
Yeah, dude. Most devs literally do not care, they just want to write and ship stuff. The native stack(s) are not cohesive enough and the numbers do not lie; devs do not want to rewrite the UI n times.
Signed, someone who also does native and web UI dev. ;P
There is another possibility; EU countries may decide that this amounts to tacit admission by Google that the revenue generating event in ad sales happens on the browser, and ad revenue is therefore always taxable in the country where the browser (and viewer) are located. No more laundering international revenue through tax havens.
And since Google just demonstrated such an effective verification mechanism ... well they can just repurpose it to track all such taxable revenue for the countries in question ... otherwise they might be deemed a criminal enterprise and have to be blocked nation-wide.
No need to block the useful parts, just the illegal tax-evading ad empire.
... and countries can move fast when there is a lot of money to be had ...
The downside with this is that there will be a walled garden where custom devices are not allowed access to.
Fight.
I stopped declaring my employment because it's a hassle to do that on every comment when writing multiple comments. And no one else seems to disclose their biases in this discussion.
That said, I agree with you that I should have declared my affiliation. Apologies.
As many people here, I am trying to understand the implications of WEI. Of course I will challenge the mainstream opinion to advance my own understanding and hopefully those of other readers too. I don't think arguments should be dismissed based on affiliation.
All of the following are true statements:
- Not all chrome flags are related to spec proposals
- Not all spec proposals are related to chrome flags
- Not all chrome-led proposals are finalized
- At least one browser must implement and test the proposal before the proposal can really be considered, and multiple other browsers must implement it before it can be accepted.
You seem to be taking things that are factual, normal, everyday, aspects of the WHATWG working process and trying to imply that chrome is doing something unusual, or untoward with its process here, but it isn't. It's doing what is necessary to make a proposal with WHATWG: have a trial.
- Peter Bork Pakkenberg
- Rayan Kanso
- Dmitry Gozman
- Richard Coles
- Kinuko Yasuda
Let's not forget that it is not Google in itself, but persons behind the keyboard that are pushing that. People that have the power to say no but did not.
I don't know you, but at the next Google mass layoff, I will certainly not offer to give employment to someone with so little morality like them...
It uses Microsoft Edge while installing to open links - like the link to their privacy policy - while the OS is set to use Firefox (and every other app uses this). Then I found out that it has zero containerization features at all. Don't want Google cookies from one tab read in another tab? Use a new Private Window. No thanks. Uninstall, and then it used Edge to open a page asking why...
It's a simple observation. They don't have the interest to make it pass but they still have to do it to save face.
And yet, we've seen many such proposals go through this process because Chrome is paying lip service to it. Whatever Google wants it ships. And Google wants this.
As an adjacent (ads- and tracking-related) example: Google's FLoC flopped, hard. So they immediately shipped the replacement Topics API [1] despite there being no consensus. E.g. Firefox is against [2] (but Chrome presents Firefox's position as "No signal" in the feature status). And despite the fact that its status is literally "individual proposal, not accepted" [3]
Do not assume any good intent on Google's part when it comes to Google's business interests. Their intent is always malicious until proven otherwise. And there have been fewer and fewer cases when they have been proven otherwise.
[1] https://chromestatus.com/feature/5680923054964736
[2] https://github.com/mozilla/standards-positions/issues/622
If chrome implements WEI and it isn't standardized, you're not going to be knocked off the internet if you use firefox. That's extremely silly.
[1]: Keep in mind that things that aren't standardized include third party cookie behavior, so the behavior that FF and Safari have, that you support, isn't standardized either. If you're fully against browsers implementing nonstandard apis or features, you can't be in support of third party cookie sandboxing at all.
The only way this attack can even be avoided in principle is to restrict distribution of the DRM TPM chip — ala Nintendo's NES CIC lockout chip that never left Nintendo's hands except in the form of finished first-party-assembled game cartridges. But even that only prevents mass production and sale of devices that defeat your DRM; any sufficiently motivated attacker can still buy a legitimate device from you that includes the DRM TPM chip, rip the DRM TPM chip out, and feed it to their evil-demon hardware to enable it to faithfully attest a lie over the network.
In short: if this was truly a practical additional layer of defense, there'd be tons of use-cases for it — game consoles, set-top boxes, kiosk computing (e.g. ATMs), etc.
But you don't see anyone using DRM TPM chips for these systems, because it's not a practical additional layer of defense: such chips would increase BOM for these systems, while only defending against attacks that weaker defenses (namely software DRM, or programmable-firmware DRM like Intel SGX) already defend against; and while not doing anything more to stop the truly motivated attackers than current layers of defense already do — as your Netflix pirate media-scraping bots, your EVE Online gold-farming bots, etc. all have the monetary incentive and capital to invest to build exactly these evil-demon systems.