This implements device level verification of the code running your browser. If the device identifies as something Google, or other implementing websites, don't approve, you'll get an error similar to how you see 404 errors for missing/wrong links.
Google is an ad company. They're not a browser company.
Now it's almost impossible to access websites in an automated way -- the CTO posted you can just email him (>>34639212) and he'll sort it. Because that scales.
edit: Misspoke about the CTO, said he would approve you, I was wrong. Apologies.
Their DNS is "privacy focused", but they provide "aggregated results" of domains. How is that privacy focused?
Cloudflare came from the approach of being a developer's friend ("Look! SSL is now free!") but was given the internet on a silver platter.
It's permanently blocked to prevent piracy, or something, mumble, mumble...
Apple and Google only just now implemented this kind of web DRM, which absolutely can have further restrictions added to it. Careful with your absolutes.
The same technology could easily be applied to simply blocking anyone who isn't verified (in the name of stopping spam, DDoS, bank security, you name it), meaning anyone not using an approved install of Windows/macOS/Android/iOS is shut out from the internet.
In the long term, in the name of "banking security", they're likely to add a mode that also lets you ensure your pages aren't tampered with by extensions, and there go all the ad blockers.
Whatever you may think of Kiwifarms, we all saw how that narrative unfolded from a technical perspective.
Reddit wanted to control how users consumed content on their site. To control the experience (i.e. monetize with ads), they had to shut down third-party clients, since those could remove ads.
Google appears to be doing the same thing, but for the entire web. WEI is a way for sites that want to monetize with Google ads to prevent folks from accessing their site unless they can cryptographically assure that the user's browser will follow all the rules Google sets. We don't yet know exactly what all those rules will be, but it isn't hard to guess that they'll be along the lines of whatever makes Google the most money.
This applies to desktop browsers, but also affects automated tools like wget and curl. It could kill web scraping altogether.
The temporary nature of any licensing deals behind these services and the resulting lack of reliable long-term access to content have become more and more obvious.
Increasingly the streaming services seem to be so paranoid about piracy that they are blocking "unapproved" players from getting the highest quality versions of the content - as if anyone who wants to pirate any blockbuster movie can't already find a way to get it in 4K somewhere else if they really want to. Meanwhile you can't watch your 4K movie on a service you're literally paying to provide that movie. IIRC Amazon Prime Video still won't even let you have HD content if you're on Linux.
It feels like the commercial incentives for tech firms to create walled gardens and a culture of never owning anything permanently are going largely unchecked and by now the governments who are supposed to act in the interests of their people should really be stepping in with regulation to counter those negative trends.
Sounds like a great way to enforce censorship:
- websites can deny access to unverified web browsers / web clients
- WEI-enforcing web browsers / web clients can refuse to go to unverified websites (not a stated goal, but it is a logical next step to boost website adoption of WEI APIs once a critical mass of clients is reached)
Google wants to build a wall around the Web and have their own walled garden:
Surveillance is possibly the worst of the bunch. They say it’s just to do a better job of serving ads, but that’s only the tip of the iceberg. Governments could easily use it to know and track everything you do online. Just wait till the next elected nut job wants a list of everybody that has ever looked at or searched for a certain type of information, maybe they don’t like that you looked up info on abortions or lgbt info, now they can know the full extent of what you saw and when.
Ads will be worse. You think YouTube ads are bad now, just wait till you can’t visit any page without the mandatory viewing of their ads. They can require a cam installed to make sure your eyes are on the ad, helpfully pausing the video when you look away.
It was this thread, where you mentioned emailing: >>34639212
The infrastructure to do signed OS loading is already in place, and on some operating systems (e.g. Android), the OS attestation service is already in place. So everything is mostly in place already to have your browser attest that it is official Google chrome on Google Android on an approved device with a hardware chip that verifies a Google approved boot signature. That hardware chip contains a Google approved private key (a key that's signed by a manufacturer that Google has in turn approved/signed) that can't be extracted, and that's the key that makes the attestation. Replace the hardware boot verify chip with one that will verify software you want, and you lose your attestation key.
They could also make the OS service reach out to a web service to get an attestation that the attestation key hasn't been revoked, so even if someone did physically extract the key from hardware and share it, it could be revoked (assuming each device gets its own key).
In effect, wide use of this kind of thing means that open source software is no longer free since even if you can look at the code, you must be part of the anointed class (i.e. working within or approved by a major corporation) to edit it and run your edits.
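The key chain and revocation check described in the comment above, sketched from the verifying website's side. This is an added example, not code from the thread or from any WEI implementation: the `Attestation` layout, the Ed25519 choice, the function names and the keys are all constructed assumptions, and the nonce (a freshness check) goes beyond what the comment describes.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Attestation (constructed format): a signed statement plus the key chain behind it.
type Attestation struct {
	Claim                    string
	Sig, DeviceSig, MakerSig []byte // statement sig; issuer sigs over the two keys
	DevicePub, MakerPub      ed25519.PublicKey
}

// Verify walks root -> manufacturer -> device -> statement and consults a revocation set.
// Key lengths are checked first because ed25519.Verify panics on a malformed public key.
func Verify(root ed25519.PublicKey, a Attestation, nonce string, revoked map[string]bool) error {
	switch {
	case len(a.MakerPub) != ed25519.PublicKeySize || !ed25519.Verify(root, a.MakerPub, a.MakerSig):
		return fmt.Errorf("manufacturer key not approved by root")
	case len(a.DevicePub) != ed25519.PublicKeySize || !ed25519.Verify(a.MakerPub, a.DevicePub, a.DeviceSig):
		return fmt.Errorf("device key not signed by manufacturer")
	case revoked[string(a.DevicePub)]:
		return fmt.Errorf("device key revoked")
	case !ed25519.Verify(a.DevicePub, []byte(nonce+"|"+a.Claim), a.Sig):
		return fmt.Errorf("statement not signed by device key for this nonce")
	}
	return nil
}

// attest creates a device key certified by issuer and signs nonce|claim with it.
func attest(issuer ed25519.PrivateKey, makerPub ed25519.PublicKey, makerSig []byte, nonce, claim string) Attestation {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return Attestation{claim, ed25519.Sign(priv, []byte(nonce+"|"+claim)), ed25519.Sign(issuer, pub), makerSig, pub, makerPub}
}

// Demo uses constructed keys: valid, revoked, replayed nonce, device key from an unapproved issuer.
func Demo() (valid, revokedErr, replayed, unapproved error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	makerPub, makerPriv, _ := ed25519.GenerateKey(nil)
	_, ownerPriv, _ := ed25519.GenerateKey(nil) // key generated by the device owner
	makerSig := ed25519.Sign(rootPriv, makerPub)
	a := attest(makerPriv, makerPub, makerSig, "n1", "browser=approved")
	return Verify(rootPub, a, "n1", nil),
		Verify(rootPub, a, "n1", map[string]bool{string(a.DevicePub): true}),
		Verify(rootPub, a, "n2", nil),
		Verify(rootPub, attest(ownerPriv, makerPub, makerSig, "n1", "browser=approved"), "n1", nil)
}

func main() { fmt.Println(Demo()) }
```

The last case is the one the comment ends on: a device key certified by anything other than the approved manufacturer key fails at the second link, regardless of what software actually runs.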
Remember that moderators can be abusive not just in terms of removing content that shouldn't be removed, but also by forcing you to accept things that harm you. Moderation is a trust relationship because I'm delegating my own personal decision to accept or block traffic/content/etc to someone else. Cloudflare is not trustworthy.
Cloudflare also used to be a big pain in the ass for Tor/VPN users because competent DDoS protection requires some kind of traceable identity. Their solution was Privacy Pass - an extension that let you pre-solve their CAPTCHAs. However, this wasn't good enough, so their next solution... was to literally partner with Apple to implement Web Environment Integrity, years before Google even proposed it. Nobody noticed this - not even me - because it was sold as a way to make CAPTCHAs less annoying. It was literally the trojan horse Google could only dream of building.
[0] https://forums.malwarebytes.com/topic/108447-my-site-using-c...
The problem was that if you used a third-party client, Reddit would have to coordinate with them to launch whatever new stupid cryptocurrency scam they wanted to push that week. On a web browser they can just push new code into it[0], and their first-party mobile clients can be updated ahead-of-time with support for the feature. But third-party clients would have to spend their own development time adding stupid "click here to get your Snoovatar[1]" links. They could slow-walk that, or just not implement that, and Reddit would have to spend time and money kicking users off that third-party app.
This, incidentally, is why every other major social media platform bans third-party clients. Third-party clients are user agents, not platform agents.
[0] Which, incidentally, makes web browsers not user agents
[1] An NFT scam Reddit tried to pull
[0] An ARM exception level that sits above hypervisors and is specifically intended to support trusted execution modes for isolated mini-operating-systems that do this sort of shit
I'm having trouble grasping how WEI works, providing examples of what would and could happen and what to ask/tell the EU specifically.
From my limited understanding it would mean the lockout of people with non-compliant hardware/software, greatly increase the fingerprinting of web browser users and further vendor lock in to Google as a company?
Because that thing basically describes a proprietary plugin like ActiveX, Silverlight or Flash before it, so a third party browser which doesn't have that proprietary tech can't fake it, under pretense of "standard". The code of that plugin will not be open source, worse, it will act as spyware on people's computers at the OS level.
It's like EME before and these proprietary techs have no place in an open standard spec.
There are already various services that require proprietary applications to be installed, most of which are closed-source with a dubious security track record. Replacing those proprietary apps with a common web browser is not necessarily a bad outcome.
Personally I am voting with my money and just avoid services that are user-hostile, independent of which user-agent I use to access those services.
That one is in the category of things that is little more than a nuisance in practice since it’s so easy to circumvent, but that’s a hardware thing and therefore it’s easier to plug something in that is unauthorized. Things are getting so tightened up on the software side with secure boot, Apple’s read-only system partition and by-default App Store Only policy on the Mac, etc. that I suspect this type of thing will be a pain for normal people, though actual at-scale bad actors will probably figure it out.
Whatever someone may think of Google or even of ads, it’s smart to keep that important thing in mind and remember their alignment is and must always be toward maximizing and improving advertising.