Are you okay with buying a new computer running the operating system and browser someone else wants to access your bank's web site?
You can still use your current computer and browser to access HN.
In practice, this will make it harder, but not impossible, to run ad blockers. Now instead of just finding and installing a plugin, you'll have to first find and install a forked browser that implements the attestation as something like 'return true'. This will predictably decrease the number of people blocking ads.
Personally, I don't object to this. The easy solution for most people is simply: don't consume the content. Or pay money instead of watching ads. Content creators, it must be said, also have the option of self-hosting and/or creating content as a hobby rather than a career. As someone who has grown more and more despairing of any paid-for speech, especially by ads, I welcome this change.
Far more troubling is the possibility of attestation for "important apps" like banking or government. In general this mechanism gives the org a way to prevent you from doing what you want with your data. For example, they can prevent you from scraping data and automating end-user tasks. This takes away your degrees-of-freedom, and using a modified browser will certainly become an actionable offense. In my view this is by far the more troubling aspect of this change, since it takes away significant aspects of user autonomy in a context where it matters most.
Technically sophisticated users will note that it's not possible to secure a client, and foolish to try. This misses the point. These changes stochastically change behaviors "in the large", like a shopping center that offers two lanes in and one lane out, or two escalators in and one out. This represents a net transfer of power from the less powerful to the more powerful, and therefore deserves to be opposed.
EDIT: please don't downvote, but rather reply with your objection.
This will not increase security for the user either, it's just a new barrier at the risk of higher fingerprinting. Why should you care how your bank handles security? It's their responsibility, not yours to handle.
But it's absolutely fair to argue that the web operates on a different set of expectations than the Play Store/App Store, and I think the concerns that this will create a second-class citizen status for browsers are totally valid. There's a huge difference in character between "in order to prevent piracy and ensure ad revenue we are only releasing our app on the Play Store" and "we are only releasing our web app for Chrome".
This is bad as a user story if you are not blessed and likely get locked out because the web operator doesn't recognize you as valid.
This is worse in the second-order effects in that it can be leveraged to fight against ad blockers, paywall bypassers, YouTube video downloaders, and so on, by forcing all that user-friendly software under the umbrella of being unblessed. Hence the moniker "web DRM".
It is not technically impossible, it's just going to be arduous.
Despite what some on the political spectrum try to say, the Internet has become a basic human right. It is required in schools in America. In many cases, it is required to even interact with certain government entities. Allowing governments and corporations to force users to a specific browser on a specific operating system just to interact with their site goes against everything the web is supposed to be -- an open platform for the free exchange of ideas.
This proposal is a slap in the face to all of that and basically allows governments and corporations to force users to use what those governments and corporations choose.
This is net neutrality all over again, just in a different vein.
I, for one, will continue supporting Mozilla and Firefox and will never again use Chromium-based browsers, or any browser which supports this. I just hope I can keep browsing the sites I need to.
There is no option to "implements the attestation as something like 'return true'". There is a chain of verification from the hardware manufacturers building in software surveillance, through OS developers treating the device owner as an attacker, this proposal of carrying the same user-hostile dynamic through browsers, and finally to the website that by verifying the signatures can force a user to only use software that enforces all of the above.
You should very much object to this! Today, "unsupported browser" is a CYA term that doesn't really mean much besides that the website has limited testing budget (and who doesn't?). With this proposal it would become a hard blocker. Goodbye Linux/BSDs/etc. Goodbye `make install`. Goodbye virtual machines. Goodbye computers that last longer than the rapid e-waste treadmill of mobile phone land. You will of course be able to keep running user-representing operating systems, old computers, "jail" breaking them, etc. You just won't be able to access banking websites, followed by web stores, then general sites. Basically anywhere today that hassles users with CAPTCHAs will be looking to implement these restrictions eventually (which is basically everywhere).
Only if this person's bank implements WEI in such a way that none of this person's devices (computer, phone) are supported, and this person is not willing or able to switch banks, does buying a new computer come into view. Without knowing anything about this person, assuming average, the chances of this must be low, or the bank will have no happy customers left.
I fully agree with the underlying worries you and others in this thread have, but to extrapolate that without any nuance into a world where we all become privacy-less, ad consuming, eye tracked zombies on newly bought computers is not helping the case (in my view).
Your second paragraph, about chain of trust, gets a little more wobbly, but this is a matter of fact, not opinion. Will this change require a chain of trust from hardware up? That's startling. Do you have a link? I read the proposal but don't recall seeing that.
The third paragraph seems to articulate the worry that systems will now be closed with centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again. And even if you do, you won't be able to connect it to the future internet to do anything real. That's not a good future. It's one which makes individuals passive and controlled by central authority - and even if you don't object to this morally, you must admit that an ignorant and disabled population is weak and susceptible to attack.
It will be swiftly adopted by well-meaning but clueless bank and government clerks who will accidentally use it to lock all open hardware, open operating system, and open browser users out and mandate that you need to purchase at least one locked-down corporate device to exist.
It's the trusted computing story all along. Eventually you will need permission to run your code on your own device and such "unlocked" device will be blocked from accessing any digital infrastructure because it might be otherwise used to breach ToS.
It's like how all these "free" websites coasted along for years being quite user friendly, but have recently switched to extraction mode. Anybody who thought about the incentives knew what was coming down the line eventually.
> With the web environment integrity API, websites will be able to request a token that attests key facts about the environment their client code is running in. For example, this API will show that a user is operating a web client on a secure Android device. Tampering with the attestation will be prevented by signing the tokens cryptographically.
I don't see what else this could be referring to besides bringing TPM "remote attestation" up through the software stack to the level of a web browser. By "secure" Android it must mean one running a corporate Android distribution (see: SafetyNet), where Google has already been pushing this lockdown dynamic for a few years at least. Without tying it into the TPM, there would be literally no point to this specification as it could always be faked.
The insidious thing about this spec is that it's not an immediate prescriptive lockdown the way corporate "secure" boot is. Rather if it turns on tomorrow, Firefox, extensions, and community Linux distributions will all still work fine. But the long term dynamic is that each of these nonstandard things will be stamped out in the name of "security" - look at how the SafetyNet requirements on Android are getting incrementally harder to "pass".
Fundamentally this is entirely about consensual interactions. Right now, the demarcation point between user interests and website/server/company interests is the communications protocol itself. Your computer represents your interests, my computer represents my interests, and they possibly communicate with each other while still representing each of our interests. Remote parties that you're communicating with being able to verify what code you are running means they are then able to dictate what code you must run, even when it undermines your interests. Your only recourse becomes to not communicate, which doesn't work in our world of imbalanced power relationships. Computing's revolutionary spark of personal autonomy gets shoved back in the bottle as far as the Web is concerned.
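The point made in the comments above, that a forked browser cannot "return true" because the website checks a signature it did not issue, is easier to see with a small model of the token flow. The following Python is an added example, not code from the WEI proposal or from any of the posters; it uses an HMAC shared between a hypothetical attester and the site as a stand-in for the asymmetric signatures the spec describes, and the key, origin and claim names are constructed for the demo. It shows the three checks a verifying site would actually perform (signature, origin binding, nonce freshness) and why a client without the attester's key fails the first one regardless of what it claims about itself.

```python
"""Toy model of a signed attestation token: attester issues, site verifies.

Added example, not the WEI spec's format or code. A shared HMAC key
(constructed for the demo) stands in for the attester's signing key;
in the proposal the site would hold only a public verification key.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed key held by the hypothetical attester. A forked client on the
# user's machine never sees this value, which is the whole point.
ATTESTER_KEY = b"constructed-attester-key-for-demo"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, origin: str, nonce: str, claims: dict) -> str:
    """Attester side: bind the claims to the requesting origin and to the
    site-supplied nonce, then sign the whole payload."""
    payload = {"origin": origin, "nonce": nonce, "claims": claims}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(key: bytes, token: str, expected_origin: str,
                 expected_nonce: str) -> Optional[dict]:
    """Site side: return the claims only if the token is genuine, was issued
    for this origin, and answers the nonce this site handed out."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # malformed
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged by a party without the attester key, or tampered
    payload = json.loads(body)
    if payload.get("origin") != expected_origin:
        return None  # token issued for a different site
    if payload.get("nonce") != expected_nonce:
        return None  # replay of an older token
    return payload["claims"]


def forged_token(origin: str, nonce: str) -> str:
    """What a client that just 'returns true' can do: build a payload that
    asserts integrity and sign it with a key of its own choosing."""
    return issue_token(b"whatever-the-fork-chose", origin, nonce,
                       {"integrity": True})


def demo() -> dict:
    """Run the four cases a verifying site distinguishes."""
    site, nonce = "https://bank.example", secrets.token_hex(8)
    genuine = issue_token(ATTESTER_KEY, site, nonce,
                          {"integrity": True, "platform": "constructed"})
    return {
        "genuine_accepted": verify_token(ATTESTER_KEY, genuine, site, nonce) is not None,
        "forged_rejected": verify_token(ATTESTER_KEY, forged_token(site, nonce), site, nonce) is None,
        "replay_rejected": verify_token(ATTESTER_KEY, genuine, site, "stale-nonce") is None,
        "cross_site_rejected": verify_token(ATTESTER_KEY, genuine, "https://shop.example", nonce) is None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'ok' if ok else 'FAIL'}")
```

The forged token carries exactly the claims a "return true" fork would want to assert, and it is still rejected, because the decision is made by the site against a key the client does not hold. The nonce and origin checks are what stop a genuine token from being captured once and reused elsewhere; a site that skipped them would be trusting the token's contents rather than its freshness.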
> centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again
There's some nuance here. Likely you will still be able to "jail break" new devices, or even root them in a supported way like Google's current Android devices. But doing so will make the device useless for accessing any website that insists on performing the verification. So sure, you can keep on using your nonstandard development environments just fine - most of the Web will be unavailable to it though.
You will just need a second WebTV like device for accessing banking websites, then shopping websites, then news websites. As I said, anywhere that currently pops up CAPTCHAs when browsing from less-surveillable IPs is a good indicator for the eventual adoption path. Said device will implement all the restrictions the website publishers can dream of - ads, lack of copy/paste, no screenshots, no access by VNC, no browser extensions, no protection from corporate surveillance, etc.
> And even if you do, you won't be able to connect it to the future internet to do anything real
That's a long way off and doesn't have any technical connection to this proposal. But one can imagine this proposal being one step in a chain of developments/legislation that brings us to that point.
I own a rooted Samsung device and have to jump through 100 hoops to be able to use my banking app or Netflix or some rando game (which I don't actually play). SafetyNet broken, hardware fuse blown, Magisk Hide + some other hacks just to still be able to do online banking.
I just want to be able to ssh into my own device or install a real ad blocker, like Adaway without losing access to real world applications.
This is all very depressing.
I disagree. There is a point to making something more difficult but not impossible: you alter behavior at statistically significant scale in practice AND you get to point to the alternative as a reason why the change isn't "coercive". In practice, 99% of users won't know to download an altered Chrome - they have a shaky understanding of "browser" and "os" as it is. In fact, I can imagine Googlers rationalizing this as a kind of shibboleth that keeps hacker culture alive.
Furthermore, even if the "key facts" it reports don't initially include results of hardware remote attestation, it's entirely foreseeable that over time these will be added.
Yes, they will, because it has already happened.
On Android many many banking apps block rooted phones and custom OSes by using Play Integrity and Safetynet. And then games started doing it too, you can't play Pokemon GO unless your phone's OS passes Safetynet. And then restaurants joined in. Sorry, you can't order from McDonald's unless you pass Safetynet.
When does it stop?
On iPhone you can't even install software that Apple doesn't explicitly allow.
They would love to extend this to all computing devices to remove control.
They will now have to use old fashioned social engineering to make you cough up that credential to steal.
That's not really true. Apple is encroaching freedom of software choice on their devices, but they know that they can't extend the same kind of security policies to the desktop. You can disable secure boot on Macs and even run Linux if you like. Additionally, it's a bit difficult but if you disable SIP you do get access to the entire systems file system. They're a shitty company when it comes to repair-ability and their walled garden, but they know they can't extend this to the desktop, or else they would disqualify themselves from the developer market (where they are quite popular).
But that's for Apps. Native Apps, not websites. If we argue this way, then this becomes a solution seeking an issue, since the first thing you learn in web programming is to never trust the client. I don't even see how this changes here, given that it won't mitigate any bugs, except giving me proof that the only bugs present on the client side system are the ones written by me.
The reason Google actually wants to implement this is because they risk losing huge amounts of revenue due to adblocking, something they can control on mobile (since they control the software supply chain there) but cannot do in the browser (since I have access to the DOM).