The freedom problem is this: you will not be able to roll your own keys.
This is probably the biggest nail in the coffin for a ton of computers out there. In theory you could simulate via software the workings of a TPM. If you built a kernel module the browser would have no real way of knowing if it sent requests to a piece of hardware or a piece of software. But the fact that you would have to use Microsoft's or Apple's keys makes this completely impossible.
The hardware problem is this: you will not be able to use older or niche/independent hardware.
As we established that software simulation is impossible, this makes a ton of older devices utter e-waste for the near future. Most Chromebooks themselves don't have a TPM, so even though they are guaranteed updates for 10 years how are they going to browse the web? (maybe in that case Google could actually deploy a software TPM with their keys since it's closed source). I have a few old business laptops at home that have a 1.X version of the TPM. In theory it performs just as well as TPM 2.X, but they will not be supported because, again, I will not be able to use my own keys.
Lastly there is the social problem: is DRM the future of the web?
Maybe this trusted computing stuff really is what the web is bound to become, either using your certified TPM keys or maybe your Electronic National ID card or maybe both in order to attest the genuineness of the device that is making the requests. Maybe the Wild West era of the web was a silly dream fueled by novelty and inexperience and in the future we will look back and clearly see we needed more guarantees regarding web browsing, just like we need a central authority to guarantee and regulate SSL certificates or domain names.
> In many ways, if we get Web Environment Integrity, we’ll need every government to regulate Google, Apple, Microsoft, and adtech in every way possible
And now history repeats itself and we have Firefox being the alternative to the mighty Google Chrome and Google emulating more and more of what people hated about Microsoft's stewardship of Internet Explorer and dictating to users what they must have their eyeballs exposed to. In Microsoft's case that was obnoxious popups and popunders, shitty toolbars, and endless crap they came up with to somehow lock users into all that. Now Google is whining that nobody wants to see their shitty ads (correct) and somehow feels entitled enough that they can dictate browsers to respect their authority regarding what users can and cannot block. It's the same behavior. And the fix is the same: abandon the Chrome ecosystem. The more users do that, the more the web will basically remain outside of the control of Google.
This is fundamentally the problem, isn't it? They feel entitled _because_ they can dictate terms to the rest of the web, or at least they think so. There's no fixing this by changing Google's mind, only by forcing their hand by making this decision hurt their wallet. And as you point out, that only happens if people stay outside of the Google garden.
Do we know the financial impact ad blockers are thought to have?
I'm guessing ad fraud is a way bigger problem; although some would argue that ad fraud is not Google's problem, it still hurts Google.
Maybe it's also a third thing I just can't think of right now; ad blocks just seem too niche to me. How about just enforcing a stronger monopoly on user tracking?
Yes, completely impossible to fake by design. Otherwise what's the point? But I think the root of trust is whatever signs the hardware TPM module. So, Intel, AMD and Apple.
If I understand it correctly, the secure chain of trust will be something like: hardware TPM module -> secure boot -> Windows signed kernel -> Chrome (signed binary). It's not clear to me if desktop Linux will be able to participate in this ecosystem at all, which is ironic given how much Google uses Linux. Maybe a couple of the big distributions like Canonical will be able to sign their Linux kernel builds.
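The chain of trust in the comment above (hardware TPM -> secure boot -> signed kernel -> signed browser) is, at the TPM level, a hash chain: each stage is measured into a platform configuration register before it runs, and a remote verifier later checks that the register value and the event log agree with known-good measurements. The following is an added example, not code from any commenter or from the WEI proposal; it collapses the chain into a single PCR-style register with constructed stage images and a constructed golden allow-list, and it also illustrates the point made earlier in the thread that a quote is only as trustworthy as the hardware that produced it: the verifier can detect a modified stage, or a log that omits one, but only if the quoted register value comes from a TPM it trusts.

```python
import hashlib

# Constructed model of measured boot feeding one PCR-style register.
# Stage names, image bytes and the "golden" policy are all constructed;
# real measured boot uses several PCRs and a structured TPM event log.

HASH = hashlib.sha256
PCR_RESET = bytes(HASH().digest_size)  # PCRs start at all-zero on reset


def measure(image: bytes) -> bytes:
    """Measurement of a stage = hash of its image."""
    return HASH(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: new = H(old || measurement). There is no "set";
    # the register can only accumulate history, and order matters.
    return HASH(pcr + measurement).digest()


def boot(chain):
    """Run the chain: each stage is measured into the PCR before it runs.
    Returns (final PCR, event log) as a verifier would receive them."""
    pcr, log = PCR_RESET, []
    for stage, image in chain:
        m = measure(image)
        log.append((stage, m))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log) -> bytes:
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_RESET
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def appraise(quoted_pcr: bytes, log, golden: dict):
    """Verifier policy: the log must reproduce the quoted PCR, and every
    stage's measurement must be one the verifier already knows."""
    if replay_log(log) != quoted_pcr:
        return False, "event log does not reproduce quoted PCR"
    for stage, m in log:
        if m not in golden.get(stage, set()):
            return False, "unknown %s measurement" % stage
    return True, "all stages known and consistent"


# Constructed sample images standing in for the real binaries.
OFFICIAL = [
    ("firmware", b"constructed vendor firmware v1"),
    ("bootloader", b"constructed signed bootloader"),
    ("kernel", b"constructed signed kernel 6.x"),
    ("browser", b"constructed official browser build"),
]
GOLDEN = {stage: {measure(img)} for stage, img in OFFICIAL}


def attest_chain(chain):
    """Boot the chain and appraise its quote against the golden policy."""
    quoted, log = boot(chain)
    return appraise(quoted, log, GOLDEN)


def with_patched_kernel(chain):
    """Same chain with the kernel image replaced (constructed variant)."""
    return [(s, b"constructed patched kernel" if s == "kernel" else img)
            for s, img in chain]


if __name__ == "__main__":
    print(attest_chain(OFFICIAL))
    print(attest_chain(with_patched_kernel(OFFICIAL)))
```

Two failure modes are worth trying: a patched kernel is caught because its measurement is not in the golden set, and a machine that patches the kernel but presents the official event log is caught because the log no longer reproduces the quoted register. Both checks collapse if the "quote" can be produced by software rather than by hardware the verifier trusts, which is why a software TPM using your own keys does not help here.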
> Lastly there is the social problem: is DRM the future of the web?
It's opt-in by website operators at least. Assuming this happens, there are two big questions in my mind:
1. How much of the web will go dark to anyone not using a corpo software stack? I imagine bank websites will adopt this technology immediately, while sites like HN, personal blogs and Wikipedia won't touch this stuff. How much of the web will stop working on my terrible "hacker" computer where I use Firefox on Linux?
2. How will this interact with browser extensions and dev tools? If websites won't function outside of Chrome, will we be able to continue to drive Chrome programmatically? Will Chrome's dev tools still work? Will websites be told about my ad blocker extensions? Will WebDriver (and similar tools) be blocked?
Actually it was a pyrrhic victory, as Microsoft went on to apply their ideas to Xbox, Azure Sphere, and now the change is coming back as future Windows hardware requirements for secure workstations via Pluton integration.
https://www.microsoft.com/en-us/security/blog/2020/11/17/mee...
I bet mostly UNIX focused folks haven't noticed that their next PC might have a Pluton CPU on them.
https://www.thurrott.com/hardware/260917/here-come-the-first...
As always people see the happy path down the middle of the forest, not the creatures waiting to leap out and eat them two steps down the line.
And also, frankly, I don't really frakking care if their purpose is to prevent ad fraud. That's not my problem; why should I be the one paying for Google to make more money from a problem they created themselves in the first place? As far as I'm concerned, if Google really wants to prevent ad fraud, they can just stop doing advertising. Problem solved.
---
Dear <<REPLACE>>,
I am a <<COUNTRY>> citizen, and I live and vote in <<REPLACE>> district. Professionally I am a software engineer <<blah blah blah years of exp, exp with web etc>>. I am writing to you with a concern about a recent planned change by Google called Web Environment Integrity (WEI). I believe this change is anti-competitive, against the open web, and a risk to our country's security agencies.
Very simply, WEI allows websites to verify that the user's browser (e.g. Chrome), and potentially the Operating System (e.g. Windows), is official and unmodified; this process is called attestation. Basically how it will work is:
1. The user navigates to a website.
2. The website executes a challenge to the browser (e.g. Chrome) asking for attestation and listing the acceptable attestation services.
3. The browser makes a request to a third-party attestation service (e.g. Google).
4. Software, an attestation agent, runs on the user's computer. This software scans files and memory of the user's computer or phone and sends back proof to the attestation service (e.g. Google) that the user is running an acceptable, official and unmodified browser and/or operating system.
5. Once satisfied, the attestation service issues the user's browser a token.
6. The user's browser forwards this token to the website.
7. The website can use this token to check against the attestation service that the user is indeed running official or unmodified software.
8. The website then permits the user to access the site.
In the event the attestation fails or the browser fails to provide a valid token the website will likely deny access to the site.
On the face of it, it may seem like this is a noble goal; unfortunately it mainly entrenches Google's position of power. Google's browser Chrome is used by 85% of users, Google search is the most popular search engine, and Google controls the biggest online advertisement service, AdWords. Once implemented, Google's existing dominance places it in a position to push it onto websites and users. Google could deny access to GMail, Google Maps, and YouTube unless the user has this feature. Google could deny placement of ads, and subsequent payment to website owners, unless those accessing their site have WEI enabled.
The proposal is bad for the following reasons.
1. Limited Attestation Services - Website owners have a list of attestation services they trust. It is extremely unlikely a large number of websites will add Joe Bloggs third-party attestation service as trusted. As a result it is likely only 3 attestation services will exist: Google, Microsoft and Apple. This proposal will further entrench these three companies as owners of the web. This is anti-competitive.
2. Prevents alternative browsers - Creating a standards-compliant browser is a monumental task, which is why only a limited number exist: Chrome (uses Chromium, which is based off WebKit), Safari (based off WebKit), and Firefox (uses its own Gecko browser engine); most others (Brave, Microsoft Edge) use the Chromium browser engine under the hood. Currently, apart from the effort, there is nothing preventing a group from creating a brand new browser engine. An extremely dedicated team could create a new browser and all websites would work with it. If WEI were implemented, this new browser would need permission from the incumbents; otherwise attestation would fail and users would be denied access to, potentially, most of the web. This is anti-competitive.
3. Prevents accessibility tools - Some people have additional needs due to disability or age and may use tools like screen readers or text only browsers to navigate the web. This involves additional software which injects itself into the browser in order to provide the functionality. This process, while legitimate, may result in attestation failing, especially after new software updates, and as a result denying marginalized users access to the web. This is against the open web.
4. Prevents alternative web crawlers - In order for your website to be listed in Google search, apps called Googlebot and Google crawler need to connect to your website and go through each page; this is then indexed and the results are presented based on relevant search terms. There are other web crawlers by Microsoft/Bing and Yandex which do something similar for their search engines. While they are likely to provide themselves attestation tokens in order to continue the service, a new company may invent a better way of providing internet search, but in order to crawl, with WEI in place, they would need to ask permission from Google to authorize their crawler. This is anti-competitive.
5. Prevents legitimate scraping - Similar to crawling, there are legitimate uses for scraping, which is extracting data from a webpage by an automated tool for use for some other purpose. One example is the Internet Archive (archive.org); they regularly visit millions of websites around the world and take a copy of them for historical purposes. You can use archive.org to view Google's first homepage from 1999, or Yahoo! from 1996. WEI prevents new companies or groups from creating novel tools built on legitimate scraping without asking permission from Google first. This is anti-competitive.
6. Prevents security agencies from doing their jobs - Government security agencies and police hack, monitor, and scrape, as permissible under law. These actions are performed by expert agents who are also supported by various scripts, bots, and custom-built apps. These tools are rapidly modified and continuously changing depending on the operation. WEI would require these tools to be authorized by the attestation agent or service; while there are a number of ways this could occur, ultimately this requires Google to authorize each tool in order for the tool to successfully collect a valid token. Google could temporarily or permanently deny access to valid tokens, or change the algorithm for generating them to prevent security agencies from generating their own, which would prevent security agencies from using their tools against operational targets. This is a risk to our country's security agencies.
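The eight-step flow in the letter above is easier to reason about as a small protocol simulation: a website hands out a single-use challenge, the attester signs a verdict bound to that challenge and to the website's origin, and the website accepts only a token that the attester vouches for. The code below is an added example written for this thread; it is not Google's API, not the WEI proposal's wire format, and not code from the letter's author. The verdict strings, the field names, the HMAC-based token, the allow-list inside the stand-in "attestation agent" and the hostnames are all constructed. Note what the website ends up seeing: only an ok/reason pair, never the device details, which is exactly why everything hinges on whose allow-list the attester applies.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed simulation of the attestation flow (steps 1-8 above).


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class Attester:
    """Steps 3-5: issues a signed verdict; step 7: verifies it for a website."""

    ALLOWED_BROWSERS = {"ExampleBrowser/official"}  # constructed allow-list

    def __init__(self):
        self._key = secrets.token_bytes(32)  # signing key never leaves here

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def _agent_verdict(self, environment: dict) -> str:
        # Step 4 stand-in: a real agent inspects the device; this just reads
        # a constructed environment descriptor supplied by the caller.
        ok = (environment.get("browser") in self.ALLOWED_BROWSERS
              and environment.get("modified") is False)
        return "MEETS_INTEGRITY" if ok else "FAILS_INTEGRITY"

    def issue(self, challenge: str, origin: str, environment: dict) -> str:
        payload = json.dumps({
            "challenge": challenge,      # binds token to one request
            "origin": origin,            # binds token to one website
            "verdict": self._agent_verdict(environment),
            "iat": int(time.time()),
        }, sort_keys=True).encode()
        return _b64(payload) + "." + _b64(self._mac(payload))

    def verify(self, token: str, challenge: str, origin: str,
               max_age: int = 300) -> dict:
        try:
            p64, m64 = token.split(".")
            payload = _unb64(p64)
            if not hmac.compare_digest(self._mac(payload), _unb64(m64)):
                return {"ok": False, "reason": "bad signature"}
            claims = json.loads(payload)
            if claims["challenge"] != challenge:
                return {"ok": False, "reason": "challenge mismatch"}
            if claims["origin"] != origin:
                return {"ok": False, "reason": "origin mismatch"}
            if time.time() - claims["iat"] > max_age:
                return {"ok": False, "reason": "expired"}
            if claims["verdict"] != "MEETS_INTEGRITY":
                return {"ok": False, "reason": "verdict " + claims["verdict"]}
        except (ValueError, KeyError, TypeError):
            return {"ok": False, "reason": "malformed token"}
        return {"ok": True, "reason": "ok"}


class Website:
    """Step 2 (challenge) and steps 7-8 (check with attester, then admit)."""

    def __init__(self, origin: str, attester: Attester):
        self.origin = origin
        self.attester = attester
        self._pending = set()

    def challenge(self) -> str:
        nonce = secrets.token_urlsafe(16)  # single-use, unpredictable
        self._pending.add(nonce)
        return nonce

    def admit(self, challenge: str, token: str) -> dict:
        if challenge not in self._pending:
            return {"ok": False, "reason": "unknown or reused challenge"}
        self._pending.discard(challenge)  # a token cannot be replayed
        return self.attester.verify(token, challenge, self.origin)


def browser_visit(site: Website, attester: Attester, environment: dict) -> dict:
    """Steps 1, 3 and 6 from the browser's side; returns the site's decision."""
    challenge = site.challenge()
    token = attester.issue(challenge, site.origin, environment)
    return site.admit(challenge, token)


if __name__ == "__main__":
    att = Attester()
    site = Website("https://bank.example", att)
    print(browser_visit(site, att, {"browser": "ExampleBrowser/official", "modified": False}))
    print(browser_visit(site, att, {"browser": "ExampleBrowser/official", "modified": True}))
```

The checks in `verify` and `admit` are the ones a deployment would need regardless of who runs the attester: challenge binding stops a token captured from one session being reused, origin binding stops a token issued for one site being presented to another, and the signature check means a browser cannot simply rewrite "FAILS_INTEGRITY" to "MEETS_INTEGRITY" on its way to the site. None of that protects users from the policy itself; it only makes the policy enforceable.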
"Is your stuff going to keep working? There's literally a website dedicated to the products Google has killed. What makes you think you're so special that they won't do that to something you use?"
Of course, you're probably sleeping on the couch that evening...
https://www.microsoft.com/en-us/security/blog/2022/01/21/cel...
I would find quite a bit of value in getting that person locked out of their Google accounts and forcing them to deal with the consequences, especially if the lock-out was just me getting in and changing their password so that their access can still be recovered. A little controlled scare would be far better than getting locked out at some unknown/unprepared-for point in the future.
So perhaps in your case, the wise thing to do would be to ask your gf to try to pretend she was locked out of her Google accounts for a week. Force her to see how much she relies on it, and how bad it is when that SPF actually fails. You could probably accomplish it by allowing her to change the password to something she doesn't know for a week.
And also when Firefox 1.0 came out, sneaking around the school library computers and installing it as the default browser. The librarian eventually found out and asked me to just install it on all the computers so that the other kids wouldn't be confused why the browser was different on some machines.
I suspect for most politicians this will be far too long and too technical for them to bother with.
They can only blame themselves for faking data.
Which is likely a big part of why MSFT tried to get rid of it.
In the emails I sent I did use judicious formatting. i.e. "Prevents alternative browsers" is in bold, and "this is anti-competitive" is italic so someone scrolling through it could just read those.
How it works could be dropped or pushed to the end.
Once upon a time, I was a homeless teenager running from a cult. If not for software I wouldn't have gotten out of that.
WEI (and other such things) are mainly about regulating who is allowed to write software, and so the way I think about it is this: If WEI existed when I was a homeless teenager, I might be dead.
I do not think I would like your girlfriend very much if she said keeping "her" stuff working was more important than my life, although I could understand her not understanding how big of a deal it is when you talk abstractly about the "open nature of the web" without putting it into human terms;
The "open" part is really important to get across because it means anyone who has the ability to can contribute: Does such a high level academic with a strong mathematical and logical background understand what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?
> If you haven’t been under a rock, you may have heard about Google’s evil Web Environment Integrity “proposal”. Supposedly, this is to make sure a browser environemnt can be “trusted”, but it seems Google wants this so they can kill ad blockers.
Also you misspelled environment. Surprising for a geological enthusiast.
"I can keep buying this stuff, and can't practically avoid it, therefore it doesn't affect me."
Most people don't want to dedicate hours a day to a "vote with your feet" attempt that will not even register on corporations' balance sheets.
Already, other browsers have led on tracking protection and control of third-party cookies, affecting Google's business model. So Google built Chrome, invested in it so people would prefer it, pushed it on their websites to ensure people would prefer it, and built a walled garden with Chrome Sync + Passwords.
Then they started using it to decrease privacy by signing in to Chrome when you sign in to Gmail. They track your websites visited and use it to improve their advertising even when the website doesn't use Google ads.
Theirs is the only password manager for Android which is limited to their browser. That's for a reason.
Not sure what the solution is here. Several years ago it seemed to me that Mozilla may be on track to get their shit together; then they decided to lay off Rust/Servo people, left their Firefox for Android team so barely staffed they couldn't even handle more than a handful of supported extensions, and instead spent all the money on their CEO bonuses. Guess this is going to be quite a painful decade for the open Web...
Don't be so sure, after all they adopted TLS. Which is essentially the same shit, just slightly less draconian.
This is the actual missing key bit. The problem that Google is trying to solve here is not actually a hardware / computational problem, it's a Real Identity problem. Hardware / TPMs are a poor proxy for solving that problem.
There's drastically less eWaste and impact on software freedom if you seek attestation from a national ID provider than if you seek attestation from one of a handful of personal electronics OEMs. National ID providers can offer to sign not only Real Identity attestations, but also anonymized attestations to protect citizen privacy. A web operator can decide whether to allow for attestations from only their own national ID provider, foreign national ID providers, private ID providers, or none at all if they just have a read-only site and don't really care.
The truth is that government inaction is forcing Big Tech down the road of violating user privacy and freedoms to solve Big Tech's problems. But getting the government to offer a flat Identity Provider playing field would solve these problems in a way that doesn't require such violation.
MS hasn't thrown in the towel on Edge and is even still working on Internet Explorer.
No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.
>if she said keeping "her" stuff working was more important than my life
Arguing that you would be dead if your viewpoint isn't correct is a bad argument.
>what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?
It would be a better analogy to say that "employers can run background checks on people who want to work for them." Because it is up to each website to choose which attestors they trust and the websites have the choice of doing whatever they want with information or not requiring attestation at all.
If you can detect if anyone is using a system that supports this then you can ban only them instead of allowing only them, right?
Maybe we should nip this in the bud? If even 10% of sites banned anyone with this enabled from day zero before anyone else is requiring it, users would turn it off and then it wouldn't be there for anyone else to use.
>Even if it's signed and approved, malware can still hijack it....
At which point the vulnerability in the software or hardware should be fixed and the old version should be blacklisted.
For now. But in many countries you already have to show ID to buy a SIM card. This could be extended to all devices that have this key on them. And then it could become a dereliction of duty for certain types of websites not to do checks they could easily do.
For example you could have the website never knowing your actual ID but simply passing an encrypted string to the national server, which would return a 200 response if the document is valid. You could also have additional requests like "is the user 18+".
The website will just know the request is coming from something which has a valid ID available. The state will also not know which pages you browsed, only the domain of the request, just like with HTTPS your ISP does not know exactly the pages you browse but just the websites themselves.
And before someone talks about the state knowing your browser history: they already can by calling up your ISP, and they would get a lot more information than this mechanism would provide.
I'd expect threshold cryptography to solve that issue in the near future.
The vast majority of Indian internet users are on mobile. It's a market led by Xiaomi and other Chinese OEMs who sell phones that die after a year or two with horrible OTA updates. Some people downgrade, some use custom ROMs. But the majority just buy a new phone every 2-3 years. Or even 1 year. The poorest of people here buy iPhones with financing. Besides, you don't need to buy expensive devices. Every GMS certified phone made in the last couple of years has it.
Now for actual computers, most are either prebuilts or laptops. They all come with secure boot since 2013? The last Windows release without a mandatory TPM is going to be discontinued in 2025; Microsoft will scare people into upgrading.
These are old machines. Any laptop made in the last 4 years will be able to access the new closed web, so it won't be hard to replace them.
I'm just hoping this "end of internet" happens really quickly. So that people would notice. One day people should wake up locked out of the web on their expensive devices. If it's a slow boil, we'll be too late to stop it. Again.
On a personal level we have health - why can't I have fries and ice cream all day, every day? That's what any sensible child would choose. Education - why can't I play video games and watch TikTok attention-grabbing videos all day? In fact many do.
On a country level, why would we want to help Ukraine or Taiwan? Why would we want to reduce our carbon footprint? Stuff just keeps working.
Lead pipes worked just fine. Asbestos worked just fine. Smoking was just fine. Until they weren't.
Secondary effects require experience and education. We are not so good at grasping causal relationship when the results aren't immediate.
Being a Russian passport holder who lives abroad for years, I don't want to be in touch with my gov in any way possible, and moreover depend on it.
That's actually the case for millions of people from different countries with dictatorships; do you propose just to discriminate against everyone outside of the 20-30 countries with more or less democratic systems? Those countries don't care about "citizen privacy".
Apart from that, we all see the bill in the UK which is as much a disaster to human freedoms as Russian and Chinese laws, for example. So even being a citizen of a more modern country is not a guarantee.
People don't always live in their country of citizenship, they don't always live in one place (see digital nomads) and have a residence, they don't always trust their government and they should not be discriminated on internet usage because of that. That makes a person more of a government property rather than a human being.
Frankly I'm unsure: if Firefox's fate was to be EEL (embrace, extend, lock down), would we be worse off or better off than what we are right now with Chrome?
Citation needed. I'm pretty sure all Chromebooks have a TPM and it's a firm requirement for making one. ChromeOS uses the TPM extensively and fully supports remote attestation:
https://www.chromium.org/developers/design-documents/tpm-usa...
TPMs have been a requirement on PCs since at least 2016 I think, and in reality most came with them before that too (but there's a v1 vs v2 difference).
> a 1.X version of the TPM. In theory it performs just as well as TPM 2.X but they will not be supported because, again, I will not be able to use my own keys.
This is all wrong. TPM 1.2 uses SHA-1 for everything, which is a broken hash function, so there is a major difference in robustness between them. That's why TPM 1.2 is being phased out. It has nothing to do with "using your own keys", which is out of the domain of what TPMs do anyway; TPMs are always owned by the device user. You're thinking of firmware boot signing and other things that are separate from the TPM chip, but even there, you can use your own signing keys.
It takes many years of activism to build awareness for these sorts of issues. I worry that increasingly tight technological control over various aspects of our lives will create more of these situations and eventually overwhelm our capacity to build awareness. The result could be widespread cruelty.
The solution cannot be for each and every one of us to be aware of and emotionally engaged with every possible predicament in which others could find themselves. It's just not possible psychologically.
We need to design our rules and systems to be resilient in the face of unexpected things going wrong and in the face of permanent partial brokenness of everything, including rule making itself. It's very difficult and I'm not optimistic.
I can buy a SIM card that gives internet pretty much everywhere around the world with bitcoin with silent.link. Granted you don't get an IP matching the local country, but still...
This choice will still render a ton of devices basically e-waste for no real good reason
at which point you could attest any environment you wish, across as many machines as you want
a nice side hustle for bored university students with access to the equipment needed
(currently this doesn't happen as the TPM keys are essentially worthless)
""" Dear <<WHOEVER>>,
I'm writing to inform you of a change that Google is proposing which will:
1. Reduce the ability of the security agencies to do their jobs
2. Limit the ability of ordinary citizens to access the internet
3. Lock control to big tech companies and reduce innovation in the technology sector
As a citizen of <<COUNTRY>> living and voting in <<REPLACE>> and a software engineer with X years of experience, I believe this proposal (called Web Environment Integrity or WEI), although presented as improving security and privacy, is damaging because ... """
(edit: formatting and expanded the final line)
Just think about it: I really conceptualized how I can hook my Android phone to my server, add a digital camera to photograph the OTP code, OCR it and have a Docker-based Selenium script with chromedriver log in to my bank to pull the PDFs. All that just because big banks can afford to be so customer unfriendly.
Ten bucks says that it's added to FingerprintJS or equivalent within a year and sites are "opted in" without thinking about it.
(and we'll still have fingerprinting, which this claims to remove the need for - which means we won't actually solve anything)
But over time rules are tightened, penalties increased, more loopholes closed and fewer people will have the expertise, the determination, the funds and the nerve to work around the rules, even if it is theoretically their right to do so.
Eventually only hardened criminals and highly knowledgeable and principled activists and professionals will realistically have access to some of these options.
A) used as political chaff for jockeying by power hungry politicians as distraction fodder or FUD material
B) centralized by the intelligence community of your country, or an allied country with an agreement that they'll do the work for your government that your government can't.
There are things that simply should not, nay, must not be made.
The Single Identification Number is one. We have all the tools to do it today. The only thing keeping it from happening is refusal to implement at the grassroots level.
Ah, ha!
The PR spin necessary to kill this in the US would be to connect it national ID. I hadn’t thought of that.
A narrative about national ID with some vague “mark of the beast” insinuation thrown in and suddenly a large political faction who otherwise would care about this would be opposed. I like it.
Most people are not qualified to give a crap.
We don't adopt medicines on the basis of "most people's" opinion, we don't adopt anything technological with potentially harmful impact on the basis of the opinion of large uninformed masses.
That's why we have regulators and other institutions that should be informed and give an informed crap. On an ongoing basis and not only as a result of popular outrage.
Which brings us to regulatory capture and said institutions actually failing their mandate to serve the interests of the people that fund them.
But now we have something that most people should give a crap about. This is not technical, it goes to the foundation of democracy and governance. Otherwise we might as well stop voting and accept we live in a corporate oligarchy.
It’s about proving your device meets an unspecified standard. Today that standard would probably involve a signed browser binary and kernel verified by a hardware root of trust.
Tomorrow it could be “Please drink verification can.” or “Your social credit score is too low for you to use this feature.” or any other arbitrary criteria that gets cooked-up.
> Attestation doesn't stop you from writing software for your device.
Attestation means the metes and bounds of your computing experience are defined by a third party.
What you use your computer for today might not be permitted tomorrow. Look at the invasive software mechanisms that games use for “anti-cheat” if you want to see one possible eventuality.
This is “Right to Read” territory we’re walking into. We’re already there with phones because we ceded freedom for “security”. (“Phones aren’t computers.”, “I just want my phone to work.”, “I don’t want to remove malware from the phones of the oldsters in my life.” Blah. Blah. Blah.)
Now we’re going to do that with personal computers.
We’re getting what we deserve, so guess.
if they control your computer, they can prevent you from engaging in 'illegal' activities such as piracy
but it all boils down to the logic of the market, the raw fact that capitalism works even with marginal costs. but when copying (and distribution) costs go lower (less than 'marginal' down to zero cost) it all starts to break down
if people aren't selling digital assets to each other (which doesn't make sense with the technology we have right now), they cannot be taxed and so on.
solution: fix the technology. make it so that only those with specially authorized keys (trust worthy actors) can copy digital information at will. everybody else will have to pay them for this privilege.
oh and nevermind the fact that computers work by copying bits all over the place
Or was this an afterthought like everything else in their proposal?
How do I prove my device is secure while also being able to run any software that I want?
That such a pivotal issue is not handled competently with the top priority attention it deserves says more about the state of the US polity than the horned man storming the Capitol.
I find the easiest way to make these people think is to attack it from a money angle. Disregard all the ideological, practical, security, surveillance related issues. Ask them how they would feel if from tomorrow they would need to shell out money, a $100 equivalent of their local currency, when buying any kind of computer (iPads, mobile phones, PCs, Macs) for a stamp of approval, and then have to fork over $10 every month for renewing an "attestation license".
You are not forced to get this stamp. There will be some websites restricted that you can't access, but your computer will keep working fine. First it will be your bank website, then streaming sites, then food ordering services, and so on, until eventually all the major services will be walled off until you pay.
Because that's what will happen (among other things). All this infrastructure will need setup, maintenance, and it will not be free, and you can bet your ass that FAANG (or whoever will be running the attestation services) will be charging whoever is using their services, and they will be forwarding the bill to you, the end user.
I speculate that it might start off as a mesh network, maybe using unregulated spectrum on a local level. It will probably resemble BBS FidoNet, but with more modern features. Bandwidth and E2E latency will be terrible, but it will be free.
As long as there are skilled engineers who have the spirit of freedom, there will always be an 'open' network for humanity to communicate (with all the good and ills that comes with 'open').
> No reason
Using broken encryption is quite a decent reason.
I think a political strategy of getting rural school districts + 20 State governments to go on record saying they will not purchase or use computers that have Google WEI could be very effective.
That seems really one sided. To me that indicates that I as a user have a right to know that a human and not a robot is responsible for me seeing this ad. That's not the case of course. What this would do is kneecap the enemy/users and let the advertisers be the only ones with access to automation and integrity validation.
I doubt that many object to seeing ads for power tools on a DIY forum or developer tools on Stackoverflow; that seems reasonable. The objection is to being bombarded by obvious scams, micro transaction laden mobile games, online casinos and anything that in no way benefits me as a consumer. Google should perhaps focus a bit more on validating the integrity of their consumers, i.e. the advertisers.
I don't see banks adopting it at all for consumer banking. I work for a bank; I can tell you a bank isn't interested in adopting any technology that introduces friction for high-balance customers. What would they gain? A little extra fraud protection? You'll find lots of articles online spelling out the reasons that the optimal amount of fraud is not zero.
You can be against something and not have the resources to fight it. The person in question said they don't see the problem, which is the former.
Would I pay $500 for a TPM key I can use to "attest" my hacked version of Chromium that removes ads? Hell yes.
Would cheaters pay $500 for a TPM key to bypass valorant anti-cheat? Hell yes (they do already).
Would spammers pay $500 to spam Google?
and so on
Ultimately attestation to control the user (vs. protect them) sows the seeds of its own demise.
Important to note here that it's only possible to "fool" SafetyNet/Play Integrity because of compatibility with older devices. The strongest Play Integrity level (MEETS_STRONG_INTEGRITY) is simply not possible to fake on a device with an unlocked bootloader; it's just not a big problem right now because most apps do not require it yet, since there are still many old devices that don't pass it because of missing hardware or outdated android versions.
Eventually, in a few years, a time will come where the number of non-unlocked devices not compatible with MEETS_STRONG_INTEGRITY will be low enough that apps will start requiring it, and that will be the end of bootloader unlocking for most users that still do it.
This is why we need to be politically active and politically effective and I'm glad OP called that out in their post too. It's like reminding people to vote when dealing with the consequences of elected officials.
edit: What business, other than an ad business, can safely say "we don't care what digital technologies we invent, as long as they are popular we can make piles of money." IMO, that is the motto of a dominant tech company. You can see a striking example of this failing with the various home assistants. Despite their popularity, tech companies can't figure out a way to shove ads into the UX, so they can't make money.
Why does Google get to do something that no other website in the world is allowed to do? This feels like something Microsoft would have gotten hit by antitrust over decades ago.
There’s no reason why logging into a Google site should silently give them all of your web browsing history across every site you browse. I know you can turn both those settings off but most people don’t even know they exist.
If any of that trust is broken my privacy is at risk.
> And before someone talks about the state knowing your browser history: they already can by calling up your ISP, and they would get a lot more information than this mechanism would provide.
That depends on how you browse the internet today, and how the ISP tracks it. Simply using a different DNS service goes a long way, and using a VPN or the tor network may not be totally foolproof but should get around the basic dragnets an ISP is likely to use.
It can replace your physical ID but it also has other useful features.
The most useful one is the ability to generate Identity Proofs that contain only the minimum required information to prove your identity.
They even have an expiration date, a named receiver and a motive.
Of course the receiver can verify their legitimacy in the app.
No more sending copies of your ID!
I also think one of the features is proof of majority without revealing your identity. Probably made for adult websites because a ruling was made a while ago that they would have to enforce age restrictions better.
We didn't have to buy into these products or allow them to take over our lives if we had an issue with ad companies running them. We could simply not use them, accepting the negative impact that will have on parts of our current life. If the majority of our people don't care and have chosen the convenience, and the dopamine hit, of the digital products, should politicians really step in though?
If politicians in a representative democracy are meant to represent the people then it really isn't their job to fix this; the people have already spoken. I don't agree with it and do my best to limit my use of these ad companies, but that doesn't mean it's my responsibility to rip these products out of everyone else's hands if they chose their own tradeoffs. If Google wants to do this and people really care, they'll just stop using Google and accept that they won't have access to any services that decide to require this kind of DRM-like verification.
People should never be expected to make meaningful decisions in their life only because someone with degrees said it's best for them, or even worse make no decision because the leader already made it for them. People need to be able to think for themselves and make their own decisions, even if the few experts may disagree with the decisions made.
In my opinion, this should have been the most important lesson from three years of pandemic response. We had a small group of experts getting out over their skis and speaking with certainty about the virus and what everyone must do. In reality these experts had much less research-based data to support this level of confidence, and in some cases the data even contradicted them. In the meantime we were all forced or coerced into various decisions and protocols that didn't seem to pan out, for a virus that we once got kicked off social media platforms for comparing to the cold or flu while that's precisely how said experts discuss it today.
Experts should absolutely weigh in and attempt to educate people on what's at stake and why they should make one decision or another. But a system in which a few at the top decide for and control the rest of the population is extremely dangerous and should be reserved for only the absolutely most important situations.
Being nobody's resident doesn't mean that you're not a human.
And anyway, there are a lot of people inside Russia, China, Iran, etc. And instead of helping them to use services with better privacy and consume uncensored views from outside, an ID based system will give an impressive way to censor internet usage by government attesters. Have wrong views? Say goodbye to the internet.
Yes, but unlike say construction, the environment, or medicine, when it comes to IT, most of our gov representatives in charge of regulations are horribly out of touch with what's happening in the tech world and how fast things are changing.
Just look at the senate hearings of Zuckerberg and the TikTok CEO, what questions they were getting: "can TikTok access my Wi-Fi?". I rest my case.
They have no clue how the whole "internet-thingamajigs" work, nor do they care to listen to people who actually do know, because they can also be easily lobbied by big-tech to look the other way, especially since for the US-government, having US companies dominate everything IT related on a global scale is a national-security asset rather than a curse, which could be said if Chinese companies were to take over instead.
Google is essentially hijacking the web and turning it into something that it can entirely control and dictate, since Google owns not only critical infrastructure (Chromium, the most used browser), but the most visited websites (Youtube, Search). That's a coup d'état, no more no less.
And the slippery slope is abrupt dude, we went from EME which was already spyware to WEI, and there will be a next step, since we would have already accepted Google's supremacy.
I’m seeing the biggest issue as who decides what a “trusted” browser is. Is it Google? I’m guessing they will establish a non-profit “independent” advisory board which will have members who somehow align with the interests of all major advertising stakeholders in the world. This is dripping with anti-compete potential. Some lawyers are going to get rich from this.
It's not focused on censorship resistance but instead decentralisation.
The ISP, with SNI implemented, would only be able to tell the state that "a device connected through this physical location accessed a server through Cloudflare".
I mean — all this doom from HN about huge centralized corporations, about banks being inaccessible, but the moment you mention the only viable (at the moment) alternative — many people reach for their trusty downvote button.
I mean, with all the hate towards all alternatives to trusting Big Tech corporations, with all the effort to actively bury any potential to build and improve decentralized systems, some of you deserve to live in a world controlled by large states and corporations. This would be your future dystopia, because you actively dismissed every alternative out of hand. But it won’t be your future, because many people outside of HN continue to build systems like MaidSAFE, IPFS and BitTorrent which do not have these restrictions. There are far better and more scalable networks coming out that are beyond blockchain and beyond smart contracts that allow building backends which CAN’T discriminate against clients, and let anyone generate their own public-private keys. Even though you may hate on these technologies and downvote any post mentioning them, they’ll be there when you finally need them. You’re welcome!!
I don’t want Google and Microsoft to have the keys to the kingdom, but on the other hand, I really want a way to know that I’m having genuine interactions with real people.
I wish government was getting more involved here.
Most people don't know how the internet works, don't care as long as it works and do not think about it beyond that.
My ISP will tell them I spend most of my time connected to Mullvad VPN, and Mullvad will tell them they don't know anything about what any particular IP address was doing.
Having to give identity attestations either directly or proxied by a government server would make such anonymous browsing much more difficult, if not impossible.
I don't think there is or there will ever be perfect regulation. Pick any sector (banking is a prime example) and you can identify recurring failure, capture, complacency and other pathologies on top of the intrinsic difficulty of working out the unknown-unknowns.
Ultimately the only structural mitigation available is to have as many checks-and-balances as possible and transparency about motivations and incentives of all actors involved.
But that is not the immediate problem with "tech". I put the term in quotes because even that is a conceit. The accurate term is probably "random conglomerates that were first movers in adopting digital technologies, with user-data based advertising the overwhelming business model".
The shtick has been that "heavy handed" regulation of said "tech" will stifle innovation and other such drivel. Indeed, if by innovation we mean drifting ever deeper into the black hole. For more than a decade now we have been trapped in an egregiously suboptimal situation.
https://www.gnu.org/philosophy/right-to-read.html
He wrote that 26 years ago. It's worth reading again just to see how much he got right.
> to optimize their taxes
I'd love to give you the benefit of the doubt and not interpret that as "dodge taxes". What's your side of the story?
How would they kill ad blockers this way? I can just use librewolf browser; sites will detect it and not work. But we already have this in the form of Widevine DRM. Spotify does not work in my browser without DRM. They can't really force this on google search, because many clients will never support it (older Nokia 3x4 keyboard phones etc).
Why should that be accepted though? There are plenty of experts to consult and (like the very salaries of politicians) none of that expense is out of their own pockets.
> a national-security asset rather than a curse
When every excuse fails, national security is invoked. Somehow advertisers are now a critical element in keeping the free world free.
When discussing tradeoffs, it's not about correctness but value judgments. Is it preferable for people like geocar to die than to continue allowing people to access all websites with arbitrary devices and software?
Of course, there are services that could be exposed through a website where the consequences of improper use would be catastrophic, but I would argue the web is usually inappropriate for control of life-critical systems without other safeguards or redundancies.
GF: "If my stuff keeps working, why is it a problem?"
BF: "Is your stuff going to keep working? There's literally a website dedicated to the products Google has killed. What makes you think you're so special that they won't do that to something you use?"
GF: "If Google deploys this and then kills it, my stuff will keep working. So why is it a problem?"
...and she would be right. If it doesn't break her stuff when some websites start relying on it for user device attestation, then if Google kills it making it so sites can no longer use it for user device attestation those sites aren't going to just say "Oh no! User device attestation no longer works! Let's shut down the site!". They will go back to whatever they were doing before it became available.
How are you drawing this conclusion? What about paying Apple for verification would imply that any of that money would go to the websites you're visiting, or would make it any easier for those websites to collect payments from you?
All these elites always want to know what we plebs are running. The governments want Venmo to report anything that adds up to over $600 a year to the IRS. FATCA travel rule pushes all countries to do the same, for $1K but FINCEN has lobbied for as low as $250!
Meanwhile the Pentagon can’t account for trillions, and both parties give them more money than they even ask for. We have government officials in constant secret meetings, failing to avert disasters, then the plebs have to fight.
I say — we should have attestation that the server is running verified code, the one that was audited by third parties that I accept! That would be what I always wanted on the Web. Instead, they only do it the other way.
We the People have to rise up and demand that Google implements a standard that uses SGX extensions or whatever, to guarantee that the code managing the website matches the audited code. This is long overdue! It is also why we use smart contracts and Web3 for now.
All I really want, on the mobile Web, is a way to visit a URL that has a content hash, and it will load a static file matching a content hash, and save it so it’s always available locally. That’s it! So I can trust the code. Without having to install an extension. Instead Apple clears everything after 7 days, making it useless! And SRI only works for subresources. Which means the server can be hacked and serve malicious code to me anytime!
https://arstechnica.com/information-technology/2022/08/archi...
At least in the US. I’m not sure how EU politics is actually motivated, though they seem to advance the most useless political solutions to technological problems (browsers not having good defaults for cookies? Let’s make website owners show confusing cookie modals within the website context, that don’t usually even work!)
That would be for messaging & fun internet.
No money or influence to be made.
And fringe or grey area stuff. Copyright infringement, censure evasion… meh.
But in most of the states that have been pushing such laws that is very much not the case. They deliberately pick forms of ID that are less prevalent among poor and minority voters and that for many are expensive to obtain. In several they have also taken measures to make it even more difficult for those people to obtain ID.
For example, if they require an ID that you get from the state's department of motor vehicles (DMV), they (in the name of budget cuts) close many DMV offices, and in the ones that remain open they cut back the hours during which they will issue licenses to a few hours on weekdays. The closures mostly hit in poor and minority districts.
Yes, some of those laws do make some forms of acceptable ID free, but only in the sense that there is no fee to obtain that ID. Obtaining the documents necessary to obtain the ID will still have fees.
(Specific communication)
We need PQ FIPS and TLS revisions; not this.
The general public doesn't care, and won't care until it actually materially affects them. Until then they'll look at the people who do care as weirdos. And even then, plenty of people still won't care so long as they can access their social media etc. on their shiny new iPhone 28 or whatever version is out when that time comes.
As stated this is not strictly true. E.g., Apple would object (with at least some merit) and every tech company before adtech (i.e., decades of commercially viable tech) would object as well.
What is true is that adtech is the most lucrative way to monetize any digital consumer device.
This economic dominance of adtech is real and extremely distortive of the technology landscape, but 1) it is predicated on questionable behavioral stances ("consumers don't care about privacy") which are manifestly not universal (see e.g. EU-wide regulation) and 2) it is an incongruous and incomplete architecture for a digital economy: e.g., there is no hard line between consumer and business devices. Do businesses also not care about commercial secrecy?
Effectively adtech short-circuited the digital society motherboard by identifying an emerging opportunity that did not exist in traditional physically organized economies. Large and vital sections of the motherboard (e.g. journalism) are now burned out.
It's a dead end.
Real identity doesn't necessarily mean passport. It can mean, for example, a visa issued by your host government; being a valid visa holder therefore grants you a valid digital identity issued by that country.
> People don't always live in their country of citizenship, they don't always live in one place (see digital nomads) and have a residence, they don't always trust their government and they should not be discriminated on internet usage because of that. That makes a person more of a government property rather than a human being.
Then let's get rid of passports. Sounds like the deeper issue, no? Wouldn't you agree that freedom of movement and immigration is a higher and more important freedom than freedom of internet access?
This is the world we live in. Immigration concerns exist. Government-issued identity is real. It just hasn't caught up to the 21st century.
https://www.notebooksbilliger.de/acer+swift+1+sf114+34+p91a+...
They have physical stores.
But you will have to use hardware and software from approved vendors.
So if we could reliably extract keys it may be enough to break this. (or force TPM makers to have per-device keys instead of per-batch keys)
In which case the internet we all grew up creating will effectively turn into the "Ham radio" of digital computer communications and will be effectively bandwidth throttled the way amateur spectrum allocation is.
Doesn't seem crazy that something like this would be the end result.
1. 18+website tells the browser age verification is needed, gives a random token
2. Browser signs a verification request with the local ID card (or a key temporarily allowed to do so), forwards it to government server
3. Government server sees the request with random token, signs both, answers the browser
4. Browser forwards signed attestation to 18+website.
The government server only sees the random token. The website only has the attestation. There are other things that can be nitpicked against, but not this. For instance, can we require local ID cards? What about foreign visitors? Possibly an attestation from their passport? And of course, browsers sit in the middle and see everything.
However, this could be a useful mechanism to have. For age verification, nationality check, or even identity check on official websites. And if we have this, it's bound to be abused in some ways (Facebook could require an ID check).
This is just an enormous nope for me. No better than this WEI stuff.
> The truth is that government inaction is forcing Big Tech down the road of violating user privacy and freedoms to solve Big Tech's problems.
Whether it is governmental or private action, how is it right or good that everyone has to suffer just because big tech has business model problems?
I don't understand how TLS is anything like WEI. Can you explain?
You can stay in UAE for half a year, start being their resident with 0% tax and then move around, staying less than 183 days anywhere. It's of course better to be connected to UAE or another low tax jurisdiction in case of "personal connection" tax requirements. Nothing unethical, illegal or bad in that. As far as it's perfectly legal in lots of countries, that's optimizing and not dodging or avoiding.
If you are staying UAE resident this way, you probably will have some troubles receiving gov services, because you don't live there in fact most of the time (and you are still just a tax resident and not always resident in terms of long-term living permit).
Anyway, placing a person to be "managed" by some government is a really dystopian concept.
There is basically no reason for, for example, a young African person to be more restricted in his freedom of movement than a European one, but we are where we are.
Though I believe that while we have an outdated and unfair system of belonging to some borders, it's better not to make it even worse by adding new layers of dependency on these IDs.
Wouldn't it be better to add more equality of opportunity instead of hardening it?
If this is the future, I'm going to say "fuck the internet" and return to the soil.
You claim to believe it's not and offer no counter point outside of a feeling in your gut and a desire to deflect and attack OP for making the point by calling the poster prejudiced.
https://www.politifact.com/factchecks/2012/jul/11/eric-holde...
https://www.aclu.org/documents/oppose-voter-id-legislation-f...
https://www.usccr.gov/files/pubs/2018/Minority_Voting_Access...
https://www.washingtonpost.com/politics/courts_law/getting-a...
https://www.vox.com/xpress/2014/11/4/7157037/us-voter-id-req...
https://www.npr.org/2018/09/07/644648955/for-older-voters-ge...
https://rewirenewsgroup.com/2014/10/16/well-actually-pretty-...
https://www.theregreview.org/2019/01/08/shapiro-moran-burden...
https://www.theatlantic.com/politics/archive/2014/10/heres-h...
https://scholars.org/contribution/high-cost-free-photo-voter...
https://now.tufts.edu/2018/01/23/proving-voter-id-laws-discr...
We've allowed a lot of people to become really fucking lazy. That's the bottom line. Baby Boomers, some Millennials (not all), and a lot of Gen Z.
Generation X had no choice but to gain a strong knowledge of computers if they wanted to do anything on the Internet, because it was still difficult, it still required a little reading, and you couldn't just press the WPS button on your router to connect your new MacBook Pro.
Every single problem the web faces is that. Period.
A lot of people never had to learn jack shit, so they don't know jack shit. They can't tell the difference in a legitimate website versus one that isn't. They don't know how to read a web address. They can't figure out that irs.gov is legitimate and irs.4doad04ldud.com isn't. I have met people who are 50+ years old who have used Windows computers since they were 22 years old, but look absolutely goddamned dumbfounded when you tell them, "Just click on the Start button and go to Word."
Fuck.
Them.
Fuck every single one of them. We have tolerated lazy uninterested users for long enough. I'm not saying every computer user needs to be able to debug assembly code and fix their own driver issue by rewriting it from the ground up. I'm saying that as a society, we have progressed past the point where you can throw your hands up and say, "I'm JuSt NoT A CoMpUtEr PeRsOn!"
To quote Captain Jean-Luc Picard, "NOT GOOD ENOUGH! NOT GOOD ENOUGH, DAMMIT!"
And the entire industry across the entire planet and every single national, state, county, city, provincial, whatever government is going to have to get onboard, come together, and say, "Okay, here's a baseline set of knowledge about how computers and our communications systems work that every single human being needs to have."
You cannot "tech" your way out of this problem. Not without massive corporate and government overreach and invasion of people's privacy. Lazy shitty people are just going to have to be made to suffer until they stop being lazy and shitty. There are plenty of average IQ people who can grasp the basics of how their computer and the Internet work - but they're never made to. Well it's time to start making them.
The dumbing down of every single technological product and concept does our species no favors.
The operating system should properly prevent software from violating the security of the system. If you mean that you want to be able to run an OS that doesn't provide the level of security that is expected, then you shouldn't be able to prove that insecure OS is secure.
No, there isn't. It's basically an OAuth login flow. The spec is publicly documented, anyone can register applications and check if the government is responding as desired, both by correctly requesting auth for the correct scopes in the government-hosted auth page, and by checking that the data returned from the gov matches what the spec promises.
I couldn't agree more, but you gotta apply the right leverage to the right problem, put the round pegs in the round holes and the square pegs in the square holes. Real digital identity does for the digital economy what credit cards did for the retail economy: dramatically reduce the cost of friction, and therefore dramatically expand, how much activity there will be. It is this reduction in friction which opens additional opportunities even to people with identities issued by less-favored governments. Separately, we can and should push to make qualified immigration simpler, faster, and for more applicants.
Neither of those require attestation.
>Look at the invasive software mechanisms that games use for “anti-cheat” if you want to see one possible eventuality.
A future where people can't cheat when playing with me is a positive direction to take computing.
>This is “Right to Read” territory we’re walking into.
I assume you are talking about "The Right to Read" by RMS. It is already illegal to redistribute ebooks if you don't have the rights to do so. We already live in that world. Unlike the essay as an industry we have chosen to focus on hardware based security instead of making debuggers illegal.
I am a bit opinionated about that, because I already saw lots of that in Russia with all these fancy "security" and "convenient" digital tools and how it ended.
Digital ID should be solved by some kind of WebOfTrust, private DIDs and somehow distributed reputation systems, not by centralized government databases. It's a straight way to tyranny.
Corporations and govs are actually the same structure. Look to healthcare, pharma, military; it is so tightly connected. Now IT is just part of the puzzle.
The main idea is that I strongly disagree that a person must have an ID outside of some questionable country, and that's more of an example. I personally traveled just because I wanted to travel a lot, it was before the war and stuff, but as I know currently lots of Russians, Ukrainians, Belarusians are changing countries to find the best for them. When you don't have a home anymore, there is no reason to settle in the first place you visited.
BTW, 3 flights per year with 2-3 bags will cost you around 3k USD, you will probably overpay around 300-400 USD per month staying in Airbnb in low-cost of living countries like Thailand, so in fact the whole cost of moving will be around 7-10k USD per year. If you earn IT remote salary, you will probably save a lot.
Though you'll need a tax consultant to avoid breaking any tax law accidentally, but that's not so expensive outside of the EU and the US.
You don't have to know any keys, just the structure of a valid key; then make things up according to spec.
It's also worth considering where this stuff comes from instead of ascribing anything the other team says to superstitious fools and their invisible sky man.
Branding people like cattle wasn't invented in modernity. It's infamous Nazi behavior, and the Nazis weren't the first to do it either. It's so old that people centuries ago saw how bad it turns out and put a warning against it in their ancient book.
You don't have to believe in the devil to believe that history repeats and learn a lesson from the people who came before.
If you look at the history of the internet it's basically a story of decentralized protocols with a choice of clients being outcompeted by centralized services with a single client, usually because centralized services can control spam better (+have incentives to innovate etc, it's not just one issue).
Examples: USENET -> phpBB -> reddit, IRC -> Slack, ISP hosted email -> Gmail -> Facebook Messenger, SMS -> WhatsApp/iMessage, self-hosted git -> GitHub.
The reason spam kills decentralized systems is that all the techniques for fighting it are totally ad-hoc security-through-obscurity tricks combined with large dollops of expensive Big Data and ML processing, all handled by full time teams. It's stuff that's totally out of reach for indy server hosters. Even for the big guys it frequently fails!
Decentralized networks suffer other problems beyond spam due to their reliance on peers being trusted. They're fully open to attack at all times, making it risky and high effort to run nodes. They're open to obscure app-specific DoS attacks. They are riddled with Sybil attacks. They leak private data like sieves. Many features can't be implemented at all. Given all these problems, most users just give up and either outsource hosting or switch to entirely centralized services.
I used to work on the Gmail spam team, and also Bitcoin, so I have direct experience of the problems in both contexts.
Remote attestation (RA) isn't by itself enough to fix these problems, but it's a tool that can solve some of them. Consider that if USENET operators had the ability to reliably identify clients, then USENET would probably have lasted a fair bit longer. Servers wouldn't have needed to make block/allow decisions themselves, they could have simply propagated app identity through the messages. Then you could have killfiled programs as well as people. If SpamBot2000 shows up and starts flooding groups, one command is all it takes to wipe out the spam. Where it gets trickier is if someone releases an NNTP client that has legit users but which can be turned into a spambot, like via scripting features. At that point users would have to make the call themselves, or the client devs would need to find a way to limit how much damage a scripted client can do. So the decision on what is or is not "approved" would be in the hands of the users themselves, in that design.
The above may sound weird, but it's a technique that allows P2P networks with client choice to be competitive against centralised alternatives. And it's worth remembering that for all the talk of the open web and maybe the EU can do this or that, Facebook just did the most successful social network launch in history as a mobile/tablet only app that blocks the EU. A really good reason to not offer a web version is because mobile only services are much easier to defend against spam, again, because mobiles can do RA and browsers cannot. So the web is already losing in this space due to lack of these tools. Denying the web this sort of tech may seem like a short term win but just means that stuff won't be served to browsers at all, and nor will P2P apps that want to be accessible from desktops be able to use it either.
Anyway it's all very theoretical, because at this time Windows doesn't have a workable app-level RA implementation, so it's mobile-only for now anyway (Linux can do it between servers in theory, but not really on the desktop).
I imagine many elderly folks that haven't kept their systems current or updated may also face the same issue.
Google is loving this, I bet.
Fight.
This presents enormous barriers of entry to both hardware and software entrants.
And we've now reached the point that PCs come with Windows for the same reason you can't find a non-"smart" TV anymore. It comes preloaded with spyware, which has a market value to the seller, which makes that device cost less than one with only free software on it.
Sophisticated buyers then take the discount and wipe what it came with, which contributes to alternatives not being widely available, but unsophisticated buyers don't know how to do that and get stuck with the spyware.
I didn’t say any of that. You have no idea what I believe beyond that I don’t buy into the “mark of the beast”. Anything else you read into my comment is something you read in.
That you went straight to comparing my comment to Nazism seems a bit uncharitable.
Conversely, that system is not secure if the site conspires with the government, because the government could record the signature (or the token) and then compare it to the one the site has to violate the anonymity of a legitimate user. There are forms of encryption that prevent this (the user does a cryptographic operation on their own device that munges the data so the site can still verify the signature but can't tell which one it was), but now you need the government to implement that system -- and update it if any vulnerability is found -- and do a coordinated update of all the sites in the world with the new protocol that patches whatever vulnerability is found -- and do this rapidly and competently because in the meantime the system would have to be taken offline to avoid it being actively exploited.
Do Not Attempt. Failure inevitable.
Any assumption the client is "trustworthy" requires attestation. I was certainly being hyperbolic with my examples. Using a more concrete example of, say, a device's camera and LIDAR claiming a living human is interacting w/ the device would require software and hardware attestation with a chain of trust extending to the camera and LIDAR hardware. Without that one could connect emulated inputs to those devices and game the system.
> A future where people can't cheat when playing with me is a positive direction to take computing.
I agree, provided that the architecture of the anti-cheat relies on that infrastructure happening server-side. Any architecture that requires the client to be "trustworthy" requires attestation and runs afoul of freedom.
I think having anti-cheat is a poor trade off for user freedom on personal computers.
> I assume you are talking about "The Right to Read" by RMS. ... we have chosen to focus on hardware based security instead of making debuggers illegal.
You can make a literal interpretation if you'd like. My takeaway from "The Right to Read" is a cautionary tale about architectures of control being used to remove user freedom. That rings true to me irrespective of the mechanism employed in the story, or even that it deals with ebooks specifically. That Stallman didn't think about tamper-resistant hardware, e-fuses, and key material locked up in embedded processors doesn't change the message of the story.
Might that apply to the software geocar credits with saving their life? Without knowing more, we can't say. There's a good chance it applies to things like running open source operating systems and browsers.
I'm not comparing your comment to Nazism, I'm comparing universal identity systems to Nazi behavior, because that's what they are. Their primary use, the major thing they do that decentralized credentials systems don't, is to facilitate mass surveillance and authoritarianism.
My point is that this has been understood for a long time, and the people who say "mark of the beast" have a legitimacy to their concern that has been demonstrated throughout history, regardless of whether or not you believe the fine details of the allegory.
At which it comes back to not allowing anything but the most locked-down clients, and disempowering users... and still failing, because all clients can be turned into spam bots with the most trivial application of autohotkey et al.
Just the domain is still a pretty major information leak.
> And before someone talks about the state knowing your browser history: they already can by calling up your ISP, and they would get a lot more information than this mechanism would provide.
Yeah, but they have to ask. This creates a system that requires preemptively sending them that information.
I took your particular reply as accusing me of being critical of religiosity-- specifically "...ascribing anything the other team says to superstitious fools and their invisible sky man."
I took your statement about "branding people" as a statement on this perceived accusation that I was speaking unfavorably about religiosity.
Your clarification that you were comparing universal identification to Nazism makes me read your comment in a different light.
- The OS can trivially expose to the app whether events are coming from real hardware or another app, information the app can then either report or not report.
- The attested user-agent string given can be extended to include information about any scripts that are driving it, e.g. script hashes.
And so on. Then these things can have reputations computed over them. If there's a script hash that shows up reliably in spam, and never shows up in ham, then you can auto-mark those posts as spam. If the scripts aren't known then messages can be throttled until enough users have voted on whether the messages are spam or not. All this is fairly straightforward to code up, again, in a theoretical world in which operating systems expose information like whether events are emulated or not (today they don't).
The trick is that clients don't have to be locked down. The tech is fundamentally about letting you prove true statements. Those statements can be as complex as needed to allow whatever level of customization and control is desired. The more malleable clients are the more complex it becomes to determine what is and isn't considered OK, but in a decentralized system that policy complexity is up to the end users themselves to decide. They can share logic in the same way USENET users used to share killfiles.
Anyway, my point isn't to try and design a full system here. It's research level stuff. Only to point out that this stuff brings spam/abuse control out of BigTech-only world back into the realm of small scripts that can be written and shared by users in a decentralized way.
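The reputation-and-throttle scheme sketched above (auto-mark a script hash that shows up only in spam, deliver a small sample from unknown scripts, hold the rest until users have voted) as an added example; this is not the commenter's code, and the vote thresholds, sample budget and message fields are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

MIN_VOTES = 5      # user votes needed before a script hash gets a verdict (assumed)
SAMPLE_BUDGET = 3  # messages from an unknown script delivered so users can vote (assumed)
HAM_MAX_SPAM_RATIO = 0.1


@dataclass
class Message:
    sender: str
    body: str
    script_hash: Optional[str]  # attested hash of the driving script; None if none reported


class ScriptReputation:
    """Reputation over attested script hashes, built from votes by the users themselves."""

    def __init__(self) -> None:
        self.spam = defaultdict(int)
        self.ham = defaultdict(int)
        self.samples_left = defaultdict(lambda: SAMPLE_BUDGET)
        self.held = defaultdict(list)  # throttled messages per unknown/mixed hash

    def vote(self, script_hash: str, is_spam: bool) -> None:
        (self.spam if is_spam else self.ham)[script_hash] += 1

    def verdict(self, script_hash: str) -> str:
        votes = self.spam[script_hash] + self.ham[script_hash]
        if votes < MIN_VOTES:
            return "unknown"
        if self.ham[script_hash] == 0:
            return "spam"   # reliably in spam, never in ham: the rule from the thread
        if self.spam[script_hash] / votes <= HAM_MAX_SPAM_RATIO:
            return "ham"
        return "mixed"      # legit users plus abuse: left to the users' own call

    def handle(self, msg: Message) -> str:
        """Returns 'deliver', 'spam' or 'throttle' for an incoming message."""
        h = msg.script_hash
        if h is None:
            return "deliver"
        v = self.verdict(h)
        if v == "spam":
            return "spam"
        if v == "ham":
            return "deliver"
        if v == "unknown" and self.samples_left[h] > 0:
            self.samples_left[h] -= 1
            return "deliver"  # a small sample goes out so users can vote on it
        self.held[h].append(msg)
        return "throttle"

    def release_held(self, script_hash: str):
        """Once a clear verdict exists, flush held messages with that verdict."""
        v = self.verdict(script_hash)
        if v not in ("spam", "ham"):
            return []
        msgs, self.held[script_hash] = self.held[script_hash], []
        return [(m, "deliver" if v == "ham" else "spam") for m in msgs]
```

Votes and verdicts are per script hash, so one "killfile"-style vote set can be shared between servers in the same way killfiles were shared.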
And in a world that has zero outliers or unusual users. In reality, I guarantee my accessibility software would get flagged as emulated input (because it is) and marked as spam.
No, it can't -- see below; there's also no quantitative objective stated or communicated. Hence, it is not controllable, whether it achieved the stated objective or not. What would happen, if it doesn't achieve it? Nothing, because it was not promised clearly enough, just in some vague way.
But it happens to achieve different goal -- for example, even more concentrating the control over general computing into fewer hands.
Would it be rolled back, if it doesn't achieve the stated goal? Of course not; it will achieve the hidden ("it just happened, who could ever know, pinky swear") goal, and that's important. Not the pretend-goals that were used to sell it to the general public.
Now, why it won't achieve the stated goals: because spam is a problem also with closed systems. Ever got a junk call? Users use only "approved" devices, and even if the system can put limits on the source, it also limits how the destination can protect itself. The important thing with spam, scams, etc. is that whenever there is a possibility to make money, the scammers will find a way. Even with a low-tech approach (like hiring a bunch of human operators of the approved machines). They weren't stopped even when what they did was illegal, so why do you think RA will achieve what the law didn't? To make things worse, the closed nature made it more difficult for the victims to save evidence of the spam, scam.
So of course it won't reduce the scams. But it will make the situation worse for us all. And web losing to proprietary platforms? It will certainly lose, when it is turned into one of the proprietary platforms.
To make this work, I suppose it will finally be necessary for Windows to disallow all user-space code injection (e.g. in-process hook DLLs), including from assistive technologies. I guess this tightened security could be a per-app opt-in feature, at least initially. UI Automation on Windows 11 may finally be ready to take over the work that in-process injected DLLs (particularly from screen readers) previously did without performance regressions, though as far as I know, this hypothesis hasn't really been tested yet (or if it has, that happened inside the Windows accessibility team at Microsoft after I left). The trick will be to give the third-party screen reader developers a strong incentive to prioritize moving away from third-party code injection, without harming end-users in the process (i.e. not suddenly releasing a browser or OS update that breaks web browsing with screen readers).
What other changes or API additions do you think will be necessary to enable workable app-level RA on Windows?
It also enables more software to be popular because it will be cheaper to run sites and sites can be more profitable than before.
Failing attestation does not mean you get blacklisted. It means that you are not as trustworthy. Not every CVE breaks an OS's security model.
TLDR holdbacks might help with specifically the DRM component; but they can only go one of three ways:
- They can be effective at forcing sites not to rely on attestation, in which case there is no benefit to this proposal because everyone (including users of browsers like Chrome) will still be subjected to the same invasive backup strategies. You'll still be fingerprinted and tracked no matter what because even if you're using Chrome 1/20 times you send a request the website will just revert back to the original fingerprinting.
- Or if they aren't effective at forcing sites not to rely on attestation, well... then they haven't solved the DRM problem.
- Finally, attestation might be used to primarily decrease annoying behaviors, which will still in practice make browsing the web for anyone who doesn't use a browser with attestation so painful that they'll eventually switch. Think "you're not on Chrome, so you're going to see 9x the captchas you otherwise would see."
You can't simultaneously have "this allows us to trust the client" and "we can't rely on it." One of them has to give. At their best holdbacks would turn this into another tracking vector and would change nothing about the web for the better. More likely, holdbacks will allow sites that would previously be judicious about where they used captchas and blocks around the site to start spamming them everywhere -- because Chrome users will only see 5-10% of those annoyances. And at their worst, sites would just not implement the fallbacks because the attestation signal is still reliable enough.
Holdbacks call the entire motivation of this spec into question, since the whole point of holdbacks is to make it impossible for websites to get rid of the invasive "backup" walls and tracking and captchas that the spec claims to be trying to replace. Blocking ad fraud? Blocking automated requests? WEI only helps with that if websites can trust the signal and block browsers that aren't sending it; otherwise websites are right back to square one trying to prevent fraud. But if they can do better blocking based on that signal, then we're back in DRM territory.
----
Another point raised by another commenter: >>36884649
Implementing holdbacks in a way that actually prevents DRM is likely to be fairly challenging. In the most straightforward implementation, websites can simply retry the request until they get an attestation token or until they hit 10 iterations, at which point they'll ban you as normal.
Statistically profiling users and determining whether or not their browser supports attestation is likely to be fairly easy, unless Google has a much cleverer implementation of holdbacks than they've revealed so far in the spec.
This would be the worst case scenario -- holdbacks would be used as an excuse to push the changes through and sites would simply ignore them and block users based on aggregate stats: you haven't passed an attestation check in the past 30 minutes even though you made 20 different requests that should have had a token attached? Yeah, you're pretty likely on an "unsupported" browser.
Reach out to an attestor and discuss with them what the process is for them to trust you.
>How much will it cost?
It will likely be free. If not it will be significantly less than the cost of writing an OS.
>This presents enormous barriers of entry to both hardware and software entrants
Hopefully they are high enough that fly-by-night malicious actors do not bother with trying to get their insecure hardware and software to be trusted, but low enough that good actors can prove that they can be trusted.
The Windows team would need to at least:
- Get apps using MSIX (package identity)
- Design an API to get an RA for an app that has package identity. Make a proper keychain API (or better) whilst they're at it.
- You don't have to block debuggers or code injection, but if those things occur, that has to leave a trace that shows up in the RA data structure.
- Expose to apps where events come from.
- Compile databases of machine-level PCRs that reflect known good configurations on different boards. Individuals can't do that work, it's too much effort to keep up with all the different manufacturers and Windows versions that are out there. MS would need to offer an attestation service like Apple does.
Some of that stuff is already there because they pushed RA in an enterprise context for a long time. I don't know how widely adopted it is though.
Sure, but that sounds useful.
>Any architecture that requires the client to be "trustworthy" requires attestation and runs afoul of freedom.
Okay, but I would give up freedom if it means there are no cheaters. Not all cheats can be detected server side. The cost of stopping name cheats server side is more expensive than stopping them client side. If the cost of anticheat is cheaper, it means that games can be developed for cheaper, incentivizing more and higher quality games to be made.
I don't really know what to tell you. This stuff does work extremely well, it's unambiguously the case. Google already use a software-only form of RA on the web and have done for years. It cut through spam like a knife through hot butter. They could already detect 10 years ago if a Python script was pretending to be Chrome, or if Chrome was pretending to be Firefox, or if IE was being driven by VBScripts or an IE WebView was embedded into apps that then manipulated the web page externally. No hardware chips or new web standards needed! But, the approach used is/was in the end just a neat hack, and it's guaranteed that spammers will eventually defeat it. Perhaps they already did. I guess there must be a reason why this proposal surfaces now, given the ideas aren't new.
> To make things worse, the closed nature made it more difficult for the victims to save evidence of the spam, scam.
I don't quite follow the logic here. Why wouldn't they be able to save evidence?
As an industry we are getting better at security and finding and patching vulnerabilities.
>Attestation does not prove that a device meets any security bar.
But it can prove that a device's software and hardware are running software and hardware that do pass your security bar.
>No, it doesn’t provide any guarantee other than the power that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.
Security doesn't have to be perfect in order to be beneficial.
While Spam is a problem and affects decentralized systems more easily (if they have a critical number of users), the cost of client attestation is just too high.
I am perfectly happy if the web stays open and a lot of people go into the app space and stay there. I am happy for facebook and don't think I am missing out on the web. I don't use any apps for social media and exclusively use browsers. I wouldn't want a second app space on the web at all because the mobile environment is an ugly abomination of software crap.
If we have a form of RA, it will get worse for users and developers alike. It will be a far worse hassle than killing a bit of spam and we give the wrong players too much power.
If you're a 2023-web purist who's willing to just avoid whole services because they're not on your preferred platform, then hw-backed web RA would make no difference to you even if it could be implemented (which IMO it can't): you'd avoid the services that use it just like you already do today.
How would you not block debuggers if those aren't verified? This adds insane busy work for little advantages and again would make Microsoft the gatekeeper of hardware.
For which benefit exactly?
You didn't protect non-tech savvy users at all, on the contrary, you introduced a point of failure for their devices. Some have customized ones which would need to be verified. Doesn't sound like a good idea at all.
It is simply the wrong approach to focus on the negative, in this case spam or in general hostile bots.
The reason why it needs to be managed by the government is because legal contracts are ultimately enforced by government courts. Many things that, today, rely upon pen-and-paper signatures (and Docusign-style electronic variants, which are just digital facades to the pen-and-paper reality), to get them enforced, require submitting more mountains of paperwork and physical appearances etc. We can't get out from behind that paper legacy, really start to explore contracts that can be disputed and enforced with simple online forms and no in-person appearances (everything from employment, to real estate / housing, to credit...) until the courts have a trustworthy way to say, for this digital identity that signed that agreement, we know that it really was such-and-such a real person.
> It's a straight way to tyranny.
You'll disagree, but I would argue that it isn't more powerful tools that make government tyrannical, but a lack of education, poor culture, and a lack of checks-and-balances on government power. The government is supposed to have a monopoly on various parts of life, first and foremost a monopoly on violence (police, courts, and justice). "Democratic" but weak governments (consider e.g. Mexico, in the context of the drug wars) are ineffective at securing the blessings of life, liberty, and the pursuit of happiness; America has a history of strong governmental institutions that protect these rights. "Technology is neither good, nor evil, nor neutral, it simply is," and indeed, improving governmental strength by pushing past technical barriers is simply an orthogonal concern (IMO) to whether or not governments are just or tyrannical.
It is considered broken because there is a faster way than simple brute force to create a collision. The currently known approach is still computationally expensive.
It is correct to call it broken, but I don't see the implications for TPM at all. TPM is shitty tech in the first place in my opinion, but aside from that there is little practical relevance.
There are no problems with debuggers. For one, debugging an app that isn't compiled in debug mode is very hard. If you're at that point something has gone badly wrong somewhere already. For another, there would only be a problem if you're trying to debug a production build of the browser whilst simultaneously accessing a service that wants to measure your environment. That would be an extremely specific scenario that virtually nobody would ever encounter, especially not compared to the much more common scenario of being asked to solve horrible CAPTCHAs.
If we don't allow people who are contributing to the problem in any way, or are benefitted by it, to oppose it, we are doomed to fail.
Asking people to not use Chrome isn't asking much, and yet people here can't even manage that.