I don’t understand why so many opinion pieces and news keep on saying that Web Environment Integrity could be abused and that’s why we should oppose it. This misses the point a great deal.
Implementation of Web Environment Integrity in browsers IS ITSELF AN ABUSE, because I have the right to go around the web without continually proving who I am, even less against a 3rd party.
It’s as if someone said that some officer (and not even a government one) should always be by your side when you go out, ready to certify who you are, whenever you speak with people on the street – and even with friends. Would you accept that?
Are we totally out of our minds??
I can only assume these opinion pieces are written by people who use Google for everything they do and trust them.
Dumb fucks, to quote Zuckerberg…
[This comment has been deleted by an automated system]
That works until you are forced to interact with a website that only works with it, either by work or school.
deleted by creator
There was a lawsuit regarding this just recently, where a student successfully sued over a room scan for an exam. It’s absolutely ridiculous and shouldn’t be tolerated by any student.
How would WEI work? What signals does my computer send to convince the other computers that my computer is doing what they want? Is it based on some “trusted computer” hardware level bullshit that’s already there? (I just want my computer to do what I want.)
Without having read anything about WEI at all: Microsoft already supports something similar by using Windows Hello (Edge). It’s using your TPM to make sure the hardware/OS wasn’t tampered with. On Android, this is comparable to SafetyNet/Play Integrity.
Will have to wait and see how Apple reacts with Safari. Mozilla dismissing the proposal is big, but Apple has the second largest mobile OS marketshare with iOS, and so Safari is very relevant for websites to support it.
Doesn’t Safari already have their own version of this?
They do indeed: https://httptoolkit.com/blog/apple-private-access-tokens-attestation/
From the article:
The focus here is primarily on removing captchas, and as such it’s been integrated into Cloudflare (discussed here) and Fastly (here) as a mechanism for recognizing ‘real’ clients without needing other captcha mechanisms.
Fundamentally though, it’s exactly the same concept: a way that web servers can demand your device prove it is a sufficiently ‘legitimate’ device before browsing the web.
Lmao, no. Google is out of their minds. Apple has zero interest in controlling browsers or ads.
https://money.cnn.com/2017/08/31/technology/business/apple-net-neutrality/index.html
From the article:
“We work hard to build great products, and what consumers do with those tools is up to them — not Apple, and not broadband providers,” Cynthia Hogan, VP of public policy at Apple
Prove it, then. Unlock the bootloader. Allow us to install our own apps. Let us install our own OS on the hardware. I get they don’t want to open source their iOS, that’s fine. They say “what consumers do with those tools is up to them”, but then they lock those tools down TIGHT. Actions speak much louder than words. They say those tools are ours? They need to show us that this is true.
Then what’s this? https://httptoolkit.com/blog/apple-private-access-tokens-attestation/
A part of Apple’s long term, multi-stage deployment to phase out passwords entirely. They announced it last year during WWDC and said it will be messy and not without hurdles, but they’re committed to having strong cryptography without the need for a password at all.
Related: https://www.wired.com/story/apple-passkeys-password-iphone-mac-ios16-ventura/
A far cry from what Google is trying to do or their long term plans (we all know Google is trying to siphon more ad revenue).
Google’s proposition is as bad for Apple as it is for the rest of us.
Honest to god doublethink right here.
I don’t think it’s related at all. You can implement passwordless technologies like FIDO2 and Webauthn without browser attestation.
A far cry from what Google is trying to do or their long term plans
It’s literally very similar technology though, and none of us know Apple’s long-term plans for it. It’s well-known in the digital ad industry that Apple are trying to increase the size of their ad network. Locking down tracking (app tracking transparency) is also advantageous to them as it only applies to third parties - Apple can still track users.
Passkeys (which are broader than just Apple) and this are not related at all. Regardless, Apple absolutely has interest in controlling browsers. Hell, they already do it on iOS, where you can’t use any rendering engine other than theirs.
The only reason they might be against this is because they feel they can’t control it the way they want.
Brave and Vivaldi (and Edge) have no say in the matter, they are practically in the business of rebranding Chrome for what it is and contributed to reinforcing Google’s monopoly. I have absolutely no sympathy for them.
Microsoft are staying suspiciously quiet then. And what about Apple?
Apple already added basically the same thing about a year ago: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/
Is this technically equivalent to Google’s proposal? Apple say that their version was developed in collaboration with Google, so it would be surprising for Google to go and deploy a second version of the same thing, were it not for the fact that Google always has two competing versions of everything.
And I guess the main reason people are more concerned about Google’s version is that they are so dominant in the browser market.
The details are a bit different. PATs use HTTP headers during a request while WEI is a JS browser API. But otherwise the general structure and end result are the same. A website requests an integrity check, an attester checks your device, and if the attester doesn’t like your device then you’re SOL.
Apple won’t do anything of the sort. They were in support of net neutrality and are committed to an open, free web. One of their chief complaints against Adobe back when Flash was at its all time peak was just that: it gave Adobe control of the web. They pushed for HTML5 and other alternatives.
Google is alone in this. However, I feel they can’t do it without Microsoft. At least not to the effect they are hoping, so I totally see MS jumping on this as they have been firing on all cylinders with regards to “Windows as a service”. All they care about is building their own monopoly.
Apple already added attestation into Safari.
Edge is a Chromium browser, isn’t it? Then again, so is Brave and the article indicates they are making a point of removing this stuff from their build. Safari is its own thing though afaik.
Brave is a Chromium fork with custom stuff, they can just not implement it if they want.
There needs to be a unified fight against this, that involves not only browser companies but also the businesses running major websites. If it goes through and Google manages to persuade websites to use it, all the other browsers will be forced to implement it if they want to continue existing. And then no more freedom for web users.
You’re right. But it’s so much worse than that.
Imagine, for a minute, that this passes. If a website exists that a specific entity disagrees with (say… a whistleblower forum, or accounts of how Google is abusing its powers, or accounts of how a Government is abusing its citizens), all that would need to happen is for the “integrity authority” to deny access to that site, and it will be censored. Whereas now, a website has to be taken offline (in most cases) to be effectively censored, if this passes, the “integrity authority” would just need to say nay.
Imagine never hearing of the Snowden files, or George Floyd, or the Russian-Ukraine war. Not because they didn’t exist or didn’t happen, but because you ‘weren’t allowed’ to see them by an entity who benefits from you not seeing them or knowing about them.
If this passes, we would be -officially- entering a dystopia.
Won’t there need to be backwards compatibility with sites that don’t implement this? The default would have to be that the browser is allowed to see a site that doesn’t require attestation. So if the whistleblower or political site just didn’t implement this, would that be a way around it?
At first, maybe. But not ultimately. If you compare it to TLS, for example, if the site uses TLS 1.0, your browser will simply not load the site. This web integrity thing is similar.
Another, maybe more relevant, example, is Flash. Once Google decided Flash will no longer be supported on their browser, Flash died. I actually don’t disagree with the killing of Flash, but the idea is similar.
I actually don’t disagree with the killing of Flash
I miss it sometimes. There’s still no good way to have lightweight vector animations that web designers or animators can work on (no code required), that work the same cross-browser. There’s some JS libraries but they often need developer involvement (a designer can’t always set everything up themselves) and tend to be quite heavy libraries (which slows down the page, which reduces your ranking in search engines)…
I can’t honestly see how any other company can single-handedly stop Google if they go through with this. Google has the ability to strong arm this proposal by having Youtube and Google search dependent on Web Environment Integrity. There are enough alternatives to web search but I can’t see how anyone can fight Google’s dominance in video hosting to stop them.
You would almost have to have every other major website intentionally break on Chrome to even the playing field, and if Google still don’t back down you are left with a divided internet.
If you oppose this, don’t just comment and complain, contact your antitrust authority today:
US:
https://www.ftc.gov/enforcement/report-antitrust-violation
EU:
https://competition-policy.ec.europa.eu/antitrust/contact_en
comp-greffe-antitrust@ec.europa.eu
UK:
https://www.gov.uk/guidance/tell-the-cma-about-a-competition-or-market-problem
France:
https://signal.conso.gouv.fr/fr/tel-internet-media/faire-un-signalement
Germany:
@kartellamt@social.bund.de (anti-cartel bureau) of @BMWK
https://www.bundeskartellamt.de/DE/Kartellverbot/Anonyme_Hinweise/anonymehinweise_node.html
https://www.bundeskartellamt.de/DE/Missbrauchsaufsicht/missbrauchsaufsicht_node.html
Philippines:
https://www.phcc.gov.ph/file-a-complaint/
India:
https://www.cci.gov.in/antitrust/
https://www.cci.gov.in/filing/atd
Canada:
https://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/frm-eng/GHÉT-7TDNA5
The UK government won’t do anything, they’re probably all for this, assuming they understand it.
Brave can suck it too.
Why so?
The guy that founded Brave only did so after getting fired from Mozilla for homophobia
WHAT!? That’s wild, and the first I’m hearing of this.
I heard this for the first time too, but it looks like they’re right https://web.archive.org/web/20191223181612/https://leafandcore.com/2016/09/03/brave-is-a-browser-that-could-save-the-web-but-its-from-an-awful-person/
I believe I remember they had a crypto thing going on
At this point, why don’t the companies who run Chrome derivatives work together to build a fork that evolves separately from Chrome? Edge, Vivaldi, Opera, etc. will never get the marketshare on their own to rival Chrome, but together, they could make a dent with a unified browser engine.
Alternative plan: why not use Gecko? I know it’s more work to do so, but I would call that the lesser of two evils at this point.
Gecko (Firefox engine) is already being worked on, why not contribute there instead of losing community? If anything, why do those browsers use an engine that is controlled by a single company?