Revert Web Environment Integrity (github.com/chromium)
81 points by DontWantToShare on Nov 4, 2023 | 52 comments



OK. Not surprising. The way a web standard works is that, when it's proposed, you start implementing it. It was hardly as imminent as people were acting.

It was terribly proposed. The idea has some interesting merits but, Jesus Christ, horribly proposed and so obviously abusable.


Sounds like great news. I hope Apple follows suit and removes attestation from macOS and Safari.


This was reviewed by Google internally and approved for merge?!!


Google’s market position is shifting. Soon they won’t have the free-flowing treasure-trove of data they once had because of the death of third-party cookies. You can see it in the way they’re focusing more on sampled data. It not only saves them money on compute, but also allows them to do more with less. Meanwhile, the whole privacy sandbox initiative itself is practically a trojan horse for them to collect on the billions they’ve poured into Chrome. They want you logged in. They don’t want you to block ads. They want to “protect you” [from things that endanger their business interests]. Chrome is no longer safe.


they're also likely to lose certain monopoly contracts. they definitely want political points.


AFAIK this is how proposals work, in general. You get the feature added behind a flag and you start implementing it as a demonstration.


If the past is any indication, this will come back in a while in a different form. One of those times they'll succeed. Chrome is the new IE with extra steps.


Couldn’t they just get around this by adding automatically installing fully sandboxed android apps (I’m thinking WebAssembly)? And making it so the download for a web view android app is smaller than 100k? And making them available on Desktop?


There's got to be an equivalent to Betteridge's Law of Headlines for HN comments: if a comment starts with "couldn't they just" and is followed by one or more immensely ambitious proposals, the answer is automatically "no".


That's quite a stretch, to apply a law about headlines to short comments.


Reminder not to lower our guard, as they will keep trying, stealthily, using back-handed methods.


Who wakes up in the morning excited to go implement 1984 style attestation? I cannot imagine being empowered with hard engineering skills and then wasting my precious little time on this earth toiling away at something so uninspiring. There are an infinite number of actually interesting problems to solve...go fix a compiler bug or write a cool GPU algorithm and stop fighting against freedom.


Because if you ignore all of the real world consequences of doing so, it does solve some problem. It’s the Jurassic Park issue, and what happens when deeply technical people get so caught up in the fact that they could do something that they fail to consider the externalities of doing so.

Of course in this case it’s a bit more than that, in that Google was deliberately and strategically aiming to use this to further monopolize its position and inweave itself into the fabric of the internet.


Well said. Also consider that some people are just trying to make a living while coping with children, aging parents, health, whatever.

It’s easy to preach that everyone should refuse to do work that is “bad” in some nebulous, long term way. Especially if you’re comfortable and can afford to quit as a matter of principle. But not everyone can do that.


Google employees can do that in my opinion. These aren't coal miners in small town Virginia with no options. They are (for the most part) tech elites who could work just about anywhere.


Theoretically, long term, yes. But I deeply envy you if you’ve never had life circumstances that would have made quitting on principle impossible.


Yeah, but I can totally relate to getting lost in the sauce growing a freaking T-Rex (!?!?). Bonus points if it eats management. But even just the word "attestation" makes me want to beat up the office printer in a field.


> Who wakes up in the morning excited to go implement 1984 style attestation?

The problem with 1984 isn't just the power Big Brother wields, but the malevolence with which it is inflicted. Would it be the same story if Big Brother were benevolent?

This is why we want tech people to learn ethics and consider social impact. If you ignore (or are blind to) the massive social consequence of WEI, you can see all the problems it'd solve or help mitigate. Goodbye spam and LLM spam, revenge porn and traffickers can be tracked back, etc.

To be clear, this is not an endorsement of WEI, only that it's very easy to imagine the type of person who can passionately implement it.


>Would it be the same story if Big Brother were benevolent?

Yes. Try Huxley's 'Brave New World'.


Ah, the ‘Orwell was an optimist’ book.


The same way people work for the military-industrial complex, or for Big Oil: big wads of money. There are plenty of people whose morals are somewhat flexible, for the right price.

You can solve plenty of interesting problems in your spare time when you're able to retire at 40-50.


Google Play SafetyNet exists. Almost all native apps have anti-user libraries like this. Pen tests will flag your app if it can run in a jailbroken system or if it detected the user might have root access. The entire rest of computing is in hell world & people spend time actively eroding user rights just because, with no real threat vectors known.

The web is uniquely unblemished, still filled with ideas, hope and rfc8890 "the internet is for end users" optimism. https://datatracker.ietf.org/doc/rfc8890/


If you want to run a website today you need to either

1) Implement your own authentication to filter out bots, even if the service could be otherwise public (permanently identifying all your users)

2) Pay some WAF provider like Cloudflare to sit in front of your service and send Captchas (and while you are at it let them man in the middle all your users' traffic, somewhat defeating the purpose of TLS).

3) Be rich enough to scale your backend to deal with any DDOS/scraper

A cheap way to throttle or drop non-human traffic and bringing back the option of being able to spin up a couple of VPS's and host a website without involving a WAF seems like a cool problem to me.

Of course it's more dubious coming from a company that already has the ability to do 3).


I doubt many engineers do. It's all little pieces that add up to fulfill a larger corporate strategy. I'm sure the designers of TPMs etc don't see themselves as part of a large scheme to fully lock down everyone's devices and have corporations decide exactly what people see and share. But their work is required for it.


> Who wakes up in the morning excited to go implement 1984 style attestation?

Probably folks who remember trying to play Counterstrike against wallhackers and enjoy that experience.


it's obviously not the engineers that are making the decisions, and if you're being paid $x00,000 a year by Google, maybe you do have some enthusiasm about your work, 1984 or no


Never underestimate the variety of interests and goals in a company of 100,000 people.

I don't doubt this was something somebody thought was a good idea and was willing to invest their engineering career in pulling off. History is full of people who were excited about building the biggest bomb or a gun that could shoot space.


>a large check appears


It's that simple, really


Well the thing got merged in the first place, so someone wants it.


Pretty much. This is likely more of a tactical regrouping.


They already have. They're sneaking it in via WebView in Android:

https://android-developers.googleblog.com/2023/11/increasing...


Context?



A core problem with the proposal is that it did nothing to address web extensions. So sure you know someone is using the real Chrome, but they could be using a web extension that scrapes stuff or acts like a bot. There needs to be a way for sites to verify they are on a real Chrome that is operating to specification, but also that no web extensions are able to interact with the page itself.


Why does there “need” to be a way to do that? What benefit does it give the user?


In the context of the original goals of WEI being good goals. I believe GP's point is that with Chrome extensions being unaccessible from the attestation standard, WEI wouldn't accomplish its goal.


Much like the Patriot act it was for your safety and security.


Platforms they use having less spam. Their data not being in big datasets of scraped user information. Their accounts not being compromised from credential stuffing attacks. Not having to deal with cheaters in multiplayer games or games with high scores.


Way to be the dude to show up and argue, is it cruel and evil enough?

You sir are in flagrant violation of rfc8890 & need to get your head screwed on straight. The browser is called a user-agent because it grants the user agency. It does not represent the sites; it is the user. It should empower not restrict them. https://datatracker.ietf.org/doc/rfc8890/


RFC8890 is about IETF specifications. WEI was not an IETF specification. The relevant standards body would have been the W3C. I am not currently in the process of submitting a standard to the IETF. The IETF is not relevant here.

Regardless, attestation benefits the user as it allows the websites they use and share data with to be more secure. WEI didn't make sense because it didn't actually prove the integrity of anything.


IP, TCP, and QUIC are all IETF standards & in use here. The base of the pyramid, governing the internet as a whole, says the Internet is for end users. That doesn't seem in the slightest bit hard to see.

It's unclear that websites would be more secure by virtue of having a Google or Microsoft or Apple attested OS. What examples have we seen of users running their own OS contributing to a web host's security issues? Got anything? Probably not! WEI has always been of dubious use.

Your original claim that extensions needed to be blocked was an explicit anti-goal of web. Users obviously have a right to extensions, which allows for accessibility affordances, for example. Would you also propose turning off view source and the debugger? What other nastygram blocks of shit do you propose smacking users in the face with?

It feels like you are trying really hard to be obtuse negative & nasty to users, and throwing absurd ridiculous arguments out to anger people, who care about users.


>IP, TCP, and QUIC are all IETF standards & in use here.

The RFC is about the development of those standards. It is not talking about the usage of them.

>What examples have we seen of users running their own OS contributing to a web host's security issues?

For example there are scripts that take lists of email password combos and send network requests to attempt logging into these accounts. Then using these accounts the attackers do malicious actions. Platforms that make it harder or more expensive to automate things will have fewer people using them to abuse services.

>Your original claim that extensions needed to be blocked was an explicit anti-goal of web.

If sites only want to allow input injection that comes from preapproved password manager extensions they should be able to get proof of if that's the case. The alternative to the browser blocking the extension is that the site could ask the user to disable the extension or just provide an error that the input came from an untrusted source. There are some different options in how this could be handled.

>Users obviously have a right to extensions, which allows for accessibility affordances

Yes, but my concern is mainly with the proof part on the server side. So the server can be sure that actions taken were not being done by an untrusted extension. Accessibility also needs to be carefully considered as bad actors may use accessibility features to bypass security.

>Would you also propose turning off view source and the debugger?

No, I have not seen a big demand for keeping code a secret. For the relevant problems trying to hide the code is security by obscurity.

>What other nastygram blocks of shit do you propose smacking users in the face with?

I don't intend to smack any users. 99% of users will not even notice anything has changed, but attackers will realize that their job just got a lot harder.

>It feels like you are trying really hard to be obtuse negative & nasty to users

I feel if you had to deal with protecting a website from bad actors you would appreciate my viewpoint.


So the problem was that it didn't steal enough control away from users?


No, the problem was the attestation was not of the entire stack. By not attesting the web extensions someone could create malicious web extensions to bypass the security of the system.

As a reminder attestation does not steal control away from users. They are free to use whatever software and do whatever they want. They just will not be able to attest to a server that they were using a trusted stack in the case they were not.


Sure, if you have a fundamentally different view of the Internet as approved dumb terminals rather than devices communicating over protocols. Say it with your chest. Saying you'll still be allowed to run your own programs here is like saying you'll still have free speech as long as you stick to the approved free speech zones.


On the internet users have never had total control over the websites they have interacted with. The owner of the website has the control. Attestation doesn't change this. Users control their machines and software and websites control theirs.


Attestation means that websites de facto control users' machines. If everyone uses it, and they will, you don't have a choice.


No, it doesn't. Gambling sites don't control people into becoming 18+. Being of the appropriate age is just proof the user gives before the website offers service.

Similarly by having people prove what software stack they are using to a website, that website may be able to improve the user experience for everyone.


This isn't identity proofing! I believe websites shouldn't be allowed to discriminate based on software stack. Who decides what software stack is blessed? If it's about piracy and ad blocking, say it with your chest, don't say it's about my user experience.


>Who decides what software stack is blessed?

It should be up to a site to be the one who chooses what stacks to trust and how much trust to put in them or what to trust them with. I do think a way to delegate a third party to manage what to trust would be useful so new browsers would only have to go to a few big players instead of every single site to get their browser trusted.

>If it's about piracy and ad blocking, say it with your chest, don't say it's about my user experience.

It can be about both. You specifically asked for ways it improved the user experience, so I gave you that.



