The reason we can still run Linux on our desktops and laptops today, is that Linux was already popular enough back when Secure Boot was specified, so that Microsoft could be convinced to allow Secure Boot to be disabled and/or user-specified keys to be enrolled (and also to sign the bootloader for Linux distributions which follow a specific set of criteria when Secure Boot is enabled). Had desktop Linux not been popular enough, Microsoft would have required all OEMs to not allow disabling Secure Boot or enrolling user-specified keys (as they later tried to do with ARM laptops).
In the present day, are alternative browsers popular enough that we can avoid the worst-case scenario? Do enough people compile these alternative browsers from source code (meaning each binary is slightly different) to make a difference?
I think Microsoft made it mandatory to allow disabling secureboot because they wanted their older OSs to work, didn't want devices getting bricked when a vendor poorly implemented it, and didn't want to get hit with another anti-trust suit. not necessarily in that order.
The first use case they mention is restricting ad fraud (and, presumably, ad blocking):
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
So if this goes forward, websites will be able to call the web environment integrity API to check you are a proper ad-watching human before serving content.
"Your contract with the network when you get the show is, you're going to watch the spots. Otherwise you couldn't get the show on an ad-supported basis. Anytime you skip a commercial or watch the button you're actually stealing programming."
Jamie Kellner's words still ring true today. When corporations make content available supported by advertisements, they are assuming a moral obligation on your part to see those advertisements. Violating that obligation is felony contempt of business model.
I would love to know the personal motivations and moral feelings of those who work on features like this. Are they naive about how these features will be used? Do they not care? Do they not have a personal sense of responsibility for contributing to the end of open, free computing? It's been a while since I took a Big Tech paycheck, but I don't remember being this willing to go build nightmare tech when I was getting one.
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEIE APIs will ensure that ad blockers aren't running and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEIE we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Will anybody be able to do anything about it? This is not API for you and me. This is API for the big tech, for corporations, for Banks. They will use it, they will honour it. You may not use it, but because corporations will use it, it will become a standard. Three is no leeway. You have no control over big business. You will scream, they will do what they want.
So, in short: Google and other companies shamelessly polluted the web with ads and personalized ad driven content, and since regular folks use ad blockers, and ad manipulating people abuse the very system those companies fostered, there is now a supposed need to get the house in order... ...by force feeding us ads and trackers, bypassing whatever still allows people to browse sanely.
Absolute worst spec I've ever seen. Google needs to be loaded into a cannon and fired into the sun.
> How does this affect browser modifications and extensions?
> Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality: E.g. if the browser allows extensions, the user may use extensions; if a browser is modified, the modified browser can still request Web Environment Integrity attestation.
Then what's the point? I can make modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
I don't believe they're being honest with how this will be used. We need to legally regulate remote attestation.
> As new browsers are introduced, they would need to demonstrate to attesters (a relatively small group) that they pass the bar, but they wouldn't need to convince all the websites in the world.
Trusted computing is all about ensuring that your machine is trusted to run payloads and you can't observe or interact with them. Sad! I see why the free software people call it treacherous computing
> I can make modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
Yeah, this just incentivizes spammers to copy the parts of Chromium that do the attestation (or whatever browser has source available), and use that to pretend they're Chromium. There will always be workarounds. This seems to kill innovation and allow spammers to flourish.
I suppose I can understand an argument that they want to prevent scraping, but this is absolutely not going to stop that.
I'd go a step further. We need to ban it. It should be illegal to sell devices to consumers that already contain private keys, unless all of said keys are provided to the consumer at the time of purchase.
cesarb|2 years ago
In the present day, are alternative browsers popular enough that we can avoid the worst-case scenario? Do enough people compile these alternative browsers from source code (meaning each binary is slightly different) to make a difference?
throwawaymobule|2 years ago
akyuu|2 years ago
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
So if this goes forward, websites will be able to call the web environment integrity API to check you are a proper ad-watching human before serving content.
bitwize|2 years ago
Jamie Kellner's words still ring true today. When corporations make content available supported by advertisements, they are assuming a moral obligation on your part to see those advertisements. Violating that obligation is felony contempt of business model.
predictabl3|2 years ago
yencabulator|2 years ago
paulddraper|2 years ago
croes|2 years ago
000ooo000|2 years ago
https://hnrankings.info/36778999/
duckhelmet|2 years ago
I don't like you cause you contradicted me the last time, therefore I'm going to mod you into oblivion :]
dang|2 years ago
thesuperbigfrog|2 years ago
"Ad blockers need to be prevented. The new WEIE APIs will ensure that ad blockers aren't running and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEIE we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
renegat0x0|2 years ago
chicob|2 years ago
reportgunner|2 years ago
What about all the people who have an outdated browser and don't know how to update it?
edit: One of the goals addresses this[0]:
Continue to allow web browsers to browse the Web without attestation
nicolas_17|2 years ago
jchw|2 years ago
> How does this affect browser modifications and extensions?
> Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality: E.g. if the browser allows extensions, the user may use extensions; if a browser is modified, the modified browser can still request Web Environment Integrity attestation.
Then what's the point? I can make modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
I don't believe they're being honest with how this will be used. We need to legally regulate remote attestation.
> As new browsers are introduced, they would need to demonstrate to attesters (a relatively small group) that they pass the bar, but they wouldn't need to convince all the websites in the world.
It speaks for itself. Horrid.
thesuperbigfrog|2 years ago
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
This is the beginning of the further DRM-ification and enshittification of the Web.
hooverd|2 years ago
ollien|2 years ago
Yeah, this just incentivizes spammers to copy the parts of Chromium that do the attestation (or whatever browser has source available), and use that to pretend they're Chromium. There will always be workarounds. This seems to kill innovation and allow spammers to flourish.
I suppose I can understand an argument that they want to prevent scraping, but this is absolutely not going to stop that.
josephcsible|2 years ago
I'd go a step further. We need to ban it. It should be illegal to sell devices to consumers that already contain private keys, unless all of said keys are provided to the consumer at the time of purchase.
asdadsdad|2 years ago