this post was submitted on 03 Sep 2023
314 points (95.6% liked)

Technology

59472 readers
4837 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] elbarto777@lemmy.world 52 points 1 year ago (3 children)

The solution would be not to visit those sites that require this, right?

[–] Earthwormjim91@lemmy.world 33 points 1 year ago (2 children)

Well it’s already integrated into cloudfare and fastly. So good luck with that.

Pretty much all major sites use one of those two as a CDN.

[–] bobs_monkey@lemm.ee 6 points 1 year ago (1 children)

Wouldn't cloudflare's client (the website you're trying to visit) be the one to implement this, while cloudflare simply does the verification?

[–] Earthwormjim91@lemmy.world 10 points 1 year ago

No it would be cloudfare. That’s their whole business.

So, for example, right now if you visit a website using cloudfare as their CDN, and your browser looks “suspicious”, cloudfare will grab you and redirect you to a verification page to put a captcha in to verify that you’re human before they will direct you back to the website you’re trying to go to. That’s why people use cloudfare in the first place instead of trying to implement some verification themselves. It’s easier and cheaper to outsource to a specialist.

Attestation would just be a “fast pass” for users. If your browser looks “suspicious” then you would be redirected to cloudfare for verification. Instead of a captcha though, it would automatically negotiate with your browser that would present a token generated on device to cloudfare. Cloudfare would reach out to the attestor for that browser with that token to validate it. For safari it would be Apple, for edge it would be Microsoft, for other chromium browsers it would be Google. The attestor would look at the token and be able to say “yes this is a valid, unmodified version of macOS/Windows/ChromeOS/etc and likely to be a normal human” and you would be directed back to the website you want to go to instead of having to put a captcha in.

The danger is when these companies start to control attestation. If you have a modified OS? Sorry we don’t know if they’re human. And you’ll have to enter a captcha. Potentially, if your phone/machine is not the latest version? Sorry don’t know, enter a captcha. Using lineage instead of a licensed version of Android (like Samsungs skin, etc), sorry not validated, enter a captcha.

If attestation becomes mainstream, then it will be the default because it’s cheaper for the CDNs and everyone to do. But it puts the power in the hands of like 3 companies for attestation. And it’s very very likely they will start limiting attestation as a “feature”. Have a galaxy phone? Well if you haven’t upgraded in a few years and are no longer in recurrent supported devices list, sorry no attestation. And they only offer like 3-4 years of official support. So if you don’t want to enter a captcha every time you change webpages, better upgrade homie.

So naturally it will push your average consumer to just upgrading a perfectly fine device instead of keeping it. And it will discourage a ton of FOSS stuff because that will all be “unvalidated modifications” or won’t implement it. If Google implements it, that will be the nail because chrome has like a 70% market share and pretty much everyone will develop for that. So they’ll all develop with Google’s attestation in mind. If you’re using Firefox which won’t implement it, you’ll be entering a captcha every time. And that will push people over to the big companies.

Attestation is a MUCH bigger thing than people think. You don’t need to worry about every website implementing it. You only need to worry about like 3. Cloudfare and Fastly are two huge ones, which have already implemented it on an as available basis. Right now it’s just Safari but they have it available if Google and Microsoft implement it.

Google themselves are the third one since the way operate their own CDN for themselves and clients. If they implement attestation there will be immediately a huge chunk of the web using it. Like 70%+. Cloudfare has 20%+ of the market and Fastly is like 18%. Google makes up another huge chunk but I couldn’t find any figures.

That would be such a huge immediate usage that it would very rapidly become the default and would lock people into only the big companies.

[–] kitonthenet@kbin.social 6 points 1 year ago (3 children)

Ok, so I will not use them. This is acceptable to me

[–] Earthwormjim91@lemmy.world 26 points 1 year ago (2 children)

You’re using two right now lol.

Both Kbin and Lemmy world use Cloudfare as their CDN.

[–] elbarto777@lemmy.world 7 points 1 year ago (1 children)

If an instance enforces this, welp, I'll use a different one.

[–] Earthwormjim91@lemmy.world 1 points 1 year ago (1 children)

It wouldn’t be an instance. It would be their CDN. And your browser.

And any instance of significant size is going to have a CDN to help deal with the DDoS attacks and bots. Hell I would bet that outside of very carefully curated instances, all fediverse instances will start using CDNs here soon just because of bots.

And chances are they will use cloudfare or Fastly.

But there’s nothing to “enforce”. It’s not a “you must be attested or you can’t access” it will be “if you’re not attested you will have a captcha shown for most things”.

Cloudfare already does this. If your browser looks suspicious, and the website you’re visiting using cloudfare as a CDN, you’ll be redirected to cloudfare to enter a captcha before they’ll let you into the site.

Attestation removes that captcha part using a token generated by your device and validated by the maker of the browser you’re using. So you’d never even see the redirect at all, it would just take a second or two longer to connect.

People using heavily modified machines or browsers wouldn’t be attested and would have to enter a captcha. That’s about it.

[–] elbarto777@lemmy.world 1 points 1 year ago (1 children)

The captcha is a good compromise.

[–] Earthwormjim91@lemmy.world 2 points 1 year ago (1 children)

It is. Until you have to enter a captcha for every redirect. Then it will get real annoying.

[–] elbarto777@lemmy.world 1 points 1 year ago

Then I won't use those services if I get to that point. Like with the cookies. For the most part, I get out of my way to reject all cookies and "legitimate interest" requests. But sometimes I just don't want to do that and say "fuck it" and go somewhere else.

[–] kitonthenet@kbin.social 4 points 1 year ago

I don’t have any problem accessing them, which was my point

[–] herrvogel@lemmy.world 10 points 1 year ago (1 children)

If you're gonna make a conscious effort to not use cloudflare and fastly you might as well quit the internet altogether. You use those things all the time, mostly without even realizing it.

[–] kitonthenet@kbin.social -4 points 1 year ago

I realize exactly how much I use them, reread what I have written.

[–] elbarto777@lemmy.world 3 points 1 year ago

Right. It's sort of like a paywall site. I simply find what I need elsewhere.

[–] spokenlollipop@lemmynsfw.com 26 points 1 year ago (1 children)

Hard when those sites are things like your bank, your government official stuff pages, etc.

This attestation stuff is a "not such a bad idea in its basic principle" thing that will actually absolutely get abused everywhere in every way including being used to kill off browser competitors, enhance monopoly positions, etc.

It needs to be stopped now.

[–] _number8_@lemmy.world 2 points 1 year ago

what good does it do? why should the server see or care about anything on this side? spit out the damn content

what worries me is that 'web environment integrity' is the perfect bullshit smarmy business school name for it

[–] otter@lemmy.ca 11 points 1 year ago (1 children)

Getting a list together would be step 1

[–] elbarto777@lemmy.world 1 points 1 year ago

Would a list of "offenders" be necessary? I'd say a list of alternative sites that don't implement this BS would be better.