this post was submitted on 27 Jul 2023
284 points (97.7% liked)

Technology

59377 readers
4098 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] empireOfLove@lemmy.one 187 points 1 year ago* (last edited 1 year ago) (72 children)

It depends how websites choose to implement it, and how other browsers choose to implement it.

If Firefox et.al chooses not to implement browser environment integrity, then any website that chooses to require strict integrity would completely cease to work on Firefox as it would not be able to respond to a trust check. It is simply dead. However, if they do implement it, which I imagine they would if this API actually becomes widespread, they should continue to work fine even if they're stuck with the limitations on environment modification inherent to the DRM (aka rip adblockers)

Websites will vary though. Some may not implement it at all, others may implement a non-strict integrity check that may happily serve browsers that do not pass the check. Third parties can also run their own attestation servers that will report varying levels of environment data. Most likely you will see all Google sites and a majority of "big" websites that depend on ad revenue implement strict integrity through Google attestation servers so that their precious ads don't get blocked, and the internet will become an absolutely horrid place.

Frankly I'll just stop using anything and everything that chooses to implement this, since we all know Google is going to go full steam ahead with implementation regardless of how many users complain. Protecting their ad revenue is priority 1 through 12,000 and fuck everybody else.

[–] joe@lemmy.world 24 points 1 year ago* (last edited 1 year ago) (17 children)

I have a weak grasp of this, but a developer working on this responded to some criticism.

If the developers working to implement this are to be believed, they are intentionally setting it up so that websites would have an incentive to still allow untrusted (for lack of a better term) clients to access their sites. They do this by intentionally ignoring any trust check request 5% - 10% of the time, to behave as if the client is untrusted, even when it is. This means that if a website decides to only allow trusted clients, they will also be refusing trusted clients 5% - 10% of the time.

The relevant part of the response is quoted here:

WEI prevents ecosystem lock-in through hold-backs

We had proposed a hold-back to prevent lock-in at the platform level. Essentially, some percentage of the time, say 5% or 10%, the WEI attestation would intentionally be omitted, and would look the same as if the user opted-out of WEI or the device is not supported.

This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior.

Additionally, and this could be clarified in the explainer more, WEI is an opportunity for developers to use hardware-backed attestation as alternatives to captchas and other privacy-invasive integrity checks.

[–] opt9@feddit.ch 46 points 1 year ago (1 children)

And what happens when they decide to revoke that 5-10% after they got everyone onboard?

[–] joe@lemmy.world 3 points 1 year ago (1 children)

I mean, the same thing that is happening right now, right? The point would be that websites would not be built to only allow trusted clients-- it would still have to allow all clients. If they wanted to remove this 10% thing, it's not like the entire web would instantly stop being built to allow untrusted clients.

[–] opt9@feddit.ch 24 points 1 year ago (1 children)

the 10% sounds like bait. Once they've got everyone on board and things are running smoothly (for them), it will be muuuch harder to resist.

[–] joe@lemmy.world 2 points 1 year ago (1 children)

I'm not sure this is true (keep in mind: weak grasp). This 10% would push websites from specifically blocking untrusted clients-- but if they got rid of the 5%, it would not magically change all the websites to block untrusted clients. They'd still need to update to do this.

I don't want to come off like I'm defending this though-- I really just don't know enough to say.

[–] MaggiWuerze@feddit.de 1 points 1 year ago (1 children)

The vast majority of them would not change the default, and a simple mandatory update would change that to 0% without them having to do anything.

[–] vriska1@lemm.ee 1 points 1 year ago (1 children)

Do you think Google will implement this in the end?

[–] MaggiWuerze@feddit.de 1 points 1 year ago

As soon as they are in a position to do it

load more comments (15 replies)
load more comments (69 replies)