Aka corporations insist on control & want to make sure users are powerless when using the site. And Chrome is absolutely here to help the megacorp's radically progress the War On General Purpose Computing and make sure users are safe & securely tied to environments where they are powerless.
There's notably absolutely no discussion or mention of what kind of checks an attestation authority might give, other than "maybe Google Play might attest for the environment" as a throwaway abstract example with no details. Any browser could do whatever they want with this spec, go as afar as they want to say, yes, this is a pristine development environment. If you open DevTools, Google will probably fail you.
It appalls me to imagine how much time & mind-warping it must have taken to concoct such a banal "user motivation" statement as this. This is by the far the lowest & most sold-out passed-over bullshit I have ever seen from Chrome, who generally I actually really do trust to be doing good & who I look forward to hearing more from.
These are mega corporations and you aren’t the client. They aren’t making Chrome “for you”. They are for optimizing for Advertisers.
Generally I am pro Project Fugu & pro building bigger better web. Google spends an enormous amount of effort working on specs with w3c, wicg, and other browser implementers advancing incredibly good & useful causes. They spend huge effort enhancing DevTools so everyone can work the web.
Building a good & capable web is necessary for Google to survive. An open & capable web is the only sustainable viable alternative the world has seen to closed proprietary systems, which from history we can see have far more risks hazards & entailed pernicious or particular behaviors.
Generally Googles effort to make the web a good viable & healthy platform aligns with my vision. That they want to do good things & make a great connected world wide web because the web's thriving helps them run their advertising business typically does not create a big conflict for me. I'm usually happy with the patronage the web receives & I dread it ever drying up, and it saddens me people are so monofocused, so selective in focusing on only on bad, and I think that perception hurts us all.
You have to remember, from their point of view they are writing the web software and when a user agent is non-compliant, it gets in their way. UAs with weird quirks translate to impossible-to-reproduce bugs, so the default bias is in favor of standardization and regularity.
https://www.bleepingcomputer.com/news/security/451-pypi-pack...
"This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure."
The smoking gun is "intellectual property". In a conventional browsing session the website has no idea what the human user is going to do with copyright-protected information published on the website. Hence, it assumes good intent and grants open access.
In the case of an AI scraper, assuming you detect it reliably, the opposite is true. Bad intent is assumed as the very point of most AI scrapers is to harvest your content with zero regard for permission, copyright or compensation.
To make this work, Google outsources the legal liability of distinguishing between a human and a bot to an "attester", which might be Cloudflare. Whatever Cloudflare's practice is to make this call will of course never be transparent, but surely must involve fingerprinting and historical record keeping of your behavior.
You won't have a choice and nobody is liable. Clever!
Not to mention the extra new avenue created for false positives where you randomly lose all your shit and access, and nobody will explain why. Or, a new authoritarian layer that can be used for political purposes to shut down a digital life entirely.
All of this coming from Google, the scraping company.
I have a much simpler solution: it should be illegal to train AI on copyrighted content without permission from the copyright holder. Training AI is not the same thing as consuming information, it's a radically new use case.
This is the one I'd be worried about. Thought it was annoying to not be able to use banking apps on a rooted Android? Think about how annoying it will be when you can't do much of anything, even on the Web, unless it's from a sealed, signed Apple/Google/Microsoft image-based OS...
I realize the way Firefox's user share is going, it might not matter or they might feel they don't have a choice but I really, really hope Mozilla doesn't even remotely consider implementing this.
Online fraud and theft is exploding right now and the average person is simply not capable of securing a laptop so the companies have decided to only allow secure access through a phone which can usually be trusted to be malware free.
It has to stop somewhere. 100% security may reduce the banks' fraud costs but it isn't acceptable for personal freedom. "Choose a different bank then" only works until all they all adopt it.
As long as Windows users are allowed to remain as out of date on patches as they are, and depending on what the browser users as its attestation "source", I don't see how the browser and website can ever meaningfully establish the validity of the statement "the client is trusted to be malware free".
Apologies for the simple question, but wouldn't forks of popular browsers crop up without this attestation API implemented? Or is it a thing where websites themselves would potentially refuse traffic from browsers that didn't support it?
Wouldn't it be great if you never had to deal with another captcha?
I run a custom build of Firefox, on a (somewhat, still-ish) niche Linux OS, with the kernel and bootloader signed by my own signing keys. What could I attest with, that will make some banking website perceive me as a trustworthy client?
The second this becomes widely available, it won't mean "bypass captchas" - it will mean "can't bank unless you use up-to-date Android or latest iOS".
Gluttony, greed, envy, and arrogance. This is truly sickening.
There are no use case about these technologies being used by a dystopian country. No use case about enabling anti-competitive practices from incumbent companies. Seemingly little to no care or attempts to balance the longer term strategic impacts of these technologies on society, such as loss of innovation or greater fragility due to increased centralisation/monopolisation of technology. No cost-benefit analysis or historical analysis for identified threat actors likelihood to compromise TPMs and attested operating systems to avoid these technologies (there's no shortage of Widevine L1 content out there on the Internet). No environmental impact consideration for blacklisting devices and having them all thrown into a rubbish tip too early in their lifespan. No political/sovereignty consideration to whether people around the world will accept a handful of American technology companies to be in control of everything, and whether that would push to the rest of the world to abandon American technology.
The majority of the contributors to these projects appear to be tech employees of large technology companies seemingly without experience outside of this bubble. Discussions within the group at times self-identify this naivety. The group appears very hasty to propose the most drastic, impractical technical security controls with significant negative impacts such as whitelisting device hardware and software. But in the real world for e.g. banking fraud, attacks typically occur through social engineering where the group's proposed technical controls wouldn't help. There appears to be little to no attempt made to consider more effective real world security controls with fewer negative impacts, such as delaying transactions and notifying users through multiple channels to ensure users have had a chance to validate a transaction or "cool off".
[1] https://github.com/antifraudcg/use-cases/blob/main/USE-CASES...
[2] https://owasp.org/www-project-automated-threats-to-web-appli...
> Some examples of scenarios where users depend on client trust include:
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
So it's essentially Google further entrenching its tentacles in web standards in the most invasive ways with no regards towards privacy and user control. It's a shame what the W3C has degenerated into.
[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It's web 2.0, user is a product.
Even in this very thread there are people saying this is not so bad because “it will help prevent fraud”
lmao.
It's "think of the children!" way of arguing for intrusions and surveillance.
It's morbidly amusing to see the browser referred to as a "user agent" here.
Not on behalf of the website.
> A user agent is a computer program representing a person, for example, a browser in a Web context.
https://developer.mozilla.org/docs/Glossary/User_agent
> Examples include all common web browsers, such as Google Chrome, Mozilla Firefox, and Safari
"Don't be evil" has really turned into "Google is evil"
This is already what is happening with SafetyNet on Android. For now most applications don't require hardware attestation so you can pass by spoofing an old device that didn't support hardware attestation but I'm sure that will change within a decade.
Look, it isn't that bad, but enough to make me do it. It's obnoxious.
Being able to trust the security of a client can protect against many attacks and it is up to web sites to evaluate what to do with into information that a client is proven to be secure.
You know, to ensure the 'integrity' of the 'web environment'.
Guess what, it wasn't free and now it's time to pay up.
They got tired of getting comments from mere web users that don't want this and locked down comments :P
The attitude of the W3C was basically "we either kiss the ring or Hollywood forks us". So I can totally imagine Tim Berners-Lee spinning in his nonexistent grave then too. That doesn't mean he's Stallman levels of freedom-or-death.
[0] AFAIK, Google bought Widevine, Apple uses FairPlay, and Mozilla originally used Adobe but now uses Chrome's Widevine library.
do they realize that you can use a custom certificate / patch the check routines? I don't think they quite realize what they are even suggesting.
>bewise@chromium.org
>sergeyka@chromium.org
