Is this technically equivalent to Google’s proposal? Apple say that their version was developed in collaboration with Google, so it would be surprising for Google to go and deploy a second version of the same thing, were it not for the fact that Google always has two competing versions of everything.
And I guess the main reason people are more concerned about Google’s version is that they are so dominant in the browser market.
The details are a bit different. PATs use HTTP headers during a request while WEI is a JS browser API. But otherwise the general structure and end result are the same. A website requests an integrity check, an attester checks your device, and if the attester doesn’t like your device then you’re SOL.
Edge is a Chromium browser isn’t it? Then again, so is Brave and the article indicates they are making a point of removing this stuff from their build. Safari is it’s own thing though afaik.
There needs to be a unified fight against this, that involves not only browser companies but also the businesses running major websites. If it goes through and Google manages to persuade websites to use it, all the other browsers will be forced to implement it if they want to continue existing. And then no more freedom for web users.
Imagine, for a minute, that this passes. If a website exists that a specific entity disagrees with (say… a whistleblower forum, or accounts of how Google is abusing its powers, or accounts of a Government is abusing it’s citizens), all that would need to happen, is for the “integrity authority” to deny access to that site, and it will be censored. Whereas now, a website has to be taken offline (in most cases) to be effectively censored, if this passes, the “integrity authority” would just need to say nay.
Imagine never hearing of the Snowden files, or George Floyd, or the Russian-Ukraine war. Not because they didn’t exist or didn’t happen, but because you ‘weren’t allowed’ to see them by an entity who benefits from you not seeing them or knowing about them.
If this passes, we would be -officially- entering a dystopia.
It’s kind of the opposite of this though, it’s not censorship. It’s not that you aren’t allowed to visit other sites, it’s that sites can choose to let you in or not.
The scary part is we don’t know what makes that decision, and from Google’s proposal is that it could just be anything they decide. So it’s not censorship, but it is saying “You aren’t playing by our rules (like by using an ad blocker, or you visited too many whistleblower forums, or we just plain decided we don’t like you) so you don’t get to use gmail/your bank/whoever decides to implement this”
That’s true. But the “integrity authority” has the power to censor. Maybe that’s not how it will be used now, but the infrastructure will be there and ready to use.
When I see these things come about, I’m always reminded of that quote, “Your scientists were so preoccupied with whether they could, they didn’t stop to think if they should”
Won’t there need to be backwards compatibility with sites that don’t implement this? The default would have to be that the browser is allowed to see a site that doesn’t require attestation. So if the whistleblower or political site just didn’t implement this, would that be a way around it?
At first, maybe. But not ultimately. If you compare it to TLS, for example, if the site use TLS 1.0, your browser will simply not load the site. This web integrity thing is similar.
Another, maybe more relevant, example, is Flash. Once Google decided Flash will no longer be supported on their browser, Flash died. I actually don’t disagree with the killing of Flash, but the idea is similar.
I actually don’t disagree with the killing of Flash
I miss it sometimes. There’s still no good way to have lightweight vector animations that wen designers or animators can work on (no code required), that work the same cross-browser. There’s some JS libraries but they often need developer involvement (a designer can’t always set everything up themselves) and tend to be quite heavy libraries (which slows down the page, which reduces your ranking in search engines)…
I still use Macromedia Flash 5 from time to time, to create quick animations to be used in videos. I haven’t found anything as easy to use. Maybe you know something? I’ve tried a few things, can’t remember the names, but paid stuff, free stuff, and FOSS stuff. MacF5 is easier and quicker.
Google can already do that. It’s called “safe browsing” and if your site ever gets on the wrong side of it good luck. It’s easier to get off a spamhaus registry than it
Apple won’t do anything of the sort. They were in support of net neutrality and are committed to an open, free web. One of their chief complaints against Adobe back when Flash was at its all time peak as just that: it gave Adobe control of the web. They pushed for HTML5 and other alternatives.
Google is alone in this. However, I feel they can’t do it without Microsoft. At least not to the effect they are hoping so I totally see MS jumping on this as they have been firing on all cylinders with regards to “Windows as a service”. All they care about is building their own monopoly.
Microsoft are staying suspiciously quiet then. And what about Apple?
Apple already added basically the same thing about a year ago: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/
Is this technically equivalent to Google’s proposal? Apple say that their version was developed in collaboration with Google, so it would be surprising for Google to go and deploy a second version of the same thing, were it not for the fact that Google always has two competing versions of everything.
And I guess the main reason people are more concerned about Google’s version is that they are so dominant in the browser market.
The details are a bit different. PATs use HTTP headers during a request while WEI is a JS browser API. But otherwise the general structure and end result are the same. A website requests an integrity check, an attester checks your device, and if the attester doesn’t like your device then you’re SOL.
Edge is a Chromium browser isn’t it? Then again, so is Brave and the article indicates they are making a point of removing this stuff from their build. Safari is it’s own thing though afaik.
Brave is a chromium fork with custom stuff, they can just not implement it if they want.
There needs to be a unified fight against this, that involves not only browser companies but also the businesses running major websites. If it goes through and Google manages to persuade websites to use it, all the other browsers will be forced to implement it if they want to continue existing. And then no more freedom for web users.
You’re right. But it’s so much worse than that.
Imagine, for a minute, that this passes. If a website exists that a specific entity disagrees with (say… a whistleblower forum, or accounts of how Google is abusing its powers, or accounts of a Government is abusing it’s citizens), all that would need to happen, is for the “integrity authority” to deny access to that site, and it will be censored. Whereas now, a website has to be taken offline (in most cases) to be effectively censored, if this passes, the “integrity authority” would just need to say nay.
Imagine never hearing of the Snowden files, or George Floyd, or the Russian-Ukraine war. Not because they didn’t exist or didn’t happen, but because you ‘weren’t allowed’ to see them by an entity who benefits from you not seeing them or knowing about them.
If this passes, we would be -officially- entering a dystopia.
It’s kind of the opposite of this though, it’s not censorship. It’s not that you aren’t allowed to visit other sites, it’s that sites can choose to let you in or not.
The scary part is we don’t know what makes that decision, and from Google’s proposal is that it could just be anything they decide. So it’s not censorship, but it is saying “You aren’t playing by our rules (like by using an ad blocker, or you visited too many whistleblower forums, or we just plain decided we don’t like you) so you don’t get to use gmail/your bank/whoever decides to implement this”
That’s true. But the “integrity authority” has the power to censor. Maybe that’s not how it will be used now, but the infrastructure will be there and ready to use.
When I see these things come about, I’m always reminded of that quote, “Your scientists were so preoccupied with whether they could, they didn’t stop to think if they should”
Won’t there need to be backwards compatibility with sites that don’t implement this? The default would have to be that the browser is allowed to see a site that doesn’t require attestation. So if the whistleblower or political site just didn’t implement this, would that be a way around it?
At first, maybe. But not ultimately. If you compare it to TLS, for example, if the site use TLS 1.0, your browser will simply not load the site. This web integrity thing is similar.
Another, maybe more relevant, example, is Flash. Once Google decided Flash will no longer be supported on their browser, Flash died. I actually don’t disagree with the killing of Flash, but the idea is similar.
I miss it sometimes. There’s still no good way to have lightweight vector animations that wen designers or animators can work on (no code required), that work the same cross-browser. There’s some JS libraries but they often need developer involvement (a designer can’t always set everything up themselves) and tend to be quite heavy libraries (which slows down the page, which reduces your ranking in search engines)…
I still use Macromedia Flash 5 from time to time, to create quick animations to be used in videos. I haven’t found anything as easy to use. Maybe you know something? I’ve tried a few things, can’t remember the names, but paid stuff, free stuff, and FOSS stuff. MacF5 is easier and quicker.
Google can already do that. It’s called “safe browsing” and if your site ever gets on the wrong side of it good luck. It’s easier to get off a spamhaus registry than it
The businesses running major websites want this more than Google does.
Safari is its own thing, but so is Mozilla. It affects everyone, it affects the very landscape of the web.
Apple won’t do anything of the sort. They were in support of net neutrality and are committed to an open, free web. One of their chief complaints against Adobe back when Flash was at its all time peak as just that: it gave Adobe control of the web. They pushed for HTML5 and other alternatives.
Google is alone in this. However, I feel they can’t do it without Microsoft. At least not to the effect they are hoping so I totally see MS jumping on this as they have been firing on all cylinders with regards to “Windows as a service”. All they care about is building their own monopoly.
Apple already added attestation into Safari.
Yes, they added a standard written by Cloudflare that is currently used to avoid captchas.
Removed by mod
https://httptoolkit.com/blog/apple-private-access-tokens-attestation/