It looks very similar to the “secure boot” mechanisms in Windows and other commercial client OS.
Strikes me as very dangerous though on the web where there are so many paths for malware to get in and this could get in the way of plugging the holes.
It was also dangerous for your PC: as soon as people ceded the ability to led their parties control what we run on our devices--such as by "only firmware signed by Apple can run on my phone"--we lost this war.
> It was also dangerous for your PC: as soon as people ceded the ability to led their parties control what we run on our devices--such as by "only firmware signed by Apple can run on my phone"--we lost this war.
If that's how "we lost this war", then it was lost before it even started. Even before Apple released their phones, it was already the case that phone firmware came only from the phone manufacturer. That is: phones come from a different lineage than PCs, and were never as open as general purpose computers ended up being.
I mean, those were by and large fixed function devices and while phone calls are certainly a form of communication they aren't really networked devices. And... while it was technically possible to update the software on them, most people never did.
There were only a scant handful of years where there even existed phones where this could matter... but now this same mentality is being applied to every new category of device--all of which acting as general computing devices--based on these precedents.
No, it's similar to attestation APIs like android SafetyNet (now called Play Integrity API) that are used to check that "your ROM is valid according to Google".
Secure boot can protect you eg. against malware gaining write access and modifying your system. I see it as user protection, as long as you can sign the trust chain. This is what GrapheneOS is doing as far as I know.
A trust chain beginning at the bootloader is what will ultimately enable this API, though, because that's what SafetyNet/Play Integrity API relies on. If you don't have a locked bootloader, or you're not running stock Android, you won't pass SafetyNet/Play Integrity (at least the higher tiers of it).
This is pretty much the inevitable end-game of the web, in no small part funded by ad-based business models (as the analog gap pretty much destroys most attempts to use this stuff to do copy protection) and enabled by developers who have insisted we shove as much difficult-to-implement functionality (by which I am talking about CSS complex stuff, not powerful-but-easy-to-code APIs for OS-level access) into the browser as possible.
The result: there is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself and who is finally putting its foot down to decide that we are all going to be forced to either used fully-locked down devices or to prove that we are using some locked-down component of our otherwise unlocked device to see anyone's content, and they get to frame it as fighting for the user in the spec draft as users have a "need" to prove their authenticity to websites to get their free stuff.
(BTW, Brave is in the same boat: they are also an ad company--despite building ad blocking stuff themselves--and their product managers routinely discuss and even quote Brendan Eich talking about this same kind of "run the browser inside of trusted computing" as their long-term solution for preventing people blocking their ads. The vicious irony: the very tech they want to use to protect them is what will be used to protect the status quo from them! The entire premise of monetizing with ads is eventually either self-defeating or the problem itself.)
> who is finally putting their foot down and deciding that we are all going to be forced to either used fully-locked down devices
The person who wrote the proposal[0] is from Google. All the authors of the proposal are from Google[1].
I've been thinking carefully about this comment, but I really don't know what to say. It's absolutely heartbreaking watching something I really care about die by a thousand cuts; how do we protest this? Google will just strong-arm their implementation through Chromium and, when banks, Netflix & co. start using it, they've effectively cornered other engines into implementing it.
This isn't new to them. They did it with FLoC, which most people were opposed to[2]. The most they did was FLoC was deprecate it and re-release it under a different name.
The saving grace here might be that Firefox won't implement the proposal.
I mean Firefox caved to support EME. This isn't the early days of the web anymore either, the enthusiasts are a small minority of global web traffic that this will probably succeed even with a large scale boycott.
I still remember the controversy surrounding EME, a LOT of people came out against it (including the EFF[0]); despite that, they still triumphed on[1].
DRM should be inconvenient and expensive. There have always been ways to implement DRM security theater for the comfort of content providers in board rooms.
The media ecosystem is not going to be enhanced by making DRM more restrictive. Netflix could completely deactivate all DRM today, and it would change nothing.
Apple completely abandoned their "FairPlay" iTunes music DRM because it became evident that it was not needed.
Apple in no way abandoned FairPlay. Every file on Apple Music, and iTunes Match is protected with it. And those greatly outnumber transactional sales through the iTunes store, by an order of magnitude. The customer picked the DRMed version, every time.
Good. DRM should be external to the browser, not integrated into it.
DRM is mostly security theater anyway. Until a few years ago, the Spotify client just left unencrypted mp3s cached locally. And they stopped DRMing music over a decade ago. People are willing to pay a reasonable price for first party content.
If a company insist on DRM, then they should be on their own.
If we make it too easy, then they will just use it everywhere.
Yes, but that is fairly recent! Did anyone even notice? For years, you could siphon every song you listened to and save it locally. But did it affect anything? I did it for a little while, but then found it wasn't worth the trouble.
So what if Netflix doesn't work?? That is the choice of Netflix. Big content will always want more control. Firefox will never be able to keep up. They will just do a mediocre job of working against their users.
Microsoft and Real Player pushed hard for an integrated ActiveX based DRM ecosystem over a decade ago. I'm so glad that Mozilla flatly refused to entertain such idiocy. I sure wish that Mozilla still existed.
Mozilla is now just a "pick me" [1] organization to big content. They should own being a browser that caters to users, not platforms. Because they will end up with nothing.
If done correctly, TPMs on every computer would be preloaded with signing keys (probably microsoft). The web browerser would then ask the TPM to sign the Platform Configuration Registers, which are a hash of a challenge nonce, the system firmware/kernel/configuration/etc. This signature is then sent (along with a description of the system configuration) to an external attester. This external attester validates that:
A) the claimed configuration is "secure" (trusted kernel, bootloader, browser, etc) and
B) The TPM's signature attests to the configuration.
The validator then generates its own signed message that can be sent to the server.
In practice, I think this is logistically unworkable in todays computing environment. But with enough big players pushing for it, I don't see anything fundamentally impossible.
Of course, but if Google did that it would allow Firefox to complain about Google's abuse of monopoly power. I'm not sure that is a path they'd risk going through.
Sites will just stop trusting that as an attester.
Anyone can write their own EME plug in that writes the files to disk. But it won't have the keys of any trusted module, because the reason sites trust them is because they don't do that. So it won't get accepted by anyone. Same here.
You do not and you cannot. It was written in stone once Chrome dominated the browser market. What Chrome (Google) wants, Chrome (Google) gets. Despite all the good engineering Google wants to sell ads, that's all there is to it. And the result is this proposal.
> The saving grace here might be that Firefox won't implement the proposal.
It's irrelevant and we are an irrelevant minority. Unless people switch to FF in droves the web is Chrome. And they won't because at the end of the day people just want to get home from their shitty jobs and stream a show. As long as that works everything else is a non-issue.
I was there too. People always say this, but just because a thing changed once does not mean it will happen again. In this case, the population scale alone has changed by over an order of magnitude.
Just doing some quick searching - the first numbers that come up when you search for "how many people used the internet in the year 2000" are on the order of 350 million or so. Comparatively, now, in 2023, Reddit alone has some 450 million users. It would seem right now that Tiktok has about three times the number of active users than there were total Internet users 23 years ago.
Additionally, there are literally hundreds of billions of dollars now resting on Chrome remaining the dominant browser.
Short of government intervention (or absolutely monumental fuckup on Google's part somehow), Chrome is here to stay.
Yes. The solution is very simple: uninstall Chrome and Chromium.
We are the people with the most influence on the tech. We are prescriptors. We are legion.
– Yes but Chrome is a tad faster and I have my bookmarks and my favorites extension and blablablabla…
— Then you are the root cause of the problem. If you are not ready to sacrifice an ounce of comfort to save the web, then you are the one killing the web.
Simple: install Firefox. Now.
(oh, and, by the way, also removes google analytics and all google trackers from the websites under your control. That’s surprizingly easy to do and a huge blow in Google monopoly. There are plenty of alternatives)
Please explain what you mean. It sounds like you have an important point that can only be found if people sit and carefully read several pages. Important points deserve to be stated more plainly.
The entire point of this spec is that your alternative browser wouldn't be able to attest to its "integrity" unless it was exactly as locked down as the other ones. If you have some kind of rebuttal to the shared context we all otherwise have, maybe you should be the one forced to state it more plainly.
> The solution is very simple: uninstall Chrome and Chromium.
No. Firefox, beyond being slower, also keeps constantly displaying ads… for itself. Want to open a new tab? “Big Browser cares about your privacy, read how!” I just want to open a new tab!!! I’m working! Restarting? “Discover what’s new with Firefox”, “Hohoho, we care about your privacy, LOOK HOW MUCH WE CARE! ALSO WE HAVE NO ADS!” Worse, they suggest to solve privacy that I use Mozilla VPN. VPNs don’t solve privacy. Also, it’s a paid ad for a paid product.
Mozilla had also a staunch political slant, going as far as firing a CEO for a donation he made to the opposing group years ago. There is nothing neutral here, if you are not a leftist, it’s dangerous to use or even give your participation to that ecosystem.
Mozilla has failed to become the no-ads, better-ethics, privacy-aware navigator (pun intended). They keep performing worse actions than Google all the time.
I surely do mean exactly that particular Waterfox. I've had my fair share of concerns back in the day when System1 acqui(hi)red Waterfox, but I haven't seen any suspicious behaviour whatsoever so I'm pretty confident it's fine for the time being.
Of course, if you know a better browser (that is not Chromium-based), I'll be happy to hear your suggestions!
There isn't a moral dimension attached to loving the right kind of people and gay and straight people are equally moral in pursuing relationships with significant others. On the other hand there is a moral dimension to trying to take away our fellow citizens rights. The CEO as the face of the org became unsuitable to his role when he acted publicly and objectively immorally in support of those who would gut the rights of his fellows
He wasn't on the wrong side of a political issue he was on the wrong side of decency and morality. This ought not to be a leftist position nor should we fear that the tyranny of excessive concern for others may be imposed upon us. Should we decide to use Firefox for evil as it were the privacy both endorsed and adhered to by Mozilla precludes them discovering it let alone stopping us.
The position of user of Firefox and public face of Firefox are inherently different positions and come with different reasonable expectations but I think you knew that.
> it’s dangerous to use or even give your participation to that ecosystem.
Please describe precisely the threat model you fill most applicable
> keeps constantly displaying ads
For a definition of constantly redefined to mean rarely when a new major version comes out.
> They keep performing worse actions than Google all the time.
The context here is that google tracks everything you do and regularly shares it with the government including under terms that are obviously abusive of user privacy and including to repressive governments, are in the middle of attempting to destroy ad blocking by pushing locked down environments in the name of security. A move likely to have massive implications that will be impossible to manage or control in repressive dictatorships even if Google themselves do nothing to directly assist with mass surveillance in Orwellian states. Merely building general purpose tools virtually guarantees bad usage by repressive regimes. By contrast Mozilla has? Tried to pimp their VPN to you as part of their new version notification...
It really sounds like the Brenden Eich debacle has colored your perception of the situation and perhaps you need to step back and evaluate the situation objectively.
Brendan Eich getting fired was like watching the original internet get murdered by progressives. Everything since then has been about how I thought that would go.
A guy gave a $3100 dollars to a political cause of his choice that was on the ballot, and people with this ideology drove him out of the company he founded that fought very hard for internet freedoms.
Since then, Mozilla/Firefox has largely become irrelevant and absolutely no longer has the same privacy concerns and respects.
He donated money in opposition of a law he didn't want to pass. He didn't take anyone's rights away.
>I was there too. People always say this, but just because a thing changed once does not mean it will happen again.
The problem is that the web standards have now grown so much that it is impossible to write a complete new web browser from scratch. Firefox is not coming back, because Mozilla seems to prioritize other things than code quality and the actual usability of their software.
And yes, I know that the SerenityOS developers are trying to do it, but while some very advanced things work "good enough" in their browser so that Twitter and Discord's web client works to some extent, the more basic things are so broken that their browser cannot even render basic HTML 3.2 sites properly.
Google's end goal is probably to "deprecate" HTTP 1.x and force everyone into using their own replacement for the protocol. Their protocol is going to be like the thing they call "HTTP2", an insanely complex protocol that is impossible to implement by a small developer team. In the end their own protocol becomes a "rolling release" protocol that only works with Google's own app, at which point they can completely stop releasing RFCs for it.
I was there too, in the 1.0 days, and still am. But these days are gone, Firefox is not coming back. Back then Firefox was immensely better than IE. As long as the other alternatives are just as good, there is no reason for the mythical "average user" to change over. Why bother if you can do everything in Chrome? We may understand the differences, ideological or technical, but good luck explaining that out there. There's a massive disconnect between user and technology and as a result people will live in the perfectly curated technological bubble that's been served to them.
the adblock "endgame" will be a self-hosted DNS system that blocks requests to ad-server urls (or return benign responses).
Then the game will switch to encrypted proxied traffic that you cannot block.
Then the adblocking software will switch to the GPU layer, and use machine learning and AI to wipe the region of memory in the GPU containing the ads (and replace it with something benign).
Then the next logical step from likes of google is a fully trusted computing environment - aka, you as an end user no longer control your own machine.
The browser... or the javascript running in it, served from the primary domain you are browsing will just do DNS over HTTP from within the browser, completely avoiding your dns filter
Yeah: the company that is all about locking down user devices and relishes in providing a DRM-ridden platform for developers to maintain complete control over their users is totally going to be against implementing this specification :/. I mean... it's possible? but any hope there is fully predicated on their hatred of Google and their distaste for the web.
I doubt Apple will be our savior here. Apple is in a great position to implement this spec: their secure enclave and the systems they've developed around it are practically the state of the art. Also Apple is in bed w/ traditional media. (Apple News, Apple TV, iTunes, etc.) Microsoft has been doing the same[1] for years w/ Pluton on the Xbox to protect their IP. Google has been doing this on Android using, dm-verity, SafetyNet, et al. Nintendo employs similar protections on the Switch with moderate success. (After the bootrom of the initial HAC-001 was patched on the production floor the only real option to attack a modern Switch is physically glitching the console.)
I suppose Apple may object on the grounds of being a "privacy focused" company, but I'll believe that when I see it. I'm not gonna sit here holding my breath for these megacorps to do the right thing.
Screenshotting Apple TV+ works fine for me on desktop Chrome, even with hardware acceleration enabled. I don't recall doing anything to circumvent normal behavior (not really in the habit of screenshotting things I'm watching).
> I doubt Apple will be our savior here. Apple is in a great position to implement this spec: their secure enclave and the systems they've developed around it are practically the state of the art.
You are probably right, but there is one self-interested reason why Apple might resist implementing this - Apple doesn’t like the web competing with apps, and this is basically giving the web a capability that right now only apps (effectively) have.
Perhaps you haven’t been paying attention but macOS Sonoma—currently in beta, shipping this fall—has the best web app support we’ve seen in a mainstream operating system.
You can put a web app on the Dock using the Finder’s “Save to Dock” command for virtually any website or web app.
Not only do you get service workers, push notification, web app manifest support, etc. web apps have first class support in the Finder, Spotlight, Spaces, Mission Control, etc. [1].
You only have to look at how they're (still) restricting PWAs to see they also have their own goals to preserve their walled garden and market share (as they should, it's a publicly listed company, but it's not the same as an open source alternative)
If my goal is to try to avoid vendors locking down what I can do with my computer, I don't think switching from Linux to MacOS is going to be an improvement.
It was fun while it lasted though, finally news sites that could be read on an average German mobile data connection.
For the uninitiated: Germany's mobile phone network has been ridiculously expensive and unreliable for decades. Everyone else in Europe has done it better, because no one else thought they could extort 60 billion euros from the providers for RF spectrum licenses - we're still paying for that blatant debt-shifting today.
You can by not using Google products.
Change the search for ddg or kagi. Change your email for proton.
Use Dropbox instead. Remove Chrome, live with iceweasel or Firefox.
It is not like you'll be loosing much. This is the time to change, while we still have other players in the market.
No, you can't - not until you get a significant part of the world's population to join your protest.
The point is that if chrome implements this, netflix, amazon, facebook etc might decide they'll use this feature and only permit browsers who implement this to use this site.
Even if the only browser that does so is chrome, that's fine because chrome's market share is big enough that they can ignore the rest.
Have fun using Firefox if half of the web locks you out or treats you like a second class citizen.
It may not be that easy as now that stuff like banks and government services have embrance it. If they or your work/school apps need it, you are screwed
I'm already using a separate device for "official" stuff. It's a fully Google/Microsoft managed phone that runs my professional life (work profile, LinkedIn, etc.) and accesses government and some financial services. It mostly sits in a drawer outside work hours and don't use it to browse or talk to anyone outside of work. It has SimpleX installed so it can send anything I need (eg. financial statements) to my personal phone, without even needing to store my personal phone number.
My personal phone, and my personal laptop and PC, run open source OSes and are as privacy-focused as I can make thrm. They're the ones I use to browse and talk to people, both on public and private platforms. They're the ones that have my photos, my books, my passwords, my movies and my music. (I don't use streaming services, except for YouTube via Newpipe.)
I do make sure that I always have at least one bank account with a bank that doesn't require SafetyNet or similar, and can therefore be accessed without needing the "official" phone. So far, all but one of my financial service providers work fine from my personal devices.
I think the dual-device approach will quickly become the only realistic one for individuals who want privacy in their computer use (which will remain a minority). I will even say that, although Google is doing this purely for the sake of ads and profits, it is not unreasonable to expect citizens to have an "official" online presence in the form of a highly standardised Internet client, without prejudicing their ability to use other ones. In the same way that you have an official residential address, without prejudicing your ability to have other mailboxes or live on the road.
> netflix, amazon, facebook etc might ... lock you out
Is this supposed to be a bad thing? It's almost made to sound like surviving without them would be tantamount to starving, but frankly we might be better served without them.
I see Facebook locking you out (no great loss there) but I'm less convinced about Amazon or Netflix. They're not advertising-based businesses, so are not suffering with bots-consuming-ads problem.
Put another way, my site is unappealing to bots, and frankly I don't care about bot traffic, because I don't have ads. So I don't feel the need to support this server-side.
Equally Amazon makes money selling goods, not ads. They don't need to know if its human or bot, they just need a credit card. [1] Netflix is subscription based, again doesn't care if its a "trusted device" or not. They want you make sure their content is available not blocked because my TV is "untrusted".
Sure, you'll end up using Chrome to use Google properties. But I don't really see the incentive for the non-ad-based Web to bother implementing this.
[1] it won't move the needle for fraud, fraud is easily done via trusted devices.
>Equally Amazon makes money selling goods, not ads.
Amazon is one of the biggest ad networks on earth. They made $40bn from advertising last year using all the personal data they get from their paying customers.
>Netflix is subscription based, again doesn't care if its a "trusted device" or not.
Oh but they do care very much. Netflix requires DRM in desktop browsers and its own app on mobile platforms. And they launched and ad based plan recently.
It's a mistake to believe that advertising is the main problem and direct payments are the solution. Making a payment takes away more privacy than advertising alone ever could and hands personal data to payment schemes and banks on top of everything.
> they'll use this feature and only permit browsers who implement this to use this site
we as tech early adopters and "leaders" in this space, we need to be telling family and friends to complain to those sites about such required support. If enough people complain to amazon that they don't want to use this google branded browser, i think there will be some pushback and the companies would be hesitant to drop support for firefox.
>The point is that if chrome implements this, netflix, amazon, facebook etc might decide they'll use this feature and only permit browsers who implement this to use this site.
Works for me. I don't need those sites/services. If they want to be actively hostile to me, I can vote with my feet/wallet.
I can't (nor do I wish to) control what other people do. Just what I do.
As it stands now, I block the bulk of scripts/ads/trackers/other spyware on my devices, and those who don't like that are free to block me from accessing their sites.
Maybe I'm missing something important here, but I don't need anything from Alphabet, Netflix, Meta or any other rapacious corporation. They can do what they like, and I will do the same.
>Have fun using Firefox if half of the web locks you out or treats you like a second class citizen.
If the above folks are who you consider "half the web" then, at least for me, nothing of value would be lost, as I don't use that garbage anyway.
You can move away now or wait until they lock you out (and thereby lock you out of all you OAuth sites) with no recourse. The endless cries for help in /r/GMail/ says it all.
OAuth sites will let you change your OAuth provider or even better switch to a local account on their site and use a password manager so you don't tie everything to an OAuth provider unless the site will accept a self hosted one.
What's the harm in giving some sketchy site a unique, random password only used with that site? (In contrast to letting them have your Google profile and all that comes with it)
The need to retain one unique random password per site (as opposed to having one extremely secure Gmail password with two factor authentication attached to it).
It's the old twin airplane principal from the hacker's dictionary: the virtue of putting all your eggs in one basket if the basket is built very well.
Something to consider when you save your passwords in Google, you can "forget" and reset your Google account password and all your passwords are still there. Compare that to a proper password manager where if you forget the master password (assuming sufficient complexity) nobody is getting those passwords back ever. So Google has full access to your passwords whenever it feels like it.
As the other commenter said, there's zero risk giving a dodgy site a randomly generated password used only for that site, the randomly generated password gives them no information or pathway to any other web site.
There's a degree of saying no and opting out and controlling your own shit that you can do.
Some, like owning a phone and getting tracked to many degrees is inevitable but others, like software on a computer, is quite easy to think about.
You don't need to be a majority to go a different path. Linux users everywhere know this. We never needed the "year of the Linux desktop".
There's usually ways around the designated box. Obviously, get ready to be called names for not bowing down to authority... But you can ignore them and move on.
Whatever happened to legislation? I bet most people here would have said the same about Apple's App Store monopoly on iOS, and yet the EU passed the DMA and the matter was closed.
There's no reason why the same can't happen here. The defeatism attitude helps with nothing and is part of the reason why this happens in the first place.
EU passing the DMA is literally the specific reason why google is unstoppable. They finally cracked the last significant holdout against chrome/chromium market dominance, now there is nobody left to oppose them in the browser market.
Chrome/Chromium is already above 75% marketshare and the EU doesn’t care, and is taking moves that will actively increase consolidation and monopoly control.
We’re literally in the thread where we’re talking about the anti-consumer moves that are resulting from that consolidation. This is what it looks like when Google flexes that monopoly control and tells you how it’s going to be. EU doesn’t seem to care.
> Chrome/Chromium is already above 75% marketshare and the EU doesn’t care, and is taking moves that will actively increase consolidation and monopoly control.
It took roughly 15 years for the EU to react to Apple's practices, and they have been anticompetitive from day one.
Chrome has caused no competitive damage to consumers or competitors (yet), give it time.
We could at least get everyone here to use Firefox. There's really no excuse for a technically minded person to still be using Chrome for their day to day browsing.
If you do eventually run into a poorly crafted webpage that doesn't work on Firefox you have the wherewithal to decide if you are simply not going to use that site or hop over to chrome just this once.
But the important thing is checking in automatically as a Firefox user in the logs of every other site online. Push Firefox marketshare up and at least some places will be hesitant to write off Firefox as irrelevant.
It is extremely disingenuous to claim the only browser to still refuse to block third party cookies by default, because it helps their ad partners, is "more secure".
The only way in which Chrome is more secure at anything appears to be securely forcing you to view ads via this API. And a shocking amount of malware fails to work when you use a running environment that 95% of society are not using.
So as someone who deals with enterprise software: Network effects.
Where I work, we treat Chrome as the malware it is: It's banned both by technical measures and security policy. We deploy Firefox, and begrudgingly deal with Edge when people insist on a Chromium-based browser. (At least Microsoft added some modicum of privacy settings here.)
Here's what I've learned over the past several years: Web developers are lazy. We're commonly told such and such app or service "only works on Chrome" or they'll "only support on Chrome". When we call for support, half the time we'll get told it's because we're not on Chrome, and I have to actually prove to them on an isolated machine that the issue occurs on Chrome so they'll shut the heck up and do their job. "Oh, I found an issue on our server" after I spent two hours trying to convince them their app works fine on Firefox.
In most cases, things "not working on Firefox" entails exempting a site from the popup blocker. In 2023, troubleshooting alternative browsers is usually... roughly that easy. But blaming your web browser is easy and lets them shift blame, so that's what they do.
But enterprise software companies have completely turned Chrome into the modern Internet Explorer: The only browser they'll even deal with. And since a lot of people buy Google's marketing that they know security and aren't completely clueless how security works (they are), people have by and large given in and installed Chrome.
> We could at least get everyone here to use Firefox.
That would accomplish nothing.
> But the important thing is checking in automatically as a Firefox user in the logs of every other site online.
No, that's not important. HN users are a tiny minority compared to the billions of people that use the web daily.
I'm sorry, there's no easy way to say this: Firefox is never coming back. The web of old is never coming back. It's over. Even if this particular proposal gets defeated somehow, a future similar proposal will make it through. There is nothing you or I can do about it. Google is more powerful than most governments, and they are vastly more powerful than any random group of like-minded people who get together on the Internet in the belief that they can accomplish something.
(3) has enough coherence to actually do something about it
It's not obvious to me that any of these apply. The EU is pushing -- in fits and starts -- towards self-reliance in its computing infrastructure, but at a slow pace.
Of these, number 1 is probably the most doubtful. The EU, however boring that line of thinking is, is still quite bureaucratic, and it's doubtful that measures to control this, might not be a priority of bureaucrats. After all, the regs I mention later are in the name of "less e-waste" (which is good, but besides the point). So something like "control web DRM" might not be as blatant and easily solved (your point No.3).
For number 2, the EU's new regulations above more easily replacable batteries, mandatory USB-C ports and such, in my eyes prove -- though not doubtlessly -- that they do care about walled gardens in tech.
Number 3 though, again, as I've alluded to before, doubtful. But possible in my eyes. Urgency is another thing you've mentioned, and -- let's say it again -- bureaucrats are not particularly known for solving a problem in the right time.
NB: don't misenterpret my use of 'bureaucrat[ic]' as a negative comment, it is just a fact, however boring.
See that's where I disagree. Rich governments like the EU or the US can and do have power to push regulations if they wanted to. Pretending we the people (in a broad sense), i.e. the state, have no power whatsoever to control the terms under which these companies operate within the state, is defeatist.
Bringing up "We, the people" here is ridiculous, regardless of the "sense". We have zero power. Zero. Protests, revolts, riots ... all make no difference anymore and making a cross on a piece of paper once every couple years, aka voting, doesn't give us power. Anyone believing that is a fool.
It certainly allows us to avoid the worst of 2 evils in any case and nudge the ship of state away from obvious rocks where extremist positions cause politicians to lose elections. Furthermore many states have a means for individuals to directly make law on matters that directly concern enough sufficient voters.
Firefox came into the mainstream because of power-user recommendations and the browser ballots.
It should be illegal for a significan platform (say 10mln users) to make its own browser, or any really, the unquestioned default. Users should be prompted on first use, giving a randomly ordered selection of any capable browser. If users can just click through it the choice should be random.
This is the only way to maintain healthy competition and ensure independent yet functional standards. Otherwise incentives will continue to centralize power.
>Firefox came into the mainstream because of power-user recommendations and the browser ballots.
But it was a completely different situation.
- There was a huge influx of new internet users who were all asking their techy friends which browser to use. This is not the case now. People mostly stick with what they know.
- FF was the better product for pretty much all use cases. If this proposal does go through, this will not be the case. It's nice that FF can block ads, but it's ultimately useless if the average user won't be able to access Netflix/Youtube/Facebook/their bank account. It will be an objectively worse browser.
Browsers are increasing in importance even today, not decreasing.
And as I said, the sustainable solution is browser ballots back by the force of law. It's worked where it's been tried.
Anti-trust based solely on narrow definitions of consumer harm on the other hand, serve only the capital owners. And they'll leverage and co-opt any and every popular and useful innovation: open source, community contributions, open standards, patterns light or dark, etc.
You're describing the old Firefox before they became Google's controlled opposition. Since 2011 all they have done is continuously stripped out every useful power user feature in a bid to turn into a shitty copy of Chrome; the last straw was gutting their powerful XUL/XPCOM extension system in favor of Chrome's far limited web extensions because muh security (and since then there's been more, not less cross browser malware). Today you can't even write your own extension for use on the main build thanks to forced extension signing (which ended up disabling everyone's extensions a few years ago due to an invalid certificate).
And that's before all their unethical tracking, in browser advertising and privacy violation over the years, that requires various 'hardening' about:config changes out of the box, or the erosion of configurable features with almost every release. Mozilla are woke hypocrites today, financially dependent on Google while claiming to be privacy champions and squandering their money on multiple other projects instead of focusing on Firefox.
The only browser that continues to be the old Firefox in spirit - the one that upended Microsoft's IE monopoly - is its hard fork, Pale Moon (which gets derided as oLd aNd iNSeCuRe by Mozilla fanboys). Doesn't need any 'hardening' because it doesn't snoop on you to begin with, and the latest versions have massively improved web compatibility while retaining support for the original powerful XUL extension system.
It may well be too late, given Google has absolute control over web standards and their policy of introducing draft features in Chrome and then making them part of the standard. Unless an anti-trust case is brought against them which explicitly mentions their browser engine and standards monopoly, and correctly points out that every other browser today is just a skin around Chrome while Firefox is controlled opposition. Every case against them seems to obsess on the search engine monopoly.
Sounds like defeatism. By writing such comments you only help Google and make people resign from doing anything. Good job...
It won't be easy, but it is not impossible to change the world. There are many, many intelligent people around. We just need to work together to achieve our goals.
BTW EU has shown, multiple times, that it is powerful enough to impose regulations on tech giants like Google, Facebook or Apple.
A defeatist attitude like this certainly predicts the future... If you're playing by the rules. And the rules were set by Google, so it's in your best interest to break them by actively harming Google. Restrictions in choice happen because people don't oppose the narrowing enough to make the corporations lose money. This might be one of the few times where targeted malware could be beneficial if it destroys Google's services and makes them too much of a risk to use. If somebody puts a latent trigger into a Javascript library that's widely used like Node.js that makes Chromium and only Chromium break then that would start a cascade effect of Chromium locking itself up more and more until it's impossible to use. You could even make cookie bombs, where you have two cookies, and when one expires before the other it triggers the surviving poisoned cookie to ruin Chrome's functionality by poisoning the browser agent. Google wouldn't be able to trust anything they didn't make themselves. You can force Google to barricade themselves in until it's impossible to reach them, and have them do it so fast that updating systems for developers and users would be too much of a pain to constantly keep up with. The downside is once you use a tactic like this then it's not just Google that wouldn't trust anything they didn't make themselves.
I use Vivaldi (not chrome itself but another Chromium browser) because I want PWA support on my Linux machine so I can have an app for outlook with notifications and Chromium browsers make that far more convenient than Firefox.
Essentially this doesn’t work because every email client I tried can’t handle the specific way my work email account does authorization and the login always fails. They also blocked POP/IMAP so that’s not an option either. No one else in a team of software engineers figured out a better way to access email so for now this is the best option
And lot of people here squeal like stuck pigs if you suggest anything other than the Chrome monopoly. HM is a constant barrage of demanding that legislators force the Chrome monopoly to be extended to iOS devices!
Doesn't Apple have some leverage here? They may not control the overall browser market but they mostly control the smartphone market (or at least the profitable segment of that market) and lots of those users prefer to use Safari.
I'm aware Apple implemented similar tech a while ago, but I have infinitely less confidence that Google would use it responsibly.
The proposal for Chrome, you don't, because there's no stopping it. See DRM, Secure Boot, all the rest of the shitshow pursuing "trusted environment". It'll never happen, but CEOs won't accept reality.
You can, however, embrace the rest: eg. keep serving your own content on http (along with https), gopher for retro compatibility, and because they are less prone to break.
Keep using your current device for browsing, and whatever refuses to serve you either leave it for good or keep a spare chromebook for all the "services" you can't avoid to use, like banking.
I don't have a better route. It's a bit like streaming: if I want resolution above 480p, I use a Chromecast with Android TV.
Generally agree but I don't think Secure Boot falls in this category unless the keys are locked in firmware (and in that case the firmware is the problem). Root passwords aren't evil either just because they can be withdrawn from the user.
> if I want resolution above 480p, I use a Chromecast with Android TV.
I am one who specifically does not want a resolution above 480p. Unfortunately, some TV services had decided to remove that feature and now it wastes disk space due to the higher resolution. I also want to be able to use an external caption decoder and recorder (in my case, the same device does both), so will use the composite video and not HDMI (which doesn't have captions).
Steven J. Searle wrote: "The sad fact of the matter is that people play politics with standards to gain commercial advantage, and the result is that end users suffer the consequences. This is the case with character encoding for computer systems, and it is even more the case with HDTV."
> keep serving your own content on http (along with https), gopher for retro compatibility, and because they are less prone to break.
Yes, it is reasonable. I think that "HTTPS only" is (mostly) no good, but having both is good. HSTS is no good.
I'm doing this again, but here's my shameless plug for the article I wrote 1 year ago now, "Remote Attestation Is Coming Back," which warned that this was coming to the web and had quite a discussion about that idea at the time:
> The saving grace here might be that Firefox won't implement the proposal.
As others have said, FF doesn't have a lot of leverage left to influence those type of decisions, but Safari might. Not sure what their position is on this proposal.
The one pager has a section on stakeholder feedback [0], but doesn't name them for some reason.
Looking at it in terms of leverage and market-share is a huge mistake that Mozilla keeps making. Mozilla doesn't have a platform like Google does. What exactly is Mozilla even competing for? Popularity?
They should hunker down and make the best browser they can, implementing their best web. It worked 20 years ago, and in many ways the circumstances are the same. We have tech monopolies proposing ludicrous "content security" mechanisms. Where would Mozilla have been if they tried making some sort of half baked "less evil" form of Microsoft Janus DRM[1]?
People are going to get sick of how intrusive DRM is becoming, and there should be an alternative waiting for them.
Every person who has content they thought they purchased "expire" and be erased from their device, or who can no longer use their expensive projector after the latest mandatory update.
I evangelized heavily for Firefox in the 1.x days. People were sick of IE6, and were glad to have Firefox. I worked at a computer store and probably converted 100+ people.
Mozilla and Wikimedia both have a reputation for wasting money by trying to branch out beyond their main product. Wikimedia is totally overfunded so wasting money doesn't threaten their survival but they've also been criticized for begging for donations that they don't need. Personally I don't see a reason to combine them.
Wikimedia is much much less shady than Mozilla in a bunch of ways. Some people might take issue with the way they spend their money, or the tactics they use to raise money, but I don't think I would consider them shady.
Full disclosure: I was employed as a software release engineer at the Wikimedia Foundation from 2015 through 2022.
> FF doesn't have a lot of leverage left to influence those type of decisions
FF didn't have leverage in 2005 but we're still somehow living in a post-IE world. Leverage and market share aren't a concern, community support is all that's needed. The issue is that Mozilla Corp have been rapidly burning community bridges at pace of late, topped off by the fact that 2005 Mozilla wasn't dependent on Microsoft for their income.
It scares me when people talk about forcing apple to allow non WebKit browsers on iOS. iOS is the only thing stopping chrome from actually winning the browser war.
Vote with your clicks. Google doesn't want me to install an ad-blocker on my phone, so I'm not browsing the ad-infested websites. And for the current integrity checks: If a site wants me to solve a captcha just to view it, I close the tab and never visit the domain again. In fact, I already close the tab when I see Cloudflare checking my browser. Let the corporate web die.
> It's absolutely heartbreaking watching something I really care about die by a thousand cuts; how do we protest this?
Death by a thousand cuts can also happen in the other direction. Even if we do not have a single decisive way to oppose this disastrous proposal, we can fight it in as many ways and on as many avenues as possible. Spreading the word about it widely is an important first step, so that those best placed to oppose it know that they should act.
Probably the privacy angle is best. Given that this uses an "attester’s public key", this enables to uniquely identify a given device repeatedly over time with no margin for error. It's essentially "perfect fingerprinting".
There's also the option that devices don't use a per-device key. If all the devices from a vendor use the same keypair, then this would be broken by just extracting the key from a single device (AFAIK, in the US this would likely not be legal to use).
1) You cannot all of a sudden provision content differently to a user who has an unapproved device with their preferred accessibility stack and/or hardware.
2) Even if attestation does not involve tracking, effectively forcing children into an ecosystem that tracks them can be deemed unlawful by the FTC. Providers cannot foreclose all means of access to content that are not in a tracking ecosystem, because it violates the rights of children.
The proposal is probably legally negligent because it does not exercise the ordinary standard of care expected of senior technologists. Providing a tool that affects hundreds of million of children and people with disabilities is not a joke.
The person who wrote the proposal[0] is from Google. All the authors of the proposal are from Google[1].
It astounds me that people would actually associate their real identities with stuff like this publicly.
how do we protest this?
The same way we protest politicians doing things against our desires? We know exactly who the perpetrators are, so perhaps we should all give them a piece of our mind. I absolutely don't condone violence, but exercising our right to free speech is always a good idea.
It was just one example, but Netflix is trash in web browsers anyway. Firefox should say no to all of this - it doesn't feel like it now, but saying no could birth alternative services that don't operate in such a manner.
Not technology related exactly, but until recent events I thought Reddit would survive and be untouchable. Now I'm wondering why I didn't join the fediverse sooner. There are rough spots but it will surpass centralized solutions.
We are at a turning point and should say no to all garbage. They need us more than we need them.
As long as online advertising is a primary source of revenue for many companies, the internet is going to increasingly have less degrees of freedoms.
Probably the only solution is to bring harsh legislation against the very existence of online advertising. I don't know what that legislation would actually look like and how it can be done ethically.. but the alternative is probably worse.
> and enabled by developers who have insisted we shove as much difficult-to-implement functionality (by which I am talking about CSS complex stuff, not powerful-but-easy-to-code APIs for OS-level access)
Interesting that fixing "how to center a div" is considered harmful, but WebSerialPort is actually very good?
> The result: there is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself
I don't think this this reality. Google proposes a bunch of APIs that goes nowhere because the other browser vendors consider them harmful. Google's previous attempts at trying to drive more adtech into the browser have failed due to a lack of support from other browser vendors.
I think "who drives the web specs" is probably in the best situation possible. It's largely Google, Mozilla, and Apple who all have slightly different interests in what makes a good web platform, and the web ends up better for it.
> Interesting that fixing "how to center a div" is considered harmful, but WebSerialPort is actually very good?
It is certainly "interesting", but "true" nonetheless: one determined person--think Fabrice Ballard if you want an example--is in a great position to throw together a web browser and even implement ALL of the crazy API wrapper specs, but when if they aren't you simply don't need most of them to browse any given website.
But, as it stands, my only a-few-year-old copy of Safari can barely even browse the web anymore as it is missing some new corner case of CSS or web components or whatever and I just get blank screens a lot; the result: people have burned years of large teams into trying to maintain implementations of HTML/CSS and have given up.
The web should really just be a handful of really core specs for getting platform access--which of course have innovated over the years so you'd have all of canvas, WebGL 1/2, and WebGPU, which would take SOME effort but isn't like, INSANE--and then all of the layout should be done end-to-end in libraries.
The world NEEDED to be like this to prevent us from ending up with only a handful of web browsers that can only be maintained by giant companies: it needs to be sufficiently easy to build a web browser that we would end up with a ton of small implementations that would be difficult to move as a unit, forcing progressive enhancement as a permanent norm.
So... you prefer the end result we got, with there being only ~1.75 browsers in existence--and only 1 that truly matters to developers--where ~1.66 of them are owned by companies that would prefer to implement this specification? :(
I think, given your history, is that what you’re looking for is apps but distributed on the web. However I believe there is also a market for app clips of sorts that are meant to be more lightweight and have some default APIs available to them, for cases where people don’t actually want the overhead of apps.
How are you measuring this? Like, I would expect someone to want to ship e.g. WPF or something into the browser as their UI toolkit. Why would this fit in 5 MB?
Yeah this is really the endgame. I think the issue is systemic though, this is more than just ad money. Bots and automatability of the web was always an anomaly and a flaw, as the web was and is always designed for humans. Strict human verification was always a need. One can say we did achieve this with 2FA and such, but what is technology all about? Convenience. If it's more convenient, people will prefer remote assertion every day of the week: https://gabrielsieben.tech/2022/07/29/remote-assertion-is-co...
It is systemic, but I think you underestimate how deeply the adtech money and everything surrounding it is embedded in our mindset. It's essentially the Goodhart's Law taken to the extreme, where every single new iteration of the system brings in new middlemen, new misaligned incentives, then putting those middlemen between the person providing a service and the person who'd like to pay for it.
Here's an exercise: try to draw a diagram of all parties required to display a video ad on your page. I suggest starting with the OpenRTB and VAST specs. It's creepy.
The biggest shame here is that most people are convinced that we need advertising because otherwise people would not pay for content.
> we shove as much difficult-to-implement functionality (by which I am talking about CSS complex stuff, not powerful-but-easy-to-code APIs for OS-level access) into the browser as possible.
"powerful-but-easy-to-code APIs for OS-level access" are actual hard-to-implement-right functionality that is often pushed to browsers with very little discussion or considerations.
But the chance of a web page actually needing that functionality to render at all is rare for hopefully-obvious reasons. The status quo is that progressive enhancement is dead: a few-year old copy of Safari can now simply not browse much of the web anymore because it is missing some corner case of CSS or web components or whatever: I often am stuck at loading spinners or are simply thrown into a blank page... the best case is a client-side rendered 500 error on many pages.
It was critical for the web to be easy to implement the core of for a small team or even a single concerted god-tier developer--imagine Fabrice Ballard--and the current spec has failed so hard at this that even tech megacorps have thrown in the towel. People get upset about WebUSB... but that's not the API surface that is causing us issues. If I had to single-handedly implement all of canvas/WebGL/WebGPU and JavaScript/WebAssembly I could pull it off (noting I used to be a video game engine developer).
> But the chance of a web page actually needing that functionality to render at all is rare for hopefully-obvious reasons.
The chance of a page using something has no bearing on how dificault something is to implement.
> People get upset about WebUSB... but that's not the API surface that is causing us issues.
It's one of the hundreds of APIs, and yes, it causes issues, too. Because it also needs to be implemented, and it also adds to the complexity of the web browser.
No: it doesn't need to be implemented unless you actually want to do something with USB. Random websites aren't not working because you don't support USB. My iPhone doesn't support WebUSB even if I updated its firmware.
Yeah: it isn't shocking and can be quickly found using Google (as I just did now). (I have provided some extra links but am only quoting Brendan Eich as you seemed particularly interested in him saying the words himself rather than his team.)
> 1/ native C++/Rust code, no JS tags on page that have zero integrity. That means ability to use SGX/TrustZone to check integrity and develop private user score from all sensor inputs in the enclave; ...
> We already have to deal w/ fraud. That is inherent in any system with users and revenue shares or grants. We do it better via C++ and (under way) SGX or TrustZone integrity checking + OS sensor APIs, vs today’s antifraud scripts that are routinely fooled.
> What Brave offers that's far better than today's joke of an antifraud system for ads is as follows: 1/ integrity-checked open source native code, which cannot be fooled by other JS on page; ... (1) requires SGX or ARM equivalent, widespread on mobile.
They are also building an SDK and talk about using this tech to ensure the ads presented by their SDK in someone else's app are legitimate.
> Part of the roadmap (details in update) is a BAT SDK. Obviously it would be open source, but more: we would require Secure Remote Attestation (Intel SGX broken but ARM TrustZone as used by Trustonic may be ok) to prove integrity of the SDK code in app.
Again: the very tech they are excited about to make their ad-based business model work against people cheating and blocking their ads is the same tech that Google is going to use to make their ad-based business model work against Brave cheating and blocking their ads ;P.
You asked for sources, they gave you sources and now you complain about when those statements were made?
4 to 5 years isn't even that long for these kind of plans, but at the very least offer a good faith counter argument and state your case instead of vaguely begging the question and doing some hand waving about the age of the statements.
While the 'Web Environment Integrity API Proposal' is portrayed as a measure to enhance web security and prevent fraud, it poses potential threats to competition, especially for open-source browsers like ours. It may seem to protect the ad business model, but what it could lead to is the monopoly of Google Chrome, curbing the emergence of new competitors.
We are an open-source browser developer and these concerns deeply resonate with us. We understand the paradox Alphabet faces, yet we firmly believe the solution isn't about exerting "DRM" level control over a ubiquitous means of access.
We're committed to standing up for the future of the web. We don't just see ourselves as a browser company but as advocates for an open, fair, and free web. We invite you to join us in this endeavor. Visit https://github.com/dosyago/BrowserBoxPro today. Stand with us for an open, free, and fair web.
It's important to note that a browser that implements something like this is simply not a User Agent, in the most clear way - it's just not there to serve the User, it's there to serve the website. When you consider this, it's clear that this goes against the core principals of the WWW, making this an Anti-WWW feature, or better put, a regression.
Hopefully this will not be implemented, but still it's a good wake up call for those who still think that Chrome is more than an ads-delivery app with some browser functionality.
It feels like this cannot fly in the EU already though. And if they someone found a way around the regulatory, there will be amendments to shoot it down.
The entire premise of 'people want expensive to make websites, but don't want to pay for them' is already a bit flawed. I do pay for youtube to not see ads, I wish I could pay Google (and Meta) to not serve me ads on any site including Google search, they have ads on. That would make life a lot nicer. And I personally know no-one who would not sign up for that. But that doesn't happen, I guess because ads make more (not from me, but he)?
Brave is an advertising company, but we’re quite different from Google and others in this space. Brave's ad notifications are opt-in and engineered in such a way to protect and preserve user privacy. I'm not sure where you saw Brave engineers talking about ways to prevent users from blocking our ads—we don’t try to prevent users from blocking Brave Ads.
If you wish not to see Brave’s ad notifications, you can easily avoid them (by not opting-in in the first place, or by throttling/disabling-entirely). There are no special hoops to hop through, or technical incantations to utter. We believe digital advertising is better when it is built on user-first principles and consent.
If a user opts-in to Brave’s ad notifications, their device proceeds to routinely download-and-maintain a regional catalog of available inventory. The user's device then evaluates the catalog entries for relevance. User data is NOT sent off-device in Brave’s model. If a relevant ad entry is found, it is then displayed to the user in such a time and manner for minimal distraction. When an ad notification is shown, the user receives 70% of the associated ad revenue for their attention (no clicks required).
Again, if the user wishes to not see ad notifications, they can simply choose not to opt-in to viewing them. If the user wishes to not see the occasional sponsored image on the New Tab Page, they can turn those off from the New Tab Page itself with 2 clicks ( Customize › Show Sponsored Images). Importantly, the user is always in control. They decide whether ads will be displayed, and to what degree (e.g., the user can set a limit on ad notifications per hour).
Brave isn't interested in coercing users to view advertisements.
For now.
Remote attestation will devalue non-attested advertising. Once your stream of revenue dries up due to devaluation, that's when the executives will have a choice to make.
To begin with, pretty much every government employee in the world has some proprietary software developed within the country for security reasons. Old, even obsolete machines. Out of date software, unlicensed/unregistered software, etc, etc. Much of this is also true of banks.
This means if this is put in place as in the spec, it will affect banks and governments negatively. And as powerful as Google is, I don't think it will win over governments + banks.
But again, all the above could be nonsense, and Google will gatekeep the web. It found itself as the loser in the AI race, and it knows pursuing AI during the ongoing arguments on privacy and who owns the data AI is being trained on - the next best thing is to own the playground where the AI trains. That may not be an entirely bad thing either; sad, perhaps, but as this goes on, and browsing becomes a pain, maybe this will result in people just spending less time online? That's a good outcome in my books.
It's the ad-tech sector of the web declaring a secession from the internet, for ads can't live under the law of the open web. The new AdWeb is going to look like appstores: websites will need to pay to the adweb owners, and users will need to use smartphones or locked down browsers. As for the open web, it will stay and continue evolving free from money making concerns.
Good luck getting online banking to work outside Chrome and Edge.
If you call their support line to say something isn't working, they'll ask if you're using Chrome or Edge. If you aren't, they'll tell you to just use Chrome or Edge.
The literal attempt to censor web usage of Linux and BSD desktops, other FOSS clients, custom Android ROMs, etc with an open reasoning "to sell you ads".
Yeah I mean the first of their examples is literally:
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
I find it quite cute that they start with "users" as if it's a user demand but in the next sentence switch to "advertisers" --- the real target population.
Why stop there. Let's see who is behind the problem they're solving with item 2:
Some examples of scenarios where users depend on client trust include:
1. Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
2. Users want to know they are interacting with real people on social websites but bad actors often want to promote posts with fake engagement (for example, to promote products, or make a news story seem more important). Websites can only show users what content is popular with real people if websites are able to know the difference between a trusted and untrusted environment.
Not written in item two: And the people paying to promote the posts funding these sites want to know the promotions are landing on real consumers' screens.
It’s not impossible that google people who work there long enough are under a corporate delusion that users need something ads related that is aligned with business model of their paycheck issuer. They may sincerely believe it’s the only way forward, because otherwise it’s ruined for everyone.
As someone who lived in a city fully controlled by organized crime, I can tell you that eventually some people become fanboys of gang-law and start to unironically teach everyone how it’s better and more moral than actual law.
I mean, to be fair, that's their entire modus operandi.
You don't berate a kitchen for serving food, why would you look at any Google contraption from HTTP/3 to Chrome as anything but a vehicle for selling ads and/or mining data?
Google are clearly trying to add levels of indirection here to pretend it’s some kind of standards forming, instead of a dictatorship. There’s nothing “to be fair” about.
The largest subsection of the document is spent discussing how to prevent specifically this situation, and this is called out explicitly as a non-goal.
They didn't try hard enough. That section concludes "Established browsers would need to only use attesters that respond quickly and fairly to new browsers' requests to be trusted," so in the end, Chrome's monopoly lets it call all the shots.
I'm worried about this too, as we run a company that invests heavily in developing browsing technology that is powered by these browsers (like chromium) but liberates them in various ways (such as running headless in the cloud, and then having users connect to it remotely), or running in a "semi automated". Both of these things would possibly be flagged by these attestation guards, and would not be environments that "preserve the integrity of the ad business model and the dominant browser market". If you want to get involved in doing something about it, come and check out our open source browser work at: https://github.com/dosyago/BrowserBoxPro and get involved
Soon there will be a Plaza Web, for which you'll need an approved device for, like a Chromecast with Google TV, and the Old Web of communities, enthusiasts, and the like.
Whether you like it or not (and I certainly don't), you've gotta sort of admire the sheer vision of a fifteen-year project to build a browser so good it comes to monopolize the industry, all because you've had the foresight to realize that monopoly will be crucial to securing your position as the adtech hegemon. An underrated masterpiece of evil genius.
And I believe this strategy was how Sundar Pichai became CEO of Google. He oversaw the chrome project in the early days and its incredible success catapulted him up the management ladder at Google.
And tech people fell for it hook, line, and sinker.
It's completely and utterly irrelevant that Chromium is open source, because the web is a protocol, and having the source for an implementation of the protocol doesn't matter in the least when you don't control the protocol. You can't just fork Chromium and remove a feature, because websites expect the feature, and your browser won't work on them. You can't just fork Chromium and add a feature, because websites don't care about your tiny fork and won't use your feature. You can't fork Chromium, you have to fork the entire web.
> You can't just fork Chromium and remove a feature, because websites expect the feature, and your browser won't work on them. You can't just fork Chromium and add a feature, because websites don't care about your tiny fork and won't use your feature. You can't fork Chromium, you have to fork the entire web.
In some cases you can (although it may be difficult, because the code might be difficult too and maintaining with merging changes can make it difficult too).
You can remove features you don't want, possibly adding fake features in its place or those that access other features, e.g. the microphone access to instead access a file, etc.
You can add features that most people don't use even if you do use them. It can also be implemented in ways that are backward-compatible. Also, some features that are added are not features that the web pages will need to know anything about, because they are user features instead.
Nevertheless, some things cannot easily be forked in this way. For example, adding a "Interpreter" header to add support for additional file formats and make it compatible even with browsers that do not support it, cannot be made compatible unless you add a request header to specify its availability too I suppose, and then just complicates it.
Of course you can. Microsoft's Edge and Brave already add proprietary features like AI and reader mode, tab groups, video calling, crypto wallet etc.
Brave could add a custom CSS or HTML feature. Hell that was the status quo we came from ten years ago when each vendor had their own feature flags and implementation for WebRTC and proprietary video codecs, etc.
Brave already explicitly removes ads and blocks all kinds of things websites expect to work on Chrome.
I think you missed the point of the comment you’re replying to. Without market share, the custom feature will never be respected by the web. At best if web developers don’t have to do any work for it you might get something that you can maintain for a while.
In fact, Edge is a perfect example of "nobody caring about your tiny fork": No matter what Microsoft tried, the internet no longer cared about Trident and IE/Edge. The only way Microsoft could regain some semblance of existing was to turn IE/Edge into Chrome and play the internet game as Google dictates.
Nowadays Edge has some superfluous features that differentiate it from Chrome, but they are still superfluous. Underneath it's still Chrome, because the internet demands Chrome.
Still bummed they didn't go with gecko.
(I know chromium is the superior engine, but Microsoft could've pushed gecko development to new highs for sure)
That's exactly what we need to do. More specifically, we need to decouple the app web from the document web. Most of the value of the web to society lies in text, images, and video, in that order. We need a version of the web refocused around basic content with a spec simple enough for a small team to implement a browser for. A subset of HTML/CSS is probably the only way to succeed, since sites would need to work with current browsers. I think a few HTML tags + flexbox + fonts + colors would get you pretty far.
I wouldn't necessarily view it as malice from the beginning. It's entirely likely that early Chrome was really trying to solve usability problems in hosting complex applications like GMail. A goal that was attempted throughout history, as seen from the days of ActiveX, Java Web Applets, Flash, etc.
But capitalism does what it does best, and will happily take advantage of (and try to prolong) a natural monopoly situation even if the origins were genuine.
In fact this is why there are regulations around "utilities". They are also an area where a natural monopoly is the optimal, so they shouldn't be treated as a free market.
(Food for thought: Perhaps the Internet infrastructure should be a utility too? Browser makers could be forced to be non-profit, which would mean companies need to divest themselves of the "Internet business" if they want to do "business _over_ the Internet")
> I wouldn't necessarily view it as malice from the beginning. It's entirely likely that early Chrome was really trying to solve usability problems in hosting complex applications like GMail. A goal that was attempted throughout history, as seen from the days of ActiveX, Java Web Applets, Flash, etc.
I would say that the actual goal early Chrome was really trying to solve, was to prevent the browser monopoly of the day from being used against Google. It's similar to how Valve invested on Steam OS, as insurance in case Microsoft used its operating system monopoly to degrade the Steam experience relative to Microsoft's application store.
That's a fair take. Which kind of begs the question: How much innovation in tech is actually just people getting around limitations imposed by monopoly/high influence players?
There's been some wishy claims maybe perhaps users-scripting & debugging will be left intact, that the intent here is about other levels.
But there's basically no real actual meat to this specification. It's abstract: it doesn't really say what Web Environment Integrity is, it's up to the browser to determine, and the rules could keep getting more and more and more specific at the browsers leisure.
> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
Does it disturb anyone else that this is (a) in a personal namespace & (b) reason given for closing discourse being a single individual's need to disconnect from work at the weekend, when that person is employed by a large corp to maintain this spec which they are implementing in their product?
Surely Google as an org, if they're behind this, or at least a standards bodies own org namespace should both own this project, and also decision making around discourse, with any individual employees being free to leave the project un-answered outside of working hours?
This isn't some open source passion project someone's doing in their off time...
Sure you can fake the results of an attestation in your fork, but your fork would be using your own key to sign the response, a key that the site can reject.
Has that been extracted already? I have to admit I'm behind on the current state of browser DRM...
Also I wonder if in the future this would require attestation of the entire chain: secure UEFI validated by key burned in CPU, validates secure boot os that prevents "hacking tools", which validates secure Chrome, which attests secure websites...
The current state of DRM is that you have to find a hardware vulnerability in order to extract a certificate. With this you can now decrypt DRM content, but you have to be careful not to get that key blacklisted.
the TPM does the attestation of the entire running environment, starting with firmware, through the OS, through the browser all the way down to the website
This is a level or two below where my knowledge of the browser trails off, so I'll ask generally: how would this interact with things like the WebKit Content Blocker API?
Most likely all extensions and content blockers would be disabled for DRMed sites. Or maybe they'd be enabled but the browser would tell the site you have a blocker enabled and the site would refuse to load.
Step 1: Sites require a "secure" (read proprietary) browser like "Google Chrome", "Microsoft Edge", "Safari" or refuse to operate.
Step 2: "Secure" browsers change the behavior of their implementation of the Content Blocker API so an industry-accepted "secure" site lile Google Ads can opt-out of being blocked ("You wouldn't want a misconfigured content blocker to accidentally break a verified secure site right?")
Step 3: ???
(Force the users into a take it or leave it choice for whether they want to be part of the internet or not)
I don't understand how the Apple that introduced their Content Blocker APIs would choose to invest into this API to kneecap their own content blockers?
They wouldn't have to. Unless you use an iDevice you're not using an Apple made browser. (The content blocker API is WebKit so it's used across multiple browsers)
As for revenue from Apple users, they already want to have control over that and would be more than happy if Google and co voluntarily stopped serving their users so they can make ad money off of them on their own terms.
Either Apple will make their devices refuse to sign the attestation if you're using it, or Google will remove Apple from its list of trusted attesters.
Or (most likely) they will negotiate how to split the money. Maybe through some kind of safe advertising consortium.
Apple is just fine with collecting user data on platforms so long as they're the only ones doing it. Apple even runs its own ad network over its own app store.
If you ask anyone who works in advertising they always say Apple has by far the "worst" targeting options. They display ads in the App Store but the data they use to track is usually not very great.
The empire strikes again being driven by the insatiable greed. Just wait till its minions will fill up this thread with classical astroturfing and comments in vain of "We were waiting for this feature since forever!" and "It's for better security". I can also easily see how they massively downvote everyone who disagrees with the righteous direction of The Corporation. This is so Orwellian 1984.
Proposals like this demonstrate the utter failure of our ethics education in computer science.
In a field facing increasingly harder ethical questions every day, it’s important to start empowering our engineers to say “no” to ethically bankrupt things like this.
You might be disappointed. Ethics training can't force people with different political viewpoints to conform to yours; in fact it gives them better tools to explain their views.
I don't think any amount of ethics education will matter in the end in the face of the incentive structure that appeared in the industry.
Strong cultural norms (e.g. hacker culture) might help for a while. But incentive structures eternally erode opposition.
It could make it easier for developers to band together and try to collectively veto things like this. But corporations with money can always buy the expertise of people, have them undermine the community, create their own parallel communities and influence public opinion and legislators.
FAANG salaries supercharge people's cognitive dissonance. They will find ways to excuse, minimize and ignore their contribution to the current situation.
Even HackerNews developed a sub-subculture of people that were constantly going on threads and calling remote attestation worries as "FUD".
It's unclear how to preserve cultural norms that stand in the way of market dominance. The only thing I can think of is having competing interests in the market. But whenever these align -- hell breaks loose.
I highly doubt it, but I wonder if this will be the straw that breaks the camels back where general perception of Google flips to where they are viewed in the same circle as Comcast or EA.
Google is heading in that direction and their velocity is accelerating.
First I wanted to say client trust is one of the two things I‘d really like to see improved from a security standpoint but I think it‘s the wrong way around. Browsers should establish if they feel they operate in a trustworthy enough environment and decide to not work at all if they don‘t. Having the website initiate this check is a bit strange to me. (The other thing being more MitM and DNS Hijacking protection)
I see one more dangerous development imposed by this move: limiting access to web content for rival search engines. I'm sure that Google Robot will pass all "high security standards" and web integrity checks, while others won't be able to do so.
The underhanded way this is being proposed is really something else. It's hosted on a non-google github to provide distance, it's worded in a way that makes it seem like this is something that benefits users, when it's the absolute opposite of that. It subverts the whole concept of a user agent. This is a huge threat to our industry and we cannot allow this to happen.
It's not a "threat to" the industry... It literally _comes from_ the industry... Unless the tech industry is willing to lose one of its biggest sources of revenue, this is exactly what the industry wants...
What's strange to me is that the main author of the spec -- Ben Wiser -- seems to be against closed, wall-garden paradigms as he has written in a blog post "I just spent £700 to have my own app on my iPhone" [1]. In the post, he laments the state of the App Store monopoly on iOS and ponders returning to Android for the app installation freedom.
How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?
He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."
I think it's very easy to treat people in such a binary manner. I get it.
What this guy's doing is shameful, but I've seen dozens of otherwise lovely people, working for charities, spending much more time on socially-important and useful work than 90% of the crowd here... and the same people would push barely legal (if not illegal) targeting on masses of people, arguing to push cigarette ads in markets that still allow it. Advertising is cancer and the current model is not sustainable.
What I'm (poorly) trying to say is: be angry, let everyone know that you're angry, make more people angry, but remember that focusing on this guy is a distraction from a bigger systemic issue and it actually helps organisations like Alphabet.
> I've seen dozens of otherwise lovely people, working for charities, spending much more time on socially-important and useful work than 90% of the crowd here
As if you personally know 90% of the people here? And how many of those 10% would never ever push advertising on anyone, would you guess?
It's moot anyway, you cannot compensate for a lie by giving someone a lot of cake, even all the cake in the world. It's apples and oranges.
> Advertising is cancer and the current model is not sustainable.
"Advertising" is just a shorthand for the concrete actions concrete individuals engage in. There is no "model" outside of hundreds of decisions people make every day. It's like blaming "capitalism" and pretending people just play the "game" as if that existed outside of those actions. For any person you could name, I can find you someone in the same situation who refused to do the evil thing.
Speaking as someone who worked in adtech and managed to spend almost a year getting paid to build an adblocker:
I can tell you that the machine is so big and the responsibilities diluted to such extent that no one really feels like they're making a morally dubious decision, it just sort of happens on its own, magically.
> How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?
It's easy: he works for Google. Every single public-ish web developer and/or devrel from Google will spend inordinate amounts of time lambasting Apple, writing eaassays on how Apple cripples the web etc.
While Google has broken the web so badly that Apple would need several decades to come anywhere close.
Note: the moment they leave Google, they may slightly change their tune and criticise Google a bit. For an example, see Alex Russel of web components when he went to work at Microsoft after spending a decade making sure that web browsers are turly unimplementable: https://infrequently.org/2021/07/hobsons-browser/
Why isn't it a response to the question above asked? The question above seems to be saying that this API will be used to create walled gardens; the linked part of the design is about how to prevent the API from being used to create walled gardens.
I doubt it. As explained by GitHub user tbrandirali, the stated goals seem to be inherently contradictory. Quoting in part:
"This internal contradiction is further demonstrated by the fact that the proposed solution to prevent misuse by websites - holdbacks - is to simply sabotage the functionality of the system itself, by making attestation probabilistic. This is not a workable solution to the problem: if the holdback rate of requests is low enough, the denial of service to legitimate users will simply be a cost of business that websites will accept; if instead it is high enough, websites will not use this system as it does not provide meaningful enough information, even for analytics purposes, due to the high uncertainty. There is no goldilocks zone where this system is useful but not open to abuse by implementer websites. You're either implementing a feature that can - and most likely will - be used by websites to exclude unattested clients, or you're implementing a useless feature."
Why wouldn't a 10% holdback work? Would a company consider it "simply a cost of business" to block 10% of people at random? That's going to cause a huge amount of support load and probably a lot of negative press. 90% of data will still be good for analytics.
It doesn’t have very concrete answers. It’s really more of a couple of ie thoughts, with an exhortation for people to provide ideas on how to fix this. For example:
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)
The intent may genuinely be to help decrease bot activities versus human activities.
Even the ad example is about not charging advertisers for bot views, which is a huge problem right now.
The problem is that a tool can often be used for evil as easily as for good, and the more the standard was used to block ad blockers over simply filtering out User Agent spoofing bots, the more this tool ends up evil.
And even if the limited scope in the proposal was the true intent, there's nothing preventing scope creep.
Though reading over it all, I do think the assumption of motivations in most of the comments here are misaligned. This does seem to be primarily focused on the issue of growth in bot activity and making it harder on bots to act as if human to servers.
Still, the spirit of who controls the client is very much at stake, and the comments here are ostensibly right that this is a measure that should not happen.
(And frankly, given the bubbling attitudes about enshittification coupled with the coming lowered barrier of entry for competition against software firms and content production, I think this is very much the kind of thing that may backfire horribly if forced though.)
This is meant to be a Play Integrity API proxy for the web.
Now, I'm not opposed to having a locked down device when performing actions like using a bank app.
However, Google is abusing this, because they force their adware and spyware into that device, so I can't have a secure, locked down Android device without that.
Ironically my bank app allows me to bypass the jailbreak detection screen at my own risk, but Mario Kart Tour and a parking app won’t and expect me to factory reset my device to use them (and Mario Kart doesn’t even tell you and just crashes)
Pretty much the entire premise in the title of his blog post is false for dramatic effect and you wonder how this man could stoop so low as to be duplicitous?
They've probably delusioned themselves that this is not evil. They are saving the internet from small businesses going under because their ads are being blocked!
It's time to break Google up. They're the AT&T and Standard Oil of our generation. Make Ads, YouTube, Search, Cloud, Chrome, etc. all independent companies. Demand that antitrust regulators do their damn jobs for a change.
counterargument: let's say the us gets in a real war with china, a massive conglomerate like google would probably make massive contributions to cyber/technological warfare that the individual pieces would have a hard time doing
i agree they should be broken up, but it might be the wrong time for it.
Google can intercept nuclear ICBMs? Because if they can't, nothing they do would really matter in a real war against China.
(And saying that actually "it would probably not escalate that far in a real war because... It just won't! " might be a common argument these days amongst war mongering lunatics to make war with China or Russia sound less batshit insane, but it's not an actual argument. It's just run of the mill "this time it's different!" cope that has been said before every blood bath. )
Can you give us an example of wartime contributions that require expertise across the verticals of browser vendor, advertisement marketplace, a remote home video/audio monitoring vendor, an OS vendor, and a productivity software vendor? How does integrating those verticals help in an attack or defense scenario any better than having those separated?
Google Cloud becomes a VC driven organization that slowly eats margin dirt against it's competitors until insolvency. There was no way for it to recover enough resources from the mothership before being split out.
Search trundles along ok, assuming it took search ads and a ton of core infra with it, but it never makes enough money to ship a decent product extension. It hopefully removes some products it can no longer afford margin on, which have long produced distorted results (albeit with good intention). It suffers slow brain drain, and users end up using multiple search engines for every search again because no one has good search quality. The monopoly breaks, but so does this part of the internet, bolstering apps and information sites ecosystems positions. Wikipedia is the only real winner we want in this space.
Display Ads goes like it just discovered faster than light travel, no longer held down by the ol ball and chain that is the entire rest of the company. They go much darker as they no longer have tons of goodwill organizing from the rest of the company, and increasingly join the bad actors. In 20 years they eventually join lexis level evil in terms of multi-directional user sharing.
YouTube heads off into the stratosphere along with Display Ads. They try to maintain a better public face, but having to spin up their own ad market solutions drops ad quality even further, margins suffer, but their position remains ossified and they slowly recover. They start to get a bit more agile, no longer disrupted every other year by some mandate from the mothership, they're better able to keep up with new markets and more rapidly crush new competition.
Workspace decays very slowly. All the AI stuff halts and gets ripped out as there's no one there to work on it. The drive product has to scramble to figure out how to rebuild without all the internal commodity infrastructure support. GMail gets unstable for a while due to the weight of the infrastructures sitting on many fewer shoulders. Global instability results of the rapid de-distribution of the system as the production infrastructure was sliced apart in a rush to meet forced division. The economy takes a big dive as a result, as half the world loses email access regularly, bills don't get paid, etc.
Photos spins out into its own thing, and dies rapidly, as selling the odd photo frame here and there just can't meet margin.
Chrome tries to get funding from Microsoft, eventually it gets purchased wholesale, but the core team gets ripped up and largely discarded. Who knows how the OSS products fare, it depends on the executives in Microsoft who win this purchase. Eventually the main product gets shuttered, with Edge being the only replacement.
The telco products all shutter immediately, with no recourse. Same with R&D.
AI tries to split out into it's own thing, but fails to find a business and suffers constant reputation problems. After 10y of trying it eventually shuts, the acquiring company however immediately spins up multiple successful products and makes a big dent in the now well established market.
Android spins out into its own organization. The first decade the heat of internal politics in new found vacuums crushes them, eventually they find footing and head back to their open core roots, get scrappy and do some new things. Along the way their size fluctuates as the market forks and fractures as it does, but Android manages to hold its position as the western center of its universe.
Chromecast, ChromeOS, Nest all suffer badly having no core ecosystem to ship anymore. They attempt to buddy up with Android which pushes them around trying to androidify everything, but resulting in poor UX and/or poor margins across the board. Eventually the all but ChromeOS shutter, and ChromeOS business also closes, but leaves behind an OSS gift that a core group of passionate individuals try to limp forward as best they can with the new Microsoft Edge overlords.
> Vultures make off like bandits, and amazon, apple, microsoft, and cloudflare are the biggest winners in the fallout.
In this world, Amazon et al get the same treatment. As for "vultures make off like bandits", welcome to market-based economics, these companies can compete if they don't want to die, and if they can't compete, then let them die.
I mean, is any of this supposed to sound bad, because it sounds like a more-unhinged version of the internet of old and I am here for it!
Add some internet chaos to go along with all the climate, finance and real-world chaos we’ve got going on in our lives already. Who knows what kinds of interesting and innovative ideas and technologies would bloom in this environment!
> The economy takes a big dive as a result, as half the world loses email access regularly, bills don't get paid, etc.
Now you have me excited for this possibility. Doubly so if people stock up on ingredients for high explosives first. Take what you can while the taking is good: no room for repo men. Year 0 now.
> feels like the 90s again
I can't wait.
> amazon, apple, microsoft, and cloudflare are the biggest winners in the fallout
Sadly, that's true. Google's remains can only be cannibalized by companies that are already Google-sized.
* The US would never kill its golden calf except as a last resort.
* The US standard for antitrust is consumer harm. Google implementing a thing that other companies have been asking for, any company can join and send their own attestation signals, and then those other companies in unrelated markets use the thing to maybe not support unapproved stacks which could reasonably include Android/Chrome won't fall on Google.
458 comments
[ 3.6 ms ] story [ 317 ms ] threadStrikes me as very dangerous though on the web where there are so many paths for malware to get in and this could get in the way of plugging the holes.
If that's how "we lost this war", then it was lost before it even started. Even before Apple released their phones, it was already the case that phone firmware came only from the phone manufacturer. That is: phones come from a different lineage than PCs, and were never as open as general purpose computers ended up being.
There were only a scant handful of years where there even existed phones where this could matter... but now this same mentality is being applied to every new category of device--all of which acting as general computing devices--based on these precedents.
Secure boot can protect you eg. against malware gaining write access and modifying your system. I see it as user protection, as long as you can sign the trust chain. This is what GrapheneOS is doing as far as I know.
To take your GrapheneOS example, apps wishing to support it must add GrapheneOS keys: https://grapheneos.org/articles/attestation-compatibility-gu...
If this proposal goes ahead, it's unlikely that you'll be able to convince site owners and/or ad networks to add the keys of your open source OS.
The result: there is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself and who is finally putting its foot down to decide that we are all going to be forced to either used fully-locked down devices or to prove that we are using some locked-down component of our otherwise unlocked device to see anyone's content, and they get to frame it as fighting for the user in the spec draft as users have a "need" to prove their authenticity to websites to get their free stuff.
(BTW, Brave is in the same boat: they are also an ad company--despite building ad blocking stuff themselves--and their product managers routinely discuss and even quote Brendan Eich talking about this same kind of "run the browser inside of trusted computing" as their long-term solution for preventing people blocking their ads. The vicious irony: the very tech they want to use to protect them is what will be used to protect the status quo from them! The entire premise of monetizing with ads is eventually either self-defeating or the problem itself.)
The person who wrote the proposal[0] is from Google. All the authors of the proposal are from Google[1].
I've been thinking carefully about this comment, but I really don't know what to say. It's absolutely heartbreaking watching something I really care about die by a thousand cuts; how do we protest this? Google will just strong-arm their implementation through Chromium and, when banks, Netflix & co. start using it, they've effectively cornered other engines into implementing it.
This isn't new to them. They did it with FLoC, which most people were opposed to[2]. The most they did was FLoC was deprecate it and re-release it under a different name.
The saving grace here might be that Firefox won't implement the proposal.
[0]: https://github.com/RupertBenWiser [1]: https://github.com/RupertBenWiser/Web-Environment-Integrity/... [2]: https://news.ycombinator.com/item?id=26344013
[0]: https://www.eff.org/press/releases/eff-makes-formal-objectio... [1]: https://github.com/w3c/encrypted-media
WebAssembly exists as a replacement now, too.
DRM isn't going away.
The media ecosystem is not going to be enhanced by making DRM more restrictive. Netflix could completely deactivate all DRM today, and it would change nothing.
Apple completely abandoned their "FairPlay" iTunes music DRM because it became evident that it was not needed.
DRM is mostly security theater anyway. Until a few years ago, the Spotify client just left unencrypted mp3s cached locally. And they stopped DRMing music over a decade ago. People are willing to pay a reasonable price for first party content.
If a company insist on DRM, then they should be on their own.
If we make it too easy, then they will just use it everywhere.
And five years isn't "fairly recent".
One would also note Spotify is a failing business, and it was failing even harder then.
The majority of users had no idea and it didn't affect them at all. Nor is there any evidence that it had any impact on Spotify's business.
But in this case it could report "sure, this is a real user alright" by being its own attester, can't it?
Microsoft and Real Player pushed hard for an integrated ActiveX based DRM ecosystem over a decade ago. I'm so glad that Mozilla flatly refused to entertain such idiocy. I sure wish that Mozilla still existed.
Mozilla is now just a "pick me" [1] organization to big content. They should own being a browser that caters to users, not platforms. Because they will end up with nothing.
[1]: https://www.urbandictionary.com/define.php?term=Pick%20me
Today? Guess who Grandma's gonna call with "my Netflix isn't working"? And she won't care why, all she cares about is Netflix.
If done correctly, TPMs on every computer would be preloaded with signing keys (probably microsoft). The web browerser would then ask the TPM to sign the Platform Configuration Registers, which are a hash of a challenge nonce, the system firmware/kernel/configuration/etc. This signature is then sent (along with a description of the system configuration) to an external attester. This external attester validates that:
A) the claimed configuration is "secure" (trusted kernel, bootloader, browser, etc) and
B) The TPM's signature attests to the configuration.
The validator then generates its own signed message that can be sent to the server.
In practice, I think this is logistically unworkable in todays computing environment. But with enough big players pushing for it, I don't see anything fundamentally impossible.
Anyone can write their own EME plug in that writes the files to disk. But it won't have the keys of any trusted module, because the reason sites trust them is because they don't do that. So it won't get accepted by anyone. Same here.
Presumably this is because if it was, it would open Google to abuse of dominant position claims.
You do not and you cannot. It was written in stone once Chrome dominated the browser market. What Chrome (Google) wants, Chrome (Google) gets. Despite all the good engineering Google wants to sell ads, that's all there is to it. And the result is this proposal.
> The saving grace here might be that Firefox won't implement the proposal.
It's irrelevant and we are an irrelevant minority. Unless people switch to FF in droves the web is Chrome. And they won't because at the end of the day people just want to get home from their shitty jobs and stream a show. As long as that works everything else is a non-issue.
Heh. I was there when it was IE6, and people said the same.
Just doing some quick searching - the first numbers that come up when you search for "how many people used the internet in the year 2000" are on the order of 350 million or so. Comparatively, now, in 2023, Reddit alone has some 450 million users. It would seem right now that Tiktok has about three times the number of active users than there were total Internet users 23 years ago.
Additionally, there are literally hundreds of billions of dollars now resting on Chrome remaining the dominant browser.
Short of government intervention (or absolutely monumental fuckup on Google's part somehow), Chrome is here to stay.
But it still happened, against M$, who was the behemoth of the time, so things are never impossible.
We are the people with the most influence on the tech. We are prescriptors. We are legion.
– Yes but Chrome is a tad faster and I have my bookmarks and my favorites extension and blablablabla…
— Then you are the root cause of the problem. If you are not ready to sacrifice an ounce of comfort to save the web, then you are the one killing the web.
Simple: install Firefox. Now.
(oh, and, by the way, also removes google analytics and all google trackers from the websites under your control. That’s surprizingly easy to do and a huge blow in Google monopoly. There are plenty of alternatives)
Yeah, not for long. Go back and read the proposed changes.
I think the comment you originally replied to is trying to say "use the other browsers, even if they are not good for much".
No.
No. Firefox, beyond being slower, also keeps constantly displaying ads… for itself. Want to open a new tab? “Big Browser cares about your privacy, read how!” I just want to open a new tab!!! I’m working! Restarting? “Discover what’s new with Firefox”, “Hohoho, we care about your privacy, LOOK HOW MUCH WE CARE! ALSO WE HAVE NO ADS!” Worse, they suggest to solve privacy that I use Mozilla VPN. VPNs don’t solve privacy. Also, it’s a paid ad for a paid product.
Mozilla had also a staunch political slant, going as far as firing a CEO for a donation he made to the opposing group years ago. There is nothing neutral here, if you are not a leftist, it’s dangerous to use or even give your participation to that ecosystem.
Mozilla has failed to become the no-ads, better-ethics, privacy-aware navigator (pun intended). They keep performing worse actions than Google all the time.
"Who owns Waterfox?"
"System1 now own Waterfox, but Alex Kontos is still leading the direction of Waterfox and will be for the foreseeable future."
And who's owner, System1, states at the top of their page[1]:
"System1 operates the most dynamic Responsive Acquisition Marketing Platform
Connecting high intent customers with advertisers at scale"
[0]: https://www.waterfox.net/docs/faq#5-who-owns-waterfox [1]: https://system1.com
Of course, if you know a better browser (that is not Chromium-based), I'll be happy to hear your suggestions!
One tab with an ad opening when the browser has updated every few weeks or so is not what I would call "keeps constantly displaying ads".
He wasn't on the wrong side of a political issue he was on the wrong side of decency and morality. This ought not to be a leftist position nor should we fear that the tyranny of excessive concern for others may be imposed upon us. Should we decide to use Firefox for evil as it were the privacy both endorsed and adhered to by Mozilla precludes them discovering it let alone stopping us.
The position of user of Firefox and public face of Firefox are inherently different positions and come with different reasonable expectations but I think you knew that.
> it’s dangerous to use or even give your participation to that ecosystem.
Please describe precisely the threat model you fill most applicable
> keeps constantly displaying ads
For a definition of constantly redefined to mean rarely when a new major version comes out.
> They keep performing worse actions than Google all the time.
The context here is that google tracks everything you do and regularly shares it with the government including under terms that are obviously abusive of user privacy and including to repressive governments, are in the middle of attempting to destroy ad blocking by pushing locked down environments in the name of security. A move likely to have massive implications that will be impossible to manage or control in repressive dictatorships even if Google themselves do nothing to directly assist with mass surveillance in Orwellian states. Merely building general purpose tools virtually guarantees bad usage by repressive regimes. By contrast Mozilla has? Tried to pimp their VPN to you as part of their new version notification...
It really sounds like the Brenden Eich debacle has colored your perception of the situation and perhaps you need to step back and evaluate the situation objectively.
Why do you think that's acceptable?
Since then, Mozilla/Firefox has largely become irrelevant and absolutely no longer has the same privacy concerns and respects.
He donated money in opposition of a law he didn't want to pass. He didn't take anyone's rights away.
The problem is that the web standards have now grown so much that it is impossible to write a complete new web browser from scratch. Firefox is not coming back, because Mozilla seems to prioritize other things than code quality and the actual usability of their software.
And yes, I know that the SerenityOS developers are trying to do it, but while some very advanced things work "good enough" in their browser so that Twitter and Discord's web client works to some extent, the more basic things are so broken that their browser cannot even render basic HTML 3.2 sites properly.
Google's end goal is probably to "deprecate" HTTP 1.x and force everyone into using their own replacement for the protocol. Their protocol is going to be like the thing they call "HTTP2", an insanely complex protocol that is impossible to implement by a small developer team. In the end their own protocol becomes a "rolling release" protocol that only works with Google's own app, at which point they can completely stop releasing RFCs for it.
Then the game will switch to encrypted proxied traffic that you cannot block.
Then the adblocking software will switch to the GPU layer, and use machine learning and AI to wipe the region of memory in the GPU containing the ads (and replace it with something benign).
Then the next logical step from likes of google is a fully trusted computing environment - aka, you as an end user no longer control your own machine.
This is entirely predicted by Richard Stallman.
I suppose Apple may object on the grounds of being a "privacy focused" company, but I'll believe that when I see it. I'm not gonna sit here holding my breath for these megacorps to do the right thing.
[1]: https://www.youtube.com/watch?v=U7VwtOrwceo
True. Try to screenshot anything from Apple TV+ content. You'll get a black image.
If you subscribe to Apple TV, you are literally voting with your dollars for more of this crap. Stop giving them money!
You are probably right, but there is one self-interested reason why Apple might resist implementing this - Apple doesn’t like the web competing with apps, and this is basically giving the web a capability that right now only apps (effectively) have.
Perhaps you haven’t been paying attention but macOS Sonoma—currently in beta, shipping this fall—has the best web app support we’ve seen in a mainstream operating system.
You can put a web app on the Dock using the Finder’s “Save to Dock” command for virtually any website or web app.
Not only do you get service workers, push notification, web app manifest support, etc. web apps have first class support in the Finder, Spotlight, Spaces, Mission Control, etc. [1].
[1]: https://developer.apple.com/videos/play/wwdc2023/10120/
You only have to look at how they're (still) restricting PWAs to see they also have their own goals to preserve their walled garden and market share (as they should, it's a publicly listed company, but it's not the same as an open source alternative)
For example, they threaten to remove FaceTime and iMessage from UK iPhones if the government there changes the law on encryption [1].
[1]: https://www.macrumors.com/2023/07/20/apple-threatens-to-pull...
For the uninitiated: Germany's mobile phone network has been ridiculously expensive and unreliable for decades. Everyone else in Europe has done it better, because no one else thought they could extort 60 billion euros from the providers for RF spectrum licenses - we're still paying for that blatant debt-shifting today.
It is not like you'll be loosing much. This is the time to change, while we still have other players in the market.
The point is that if chrome implements this, netflix, amazon, facebook etc might decide they'll use this feature and only permit browsers who implement this to use this site.
Even if the only browser that does so is chrome, that's fine because chrome's market share is big enough that they can ignore the rest.
Have fun using Firefox if half of the web locks you out or treats you like a second class citizen.
Most users are more comfortable with computers that are toasters, not (hackable) general purpose machines.
The flexibility to hack implies the flexibility to be owned. Users don't want to get owned. They hate that so much they'd voluntary choose an owner
I can assure you most people don't think about their tech choices long enough to conclude anything like this.
My personal phone, and my personal laptop and PC, run open source OSes and are as privacy-focused as I can make thrm. They're the ones I use to browse and talk to people, both on public and private platforms. They're the ones that have my photos, my books, my passwords, my movies and my music. (I don't use streaming services, except for YouTube via Newpipe.)
I do make sure that I always have at least one bank account with a bank that doesn't require SafetyNet or similar, and can therefore be accessed without needing the "official" phone. So far, all but one of my financial service providers work fine from my personal devices.
I think the dual-device approach will quickly become the only realistic one for individuals who want privacy in their computer use (which will remain a minority). I will even say that, although Google is doing this purely for the sake of ads and profits, it is not unreasonable to expect citizens to have an "official" online presence in the form of a highly standardised Internet client, without prejudicing their ability to use other ones. In the same way that you have an official residential address, without prejudicing your ability to have other mailboxes or live on the road.
What, you think taking down the ad industry on the web is going to be painless?
Is this supposed to be a bad thing? It's almost made to sound like surviving without them would be tantamount to starving, but frankly we might be better served without them.
Almost no users want to be digital hermits. This protest approach has nobody following you up that mountain to the hermitage.
Put another way, my site is unappealing to bots, and frankly I don't care about bot traffic, because I don't have ads. So I don't feel the need to support this server-side.
Equally Amazon makes money selling goods, not ads. They don't need to know if its human or bot, they just need a credit card. [1] Netflix is subscription based, again doesn't care if its a "trusted device" or not. They want you make sure their content is available not blocked because my TV is "untrusted".
Sure, you'll end up using Chrome to use Google properties. But I don't really see the incentive for the non-ad-based Web to bother implementing this.
[1] it won't move the needle for fraud, fraud is easily done via trusted devices.
Amazon is one of the biggest ad networks on earth. They made $40bn from advertising last year using all the personal data they get from their paying customers.
>Netflix is subscription based, again doesn't care if its a "trusted device" or not.
Oh but they do care very much. Netflix requires DRM in desktop browsers and its own app on mobile platforms. And they launched and ad based plan recently.
It's a mistake to believe that advertising is the main problem and direct payments are the solution. Making a payment takes away more privacy than advertising alone ever could and hands personal data to payment schemes and banks on top of everything.
And then there's stuff like banks, government services, school services. You might not even be able to escape those ones.
we as tech early adopters and "leaders" in this space, we need to be telling family and friends to complain to those sites about such required support. If enough people complain to amazon that they don't want to use this google branded browser, i think there will be some pushback and the companies would be hesitant to drop support for firefox.
Works for me. I don't need those sites/services. If they want to be actively hostile to me, I can vote with my feet/wallet.
I can't (nor do I wish to) control what other people do. Just what I do.
As it stands now, I block the bulk of scripts/ads/trackers/other spyware on my devices, and those who don't like that are free to block me from accessing their sites.
Maybe I'm missing something important here, but I don't need anything from Alphabet, Netflix, Meta or any other rapacious corporation. They can do what they like, and I will do the same.
>Have fun using Firefox if half of the web locks you out or treats you like a second class citizen.
If the above folks are who you consider "half the web" then, at least for me, nothing of value would be lost, as I don't use that garbage anyway.
OAuth sites will let you change your OAuth provider or even better switch to a local account on their site and use a password manager so you don't tie everything to an OAuth provider unless the site will accept a self hosted one.
That includes password databases.
It's the old twin airplane principal from the hacker's dictionary: the virtue of putting all your eggs in one basket if the basket is built very well.
As the other commenter said, there's zero risk giving a dodgy site a randomly generated password used only for that site, the randomly generated password gives them no information or pathway to any other web site.
There's a degree of saying no and opting out and controlling your own shit that you can do.
Some, like owning a phone and getting tracked to many degrees is inevitable but others, like software on a computer, is quite easy to think about.
You don't need to be a majority to go a different path. Linux users everywhere know this. We never needed the "year of the Linux desktop".
There's usually ways around the designated box. Obviously, get ready to be called names for not bowing down to authority... But you can ignore them and move on.
There's no reason why the same can't happen here. The defeatism attitude helps with nothing and is part of the reason why this happens in the first place.
They considered it enough that Apple had a monopoly on distribution for apps for a device with ~50% marketshare in the US, and even less in Europe.
Imagine what they would do for something that has ~97%
We’re literally in the thread where we’re talking about the anti-consumer moves that are resulting from that consolidation. This is what it looks like when Google flexes that monopoly control and tells you how it’s going to be. EU doesn’t seem to care.
It took roughly 15 years for the EU to react to Apple's practices, and they have been anticompetitive from day one.
Chrome has caused no competitive damage to consumers or competitors (yet), give it time.
https://www.macrumors.com/how-to/how-to-bypass-website-captc...
If you do eventually run into a poorly crafted webpage that doesn't work on Firefox you have the wherewithal to decide if you are simply not going to use that site or hop over to chrome just this once.
But the important thing is checking in automatically as a Firefox user in the logs of every other site online. Push Firefox marketshare up and at least some places will be hesitant to write off Firefox as irrelevant.
Sadly, Chrome is substantially more secure than Firefox.
The only way in which Chrome is more secure at anything appears to be securely forcing you to view ads via this API. And a shocking amount of malware fails to work when you use a running environment that 95% of society are not using.
You are far safer on Firefox than Chrome.
Where I work, we treat Chrome as the malware it is: It's banned both by technical measures and security policy. We deploy Firefox, and begrudgingly deal with Edge when people insist on a Chromium-based browser. (At least Microsoft added some modicum of privacy settings here.)
Here's what I've learned over the past several years: Web developers are lazy. We're commonly told such and such app or service "only works on Chrome" or they'll "only support on Chrome". When we call for support, half the time we'll get told it's because we're not on Chrome, and I have to actually prove to them on an isolated machine that the issue occurs on Chrome so they'll shut the heck up and do their job. "Oh, I found an issue on our server" after I spent two hours trying to convince them their app works fine on Firefox.
In most cases, things "not working on Firefox" entails exempting a site from the popup blocker. In 2023, troubleshooting alternative browsers is usually... roughly that easy. But blaming your web browser is easy and lets them shift blame, so that's what they do.
But enterprise software companies have completely turned Chrome into the modern Internet Explorer: The only browser they'll even deal with. And since a lot of people buy Google's marketing that they know security and aren't completely clueless how security works (they are), people have by and large given in and installed Chrome.
That would accomplish nothing.
> But the important thing is checking in automatically as a Firefox user in the logs of every other site online.
No, that's not important. HN users are a tiny minority compared to the billions of people that use the web daily.
I'm sorry, there's no easy way to say this: Firefox is never coming back. The web of old is never coming back. It's over. Even if this particular proposal gets defeated somehow, a future similar proposal will make it through. There is nothing you or I can do about it. Google is more powerful than most governments, and they are vastly more powerful than any random group of like-minded people who get together on the Internet in the belief that they can accomplish something.
(1) Understands what this is about
(2) cares about its citizens' freedom
(3) has enough coherence to actually do something about it
It's not obvious to me that any of these apply. The EU is pushing -- in fits and starts -- towards self-reliance in its computing infrastructure, but at a slow pace.
For number 2, the EU's new regulations above more easily replacable batteries, mandatory USB-C ports and such, in my eyes prove -- though not doubtlessly -- that they do care about walled gardens in tech.
Number 3 though, again, as I've alluded to before, doubtful. But possible in my eyes. Urgency is another thing you've mentioned, and -- let's say it again -- bureaucrats are not particularly known for solving a problem in the right time.
NB: don't misenterpret my use of 'bureaucrat[ic]' as a negative comment, it is just a fact, however boring.
See that's where I disagree. Rich governments like the EU or the US can and do have power to push regulations if they wanted to. Pretending we the people (in a broad sense), i.e. the state, have no power whatsoever to control the terms under which these companies operate within the state, is defeatist.
Firefox came into the mainstream because of power-user recommendations and the browser ballots.
It should be illegal for a significan platform (say 10mln users) to make its own browser, or any really, the unquestioned default. Users should be prompted on first use, giving a randomly ordered selection of any capable browser. If users can just click through it the choice should be random.
This is the only way to maintain healthy competition and ensure independent yet functional standards. Otherwise incentives will continue to centralize power.
But it was a completely different situation.
- There was a huge influx of new internet users who were all asking their techy friends which browser to use. This is not the case now. People mostly stick with what they know.
- FF was the better product for pretty much all use cases. If this proposal does go through, this will not be the case. It's nice that FF can block ads, but it's ultimately useless if the average user won't be able to access Netflix/Youtube/Facebook/their bank account. It will be an objectively worse browser.
And as I said, the sustainable solution is browser ballots back by the force of law. It's worked where it's been tried.
Anti-trust based solely on narrow definitions of consumer harm on the other hand, serve only the capital owners. And they'll leverage and co-opt any and every popular and useful innovation: open source, community contributions, open standards, patterns light or dark, etc.
Otherwise Palemoon is as doomed to obscurity as Firefox, if not moreso.
Essentially this doesn’t work because every email client I tried can’t handle the specific way my work email account does authorization and the login always fails. They also blocked POP/IMAP so that’s not an option either. No one else in a team of software engineers figured out a better way to access email so for now this is the best option
And lot of people here squeal like stuck pigs if you suggest anything other than the Chrome monopoly. HM is a constant barrage of demanding that legislators force the Chrome monopoly to be extended to iOS devices!
I'm aware Apple implemented similar tech a while ago, but I have infinitely less confidence that Google would use it responsibly.
The proposal for Chrome, you don't, because there's no stopping it. See DRM, Secure Boot, all the rest of the shitshow pursuing "trusted environment". It'll never happen, but CEOs won't accept reality.
You can, however, embrace the rest: eg. keep serving your own content on http (along with https), gopher for retro compatibility, and because they are less prone to break.
Keep using your current device for browsing, and whatever refuses to serve you either leave it for good or keep a spare chromebook for all the "services" you can't avoid to use, like banking.
I don't have a better route. It's a bit like streaming: if I want resolution above 480p, I use a Chromecast with Android TV.
Measured Boot is essential for any attestation based scheme.
I am one who specifically does not want a resolution above 480p. Unfortunately, some TV services had decided to remove that feature and now it wastes disk space due to the higher resolution. I also want to be able to use an external caption decoder and recorder (in my case, the same device does both), so will use the composite video and not HDMI (which doesn't have captions).
Steven J. Searle wrote: "The sad fact of the matter is that people play politics with standards to gain commercial advantage, and the result is that end users suffer the consequences. This is the case with character encoding for computer systems, and it is even more the case with HDTV."
> keep serving your own content on http (along with https), gopher for retro compatibility, and because they are less prone to break.
Yes, it is reasonable. I think that "HTTPS only" is (mostly) no good, but having both is good. HSTS is no good.
That said, I haven't had the desire to watch TV for a long time.
https://news.ycombinator.com/item?id=32282305
As others have said, FF doesn't have a lot of leverage left to influence those type of decisions, but Safari might. Not sure what their position is on this proposal.
The one pager has a section on stakeholder feedback [0], but doesn't name them for some reason.
[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...
They should hunker down and make the best browser they can, implementing their best web. It worked 20 years ago, and in many ways the circumstances are the same. We have tech monopolies proposing ludicrous "content security" mechanisms. Where would Mozilla have been if they tried making some sort of half baked "less evil" form of Microsoft Janus DRM[1]?
People are going to get sick of how intrusive DRM is becoming, and there should be an alternative waiting for them.
Every person who has content they thought they purchased "expire" and be erased from their device, or who can no longer use their expensive projector after the latest mandatory update.
I evangelized heavily for Firefox in the 1.x days. People were sick of IE6, and were glad to have Firefox. I worked at a computer store and probably converted 100+ people.
[1]: https://en.wikipedia.org/wiki/Janus_(DRM)
Mozilla's revenue is proportional to usage so they need enough users to cover their development costs.
Wikimedia is honestly the only organization with the right ideology, the right business model, and enough money to do something like this sustainably.
Your username is the same as the initialism used internally to refer to the Wikimedia Foundation.. The WikiMediaFoundation: WMF
Full disclosure: I was employed as a software release engineer at the Wikimedia Foundation from 2015 through 2022.
FF didn't have leverage in 2005 but we're still somehow living in a post-IE world. Leverage and market share aren't a concern, community support is all that's needed. The issue is that Mozilla Corp have been rapidly burning community bridges at pace of late, topped off by the fact that 2005 Mozilla wasn't dependent on Microsoft for their income.
Death by a thousand cuts can also happen in the other direction. Even if we do not have a single decisive way to oppose this disastrous proposal, we can fight it in as many ways and on as many avenues as possible. Spreading the word about it widely is an important first step, so that those best placed to oppose it know that they should act.
https://awesomekling.github.io/Ladybird-a-new-cross-platform...
Perhaps, make a web page with something like:
Probably the privacy angle is best. Given that this uses an "attester’s public key", this enables to uniquely identify a given device repeatedly over time with no margin for error. It's essentially "perfect fingerprinting".
There's also the option that devices don't use a per-device key. If all the devices from a vendor use the same keypair, then this would be broken by just extracting the key from a single device (AFAIK, in the US this would likely not be legal to use).
1) You cannot all of a sudden provision content differently to a user who has an unapproved device with their preferred accessibility stack and/or hardware.
2) Even if attestation does not involve tracking, effectively forcing children into an ecosystem that tracks them can be deemed unlawful by the FTC. Providers cannot foreclose all means of access to content that are not in a tracking ecosystem, because it violates the rights of children.
The proposal is probably legally negligent because it does not exercise the ordinary standard of care expected of senior technologists. Providing a tool that affects hundreds of million of children and people with disabilities is not a joke.
It astounds me that people would actually associate their real identities with stuff like this publicly.
how do we protest this?
The same way we protest politicians doing things against our desires? We know exactly who the perpetrators are, so perhaps we should all give them a piece of our mind. I absolutely don't condone violence, but exercising our right to free speech is always a good idea.
Not technology related exactly, but until recent events I thought Reddit would survive and be untouchable. Now I'm wondering why I didn't join the fediverse sooner. There are rough spots but it will surpass centralized solutions.
We are at a turning point and should say no to all garbage. They need us more than we need them.
Probably the only solution is to bring harsh legislation against the very existence of online advertising. I don't know what that legislation would actually look like and how it can be done ethically.. but the alternative is probably worse.
Interesting that fixing "how to center a div" is considered harmful, but WebSerialPort is actually very good?
> The result: there is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself
I don't think this this reality. Google proposes a bunch of APIs that goes nowhere because the other browser vendors consider them harmful. Google's previous attempts at trying to drive more adtech into the browser have failed due to a lack of support from other browser vendors.
I think "who drives the web specs" is probably in the best situation possible. It's largely Google, Mozilla, and Apple who all have slightly different interests in what makes a good web platform, and the web ends up better for it.
It is certainly "interesting", but "true" nonetheless: one determined person--think Fabrice Ballard if you want an example--is in a great position to throw together a web browser and even implement ALL of the crazy API wrapper specs, but when if they aren't you simply don't need most of them to browse any given website.
But, as it stands, my only a-few-year-old copy of Safari can barely even browse the web anymore as it is missing some new corner case of CSS or web components or whatever and I just get blank screens a lot; the result: people have burned years of large teams into trying to maintain implementations of HTML/CSS and have given up.
The web should really just be a handful of really core specs for getting platform access--which of course have innovated over the years so you'd have all of canvas, WebGL 1/2, and WebGPU, which would take SOME effort but isn't like, INSANE--and then all of the layout should be done end-to-end in libraries.
The world NEEDED to be like this to prevent us from ending up with only a handful of web browsers that can only be maintained by giant companies: it needs to be sufficiently easy to build a web browser that we would end up with a ton of small implementations that would be difficult to move as a unit, forcing progressive enhancement as a permanent norm.
Here's an exercise: try to draw a diagram of all parties required to display a video ad on your page. I suggest starting with the OpenRTB and VAST specs. It's creepy.
The biggest shame here is that most people are convinced that we need advertising because otherwise people would not pay for content.
"powerful-but-easy-to-code APIs for OS-level access" are actual hard-to-implement-right functionality that is often pushed to browsers with very little discussion or considerations.
It was critical for the web to be easy to implement the core of for a small team or even a single concerted god-tier developer--imagine Fabrice Ballard--and the current spec has failed so hard at this that even tech megacorps have thrown in the towel. People get upset about WebUSB... but that's not the API surface that is causing us issues. If I had to single-handedly implement all of canvas/WebGL/WebGPU and JavaScript/WebAssembly I could pull it off (noting I used to be a video game engine developer).
The chance of a page using something has no bearing on how dificault something is to implement.
> People get upset about WebUSB... but that's not the API surface that is causing us issues.
It's one of the hundreds of APIs, and yes, it causes issues, too. Because it also needs to be implemented, and it also adds to the complexity of the web browser.
Tell it to angry devs even here who lambast Safari and Firefox for not implementing Chrome's hardware APIs
Yeah: it isn't shocking and can be quickly found using Google (as I just did now). (I have provided some extra links but am only quoting Brendan Eich as you seemed particularly interested in him saying the words himself rather than his team.)
https://www.reddit.com/r/BATProject/comments/bw6sek/
https://www.reddit.com/r/BATProject/comments/b7rwbx/
> 1/ native C++/Rust code, no JS tags on page that have zero integrity. That means ability to use SGX/TrustZone to check integrity and develop private user score from all sensor inputs in the enclave; ...
> We already have to deal w/ fraud. That is inherent in any system with users and revenue shares or grants. We do it better via C++ and (under way) SGX or TrustZone integrity checking + OS sensor APIs, vs today’s antifraud scripts that are routinely fooled.
> What Brave offers that's far better than today's joke of an antifraud system for ads is as follows: 1/ integrity-checked open source native code, which cannot be fooled by other JS on page; ... (1) requires SGX or ARM equivalent, widespread on mobile.
They are also building an SDK and talk about using this tech to ensure the ads presented by their SDK in someone else's app are legitimate.
https://www.reddit.com/r/BATProject/comments/9yys6b/
https://www.reddit.com/r/BATProject/comments/97trex/comment/...
> Part of the roadmap (details in update) is a BAT SDK. Obviously it would be open source, but more: we would require Secure Remote Attestation (Intel SGX broken but ARM TrustZone as used by Trustonic may be ok) to prove integrity of the SDK code in app.
Again: the very tech they are excited about to make their ad-based business model work against people cheating and blocking their ads is the same tech that Google is going to use to make their ad-based business model work against Brave cheating and blocking their ads ;P.
4 to 5 years isn't even that long for these kind of plans, but at the very least offer a good faith counter argument and state your case instead of vaguely begging the question and doing some hand waving about the age of the statements.
We are an open-source browser developer and these concerns deeply resonate with us. We understand the paradox Alphabet faces, yet we firmly believe the solution isn't about exerting "DRM" level control over a ubiquitous means of access.
We're committed to standing up for the future of the web. We don't just see ourselves as a browser company but as advocates for an open, fair, and free web. We invite you to join us in this endeavor. Visit https://github.com/dosyago/BrowserBoxPro today. Stand with us for an open, free, and fair web.
Hopefully this will not be implemented, but still it's a good wake up call for those who still think that Chrome is more than an ads-delivery app with some browser functionality.
The entire premise of 'people want expensive to make websites, but don't want to pay for them' is already a bit flawed. I do pay for youtube to not see ads, I wish I could pay Google (and Meta) to not serve me ads on any site including Google search, they have ads on. That would make life a lot nicer. And I personally know no-one who would not sign up for that. But that doesn't happen, I guess because ads make more (not from me, but he)?
https://news.ycombinator.com/item?id=36823871
Got flagged and killed. :)
Brave is an advertising company, but we’re quite different from Google and others in this space. Brave's ad notifications are opt-in and engineered in such a way to protect and preserve user privacy. I'm not sure where you saw Brave engineers talking about ways to prevent users from blocking our ads—we don’t try to prevent users from blocking Brave Ads.
If you wish not to see Brave’s ad notifications, you can easily avoid them (by not opting-in in the first place, or by throttling/disabling-entirely). There are no special hoops to hop through, or technical incantations to utter. We believe digital advertising is better when it is built on user-first principles and consent.
If a user opts-in to Brave’s ad notifications, their device proceeds to routinely download-and-maintain a regional catalog of available inventory. The user's device then evaluates the catalog entries for relevance. User data is NOT sent off-device in Brave’s model. If a relevant ad entry is found, it is then displayed to the user in such a time and manner for minimal distraction. When an ad notification is shown, the user receives 70% of the associated ad revenue for their attention (no clicks required).
Again, if the user wishes to not see ad notifications, they can simply choose not to opt-in to viewing them. If the user wishes to not see the occasional sponsored image on the New Tab Page, they can turn those off from the New Tab Page itself with 2 clicks ( Customize › Show Sponsored Images). Importantly, the user is always in control. They decide whether ads will be displayed, and to what degree (e.g., the user can set a limit on ad notifications per hour).
Brave isn't interested in coercing users to view advertisements.
kinda abusing if you ask me
To begin with, pretty much every government employee in the world has some proprietary software developed within the country for security reasons. Old, even obsolete machines. Out of date software, unlicensed/unregistered software, etc, etc. Much of this is also true of banks.
This means if this is put in place as in the spec, it will affect banks and governments negatively. And as powerful as Google is, I don't think it will win over governments + banks.
But again, all the above could be nonsense, and Google will gatekeep the web. It found itself as the loser in the AI race, and it knows pursuing AI during the ongoing arguments on privacy and who owns the data AI is being trained on - the next best thing is to own the playground where the AI trains. That may not be an entirely bad thing either; sad, perhaps, but as this goes on, and browsing becomes a pain, maybe this will result in people just spending less time online? That's a good outcome in my books.
"Sorry, you can only access this website using this specific device with a browser compiled by Big Tech, it's for your own good."
Not surprising that this is all coming from Google, the world's biggest adtech company.
If you call their support line to say something isn't working, they'll ask if you're using Chrome or Edge. If you aren't, they'll tell you to just use Chrome or Edge.
They don't even try to masquerade it.
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
I find it quite cute that they start with "users" as if it's a user demand but in the next sentence switch to "advertisers" --- the real target population.
Some examples of scenarios where users depend on client trust include:
1. Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
2. Users want to know they are interacting with real people on social websites but bad actors often want to promote posts with fake engagement (for example, to promote products, or make a news story seem more important). Websites can only show users what content is popular with real people if websites are able to know the difference between a trusted and untrusted environment.
Not written in item two: And the people paying to promote the posts funding these sites want to know the promotions are landing on real consumers' screens.
Is... is the Verification Can actually going to happen? https://i.kym-cdn.com/photos/images/original/000/983/286/ea5...
As someone who lived in a city fully controlled by organized crime, I can tell you that eventually some people become fanboys of gang-law and start to unironically teach everyone how it’s better and more moral than actual law.
You don't berate a kitchen for serving food, why would you look at any Google contraption from HTTP/3 to Chrome as anything but a vehicle for selling ads and/or mining data?
<https://news.ycombinator.com/item?id=31835121>
<https://news.ycombinator.com/item?id=33210846>
It's completely and utterly irrelevant that Chromium is open source, because the web is a protocol, and having the source for an implementation of the protocol doesn't matter in the least when you don't control the protocol. You can't just fork Chromium and remove a feature, because websites expect the feature, and your browser won't work on them. You can't just fork Chromium and add a feature, because websites don't care about your tiny fork and won't use your feature. You can't fork Chromium, you have to fork the entire web.
In some cases you can (although it may be difficult, because the code might be difficult too and maintaining with merging changes can make it difficult too).
You can remove features you don't want, possibly adding fake features in its place or those that access other features, e.g. the microphone access to instead access a file, etc.
You can add features that most people don't use even if you do use them. It can also be implemented in ways that are backward-compatible. Also, some features that are added are not features that the web pages will need to know anything about, because they are user features instead.
Nevertheless, some things cannot easily be forked in this way. For example, adding a "Interpreter" header to add support for additional file formats and make it compatible even with browsers that do not support it, cannot be made compatible unless you add a request header to specify its availability too I suppose, and then just complicates it.
Of course you can. Microsoft's Edge and Brave already add proprietary features like AI and reader mode, tab groups, video calling, crypto wallet etc.
Brave could add a custom CSS or HTML feature. Hell that was the status quo we came from ten years ago when each vendor had their own feature flags and implementation for WebRTC and proprietary video codecs, etc.
Brave already explicitly removes ads and blocks all kinds of things websites expect to work on Chrome.
Nowadays Edge has some superfluous features that differentiate it from Chrome, but they are still superfluous. Underneath it's still Chrome, because the internet demands Chrome.
That's exactly what we need to do. More specifically, we need to decouple the app web from the document web. Most of the value of the web to society lies in text, images, and video, in that order. We need a version of the web refocused around basic content with a spec simple enough for a small team to implement a browser for. A subset of HTML/CSS is probably the only way to succeed, since sites would need to work with current browsers. I think a few HTML tags + flexbox + fonts + colors would get you pretty far.
But capitalism does what it does best, and will happily take advantage of (and try to prolong) a natural monopoly situation even if the origins were genuine.
In fact this is why there are regulations around "utilities". They are also an area where a natural monopoly is the optimal, so they shouldn't be treated as a free market.
(Food for thought: Perhaps the Internet infrastructure should be a utility too? Browser makers could be forced to be non-profit, which would mean companies need to divest themselves of the "Internet business" if they want to do "business _over_ the Internet")
I would say that the actual goal early Chrome was really trying to solve, was to prevent the browser monopoly of the day from being used against Google. It's similar to how Valve invested on Steam OS, as insurance in case Microsoft used its operating system monopoly to degrade the Steam experience relative to Microsoft's application store.
I'd guess not an insignificant amount.
We could be here saying "Google was genius releasing Google Plus - that stopped Facebook etc. in their tracks and now they own social media"
But there's basically no real actual meat to this specification. It's abstract: it doesn't really say what Web Environment Integrity is, it's up to the browser to determine, and the rules could keep getting more and more and more specific at the browsers leisure.
> An owner of this repository has limited the ability to comment to users that have contributed to this repository in the past.
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
Surely Google as an org, if they're behind this, or at least a standards bodies own org namespace should both own this project, and also decision making around discourse, with any individual employees being free to leave the project un-answered outside of working hours?
This isn't some open source passion project someone's doing in their off time...
I never thought I'd see a CoC being used as ammo against this, but it's excellent.
Sure you can fake the results of an attestation in your fork, but your fork would be using your own key to sign the response, a key that the site can reject.
Also I wonder if in the future this would require attestation of the entire chain: secure UEFI validated by key burned in CPU, validates secure boot os that prevents "hacking tools", which validates secure Chrome, which attests secure websites...
Truly royally screwed at that point...
the TPM does the attestation of the entire running environment, starting with firmware, through the OS, through the browser all the way down to the website
Step 2: "Secure" browsers change the behavior of their implementation of the Content Blocker API so an industry-accepted "secure" site lile Google Ads can opt-out of being blocked ("You wouldn't want a misconfigured content blocker to accidentally break a verified secure site right?")
Step 3: ??? (Force the users into a take it or leave it choice for whether they want to be part of the internet or not)
Step 4: Profit
As for revenue from Apple users, they already want to have control over that and would be more than happy if Google and co voluntarily stopped serving their users so they can make ad money off of them on their own terms.
Apple is just fine with collecting user data on platforms so long as they're the only ones doing it. Apple even runs its own ad network over its own app store.
https://news.ycombinator.com/item?id=36785516
In a field facing increasingly harder ethical questions every day, it’s important to start empowering our engineers to say “no” to ethically bankrupt things like this.
Strong cultural norms (e.g. hacker culture) might help for a while. But incentive structures eternally erode opposition.
It could make it easier for developers to band together and try to collectively veto things like this. But corporations with money can always buy the expertise of people, have them undermine the community, create their own parallel communities and influence public opinion and legislators.
FAANG salaries supercharge people's cognitive dissonance. They will find ways to excuse, minimize and ignore their contribution to the current situation.
Even HackerNews developed a sub-subculture of people that were constantly going on threads and calling remote attestation worries as "FUD".
It's unclear how to preserve cultural norms that stand in the way of market dominance. The only thing I can think of is having competing interests in the market. But whenever these align -- hell breaks loose.
In fact, their first example (!) outlines how this would be appealing to advertisers because they can attest a real human is viewing the content.
Giving more control to corporations and less control to individuals.
Google is heading in that direction and their velocity is accelerating.
I’d have a field day grilling the CEOs of Big Tech companies over stuff like this that only serves to kneecap their current and future competitors.
It's not a "threat to" the industry... It literally _comes from_ the industry... Unless the tech industry is willing to lose one of its biggest sources of revenue, this is exactly what the industry wants...
There are lots of other smaller players in the tech industry who are against monopoly-building hostilities like this.
How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?
He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."
It's honestly comical and a little sad.
[1]: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-o...
It can be reconciled with love for money and total lack of moral fiber.
Aka « I don’t give a shit about my actions destroying every one, as long as I go get paid »
What this guy's doing is shameful, but I've seen dozens of otherwise lovely people, working for charities, spending much more time on socially-important and useful work than 90% of the crowd here... and the same people would push barely legal (if not illegal) targeting on masses of people, arguing to push cigarette ads in markets that still allow it. Advertising is cancer and the current model is not sustainable.
What I'm (poorly) trying to say is: be angry, let everyone know that you're angry, make more people angry, but remember that focusing on this guy is a distraction from a bigger systemic issue and it actually helps organisations like Alphabet.
It’s not generally easy, but I think I’m in the position to say that.
The guy has the choice of company to work with and has the choice in the company and what department to work in.
As if you personally know 90% of the people here? And how many of those 10% would never ever push advertising on anyone, would you guess?
It's moot anyway, you cannot compensate for a lie by giving someone a lot of cake, even all the cake in the world. It's apples and oranges.
> Advertising is cancer and the current model is not sustainable.
"Advertising" is just a shorthand for the concrete actions concrete individuals engage in. There is no "model" outside of hundreds of decisions people make every day. It's like blaming "capitalism" and pretending people just play the "game" as if that existed outside of those actions. For any person you could name, I can find you someone in the same situation who refused to do the evil thing.
as long as they get their $1280 bonus they don't care
even if they're destroying their future employment prospects
I can tell you that the machine is so big and the responsibilities diluted to such extent that no one really feels like they're making a morally dubious decision, it just sort of happens on its own, magically.
It's easy: he works for Google. Every single public-ish web developer and/or devrel from Google will spend inordinate amounts of time lambasting Apple, writing eaassays on how Apple cripples the web etc.
While Google has broken the web so badly that Apple would need several decades to come anywhere close.
Note: the moment they leave Google, they may slightly change their tune and criticise Google a bit. For an example, see Alex Russel of web components when he went to work at Microsoft after spending a decade making sure that web browsers are turly unimplementable: https://infrequently.org/2021/07/hobsons-browser/
― Upton Sinclair
> Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop.
Ben, you've thought about the impact your proposal would have on Linux laptop users, right? Surely you sometimes use your laptop for banking, right?
Disclosure: I work at Google but not on this.
It's just an open question, and as such, it does seem it's an afterthought, when it should be front and center if anyone care for an open web.
"This internal contradiction is further demonstrated by the fact that the proposed solution to prevent misuse by websites - holdbacks - is to simply sabotage the functionality of the system itself, by making attestation probabilistic. This is not a workable solution to the problem: if the holdback rate of requests is low enough, the denial of service to legitimate users will simply be a cost of business that websites will accept; if instead it is high enough, websites will not use this system as it does not provide meaningful enough information, even for analytics purposes, due to the high uncertainty. There is no goldilocks zone where this system is useful but not open to abuse by implementer websites. You're either implementing a feature that can - and most likely will - be used by websites to exclude unattested clients, or you're implementing a useless feature."
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements.
What prevents this set of baseline requirements from being e.g. “the device is backed by a TPM from these four vendors”?
> Although a holdback would prevent the attestation signal from being used for per-request enforcement decisions, there remains immense value for measurement in aggregate populations. However, a holdback also has significant drawbacks.
“So, like, here’s a vague idea on how we might prevent this. However this idea has significant problems.” Not a very convincing argument?
> If the community thinks it's important for the attestation to include the platform identity of the application
“If we assume that we can’t actually solve this…”
Basically there’s not much in the way of answers there. Generally when you put out proposals with a history of significant pushback I’d expect the likely feedback to be addressed in more depth than this.
(I guess since we’re doing disclaimers I also work at Google but not on this.)
Even the ad example is about not charging advertisers for bot views, which is a huge problem right now.
The problem is that a tool can often be used for evil as easily as for good, and the more the standard was used to block ad blockers over simply filtering out User Agent spoofing bots, the more this tool ends up evil.
And even if the limited scope in the proposal was the true intent, there's nothing preventing scope creep.
Though reading over it all, I do think the assumption of motivations in most of the comments here are misaligned. This does seem to be primarily focused on the issue of growth in bot activity and making it harder on bots to act as if human to servers.
Still, the spirit of who controls the client is very much at stake, and the comments here are ostensibly right that this is a measure that should not happen.
(And frankly, given the bubbling attitudes about enshittification coupled with the coming lowered barrier of entry for competition against software firms and content production, I think this is very much the kind of thing that may backfire horribly if forced though.)
Now, I'm not opposed to having a locked down device when performing actions like using a bank app.
However, Google is abusing this, because they force their adware and spyware into that device, so I can't have a secure, locked down Android device without that.
But bank apps won't implement it because the market share isn't large enough. This is a great showcase of the issues with the new proposal as well.
[1] https://grapheneos.org/articles/attestation-compatibility-gu...
"Google to explore alternatives to robots.txt".
[1] https://blog.google/technology/ai/ai-web-publisher-controls-...
[2] https://news.ycombinator.com/item?id=36641607
i agree they should be broken up, but it might be the wrong time for it.
throw ads at them?
but I'm afraid the Chinese already know how to make them
(And saying that actually "it would probably not escalate that far in a real war because... It just won't! " might be a common argument these days amongst war mongering lunatics to make war with China or Russia sound less batshit insane, but it's not an actual argument. It's just run of the mill "this time it's different!" cope that has been said before every blood bath. )
It seems more likely to be fought in Taiwan conventionally then on either country’s turf.
Google Cloud becomes a VC driven organization that slowly eats margin dirt against it's competitors until insolvency. There was no way for it to recover enough resources from the mothership before being split out.
Search trundles along ok, assuming it took search ads and a ton of core infra with it, but it never makes enough money to ship a decent product extension. It hopefully removes some products it can no longer afford margin on, which have long produced distorted results (albeit with good intention). It suffers slow brain drain, and users end up using multiple search engines for every search again because no one has good search quality. The monopoly breaks, but so does this part of the internet, bolstering apps and information sites ecosystems positions. Wikipedia is the only real winner we want in this space.
Display Ads goes like it just discovered faster than light travel, no longer held down by the ol ball and chain that is the entire rest of the company. They go much darker as they no longer have tons of goodwill organizing from the rest of the company, and increasingly join the bad actors. In 20 years they eventually join lexis level evil in terms of multi-directional user sharing.
YouTube heads off into the stratosphere along with Display Ads. They try to maintain a better public face, but having to spin up their own ad market solutions drops ad quality even further, margins suffer, but their position remains ossified and they slowly recover. They start to get a bit more agile, no longer disrupted every other year by some mandate from the mothership, they're better able to keep up with new markets and more rapidly crush new competition.
Workspace decays very slowly. All the AI stuff halts and gets ripped out as there's no one there to work on it. The drive product has to scramble to figure out how to rebuild without all the internal commodity infrastructure support. GMail gets unstable for a while due to the weight of the infrastructures sitting on many fewer shoulders. Global instability results of the rapid de-distribution of the system as the production infrastructure was sliced apart in a rush to meet forced division. The economy takes a big dive as a result, as half the world loses email access regularly, bills don't get paid, etc.
Photos spins out into its own thing, and dies rapidly, as selling the odd photo frame here and there just can't meet margin.
Chrome tries to get funding from Microsoft, eventually it gets purchased wholesale, but the core team gets ripped up and largely discarded. Who knows how the OSS products fare, it depends on the executives in Microsoft who win this purchase. Eventually the main product gets shuttered, with Edge being the only replacement.
The telco products all shutter immediately, with no recourse. Same with R&D.
AI tries to split out into it's own thing, but fails to find a business and suffers constant reputation problems. After 10y of trying it eventually shuts, the acquiring company however immediately spins up multiple successful products and makes a big dent in the now well established market.
Android spins out into its own organization. The first decade the heat of internal politics in new found vacuums crushes them, eventually they find footing and head back to their open core roots, get scrappy and do some new things. Along the way their size fluctuates as the market forks and fractures as it does, but Android manages to hold its position as the western center of its universe.
Chromecast, ChromeOS, Nest all suffer badly having no core ecosystem to ship anymore. They attempt to buddy up with Android which pushes them around trying to androidify everything, but resulting in poor UX and/or poor margins across the board. Eventually the all but ChromeOS shutter, and ChromeOS business also closes, but leaves behind an OSS gift that a core group of passionate individuals try to limp forward as best they can with the new Microsoft Edge overlords.
Users find their data...
In this world, Amazon et al get the same treatment. As for "vultures make off like bandits", welcome to market-based economics, these companies can compete if they don't want to die, and if they can't compete, then let them die.
Add some internet chaos to go along with all the climate, finance and real-world chaos we’ve got going on in our lives already. Who knows what kinds of interesting and innovative ideas and technologies would bloom in this environment!
Now you have me excited for this possibility. Doubly so if people stock up on ingredients for high explosives first. Take what you can while the taking is good: no room for repo men. Year 0 now.
> feels like the 90s again
I can't wait.
> amazon, apple, microsoft, and cloudflare are the biggest winners in the fallout
Sadly, that's true. Google's remains can only be cannibalized by companies that are already Google-sized.
* The US would never kill its golden calf except as a last resort.
* The US standard for antitrust is consumer harm. Google implementing a thing that other companies have been asking for, any company can join and send their own attestation signals, and then those other companies in unrelated markets use the thing to maybe not support unapproved stacks which could reasonably include Android/Chrome won't fall on Google.