But a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
When it comes to a game of chicken it's better to not just seem like you won't move, but to throw out the wheel entirely.
Of course it's dubious if it applies here, especially because the playing field doesn't feel quite equal, but I think the most effective thing we can do is simply refuse to use websites that require a custom built user agent to access.
Heck maybe we've already mostly lost the battle to keep the internet usable with curl, let's at least try to keep some of the other options open.
The Web will cease to be an open system, and will become a glorified fax machine and cable TV network. Those few who care will turn to more esoteric, incomplete, user-unfriendly but open systems. Eventually one of those systems will gain popularity with nerds, academics, and weirdos. They'll fill it with information and media they compile and create in their spare time, and it will interoperate in useful ways that for-profit corporate networks can't. Over time it will gain popularity and "normal" people will start using it too. Money will start to pour in, the network will fill up with garbage, and then corporations will come in and take it over and lock it down.
Except in the age of hyperinformation, you will see such fringe systems pump and dump on the time frame of a few months, not decades like it used to. You would pray that it would not happen and the thing that you are using right now will not gain that kind of attention.
Just talking about subcultures/communities that I've been a part of. Several of them only have a minimal presence on the public web, having moved to a network of private sites. A couple of them have assembled what amounts to a "shadow internet" that uses the internet for an encrypted communications channel but provides its own mailservers, IM servers etc. that don't interact with the internet proper.
And, locally, there have been two ISPs set up (one by me and my friends) that aren't meant for public use, but to supply service to smaller groups. The one I set up was to supply internet service to a remote neighborhood that isn't likely to get reasonable commercial internet in the near or medium future.
Those two ISPs supply internet access, but they also operate an intranet that is mostly decoupled from the public internet.
All baby steps, and nobody is 100% "off the grid", so to speak, but it's a trend that started long ago and seems to be gaining a bit of momentum.
My prediction is that the web will ultimately be just for commercial use (it's already 90% there), and there will be a whole bunch of tiny networks -- that may or may not portal to the internet -- that will fill the needs that the internet is increasingly unable to fill.
ISPs will not be letting that traffic through. So no little romantic underground. No cycle; the internet is happening just once, and we're in it. The assumption that everything is necessarily part of a little epicycle of history somehow mashes together Whig history and and an inert nihilism. Don't worry, nothing matters?
We're not in a movie. When they close the open internet, there will be no reason for them to open it back up. Everybody's Playstation will still work. Facebook will still work. Twitter will still work, but it will be all blue checks.
In the future they may not even sell general purpose computers to the public that can access the internet. The network will kick them off as unsigned machines. Maybe they won't let anything on the internet that is capable of running illegal or unlicensed encryption.
The open systems will have to be physical places where we go meet each other, and don't bring our phones. Of course, they could make you carry your ID in your phone (for a few years, there'd just be a $100 charge for a physical ID until they eventually just phased them out), or make you carry cash in your phone, so how could you meet up in person if they didn't want you to?
If we're talking cyberpunk dystopias, we'd have to resort to hand-soldered audio couplers that use our locked-down phones as modems. Once the next Android/iOS update detects and blocks unauthorized binary carriers, we'll have to steganographically hide our traffic in fake voice calls. Crappy baud rate, but good enough for encrypted text. Augment with sneakernet and local hard-wired networks running under lawns and dorm room carpets.
Although in this grim future where all communication is monitored and censored, people like you and I will probably be up in the hills in the rebel camps, and open networking protocols might be low on our list of priorities.
Now I kind of want to build one just for the challenge. Analyze what frequencies can get through, and reverse engineer the phone company's codec so I can send a pirate signal, like a phreaker of old.
Fun fact: You can no longer do such a project in software on stock Android. They locked down the voice audio API.
This is bad but how is it going to affect the usefulness of my personal web site, that will never use that API to check who's reading it, not or human? Same thing for a lot of sites, probably the vast majority of them.
That is because without https, there is no guarantee that the site requested is bring delivered as the site intends. For example, an ISP could insert data or scripts into the page.
And monkeys could fly out of my butt. Not everyone has the same threat model.
Faced with a choice between a vague future threat that might happen (an adversarial ISP or other MIM attack) and a certain future threat that will happen if we let it (incumbent gatekeepers locking down the Web), I'll take my chances with the former, and opt for less gatekeeping rather than more.
It's not a "might happen." ISPs, especially in places like hotels and other public WiFi spots, were replacing ads on sites with their own ads. I don't know if they did anything more nefarious but they were probably also snooping and logging to at least some degree.
"That is because without Web Integrity, there is no guarantee that the site requested is being delivered as the site intends. For example, a browser extension could remove ads or modify content on the page."
See where this slippery slope is heading? We DO NOT want what "the site intends". We want to be in control of the content we consume.
Then make laws to force your ISPs to be neutral carriers and prosecute any pulling shit. Most of the world doesn't have this problem yet we are still forced to waste countless of cycles and man-hours on TLS for public read-only content.
I never had ads on my site and if it disappears from search results, no problem. I'll give the URL to the very few people that might be interested to browse it. I probably know all of them, plus a number of bots.
They may also flag your site as "unsafe" and will refuse to display it with scary warnings and hidden overrides that the average user will not be able to access it. This already exists btw. Also in Firefox, using Google's blacklist.
HTTPS has a lot to do with that. let's encrypt is free, but requires things common users dont have, such as control of a domain, as it is if google can see your stored certificates it could exclude you from a site based on "sites you hang around with"
Personal sites likely wouldn't be affected directly. What this will affect is the ecosystem of browsers that people are willing to use. My prediction is that it will slowly strangle independent browser development, which will turn the web into something akin to the Android/iPhone duopoly. This is kind of already the case with browser engines, but because this is DRM, it would extend that same effect to the actual distributed binary (e.g. you can't visit your bank with Chromium on a Debian box, since that wasn't compiled and signed by Google).
> Same thing for a lot of sites, probably the vast majority of them.
Once Google gets this in place, it can then perform these checks through their ads SDK and demonetize traffic from visitors that don't pass the check. This will create an incentive for any site owner that wants to make money through ads to enforce that visitors must use an approved browser. Basically the DRM equivalent of 'Please disable your ad blocker'.
> Basically the DRM equivalent of 'Please disable your ad blocker'.
An interesting observation I've had in my own browsing behaviour is that the majority of sites I visit are time wasting visits. If any site presents the above message (or the equivalent - 'sign up to read' like Medium does), I find I just navigate away and do something else.
The bigger concern for me like you call out - major institutions like banks enforcing a separate company's requirements on me in order to interface with them.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked.
Because of this. If we're at the point where you need to get permisssion and approval to verify that the platform you're using is acceptable, then the gates are up and the free web is no longer free at all.
> If we're at the point where you need to get permisssion and approval to verify that the platform you're using is acceptable
I guess it has been the case from the good old CGI era? I do remember all those private forums that required me to wait for several days until they can "verify" my identity and "approve" my registration. The control always has been at the hand of platform. The difference is that now attacks are much more sophisticated (GPT-4 powered!), while defense line is left at a pretty miserable state.
But I don't feel like Google has the luxury of letting it's image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
More importantly, a company of the size, scope and sophistication of Google trying to hide its fundamental redefinition of how people access the web, behind “it’s only a technical change” is unacceptable.
As if something with multiple downstream non-technical effects, is only a technical change
As if you can minimize and dismiss everyone’s fears and concerns as hollow, invalid and irrelevant by waving the magic wand of tis only a wee technical change, to be sure, to be sure
As if everyone’s protests and arguments against can be instantly hosed down, because aye, you guessed it laddie, it’s only a technical change
It’s almost as if the folks at Google think people are so stupid that not only do people not know what they’re talking about, but they’ll actually believe the lie and fall for that deception…
It’s almost as if Google was trying to gaslight the public about this…
If they end up groveling about this, I don’t think “in retrospect, we could have communicated this better” is going to cut it. This is a company the size, scope and sophistication of Google. This is not their first rodeo. They know exactly what they’re doing, and they mean to do it…
This defies my Occam's Razor view. You seem to be assuming Google is an extremely well connected organism with vast coherency: each limb knows what the others are doing, they are working together in close fashion, & doing things for ulterior motives.
This is such a horrific & bastardly case - of creating unparalleld rank awfulness hither-to-fore unimaginable - that I am tempted to agree. And I do think there probably was some cross-pollination on this idea (which I personally would characterize as unlike the vast majority of things happening on the Chrome team).
But I still think there's a very necessary "reel it in" counter-response that has to happen here. It was me who characterized this as "only a technical change". Google is trying to shift how the web works & knows it, with this change, and that's clear, and their explainer indeed rather twists words somewhat to make it sound like it's for the user: but it is also imminently clear they seek to shift of the web works in a wide way, and they're not cloaking that behind anything or as simply technical: they're wrong & immoral & awful, but up front about what they're doing, and they're not presenting it subtly.
I linked Yoav Weiss's post with some disdain (for rebuffing), but I think a lot of these rules hold true in most circumstances, and I think even under duress many should be respected to the degree possible. But reciprocally, I've already advocated (in the HN thread) that sometimes I don't think constructive replies are appropriate or possible. When we are working to define the only open accessible shared hyper medium humanity has, there is a higher degree of engagement necessary, which also has to permit explosively deconstructive argumentation sometimes. That was my main critique: that Yoav is sheltering Chrome unjustly from the minefield of conflict he created (or more generously, let be created).
No, I’m using Google rhetorically. Sure you could be more specific and say the Google Chrome team, or whoever is actually discretionary responsible for this, and the chain of command that authorizes them with that power within the org… but I think, bothering with such specifics would make the message less effective so I didn’t.
Also, I don’t think it’s necessary. Google is responsible for whatever its parts are doing; a corporate entity. And people are right to expect that if they get something from Google then it’s caused by Google.
Also, I think it’s wrong and too early to be diluting or shielding Google behind the pedantic hairsplitting that, “oh you see it’s not actually google at fault here, um, it was probably some guy that works in a basement somewhere, you know, his views not reflected by ours and so on…” it’s not necessary to provide them that shield or confusion at this stage.
He may work at google, you may work at Google, I may work at google; we don’t know. And it’s not important. What’s important is that Google is at fault here. (I don’t btw)
Magnitude of the malfeasance is so great they deserve to be held to account for it, and a simple label of Google is sufficient.
Also, Occam’s razor? I think it’s unnecessary to invoke the preposterously exaggerated strawman of some ghastly and convoluted conspiracy here, when their actions directly align with, and can be efficiently implemented by, their business. It’s a simple thesis: Google is at fault and they meant to do it. They know it’s bad and therefore are selling it deceptively.
It’s neither convoluted nor complex in any way. In fact, if they’d tried to engage with this technically in a way that accounted for acknowledged and respected the fears and concerns people raised in response, then I think they would’ve ended up with a solution that is more convoluted, and complex. In this we have the curse of simple evil.
I think it’s drinking the gaslit Kool-Aid to pretend “oh no, it’s an accident, it’s incompetence, they didn’t mean to.” This is directly (if harmfully and unethically) supporting their business interests. They meant to do it. That’s the simplest explanation. That’s Occam’s razor.
> You seem to be assuming Google is an extremely well connected organism with vast coherency: each limb knows what the others are doing, they are working together in close fashion, & doing things for ulterior motives.
Nah dog, you're overcomplicating it. All it requires is a person or two in a management chain to recognize the hint of long term business potential in a technical change. It doesn't have to be a sure thing, or a big thing, the bare minimum is that they just notice a business model that could be enabled, and choose to explore it. Then once the company takes on the initiative, some combination of communication and intuition spread the understanding of what they're doing across some of the buisness. For the wider scale, all the rank and file need to do is play dumb, or be legit unaware, about the obvious incentive they're working towards.
That's not a vast complicated conspiracy. That's every single business' outward-facing messaging strategy.
When parent poster talks about the "size, scope and sophistication of Google," the point doesn't have to be that they're meticulously coordinating. The point can simply be: there's no fucking way they're not playing dumb.
This is my problem with people using Occam's Razor to understand business decisions. They often assume the idea that someone could be employed in business development and spend months championing and refining an idea is a level of complexity that must fail to a more simplistic explanation. But we know that shit happens all the time.
Google seems to be escalating the speed of its efforts to restrict its user base to the completely non-technical, but Apple and Facebook already own that market.
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
This proposal only impacts "the web", which has already been going downhill for years now due to unsustainable ad-reliant business models. The internet is fine.
I wish I could agree. The internet isn't in nearly as bad of shape as the web is, that's true. But it doesn't look nearly as healthy as it used to, as more and more services are moving to the web and abandoning the internet.
For the vast majority of people, the internet is the web, as well as mobile apps. The latter are already out of the control of users. Today, we at least have browsers that we can mostly force to do what we want (like stop downloading and displaying ads), but WEI will end up restricting portions of the web to users running browsers that do what the web servers want, not what their users want.
And for most people in the world, that is "the internet".
The distinction is important in my opinion because it means that our technology stack isn't necessarily captured to the root by hostile interests. In these respects, a better world is possible without having to dig everything up and start over, for now.
While I agree with the other people in this thread pointing out that the web practically is the internet for the average user, I think this is an opportune moment to mention that Gemini exists, free of any kind of mass surveillance or advertising. It's like the web prior to Eternal September. I even have my own Gemini capsule[0] which has a live web mirror[1] statically generated from the former's content. Granted, Gemini is vanishingly obscure and relatively inaccessible compared to the web, but it's still cool that it exists.
Are you referring to Google Maps automobiles connecting to open WiFi networks? Because to be fair, those networks were wide open, and they were being advertised.
I don't see how advertising an open WiFi network is much different from advertising an open house. In both cases you should expect visitors.
I disagree. An open WiFi network that is not being advertised would be similar to leaving a door unlocked or the shades open. When that network is actively advertised it ceases to be an open blind, and moves into open house territory.
If you are advertising that your door is unlocked, and the precedent is to enter unlocked doors - as it is to connect to open networks, then yes. Permission in such a scenario is implied.
You make these analogies attempting to equate an advertised open WiFi network to an unlocked home, while ignoring the precedent around both of those things.
It is expected that people connect to your advertised open WiFi network. It is not expected that people wiggle your doorknob to check if it's unlocked or not. If you put a sign on the door advertising, "the door is unlocked!" then I wouldn't be surprised when someone mistakes that for "come in".
I think that depends a bit on context. If I am at home, and my neighbors are advertising an open Wi-Fi network, I’ve never taken that as an invitation to connect and use it. However, if I’m at coffee shop Foo and I see “Foo Guest” advertised, then sure…
No it doesn't. Imo, that would be both poor etiquette, and a violation of trust.
While I do remember hearing about Google Maps vehicles connecting to open WiFi networks in the news, I don't recall hearing about private credentials being published. Was that the case? I thought it was just a map of open WiFi networks that was published with basic details such as SSID?
Edit: I found the article (2010, holy cow does time fly). It looks like they did collect payload data for non-encrypted traffic. Even though the data wasn't published in any way, I must agree that they went too far. I would have no issue if they were to simply verify that they could connect and record basic info such as SSID, but collecting payload data from network requests was inappropriate.
To be clear, my stance on the matter is that it is 100% okay for anyone to connect to any open WiFi network.
I don't find it particularly troublesome that maps of open WiFi networks exist.
I do not, however, think that it's okay to behave maliciously, or inappropriately on open WiFi networks.
My earlier response to your comment about hoovering plain text passwords didn't properly acknowledge the bad behavior that took place. I concede that you are correct, it was rude and insidious behavior.
Seems like this is going to get a lot of pushback. It might not go through. But remember whether it goes through or not isn't the important thing. The fact that Google wants it to is what matters.
Correct. If the pushback is successful, rest assured that the reprieve will be temporary. At best, they'll come back around with some tweaks and changes to blunt the more egregious aspects, but it will come back.
The "privacy sandbox" stuff is a perfect example of this process.
> Correct. If the pushback is successful, rest assured that the reprieve will be temporary. At best, they'll come back around with some tweaks and changes to blunt the more egregious aspects, but it will come back.
Yes, they might even intentionally have started with proposal so over-the-top that people who are now protesting may feel that they won when some time afterwards Google presents slightly less creepy second iteration this. And the ones who don't will be cast as radicals who don't want to engage in good-faith discussion while Google seemingly proposes a reasonable compromise. Besides, would anybody please think of the child... err... banks with webpages!
This feels like a reincarnation of Microsoft Halloween documents but all in the open... How corrupt our industry became that this doesn't cause the same uproar... Google truly morphed into what it fought in the beginning.
The Chrome team have used "the Open Web" as a euphemism for what is to all intents and purposes Google's great ad supported walled garden. That so few people see this for what it is is amazing, and then they get all surprised when Google act to preserve it and close the capability gap with native platforms.
It's an incredible hubris to pretend to gatekeep the whole Internet. Google´s being doing a pretty hansome profit, maybe not the meteoric rise they were used to before 2020, but still nothing to warrant such desperate measures to secure future profits.
When Microsoft did this with IE, they did it with proprietary and undocumented APIs. The fact that this is an open spec, discussed in an open forum, using well established and standard technologies is what ensures it can never be positioned against users in any meaningful way.
To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.
Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.
What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?
TPMs can be emulated. Also basically every hardware platform can be placed into a hardware debug mode that allows live debugging of the underlying operating system. Keys can also be extracted from hardware. If even one supported platform leaks a key (and in this doomer fantasy world all platforms must be supported right?) then the attestations can be bypassed. It only needs to be bypassed once to be bypassed everywhere, basically forever.
EME is a great example. It's been around for over a decade now. In what way has it negatively impacted users? Is piracy any harder than it was? EME has been built into Chrome since long before it was an official W3C spec, which it has been for six years now. People lost their minds when EME was getting standardized, yet here we are. This same nonsense is playing out with WEI, yet people haven't seemed to learn a thing.
> The goal of the project is to learn more about the person on the other side of the web
…
The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
I use Firefox on desktop and mobile, I use DDG, stopped using Google Analytics but I sadly still use Gmail and Android. I degoogled the east things (e.g. GA and Chrome) but getting totally rid off Google is hard.
Sometimes impossible in my case. Google Drive is always used in any collaborative project; so is Google Colab and Google Meet. And I still have the instinctual drive to reach for Google Translate/Maps, because it's so easy to access (physically and mentally).
You can still disable EME if you don't want it. That's a lot harder to do on other browsers.
I would probably have dropped Firefox back then if it was the only browser that I couldn't watch Netflix in, and I wouldn't be the only one. I don't think Mozilla can bear the loss of userbase.
Right. That's why Mozilla can't meaningfully stand up against these forces anymore. It's not that they don't want to, it's that they don't have the market strength.
thats because mozilla simply stopped having any interest in browsing whatsoever.
They now have an interest in limited edition color drops and with their bespoke charactaristic allowing users to select color that best resonates with them.
You and I, as mere mortals, may not know what this means, but rest assured, mozilla does.
The market share of firefox is so low and there are already a ton of popular websites that don't work on firefox. Mozilla will very much be forced to follow along here.
And if they don't give in, Firefox users will stop being able to access Google properties, and then probably others like video and music streaming sites, and possibly even the larger news outlets. Banking sites might get in on the action, being led to believe that doing so will increase security.
Mozilla are proposing IPA[1] which is designed to track user interaction with ads and product marketing, and track any conversion that occurs (e.g. users end up purchasing something).
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
That makes zero sense. If they ever did that they would lose all their market share overnight, and they know that. Google has always been good about letting people have full control over their devices, despite building incredibly locked down UX.
It would be trivial for them to build a Chromebook, or Android phone, or browser that you can't flip into dev mode, but they've never done that, even though many of their competitors in the space regularly lock users out of their devices.
That is what would happen if they made adblocking impossible in chrome today, minus all the people who don't use AdBlock and happen to be numerous enough to be Google's entire business.
In a world with attestation, you can't browse any website unless you are using Chrome or another attested browser. The New York Times would refuse to serve content to unattested user agents. That is what would make everyone use Chrome.
The scariest part is that it's not just the browser --- remote attestation goes right down to the hardware with things like the TPM, so if even one piece of your software is not "approved", you'll be locked out.
> The New York Times would refuse to serve content to unattested user agents.
You forgot one thing – once a copy of the content is server to AT LEAST one attested user agent – what prevents him from sharing his copy with unattested users?
It is easy to see that if something will make getting the content harder – it will immediately find the path of least resistance. This is the reason any new Netflix title is available for free an hour after the premiere. And the harder Netflix will try to fight this - less time will pass before their content is stolen and re-translated for free. Exactly same will happen to New York Times if they refuse to serve - someone would serve a copy instead of them – because there is now demand created for such copy.
i dont need debug tools in the browser - if the bytes of encoded content are getting transmitted to the socket on my machine, there is no realistic way to prevent me from taking and replicating them, i don't see how some software inside the browser can have any effect on this, because the browser has zero idea where these bytes can go after they hit the socket. A good analogy would be filming your screen manually - computer has no idea of this filming and in no way can prevent it, because it cannot act on a real world around it, the same applies for browser, i can take a document, video or sound from any page without involing the browser
> because the browser has zero idea where these bytes can go after they hit the socket
The attestation uses a secure enclave in your processor with a secret key you can't access to verify that secure boot is on, you booted a signed OS, the OS is in locked-down mode, etc.
No secure enclave of registers or hidden secret keys can help, because a person can utilize the lower-level physical world around the processor to manipulate it (e.g sending electrical currents from a programator device manually). But that is a last resort, there are simple software attacks available already to fake as many "attested" devices as needed (for the same DRM system of Android). It will only bring more jeopardy to the "integrity"
See that's exactly the issue why I hate this. You can always circumvent it, worst case with an electron microscope and some acid. So all it really does is prevent the average user from gaining control over their own hardware.
And for tech-minded people it doesn't fundamentally change anything, it just means that it now takes more time to do the same than before
True, a cat-and-mouse game going on forever. Anyways, I don't believe they can succeed in walling such a monstrosity of technologies as the web, just by controlling some parts of it, even significant parts like the browser or search. It is only something governments can do by requiring a passport scan each time you open a connection (which is closing when you eject the passport from the scanner)
This is why Risc-V being developed in China and other countries and exported elsewhere is ironically a good thing at the base-level of computing. The chinese computers will require China's bugs, whereas exported good will NOT have it, otherwise it won't be bought.
I assume it's something like the old Protected Media Path.
For example, if you try to screenshot a Netflix video all you screenshot is a dark-pinkish square, because the video is probably added by the graphics card at the last moment.
It will be, as always, incrementalism. Tweak this little requirement here, then maybe two versions down the road lock this down, then a couple years later bring the hammer down before anyone can react. "Move fast and break things..."
I am using various browser extensions which make browsing a better experience for me like Dark Reader to make all webs dark. Sometimes I write userscripts for TamperMonkey to add missing functionality or get rid of some annoyance. That all will probably be impossible thanks to this attestation BS. :S
Don't you think people will inevitably crack the software side of things (as has been done with the lower levels of Widevine)?
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
That is exactly the goal of this, and why it needs to be opposed fiercely.
Google will degrade their services for non-DRM browsers. They have a long history of "oops" with UA sniffs and serving slow buggy alternatives to Chrome-only JS.
You'll be filling in captchas 10 times a day, getting randomly locked out of your Google account in the name of security, and whatever new feature they add to their services, they'll find an excuse to require the DRM for it.
That doesn't make any difference. There will be websites that will only allow people using approved browsers to access them. Instead of whatever you expect, you'll get a link to download Chrome (or whatever), and possibly install $COMPANY's attestation software.
Then, people will DDOS the attestation endpoints because why not.
It honestly boggles the mind that the same company I used to respect twenty years ago has morphed into the evil monster that is modern Google. A tragic fall from grace.
Such is the fate of all companies. Companies need to be allowed to die in order to facilitate competition, but because of a failure of antitrust regulators to do their jobs, giant companies have been allowed to leverage their war chests to perpetuate themselves by gobbling up competitors and prolonging their own demise, to the detriment of us all.
Google needs to be broken up, and the other tech giants too. Bring back competition to the market or we'll continue marching towards Blade Runner corporate dystopia.
While I don't love this API's idea, I understand why they're doing it, and the API it describes really just sounds like any Captcha API today.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
One key difference to Captchas is that since this new system requires no user input, the "cost" of a website requesting attestation is a lot smaller. So it will probably be used more widely.
Captchas only let you verify that the user is human, this API lets you do more: it lets you verify that your web application is going to run unmodified and that the user is going to see what you want him to see, _everything_ that you want him to see and nothing else.
Unlike captchas with this you can remove adblockers, greasemonkey/stylus edits, extensions adding download links to your youtube videos, etc, from the picture.
> Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites. So really, Google can do whatever it wants.
This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of it's users hates and none of us can do anything about it, they perhaps have too much market power.
> When Google can do something that every one of it's users hates
I don't think this is remotely the case. Quite a few tech-savvy people I know (some of them software developers) use Chrome and mostly don't care about whatever Google does with it. I mention "manifest v3" and get a blank stare. I talk about advertising and ad blockers, and most people don't care, with some of them not even using ad blockers.
We really live in a bubble, here on HN. Most people think of privacy as some abstract thing that they have little control over, and are mostly fine with that. And some are even also fine with government erosion of privacy, in the name of "save the children" style arguments, and of corporate erosion of privacy, in the name of getting free stuff in exchange for their personal information.
It's a sad state of affairs. If most people really did care strongly about these sorts of issues, then I think it would be baffling why we haven't seen more change here -- after all, Firefox is a perfectly viable alternative to Chrome that very few people use. But the lack of change is no surprise: most people don't care.
I'm a tech-savvy person and I consider Manifest v3 an improvement (improves security + performance), and Firefox implements it as well as things like declarativeNetRequest[1].
Manifest v3 itself is an improvement and is probably non-controversial. I can't see why anyone would think deprecating manifest v2 along with removing webRequest is a good thing. The latter is what everyone is mad about when they talk about "manifest v3". I'm not sure whether you're trying to making a nitpick point about the difference between the two, or you legitimately think the latter is a good thing.
Can you expand on the security improvements of v3? This is the first I've heard this.
As for performance... That sounds dubious. Declarative blocking surely will be faster than v2, but what is being blocked by v2, I would imagine, is generally way slower than the difference between v2 and v3. At the end of the day, I don't see the performance of my browser negatively impacted by uBlock Origin, I see it saving CPU, bandwidth, memory, privacy, etc.
I'd be willing to bet that whatever isn't blocked by v3 is sifnificantly slower than whatever supposed slowness there is with v2 (in general).
Multiple bubbles on HN. Obviously, most of us are complicit in some techbro business conventions today that, 30 years ago, would've gotten us shunned by our peers, and reported to the authorities.
(Not that current phenomena weren't foreseen. SF writers had already been all over it. Anecdotally, Internet-savvy techies were often informed by various forward-looking thinking and by world history, and tended to act like stewards rather than exploiters.)
I can still block content in any way I see fit on Gecko-based applications, not so much on Blink-based things. There are many things about Firefox-the-browser and Mozilla-the-organisation which could do with an overhaul but as it stands it is still my go-to browser. I only use Blink-based things to test and for those (annoying) sites which insist on it in which case I first try Bromite, then Ungoogled Chromium. If it still does not work it is not worth visiting. I do not have Chrome installed on any device and have never felt I was missing out.
I don't buy this. I'm sure most iphone users don't care when you ask them about privacy or manifest v3 as an abstract concept, but remember what happened when Apple tried to push a U2 album to them? They lost their collective shit. They may not write blog posts about privacy or donate to the EFF, but they have deeply personal relationships with "their" phone and they absolutely hate being reminded that it isn't really theirs.
If this weren't true, Apple could just start inserting ads into every iphone's Safari window tomorrow, and Youtube could serve the ad in the same stream as the video to defeat adblockers, and they'd make a bunch of extra money with no downside. The fact that they don't do this suggests that Apple and Google understand this: people only tolerate restricted platforms that do a convincing job of pretending to be unrestricted. In practice, this means that step 1 of Google foisting off user-hostile stuff on us is getting Firefox to include it too, which is presumably why they spend so much money on it.
No one I knew really cared much about the U2 album except that it was a bad album and they didn't want it in their collection. From the people I know there no one upset about the power dynamics - everyone who complained would have been 100% happy if Apple had given them an album they liked.
And also, in a bug I'm not sure was entirely on Apple, when plugged into many car stereos iTunes would start playing the first song in your library, so users were annoyed because everythime they'd plug their phone into their car to charge it would start playing a 3rd tier U2 album.
>when Apple tried to push a U2 album to them? They lost their collective shit
and that's exactly it. putting something in your music library is a hugely more visible and tangible thing than all the nebulous privacy concerns the internet wants me to be afraid of. nobody gives a shit if google or apple or facebook or whoever else introduces some techical measure that could be used for nefarious things. they only care if that api is actually used for nefarious things. as long as the argument is "well if google implements X, then it would potentially allow them to do Y*, that's a failing argument.
like it or not, people actually do trust the big tech companies. as long as they aren't actively abusing that trust in ways that people care about, things like "google wants to know if you're a real person or a bot" aren't going to cause a whole lot of outrage. most people can understand that letting fake people pretend to be real is bad, and that preventing that is probably a good thing.
> as long as the argument is "well if google implements X, then it would potentially allow them to do Y", that's a failing argument.
It's similar to privacy 'dead bodies'[1], where users want to know actual concrete examples. I keep a collection of them in a larger directory of web pages about privacy, about instances where 'nebulous' privacy aspects meet reality and users are impacted and upset by it.
[1] Term used by a law professor in Daniel J. Solove's "I've got nothing to hide" and Other Misunderstandings of Privacy
I care, and I've basically stopped using my iphone for anything because the web is an abysmal experience full of ads even with the maximum amount of ad blocking possible on iOS. I hate the iPhone and the only reason I haven't switched back to android is that it seems to manage to, somehow, still be even worse. We are well and truly on the other side of the enshitification event horizon on mobile, and it looks like Google is doing it's best to make sure the web keeps up on the desktop too.
Until Apple allows other browser engines, everything is still limited to the same set of blockers you can get in safari. None of them are remotely good enough compared to ublock origin. My current phone probably has around 6-12 months of life left in it, and if Apple doesn’t have a solution by then I’m dropping the iPhone and either going with a de-Googled android build or giving up on smart phones altogether.
Not trying to get you back on your iPhone but I can tell you that 1Blocker + NextDNS do wonders when it comes to blocking ads on the web using iphones. Granted, sometimes some sites do break for weird reasons but i'm happy to live with that if it means I get to avoid ads. Hell, it even manages to block ads on mobile youtube.
My personal experience with ad blocking on iOS is that it’s both far less effective overall than ublock origin, and still manages to break a lot more sites. I have 0 tolerance for ads though- so even a 99% success rate on a site is unacceptable to me and I’ll just not use that site on my phone. Maybe 2/3rds of sites fail by that criteria for me. If ublock origin on my desktop computer also fails, then I don’t use the site at all- but that’s a vanishingly rate occurrence.
This is exactly the take that Google, and companies interested in setting up WEI-enabled web sites, will adopt. When you're talking about business, technical details that will affect a tiny minority of nerds simply doesn't matter. What matters is what value can you capture from the lion's share of the market? And how much is it gonna cost you to support the tiny minority that remains?
Back in the 90s, much of the web was designed for Internet Explorer exclusively. A bit later, Flash took off. Both of these posed problems for users of niche browsers and operating systems, but from a business standpoint, nobody was complaining.
> when Apple tried to push a U2 album to them? They lost their collective shit.
Yeah, Apple was toast after they did that. Their share price in 2014 when they did that was $24, and immediately afterwards it rose to $33 over the next 12 months. And since then, it's just been one long slow decline to almost $200 a share, as their global mobile market share has gone from the 24% it enjoyed in 2014 to the measly 29% it enjoys today.
You’re forgetting a 4:1 stock split in August 2020, so it’s even worse ;-)
I think this illustrates that people only worry about this kind of thing if it gets shoved into their face.
The privacy thing is OK as long as it’s only used for the good. For example, I think nobody would object against a world where every killer would be caught within an hour to get a fair trial.
However, such a world also would be one where every traffic offense could be fined, and where powers that be could find some dirt on anybody in their email history, presence on on-street cameras, etc. Worse, it would take relatively few people to pull that of.
That’s something I think nobody wants, but it’s abstract until it affects you, so few people worry about it.
By this argument we should defund the police because they could be used for oppression. Forgetting the reality that they are also stopping thousands of crimes every single day.
Privacy absolution is never what most people signed up for.
Where did I make the argument that “we” don’t want to give up any privacy? I’m only claiming “we” don’t want to give up all privacy.
Also, “the police” are thousands of humans. That makes it harder to use the police for oppression than if “the police” were a bunch of computers and robots.
If somebody proposed the latter, I think lots of people would object.
> after all, Firefox is a perfectly viable alternative to Chrome that very few people use
I don't use Firefox because it's slower than Chrome and because their behavior regarding limiting which extensions are available in phones, requiring signed extensions, Firefox Pocket, ads in new tab page, etc, does not exactly give me confidence that Mozilla truly has my interests in mind. In fact I bet they'll implement the nightmare DRM API once it's done swiftly and without complaint lest their money flow suffer.
If Mozilla ever decides to stop screwing around, clearly position themselves as an ally of the consumer, clearly express support for adblockers and put resources into making the browser faster and better and more customizable instead of whatever makes their CEO richer then I'll switch to Firefox even if it is a bit slower or has some flaws.
In the meantime uBlock works right now in Chrome which makes it usable, so since Chrome is the fastest right now, Chrome it is.
uBlock Origin doesn't work on mobile Chrome. I don't understand this perspective. At the very least you would want to use an alternative Chromium browser on Android, even if you weren't willing to install Firefox. You're upset about not being able to run every extension and so you're running none of them?
Look, I will absolutely criticize Mozilla for some of its policies. Pretty much every issue you've raised there is spot-on, in fact I'll go a step further and remind everyone that Pocket was kind of supposed to be Open Source by now, and it still isn't.
But it's cutting off your nose to spite your face to use Chrome. Google is less receptive to criticism than Mozilla is, has worse extension APIs and is more restrictive of how extensions get installed, has worse privacy features, allows for no extensions on phones, is more directly tied into an advertising network, and is actively trying to make the web worse.
Use Firefox.
I am not telling you to be complacent or to ignore Mozilla's problems, I am telling you not to lend support to the browser that is actively trying to make the web worse. We're all very happy for you that you're very principled about not just picking the better of two bad options. We're happy that you have those standards. But we're less thrilled about your policy of picking the worst of two bad options. At the very heckin least you're not even going to use a Chromium fork? You're just going to make the worst browser choice you can make for the Open web?
That's true, I was talking about desktop, I probably should have not mentioned the phone extension thing.
In Android I use Bromite (a Chromium fork) which I should probably replace since it's fairly outdated at this point.
But you're wrong about me not using Firefox out of spite, the real reason I don't use it is because it is (or apparently was according to the other replies) slower to the point it is noticeable, at least on my desktop (and even more so on my old phone). The rest is just why I don't support them despite being worse.
Will you at least consider switching to a DeGoogled Chromium fork? Yes, it would still be the same browser engine, but there are a lot of features in Chrome proper that Google uses to help contribute to its ad network and data collection.
Firefox may not be _as_ fast as Chrome, but it's a fairly negligible difference nowadays. rendering speed hasn't been a limiting factor for a while, and i feel like network latency and poor application optimization has been more the culprit there. you can only squeeze so much blood from the optimizing inefficient JS stone, and no amount of rendering engine optimization will ever fix shitty backend API response times
Firefox fails because there is no actual industry pressure to build a better browser. you simply can't sell a browser alone anymore: the free offerings have been good enough since the early 2000s.
Safari only needs to be good enough for iOS users to not abandon the platform entirely, and the ecosystem wants to push you into native apps anyway (Apple wants their IAP cut).
Chredge is, well, _there_, but basically just a minimum batteries included that maybe funnels some set of users into other Microsoft offerings, but it isn't the core product.
Chrome is, well, Chrome.
Firefox is comfortably supported by Google funding as an antitrust action shield. there's no real pressure for them to try and beat Chrome in market share because they're explicitly paid to be minority market share, and aren't really going to lose that share because they already have all of the "intentionally don't want to use Chrome" market. Mozilla faffs about making also-ran internet services (idk, whatever the heck that VPN offering was, etc.) because they fundamentally can't lose their main revenue stream so long as Google wants to avoid antitrust action, and have no real pressure to offer a competitive product.
> limiting which extensions are available in phones
As opposed to chrome, which doesn't allow any extensions on mobile
> requiring signed extensions,
So does chrome
> ads in new tab page
Chrome is made by a company whose main business is selling ads ...
> clearly express support for adblockers
Mozilla has long shown support for ad blockers for example, uBlock origin was the first extension aupported on mobile, Mozilla has no plans to drop the blocking WebRequest API, largely because it is needed for sophisticated ad blockers like uBlock origin, etc.
I don't agree with everything Mozilla has done, but I still think Firefox is better than the alternatives.
this argument is inadequate because it only examines and explains one side of a multi-part system. The users of consumer electronics as a mass at a point in time is not sufficient, even if well described, to explain important changes of the system over time.
When you talk about communications technology adopted at a societal scale, changes in norms and routine have ripple effects. Most certainly one of those is a change in asymmetric power relations by central communications companies, versus the user of their systems who get strictly limited information views of what is happening with their phone calls or emails.
When you have asymmetric power relations with market advantage and secondly literal surveillance at stake, a unilateral change in the service agreement is not a small "oh well" matter.
This single statement "people do not care" does not show all the players, and most especially does not show the players making decisions, the management of the companies making more money or new revenues with new decisions.
>Firefox is a perfectly viable alternative to Chrome that very few people use.
The problem is that it isn't.
Do you know why Firefox managed to usurp IE6 in the first place? Because it won the adoption and appeal of tech enthusiasts and professionals. Mom and pop (read: the general population) switched to Firefox from IE6 because their tech nerd kids installed it for them, and the enterprise largely moved off of IE6 dependence because the general population moved off.
But the Firefox today is not the Firefox that defeated IE6. Mozilla steadily eroded and destroyed every single thing tech enthusiasts and professionals loved about Firefox, to the point it practically became just a Chrome ripoff. At that point, why bother? Chrome's right there, the real deal.
Not to mention Mozilla happily takes money from Google with no shame at all so their CEO can get her fat paychecks.
Firefox is not a viable alternative, Firefox is literally controlled opposition to pedantically argue Chrome is not a monopoly. Not even the Intel and AMD x86 duopoly is this blatant.
Firefox did not defeat IE6. That was Chrome. Firefox has basically been a fringe browser since Netscape imploded.
The original reason Google started the Chrome project was that the stagnation of IE6 was a barrier to implementing the web software they wanted to build. At least that's what they told us.
This is true. As someone who had a work time card I could fill out on Solaris using Firefox. This the new time card website came out that was “ie” only and we had to log onto a virtual NT server do our time card. Ugh. It was a nightmare. Then slowly Firefox came back. It was short lived majority but I still use it. I rather like it.
The "death knoll" was dev tools for chrome - they hired the firefox guy who was doing better work, then you couldn't lift an arm without hitting some web dev thinking they were cool for using chrome.
Firefox got better dev tools and mozilla did random crap for a bit, meanwhile brain-dead devs insisted on continuing to use chrome. When the devs supported it, they started favoring the googlified things.
Honestly it's a terrible browser - we are back to the bad old IE days (almost).
It's a small difference, perhaps, but its "my" browser in a way chrome will never be. Blink sucks.
Also, not a clue what you are on about - I don't have an issue with firefox. Chrome is basically for dealing with google stuff, and for the rest of the web I don't care about them.
Sometimes Drive stops working for me, trying to download something results in a redirection loop.
Clearing the cache sometimes fixes it. I suspect the Firefox anti tracking settings but I haven't bothered to test it.
If I don't want to be tracked, I won't use chrome. If I don't care then I'll use it.
Just like I'll have some conversations on WeChat but if I want to talk about Chinese politics maybe I'll do that on another platform.
I don't really see the erosion in the corporate space. The erosion of privacy is happening at the government level. With "forced backdoor" laws and/or just outright forking the internet backbone (ala PRISM). I've never really understood "Corporate erosion of privacy"... It's opposite, Privacy is literally a USP of Apple products. They had to back out changes that hinted at an erosion of that trust with the on-device processing of Photos for cloud-sync. People are more aware than ever.
"Exactly how the rest of the world feels about this is not necessarily relevant, though."
This quote is from page 2 of the article. It is common for certain HN commenters to remind us that HN is a bubble. True. However, the author of this article is not necessarily in this bubble.
But, honestly, what difference does it make whether HN is a bubble or not. Google is a bubble. The Register, another entity outside the HN bubble, calls Google "The Chocolate Factory".^1 Does it matter that Google is a bubble.
1. Of course it's also common for certain HN commenters to try to broadly dismiss all journalism, on a news aggregator site no less. Maybe there is a pattern here.
Would anyone outside the HN bubble try to discredit the observations about so-called "tech" companies mabe by those inside it. (Besides those with vested interests in so-called "tech" companies.) All evidence I've seen since 2009 points to the contrary.
The reason HN is a bubble is because people here actually get and interested in real tech news.
If a journalist would explain these news to the masses AND the news has a way to reach the masses.
These days these kinds of news do not make it to broadcasted news and most people do not watch the old broadcasted news.
The news currently get people attention from the news feed on Android and Apples phones.
Those feeds recommend only the kind of content you usually interact with. No many people gets tech articles. And you can even argue that there is some extra filters on what news get on the feed in first place.
I have to disagree with Firefox... in terms of functionality and configurability it's by far and away my preferred browser but in terms of performance it just crunches to a crawl on my Mac. Load times of pages are absolutely fine but changing tabs crunch , scroll down the webpage judderfreeze whereas Edge is just silky smooth.
Maybe it's an extension or three I'm running but I just want to use the bloody thing not sit there and figure out what extension is not working nicely (and then potentially find out it's none of them) on one platform but is fine on another.
Every so often I go back and have look to see if it's improvised but it hasn't in the last few years for me.
Did that and weirdly nothing seems to be excessive... indeed the Macs own performance monitor doesn't suggest anything is particular excessively using cpu or ram but here it is juddering away especially when scrolling pages.
Three year old Mac btw... everything else runs pretty well... if I get a chance I might fire up Firefox in Parallels and see if it's a Mac issue
When you write "about:performance" to your address bar, and press enter, you should access to the internal performance monitoring page of Firefox. That should list every tab and extension by RAM use and power impact.
I use brave, arc, firefox, chrome, and safari. Safari is the best performing. 'tis a shame that other web browsers are unable to use it as their rendering engine.
Yeah, because you called it manifest V3, not gimping adblockers, which is what it actually was. How many of Google's users love that they're gimping adblockers?
Same for Web Environment Integrity API. Nobody knows what those jargon terms means. That's part of how enshittification works. If everyone knew how badly they were being fucked, this would never work.
I actually don't understand it well. What does it mean? I can't browse the web from xubuntu any more? I believe it's scary, but can't seem to actually sell myself on that.
If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
The problem with remote attestation is that there's no bound to exactly how bad it could become. If you can get enough of the internet on browsers that support remote attestation, to the point where it's an acceptable loss to simply reject anyone who does not have a browser that does support remote attestation, you can theoretically assert full control over the end user.
What will actually happen? Nobody knows for sure. The most likely outcome is that you will not be able to do banking, watch Twitch streams, etc. on anything other than Chrome, Firefox and Edge, on Windows and macOS. Linux will probably be relegated to the legacy web that does not enforce remote attestation. Alternate browsers like Librewolf, Brave and Mullvad Browser will just disappear as if they never existed. You can not browse Tor on clearnet websites anymore, as if you really could anyways. Etc, etc.
> If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
Microsoft of today is doing things blatantly in the open, that Microsoft of 199x would never dream of doing. The difference now is that all of the major computer manufacturers are basically going the same way, just at different rates.
But that's the catch, company breakups are extremely hard to perform especially when you're talking about such a giant company being tackled by an organization that only has ~400m in funding. Especially when they can point to the other giant companies as defense against claims of monopolist behavior. See Google using Microsoft, Apple, and Amazon as a reason for why their ad business should not be broken up in the January lawsuit.
On top of all this, a lot of users don't care, which is a problem itself, but also leads to an even harder time trying to navigate a company breakup. The convenience is too great for them, and it's too easy for the above noted companies (alongside other giants like Walmart) to shift public opinion.
You'll be very pleased to hear that it is going to happen soon with two antitrust cases against Google, one for search dominance [0] and the other for their ad business [1] with the former going to happen this year in September. So there is a start on that.
So get a front row seat and get ready for what is to come in September this year to witness the beginning of the end of a company once adored by hundreds of techies finally getting broken up to pieces.
I think one of the major problems preventing a tech breakup is that every politician has a portfolio in an index fund and they all know how top heavy in the same seven tech companies that portfolio and the SP500 is. You have the people that should be breaking tech up afraid to do so because their own personal finances would suffer. I don’t know how we get around that problem. It involves personal integrity and putting your own gains below the greater good- both things politicians aren’t known for.
Even if Google were forced to partition off employees and give up control of Chrome, they would still be allowed to be an influential force that gets a seat at the Chrome decision-making table, just the same as Meta, Apple, etc if they were to want it.
How would this have changed the existence of the Web Integrity API?
This line is what makes me roll my eyes whenever I hear someone say "Safari is the new IE". Safari missing a couple of features few websites use is far less of an issue than the dominant browser company can just invent new "standards" that make the web actively worse for everyone. (Sorry, I should say "everyone except for the scummy advertisers".)
Safari is just Apples Opera (before they went Blink and made themselves irrelevant).
They aren't great, just another proprietary browser. Every time I've used it has been sub-par. It reminded me a lot of Opera in that it was very opinionated, even if it tried to offer some feature. Apple makes money off of apps, not websites, though, so it makes sense they don't invest much into their browser.
Safari has the fastest JavaScript engine. In many respects, Safari's implementation is top notch. Apple makes money off phones and people use Safari a lot on phones. I don't understand why people think Apple don't invest on Safari.
Because people are in arms about Web Integrity API, but a lot of the same people will crucify Safari (and Firefox) for not implementing a bunch of Chrome-only non-standards (like the plethora of hardware APIs)
Subpar on what? That’s the important part. For my non-techie family, it seems to do everything they need WHILST saving a lot of battery life. If that’s the criteria, it’s a great browser.
I’d never use it due to lack of uBlock Origin and good dev tools, but it’s hard to argue with the speed and battery efficiency on macOS.
Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites.
Their hold on these claims are extremely tenuous. No one would be surprised if Firefox, Bing, or iOS resurged and killed Google’s offering, for example.
Microsoft is way too busy shooting themselves in the foot with Bing and OpenAI along with telemetry and all the tracking/dark pattern crap they do on Windows or any of their offerings.
They're quite happy scrambling for the crumbs as it is.
The reason why Google hasn't been and won't be is that everything they make is "obstensibly" open-source. (Minus the advertising network)
Google Chrome is "open source".
Android is "open source".
ChromeOS is "open source".
Nevermind the truth being more "open source" with proprietary bits (the bits that matter).
So the opening argument often is; well, someone else can enter the market and do what they do. But that's missing the trees for the forest (and the devil's in the details).
At this point, the "open-source" parts are just legal arguments that they can throw in courts whenever they are attacked for antitrust behavior, nothing more.
They know that making it so tedious means it will only be used by a handful of hobbyist and nothing more significant.
Doing stuff their customers hate is the default MO of most tech companies. There's very little recourse.
For example, when Apple makes a user-hostile hardware change, every major Android vendor will copy it in a matter of months[0]. The only thing you can go to after that is niche Chinese phone makers that will cause you a bunch of other pain.
I'm basically completely disconnected from Google at this point. My phone requirements forced me to get a phone without Google Play Services, and I live in a country where Google is not dominant. The only thing that still pops up is YouTube occasionally. (Also it would be nice if I could get my old Google Photos archives exported from Photos, but the export in Takeout keeps erroring! Oh well...)
[0]: Back when I worked at Google, there was a mailing list thread on a big internal engineering mailing list, where somebody point-blank asked "Did we remove the headphone port on the Pixel because Apple did?". The answer from the product team was a whole bunch of wishy-washy word soup, amounting essentially to "Yes".
Did you try different export options? I recently had to do one export and it kept failing but exporting using another option worked. I don't remember which one but it was either email or drive.
There are some weird implications of this and I don't think the economics point to a viable futures:
1. Unlike EME (the controversial web DRM backed by Google that was standardized somewhat recently), the Web Integrity API requires a third-party service, which involves maintenance costs, as well as development costs to constantly adjust to the arms race against all the hackers who really want to thwart these tests.
2. In a "functioning attestation industry", many attestation servers would compete on price to validate users, making the network efficient and robust. I struggle to see this becoming reality because decent attestation would require very complicated techniques for each supported browser, and there is only 1 company that does both significant browser development and also wants to run an attestation server.
3. In a monopolized attestation industry, Google would be the single point of failure for all DRM-protected media on the internet. Google's down? So is Netflix, Hulu, HBO, etc. because they can no longer validate that their users are running an approved version of Chrome. This also give Google an incredible amount of leverage over other companies, because they can change fees and policies unilaterally and there are no alternative games in town. Companies have an incentive not to put themselves in that position.
If the entire media industry coalesces around Google Chrome as the only supported browser for media on the internet, and bestowed this incredible market power and leverage upon Google, then it could work. I find it hard to believe that this will slip past every significant regulatory body on Earth, and any significant gaps in market control would make the scheme unworkable.
Dunno. I've got three browsers on the laptop. I usually use Chrome but if it's annoying I'd switch to one of the others. Likewise search and I don't use their OS.
I remember Google+ when they ignored feedback on users hating aspects of it and tried to force it on us using their dominant position and it didn't go very well for them.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked.
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data.
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
Attestation is a great concept for stuff you're in control of. Employee laptops, your own servers, your own phone, you name it. You want to be able to control and verify your devices are still under your control, preferably without manually entering the data center every week to check. The concept isn't inherently bad.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
And in practice it will eventually mean being unable to do online banking if you're on Linux. My Android phone with a custom ROM doesn't pass even a basic SafetyNet check, and this means I essentially cannot use mobile banking. For now, using a browser on my phone is a "workaround", but this proposal could change that
But that's not a direct value. I'm aware that reducing fraud for banks will potentially (bank behavior makes me doubt this) increase interest rates/decrease fees since they'll have less stolen money. I'm also aware that the current internet is built on free-as-in-beer services due to ads typically covering costs.
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
> a bank website refusing to be accessed unless the entire OS & browser stack pass attestation
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
IT in big banks is usually horrible and their security departments would close you and your family in a cage if it was possible and helped them avoid liability. If attestation exposes let's say your password policy, be sure you'll be required to set it for monthly changes the moment they can do that.
I don't want them to have a say in how I run my devices.
I hope banks like getting phone calls, then. MacOS and Windows normies are going to get caught up in this, and so are all of the laypeople who got pissed at those two and moved to OS's like Linux Mint.
Attestation can have value in a corporate network, ensuring only patched company laptops can connect to certain services, for example.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
One thing from the blink-dev discussion caught my eye:
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
It's funny how they frame laws and regulations designed to prevent companies from abusing people's rights as a "larger societal debate". Yes, the debate is between people who want companies to respect their rights and companies who don't wanna. That's not a debate and framing it as such is just an obvious attempt to narrativize their stance for lobbyists. Also "perfect privacy" is a red herring (binary fallacy or what is it called?) because the compromise between no privacy and perfect privacy doesn't have to be "Google gets to harvest users' data against their wishes".
"Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."
The problematic dude's disdain for humanity aside, the quote serves as a good reminder that the "but the criminals!" argument is often used and rarely justified.
Remember they already added DRM to browsers once. There was a big outcry at the time, and they still went ahead and implemented it. Now even Firefox supports Widevine.
If they believe that it's in their best interest, I'm not really sure what we can do against this...
That's the premise that the RIAA and friends was pushing. There is of course another choice; to stream the movies without DRM. Once Flash was gone, eventually they would have caved in because there is a lot of money to be made by streaming movies.
This was a faustian bargain.
Now that DRM is in the browser, it's going to be pushed further, as with this proposal. It forced Firefox to compromise on their values of open-source in order to stay relevant. Streaming movies are still getting copied the same day.
We know from experience with the gaming and music industry that what protects the publishers is to provide a convenient platform, with reasonable prices. And of course the legal system to take down pirate websites.
And? Making people who can't help themselves from consuming DRM'd content jump trough hoops is much better than integrating this shit into the browser. Eventually media companies might have caved in and accepted DRM-free distribution like the music industry already has.
> Exactly how the rest of the world feels about this is not necessarily relevant, though. Google owns the world's most popular web browser, the world's largest advertising network, the world's biggest search engine, the world's most popular operating system, and some of the world's most popular websites. So really, Google can do whatever it wants.
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
They don't even have to do that. In five or ten years your browser will be bitrotted and unable to read tons of webpages, since you'll be stuck on the version before Firefox completely capitulated and called the users who complained about it "childish bullies."
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
“There is a tension between utility for anti-fraud use cases requiring deterministic verdicts and high coverage, and the risk of websites using this functionality to exclude specific attesters or non-attestable browsers. We look forward to discussion on this topic, and acknowledge the significant value-add even in the case where verdicts are not deterministically available (e.g. holdouts).”
See, don’t worry, they’re thinking about you, holdout.
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
This phrases itself as ensuring news sites can block unpaid users, but also targets the Internet Archive, other webpage archives, possibly Reader modes, and more.
But they told me that Google being the one of the largest advertising companies in the world, had no interest in handicapping ad-blockers. BTW its the same company spreading FUD over AGPL.
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
Google must love Brexit. I guess that in the UK people feel distance from the devs in the US complaining about this. And the company is more comfortable with the legal situation in the UK than in the EU.
I've been thinking about this for a few days but just realized that this is a complete end run around all web scraping in general.
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
What will happen if such a thing actually happens is that the underground market for "trusted device" farms grows, not too different from what's currently already happening but possibly at a far larger scale. Of course, that means the financially motivated scraping services still keep going while the honest individuals wanting user-agent freedom get screwed, just like with many other forms of DRM...
This has been happening already. The market is trying really hard to price out web scraping through scraper detection technologies and it's kinda working - scraping is becoming non-existent in user-space apps. It's also extremely discriminatory. Try running a single scrape with a developing country's IP and Linux, you'll be blocked at TLS step lol
Having your cake and eating it too is a natural goal of every business and honestly it was just a matter of time till web pages figured out they can have the benefits of public data and avoid the costs. Web scraping and botting is basically a solved problem too - just put a login gate for the data which allows you to legally litigate against scrapers and bots. Done. However, nobody wants to lose the benefits of public data so here we are.
> The market is trying really hard to price out web scraping... scraping is becoming non-existent in user-space apps
Uhh... Those two matters are pretty much unrelated to each other. Scraping is becoming non-existing because the era of static web pages has ended. No need to "scrap" when you have a nice, performant JSON REST API provided for you.
SSG vs SSR really has nothing to do with whether an API exists to provide the data you would otherwise need to scrape.
When was the last time you saw a site with a JSON API providing metadata, like the json-ld for a product on an e-commerce site? Or an API just for the open graph data? How would you even discover these APIs for sites that you don't own?
It's also worth noting that very, very few JSON APIs today are actually REST. They rarely include all the context needed, and in general JSON is much less useful than XML when you're talking to other APIs that you don't own since JSON can't easily describe the shape and datatypes of the content.
Yeah, exactly this, and on top of that, it also conveniently for Google makes it impossible or wildly expensive to build an index of the web if most of it is behind this attestation stuff.
the thought of this being used is making me much more strongly consider moving to firefox, there are still things I don't love about it, like many of the extensions I use are still chromium only, but now I really feel like I don't have a choice.
I don't know if anyone's all that interested in a possible explanation that doesn't make Google look like the bad guy, but if so, I wrote about it here:
482 comments
[ 1.6 ms ] story [ 394 ms ] threadBut a possible way to defeat it is what I do now --- keep two devices. One that meets their requirements for cases where it is absolutely needed and another for everything else.
Of course it's dubious if it applies here, especially because the playing field doesn't feel quite equal, but I think the most effective thing we can do is simply refuse to use websites that require a custom built user agent to access.
Heck maybe we've already mostly lost the battle to keep the internet usable with curl, let's at least try to keep some of the other options open.
Rinse repeat.
A lot of that has been happening for a long time now.
And, locally, there have been two ISPs set up (one by me and my friends) that aren't meant for public use, but to supply service to smaller groups. The one I set up was to supply internet service to a remote neighborhood that isn't likely to get reasonable commercial internet in the near or medium future.
Those two ISPs supply internet access, but they also operate an intranet that is mostly decoupled from the public internet.
All baby steps, and nobody is 100% "off the grid", so to speak, but it's a trend that started long ago and seems to be gaining a bit of momentum.
My prediction is that the web will ultimately be just for commercial use (it's already 90% there), and there will be a whole bunch of tiny networks -- that may or may not portal to the internet -- that will fill the needs that the internet is increasingly unable to fill.
edit: I'm studying ways to facilitate decentralized decisionmaking in small permissioned networks.
We're not in a movie. When they close the open internet, there will be no reason for them to open it back up. Everybody's Playstation will still work. Facebook will still work. Twitter will still work, but it will be all blue checks.
In the future they may not even sell general purpose computers to the public that can access the internet. The network will kick them off as unsigned machines. Maybe they won't let anything on the internet that is capable of running illegal or unlicensed encryption.
The open systems will have to be physical places where we go meet each other, and don't bring our phones. Of course, they could make you carry your ID in your phone (for a few years, there'd just be a $100 charge for a physical ID until they eventually just phased them out), or make you carry cash in your phone, so how could you meet up in person if they didn't want you to?
If we're writing stories.
Although in this grim future where all communication is monitored and censored, people like you and I will probably be up in the hills in the rebel camps, and open networking protocols might be low on our list of priorities.
Fun fact: You can no longer do such a project in software on stock Android. They locked down the voice audio API.
…and they will make us use lead free solder.
Some of us called that out as a slippery slope leading to ubiquitous gatekeeping, but we were shouted down in the name of (as usual) "security."
Faced with a choice between a vague future threat that might happen (an adversarial ISP or other MIM attack) and a certain future threat that will happen if we let it (incumbent gatekeepers locking down the Web), I'll take my chances with the former, and opt for less gatekeeping rather than more.
"That is because without Web Integrity, there is no guarantee that the site requested is being delivered as the site intends. For example, a browser extension could remove ads or modify content on the page."
See where this slippery slope is heading? We DO NOT want what "the site intends". We want to be in control of the content we consume.
> Same thing for a lot of sites, probably the vast majority of them.
Once Google gets this in place, it can then perform these checks through their ads SDK and demonetize traffic from visitors that don't pass the check. This will create an incentive for any site owner that wants to make money through ads to enforce that visitors must use an approved browser. Basically the DRM equivalent of 'Please disable your ad blocker'.
The bigger concern for me like you call out - major institutions like banks enforcing a separate company's requirements on me in order to interface with them.
Because of this. If we're at the point where you need to get permisssion and approval to verify that the platform you're using is acceptable, then the gates are up and the free web is no longer free at all.
I guess it has been the case from the good old CGI era? I do remember all those private forums that required me to wait for several days until they can "verify" my identity and "approve" my registration. The control always has been at the hand of platform. The difference is that now attacks are much more sophisticated (GPT-4 powered!), while defense line is left at a pretty miserable state.
It's honestly good for this to get a lot of attention though, I'm happy to see additional commentary on it getting shared.
I'd be curious to know how or if Chrome actually manages the PR around their work. Chrome lead fired off a blog post So you don't like a web proposal which effectively says it's purely a technical decision, and that only constructive technical criticism is regarded at all. https://news.ycombinator.com/item?id=36818409 https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...
But I don't feel like Google has the luxury of letting it's image burn like this. TURTLEDOVE is already a huge semi-sound but immensely scary change, MV3 is a disaster of high order and hasn't responded with anything but a stream of bandaids to challenges like Mozilla's far more capable Background Pages proposals. But I think the reputation damage here is vastly higher, as there's basically nothing being offered here to most users, or, if this spec goes through, ex-Web users. This effort is just an abominable horror show, and at some point, it feels like Google/Chrome have to stop being so blinders-on as to treat this as a merely technical discussion.
The last time these debates went down, where there was an incredibly contentious spec that got shipped, it basically took the Web creator Tim Berners-Lee using his w3c authority to stamp "ship it" on the spec. https://www.techdirt.com/2017/03/01/tim-berners-lee-endorses...
As if something with multiple downstream non-technical effects, is only a technical change
As if you can minimize and dismiss everyone’s fears and concerns as hollow, invalid and irrelevant by waving the magic wand of tis only a wee technical change, to be sure, to be sure
As if everyone’s protests and arguments against can be instantly hosed down, because aye, you guessed it laddie, it’s only a technical change
It’s almost as if the folks at Google think people are so stupid that not only do people not know what they’re talking about, but they’ll actually believe the lie and fall for that deception…
It’s almost as if Google was trying to gaslight the public about this…
If they end up groveling about this, I don’t think “in retrospect, we could have communicated this better” is going to cut it. This is a company the size, scope and sophistication of Google. This is not their first rodeo. They know exactly what they’re doing, and they mean to do it…
This is such a horrific & bastardly case - of creating unparalleld rank awfulness hither-to-fore unimaginable - that I am tempted to agree. And I do think there probably was some cross-pollination on this idea (which I personally would characterize as unlike the vast majority of things happening on the Chrome team).
But I still think there's a very necessary "reel it in" counter-response that has to happen here. It was me who characterized this as "only a technical change". Google is trying to shift how the web works & knows it, with this change, and that's clear, and their explainer indeed rather twists words somewhat to make it sound like it's for the user: but it is also imminently clear they seek to shift of the web works in a wide way, and they're not cloaking that behind anything or as simply technical: they're wrong & immoral & awful, but up front about what they're doing, and they're not presenting it subtly.
I linked Yoav Weiss's post with some disdain (for rebuffing), but I think a lot of these rules hold true in most circumstances, and I think even under duress many should be respected to the degree possible. But reciprocally, I've already advocated (in the HN thread) that sometimes I don't think constructive replies are appropriate or possible. When we are working to define the only open accessible shared hyper medium humanity has, there is a higher degree of engagement necessary, which also has to permit explosively deconstructive argumentation sometimes. That was my main critique: that Yoav is sheltering Chrome unjustly from the minefield of conflict he created (or more generously, let be created).
Also, I don’t think it’s necessary. Google is responsible for whatever its parts are doing; a corporate entity. And people are right to expect that if they get something from Google then it’s caused by Google.
Also, I think it’s wrong and too early to be diluting or shielding Google behind the pedantic hairsplitting that, “oh you see it’s not actually google at fault here, um, it was probably some guy that works in a basement somewhere, you know, his views not reflected by ours and so on…” it’s not necessary to provide them that shield or confusion at this stage.
He may work at google, you may work at Google, I may work at google; we don’t know. And it’s not important. What’s important is that Google is at fault here. (I don’t btw)
Magnitude of the malfeasance is so great they deserve to be held to account for it, and a simple label of Google is sufficient.
Also, Occam’s razor? I think it’s unnecessary to invoke the preposterously exaggerated strawman of some ghastly and convoluted conspiracy here, when their actions directly align with, and can be efficiently implemented by, their business. It’s a simple thesis: Google is at fault and they meant to do it. They know it’s bad and therefore are selling it deceptively.
It’s neither convoluted nor complex in any way. In fact, if they’d tried to engage with this technically in a way that accounted for acknowledged and respected the fears and concerns people raised in response, then I think they would’ve ended up with a solution that is more convoluted, and complex. In this we have the curse of simple evil.
I think it’s drinking the gaslit Kool-Aid to pretend “oh no, it’s an accident, it’s incompetence, they didn’t mean to.” This is directly (if harmfully and unethically) supporting their business interests. They meant to do it. That’s the simplest explanation. That’s Occam’s razor.
Nah dog, you're overcomplicating it. All it requires is a person or two in a management chain to recognize the hint of long term business potential in a technical change. It doesn't have to be a sure thing, or a big thing, the bare minimum is that they just notice a business model that could be enabled, and choose to explore it. Then once the company takes on the initiative, some combination of communication and intuition spread the understanding of what they're doing across some of the buisness. For the wider scale, all the rank and file need to do is play dumb, or be legit unaware, about the obvious incentive they're working towards.
That's not a vast complicated conspiracy. That's every single business' outward-facing messaging strategy.
When parent poster talks about the "size, scope and sophistication of Google," the point doesn't have to be that they're meticulously coordinating. The point can simply be: there's no fucking way they're not playing dumb.
This is my problem with people using Occam's Razor to understand business decisions. They often assume the idea that someone could be employed in business development and spend months championing and refining an idea is a level of complexity that must fail to a more simplistic explanation. But we know that shit happens all the time.
It also sounds like they're promoting yet another way to make "the internet" slower, more bloated, and have greater impediments to usage.
I wish I could agree. The internet isn't in nearly as bad of shape as the web is, that's true. But it doesn't look nearly as healthy as it used to, as more and more services are moving to the web and abandoning the internet.
And for most people in the world, that is "the internet".
But we still have TCP and HTTP. We will rebuild this place.
[0] gemini://hackersphere.space
[1] https://hackersphere.space
And most of the functionality people want out of the web.
It's a neat project, but it's not responsive to the problem at hand. By design. And that's fine. But it remains nonresponsive.
They lost me more than a decade ago when they hoovered clear text passwords from their wifi scanning and blamed it on a single engineer.
I don't see how advertising an open WiFi network is much different from advertising an open house. In both cases you should expect visitors.
You can take advantage of it, but almost everyone is going to feel like it's not right unless they have consent.
An open house would be akin to have an open wifi network labeled "PleaseUseMe".
You make these analogies attempting to equate an advertised open WiFi network to an unlocked home, while ignoring the precedent around both of those things.
It is expected that people connect to your advertised open WiFi network. It is not expected that people wiggle your doorknob to check if it's unlocked or not. If you put a sign on the door advertising, "the door is unlocked!" then I wouldn't be surprised when someone mistakes that for "come in".
While I do remember hearing about Google Maps vehicles connecting to open WiFi networks in the news, I don't recall hearing about private credentials being published. Was that the case? I thought it was just a map of open WiFi networks that was published with basic details such as SSID?
Edit: I found the article (2010, holy cow does time fly). It looks like they did collect payload data for non-encrypted traffic. Even though the data wasn't published in any way, I must agree that they went too far. I would have no issue if they were to simply verify that they could connect and record basic info such as SSID, but collecting payload data from network requests was inappropriate.
A better analogy is:
I leave my door open with a welcome sign out the front.
Two people enter.
One of them picks the pocket of the other.
And then the thief blames the guy who told him about the open door in the first place.
I don't find it particularly troublesome that maps of open WiFi networks exist.
I do not, however, think that it's okay to behave maliciously, or inappropriately on open WiFi networks.
My earlier response to your comment about hoovering plain text passwords didn't properly acknowledge the bad behavior that took place. I concede that you are correct, it was rude and insidious behavior.
It was never the connecting that bothered me, it was the storage of the data encountered.
We didn’t stand a chance.
I might user Firefox personally, but I'll have my company use Chrome.
Other Google products (Maps, Docs, Gmail) are excellently engineered and usually ahead of their competitors in terms of reliability and feature set.
It's not hard to understand why people use Google products despite the occasional moral qualm.
It is:
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
It sure seems like they're silencing opposition.
The "privacy sandbox" stuff is a perfect example of this process.
Yes, they might even intentionally have started with proposal so over-the-top that people who are now protesting may feel that they won when some time afterwards Google presents slightly less creepy second iteration this. And the ones who don't will be cast as radicals who don't want to engage in good-faith discussion while Google seemingly proposes a reasonable compromise. Besides, would anybody please think of the child... err... banks with webpages!
https://en.wikipedia.org/wiki/Halloween_documents
To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.
Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.
What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?
https://android-developers.googleblog.com/2019/09/trust-but-...
Go f yourself, Google. Browser’s purpose is to serve me web pages, not to learn about me.
The only regulatory action we've seen - supported on HN - is to go after their competitors.
Complaining is easy, but apparently even small compromises like these are hard.
Sometimes impossible in my case. Google Drive is always used in any collaborative project; so is Google Colab and Google Meet. And I still have the instinctual drive to reach for Google Translate/Maps, because it's so easy to access (physically and mentally).
Google google google google google...
F google.
I would probably have dropped Firefox back then if it was the only browser that I couldn't watch Netflix in, and I wouldn't be the only one. I don't think Mozilla can bear the loss of userbase.
They now have an interest in limited edition color drops and with their bespoke charactaristic allowing users to select color that best resonates with them.
You and I, as mere mortals, may not know what this means, but rest assured, mozilla does.
youtube, prime video, netflix, banking, github
none of that for firefox users
Like which one?
Try searching for "only chrome".
If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your browser sends all of these events to an aggregation service that allows shop.example to understand (at least in aggregate, assuming you trust the cartel running the aggregation service) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.
[1] https://github.com/patcg-individual-drafts/ipa/
It would be trivial for them to build a Chromebook, or Android phone, or browser that you can't flip into dev mode, but they've never done that, even though many of their competitors in the space regularly lock users out of their devices.
In a world with attestation, you can't browse any website unless you are using Chrome or another attested browser. The New York Times would refuse to serve content to unattested user agents. That is what would make everyone use Chrome.
You forgot one thing – once a copy of the content is server to AT LEAST one attested user agent – what prevents him from sharing his copy with unattested users?
It is easy to see that if something will make getting the content harder – it will immediately find the path of least resistance. This is the reason any new Netflix title is available for free an hour after the premiere. And the harder Netflix will try to fight this - less time will pass before their content is stolen and re-translated for free. Exactly same will happen to New York Times if they refuse to serve - someone would serve a copy instead of them – because there is now demand created for such copy.
This is already covered by the DRM in all major web browsers today. If your software will allow that, it can't get attested.
Or what prevents me from copying NYT article and re-hosting it? What DRM has to do with it?
The attestation uses a secure enclave in your processor with a secret key you can't access to verify that secure boot is on, you booted a signed OS, the OS is in locked-down mode, etc.
>you can't access
Don't you see how contradictory this is?
No secure enclave of registers or hidden secret keys can help, because a person can utilize the lower-level physical world around the processor to manipulate it (e.g sending electrical currents from a programator device manually). But that is a last resort, there are simple software attacks available already to fake as many "attested" devices as needed (for the same DRM system of Android). It will only bring more jeopardy to the "integrity"
And for tech-minded people it doesn't fundamentally change anything, it just means that it now takes more time to do the same than before
I assume it's something like the old Protected Media Path.
For example, if you try to screenshot a Netflix video all you screenshot is a dark-pinkish square, because the video is probably added by the graphics card at the last moment.
Kinda like how Widevine works. No keys means lower quality.
The end game is probably integration with a TPM that produces the token, or at least whatever part of it verifies that the chrome binary is genuine and that there is no forbidden software running on the client machine.
That is exactly the goal of this, and why it needs to be opposed fiercely.
You'll be filling in captchas 10 times a day, getting randomly locked out of your Google account in the name of security, and whatever new feature they add to their services, they'll find an excuse to require the DRM for it.
Then, people will DDOS the attestation endpoints because why not.
Google needs to be broken up, and the other tech giants too. Bring back competition to the market or we'll continue marching towards Blade Runner corporate dystopia.
> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
The problem with Captchas today is that there are a lot of services you can use to bypass them. You send the token to a human, human gives you the solution-token, and you pass that to Google.
I can see why they want to make this more protected. As a user, if this lets me solve captchas less for certain sites, I'm OK with that. Of course, I don't think this API should be used for the entire web, but I definitely understand its use-case.
One key difference to Captchas is that since this new system requires no user input, the "cost" of a website requesting attestation is a lot smaller. So it will probably be used more widely.
Unlike captchas with this you can remove adblockers, greasemonkey/stylus edits, extensions adding download links to your youtube videos, etc, from the picture.
This is the point that company breakups start to make a lot of sense.
When Google can do something that every one of it's users hates and none of us can do anything about it, they perhaps have too much market power.
I don't think this is remotely the case. Quite a few tech-savvy people I know (some of them software developers) use Chrome and mostly don't care about whatever Google does with it. I mention "manifest v3" and get a blank stare. I talk about advertising and ad blockers, and most people don't care, with some of them not even using ad blockers.
We really live in a bubble, here on HN. Most people think of privacy as some abstract thing that they have little control over, and are mostly fine with that. And some are even also fine with government erosion of privacy, in the name of "save the children" style arguments, and of corporate erosion of privacy, in the name of getting free stuff in exchange for their personal information.
It's a sad state of affairs. If most people really did care strongly about these sorts of issues, then I think it would be baffling why we haven't seen more change here -- after all, Firefox is a perfectly viable alternative to Chrome that very few people use. But the lack of change is no surprise: most people don't care.
[1]: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
As for performance... That sounds dubious. Declarative blocking surely will be faster than v2, but what is being blocked by v2, I would imagine, is generally way slower than the difference between v2 and v3. At the end of the day, I don't see the performance of my browser negatively impacted by uBlock Origin, I see it saving CPU, bandwidth, memory, privacy, etc.
I'd be willing to bet that whatever isn't blocked by v3 is sifnificantly slower than whatever supposed slowness there is with v2 (in general).
Multiple bubbles on HN. Obviously, most of us are complicit in some techbro business conventions today that, 30 years ago, would've gotten us shunned by our peers, and reported to the authorities.
(Not that current phenomena weren't foreseen. SF writers had already been all over it. Anecdotally, Internet-savvy techies were often informed by various forward-looking thinking and by world history, and tended to act like stewards rather than exploiters.)
Archive: https://catless.ncl.ac.uk/Risks/
So much of our current hellscape was foretold long ago.
There's even a post on front page right now about Mozilla's position on the very proposal we are discussing: https://news.ycombinator.com/item?id=36857032
If this weren't true, Apple could just start inserting ads into every iphone's Safari window tomorrow, and Youtube could serve the ad in the same stream as the video to defeat adblockers, and they'd make a bunch of extra money with no downside. The fact that they don't do this suggests that Apple and Google understand this: people only tolerate restricted platforms that do a convincing job of pretending to be unrestricted. In practice, this means that step 1 of Google foisting off user-hostile stuff on us is getting Firefox to include it too, which is presumably why they spend so much money on it.
and that's exactly it. putting something in your music library is a hugely more visible and tangible thing than all the nebulous privacy concerns the internet wants me to be afraid of. nobody gives a shit if google or apple or facebook or whoever else introduces some techical measure that could be used for nefarious things. they only care if that api is actually used for nefarious things. as long as the argument is "well if google implements X, then it would potentially allow them to do Y*, that's a failing argument.
like it or not, people actually do trust the big tech companies. as long as they aren't actively abusing that trust in ways that people care about, things like "google wants to know if you're a real person or a bot" aren't going to cause a whole lot of outrage. most people can understand that letting fake people pretend to be real is bad, and that preventing that is probably a good thing.
It's similar to privacy 'dead bodies'[1], where users want to know actual concrete examples. I keep a collection of them in a larger directory of web pages about privacy, about instances where 'nebulous' privacy aspects meet reality and users are impacted and upset by it.
[1] Term used by a law professor in Daniel J. Solove's "I've got nothing to hide" and Other Misunderstandings of Privacy
That was an interesting read, thank you!
May I introduce you to Tobacco?
Yet, noone cares, even on HN.
This is false. Safari supports Manifest V2 and has no plans to deprecate it.
I'd guess that you're confused because Safari lacks support for webRequest BlockingResponse: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
Just slapping another name on it doesn't make the issues go away.
This is not true either. There are many different aspects to Manifest V3, such as restrictions on script execution.
Back in the 90s, much of the web was designed for Internet Explorer exclusively. A bit later, Flash took off. Both of these posed problems for users of niche browsers and operating systems, but from a business standpoint, nobody was complaining.
Yeah, Apple was toast after they did that. Their share price in 2014 when they did that was $24, and immediately afterwards it rose to $33 over the next 12 months. And since then, it's just been one long slow decline to almost $200 a share, as their global mobile market share has gone from the 24% it enjoyed in 2014 to the measly 29% it enjoys today.
Online outrage does not translate to action.
I think this illustrates that people only worry about this kind of thing if it gets shoved into their face.
The privacy thing is OK as long as it’s only used for the good. For example, I think nobody would object against a world where every killer would be caught within an hour to get a fair trial.
However, such a world also would be one where every traffic offense could be fined, and where powers that be could find some dirt on anybody in their email history, presence on on-street cameras, etc. Worse, it would take relatively few people to pull that of.
That’s something I think nobody wants, but it’s abstract until it affects you, so few people worry about it.
Privacy absolution is never what most people signed up for.
Also, “the police” are thousands of humans. That makes it harder to use the police for oppression than if “the police” were a bunch of computers and robots.
If somebody proposed the latter, I think lots of people would object.
Microsoft recommends Edge! Review your choices! 90 days free Apple TV! Upgrade your iCloud to continue backups!
The only one that slightly moved the meter is your documents moving to OneDrive, even that only had an impact because of a data loss bug.
This is not support, this is lack of awareness or apathy.
I don't use Firefox because it's slower than Chrome and because their behavior regarding limiting which extensions are available in phones, requiring signed extensions, Firefox Pocket, ads in new tab page, etc, does not exactly give me confidence that Mozilla truly has my interests in mind. In fact I bet they'll implement the nightmare DRM API once it's done swiftly and without complaint lest their money flow suffer.
If Mozilla ever decides to stop screwing around, clearly position themselves as an ally of the consumer, clearly express support for adblockers and put resources into making the browser faster and better and more customizable instead of whatever makes their CEO richer then I'll switch to Firefox even if it is a bit slower or has some flaws.
In the meantime uBlock works right now in Chrome which makes it usable, so since Chrome is the fastest right now, Chrome it is.
Also, Firefox just passed ahead of Chrome on some JS speed benchmark, so you should get ready to switch back!
Just setup ublock origin to filter annoyances as well, and it actually quite quickens the browsing experience.
PS Chrome is faster because it cheats and takes shortcuts in loading CSS. Check it out, it skips some frames when loading, to show the page faster.
Look, I will absolutely criticize Mozilla for some of its policies. Pretty much every issue you've raised there is spot-on, in fact I'll go a step further and remind everyone that Pocket was kind of supposed to be Open Source by now, and it still isn't.
But it's cutting off your nose to spite your face to use Chrome. Google is less receptive to criticism than Mozilla is, has worse extension APIs and is more restrictive of how extensions get installed, has worse privacy features, allows for no extensions on phones, is more directly tied into an advertising network, and is actively trying to make the web worse.
Use Firefox.
I am not telling you to be complacent or to ignore Mozilla's problems, I am telling you not to lend support to the browser that is actively trying to make the web worse. We're all very happy for you that you're very principled about not just picking the better of two bad options. We're happy that you have those standards. But we're less thrilled about your policy of picking the worst of two bad options. At the very heckin least you're not even going to use a Chromium fork? You're just going to make the worst browser choice you can make for the Open web?
That's true, I was talking about desktop, I probably should have not mentioned the phone extension thing.
In Android I use Bromite (a Chromium fork) which I should probably replace since it's fairly outdated at this point.
But you're wrong about me not using Firefox out of spite, the real reason I don't use it is because it is (or apparently was according to the other replies) slower to the point it is noticeable, at least on my desktop (and even more so on my old phone). The rest is just why I don't support them despite being worse.
Firefox fails because there is no actual industry pressure to build a better browser. you simply can't sell a browser alone anymore: the free offerings have been good enough since the early 2000s.
Safari only needs to be good enough for iOS users to not abandon the platform entirely, and the ecosystem wants to push you into native apps anyway (Apple wants their IAP cut).
Chredge is, well, _there_, but basically just a minimum batteries included that maybe funnels some set of users into other Microsoft offerings, but it isn't the core product.
Chrome is, well, Chrome.
Firefox is comfortably supported by Google funding as an antitrust action shield. there's no real pressure for them to try and beat Chrome in market share because they're explicitly paid to be minority market share, and aren't really going to lose that share because they already have all of the "intentionally don't want to use Chrome" market. Mozilla faffs about making also-ran internet services (idk, whatever the heck that VPN offering was, etc.) because they fundamentally can't lose their main revenue stream so long as Google wants to avoid antitrust action, and have no real pressure to offer a competitive product.
As opposed to chrome, which doesn't allow any extensions on mobile
> requiring signed extensions,
So does chrome
> ads in new tab page
Chrome is made by a company whose main business is selling ads ...
> clearly express support for adblockers
Mozilla has long shown support for ad blockers for example, uBlock origin was the first extension aupported on mobile, Mozilla has no plans to drop the blocking WebRequest API, largely because it is needed for sophisticated ad blockers like uBlock origin, etc.
I don't agree with everything Mozilla has done, but I still think Firefox is better than the alternatives.
When you talk about communications technology adopted at a societal scale, changes in norms and routine have ripple effects. Most certainly one of those is a change in asymmetric power relations by central communications companies, versus the user of their systems who get strictly limited information views of what is happening with their phone calls or emails.
When you have asymmetric power relations with market advantage and secondly literal surveillance at stake, a unilateral change in the service agreement is not a small "oh well" matter.
This single statement "people do not care" does not show all the players, and most especially does not show the players making decisions, the management of the companies making more money or new revenues with new decisions.
The problem is that it isn't.
Do you know why Firefox managed to usurp IE6 in the first place? Because it won the adoption and appeal of tech enthusiasts and professionals. Mom and pop (read: the general population) switched to Firefox from IE6 because their tech nerd kids installed it for them, and the enterprise largely moved off of IE6 dependence because the general population moved off.
But the Firefox today is not the Firefox that defeated IE6. Mozilla steadily eroded and destroyed every single thing tech enthusiasts and professionals loved about Firefox, to the point it practically became just a Chrome ripoff. At that point, why bother? Chrome's right there, the real deal.
Not to mention Mozilla happily takes money from Google with no shame at all so their CEO can get her fat paychecks.
Firefox is not a viable alternative, Firefox is literally controlled opposition to pedantically argue Chrome is not a monopoly. Not even the Intel and AMD x86 duopoly is this blatant.
The original reason Google started the Chrome project was that the stagnation of IE6 was a barrier to implementing the web software they wanted to build. At least that's what they told us.
It seems this particular moment in history has been either forgotten or rewritten, judging from this thread and another one from yesterday.
Firefox got better dev tools and mozilla did random crap for a bit, meanwhile brain-dead devs insisted on continuing to use chrome. When the devs supported it, they started favoring the googlified things.
Honestly it's a terrible browser - we are back to the bad old IE days (almost).
It's a small difference, perhaps, but its "my" browser in a way chrome will never be. Blink sucks.
Also, not a clue what you are on about - I don't have an issue with firefox. Chrome is basically for dealing with google stuff, and for the rest of the web I don't care about them.
Just like I'll have some conversations on WeChat but if I want to talk about Chinese politics maybe I'll do that on another platform.
I don't really see the erosion in the corporate space. The erosion of privacy is happening at the government level. With "forced backdoor" laws and/or just outright forking the internet backbone (ala PRISM). I've never really understood "Corporate erosion of privacy"... It's opposite, Privacy is literally a USP of Apple products. They had to back out changes that hinted at an erosion of that trust with the on-device processing of Photos for cloud-sync. People are more aware than ever.
This quote is from page 2 of the article. It is common for certain HN commenters to remind us that HN is a bubble. True. However, the author of this article is not necessarily in this bubble.
But, honestly, what difference does it make whether HN is a bubble or not. Google is a bubble. The Register, another entity outside the HN bubble, calls Google "The Chocolate Factory".^1 Does it matter that Google is a bubble.
1. Of course it's also common for certain HN commenters to try to broadly dismiss all journalism, on a news aggregator site no less. Maybe there is a pattern here.
Would anyone outside the HN bubble try to discredit the observations about so-called "tech" companies mabe by those inside it. (Besides those with vested interests in so-called "tech" companies.) All evidence I've seen since 2009 points to the contrary.
If a journalist would explain these news to the masses AND the news has a way to reach the masses.
These days these kinds of news do not make it to broadcasted news and most people do not watch the old broadcasted news.
The news currently get people attention from the news feed on Android and Apples phones. Those feeds recommend only the kind of content you usually interact with. No many people gets tech articles. And you can even argue that there is some extra filters on what news get on the feed in first place.
Maybe it's an extension or three I'm running but I just want to use the bloody thing not sit there and figure out what extension is not working nicely (and then potentially find out it's none of them) on one platform but is fine on another.
Every so often I go back and have look to see if it's improvised but it hasn't in the last few years for me.
Setting aside the fact that it's as fast as or faster than Chrome, it doesn't crawl any of my machines with >500 tabs (this has 562 as of now).
If you want to dig into your performance numbers there's "about:performance" to see what is using your processor and RAM.
Three year old Mac btw... everything else runs pretty well... if I get a chance I might fire up Firefox in Parallels and see if it's a Mac issue
Give it a go.
Same for Web Environment Integrity API. Nobody knows what those jargon terms means. That's part of how enshittification works. If everyone knew how badly they were being fucked, this would never work.
If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
What will actually happen? Nobody knows for sure. The most likely outcome is that you will not be able to do banking, watch Twitch streams, etc. on anything other than Chrome, Firefox and Edge, on Windows and macOS. Linux will probably be relegated to the legacy web that does not enforce remote attestation. Alternate browsers like Librewolf, Brave and Mullvad Browser will just disappear as if they never existed. You can not browse Tor on clearnet websites anymore, as if you really could anyways. Etc, etc.
> If it's so bad, why can't we bring a monopoly lawsuit against them over chrome/chromium? This is pretty similar to what Microsoft did, isn't it?
Microsoft of today is doing things blatantly in the open, that Microsoft of 199x would never dream of doing. The difference now is that all of the major computer manufacturers are basically going the same way, just at different rates.
The legal system is not coming to rescue us.
On top of all this, a lot of users don't care, which is a problem itself, but also leads to an even harder time trying to navigate a company breakup. The convenience is too great for them, and it's too easy for the above noted companies (alongside other giants like Walmart) to shift public opinion.
The best time to break up Google was 10 years ago.
The second-best time to break up Google is today.
So get a front row seat and get ready for what is to come in September this year to witness the beginning of the end of a company once adored by hundreds of techies finally getting broken up to pieces.
[0] https://www.cnbc.com/2020/10/20/doj-antitrust-lawsuit-agains...
[1] https://www.cnbc.com/2023/01/24/doj-files-second-antitrust-l...
https://www.spglobal.com/marketintelligence/en/news-insights...
How would this have changed the existence of the Web Integrity API?
A competitive market is way more important than Google.
They aren't great, just another proprietary browser. Every time I've used it has been sub-par. It reminded me a lot of Opera in that it was very opinionated, even if it tried to offer some feature. Apple makes money off of apps, not websites, though, so it makes sense they don't invest much into their browser.
I’d never use it due to lack of uBlock Origin and good dev tools, but it’s hard to argue with the speed and battery efficiency on macOS.
Their hold on these claims are extremely tenuous. No one would be surprised if Firefox, Bing, or iOS resurged and killed Google’s offering, for example.
The only circumstance where I wouldn’t be surprised would involve regulatory action I see as an outside chance.
They're quite happy scrambling for the crumbs as it is.
Google Chrome is "open source".
Android is "open source".
ChromeOS is "open source".
Nevermind the truth being more "open source" with proprietary bits (the bits that matter).
So the opening argument often is; well, someone else can enter the market and do what they do. But that's missing the trees for the forest (and the devil's in the details).
They know that making it so tedious means it will only be used by a handful of hobbyist and nothing more significant.
For example, when Apple makes a user-hostile hardware change, every major Android vendor will copy it in a matter of months[0]. The only thing you can go to after that is niche Chinese phone makers that will cause you a bunch of other pain.
I'm basically completely disconnected from Google at this point. My phone requirements forced me to get a phone without Google Play Services, and I live in a country where Google is not dominant. The only thing that still pops up is YouTube occasionally. (Also it would be nice if I could get my old Google Photos archives exported from Photos, but the export in Takeout keeps erroring! Oh well...)
[0]: Back when I worked at Google, there was a mailing list thread on a big internal engineering mailing list, where somebody point-blank asked "Did we remove the headphone port on the Pixel because Apple did?". The answer from the product team was a whole bunch of wishy-washy word soup, amounting essentially to "Yes".
Did you try different export options? I recently had to do one export and it kept failing but exporting using another option worked. I don't remember which one but it was either email or drive.
1. Unlike EME (the controversial web DRM backed by Google that was standardized somewhat recently), the Web Integrity API requires a third-party service, which involves maintenance costs, as well as development costs to constantly adjust to the arms race against all the hackers who really want to thwart these tests.
2. In a "functioning attestation industry", many attestation servers would compete on price to validate users, making the network efficient and robust. I struggle to see this becoming reality because decent attestation would require very complicated techniques for each supported browser, and there is only 1 company that does both significant browser development and also wants to run an attestation server.
3. In a monopolized attestation industry, Google would be the single point of failure for all DRM-protected media on the internet. Google's down? So is Netflix, Hulu, HBO, etc. because they can no longer validate that their users are running an approved version of Chrome. This also give Google an incredible amount of leverage over other companies, because they can change fees and policies unilaterally and there are no alternative games in town. Companies have an incentive not to put themselves in that position.
If the entire media industry coalesces around Google Chrome as the only supported browser for media on the internet, and bestowed this incredible market power and leverage upon Google, then it could work. I find it hard to believe that this will slip past every significant regulatory body on Earth, and any significant gaps in market control would make the scheme unworkable.
I remember Google+ when they ignored feedback on users hating aspects of it and tried to force it on us using their dominant position and it didn't go very well for them.
Thankfully we have brave, Tor, Arc, Opera, GrapheneOS, calyxOS, LineageOS etc....
If you purchase a pixel phone, and put graphene OS onto it Google loses money.
Want to go to an online banking site? Then we'll need to make sure your computer is unmodified and contains no unapproved software.
Would you rather a capitalist dystopia, where large corporations get to approve everything you see & hear, or a socialist dystopia, where the government gets to determine what you're allowed to view?
[Answer: Neither]
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
And no curl, no yt-dlp or youtube-dl, no alternative YouTube frontends, no scraping the web to build an alternative search engine.
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
Screw that.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
I don't want them to have a say in how I run my devices.
I'm also sure it'll end up with things like "your browser is too up-to-date" or crap like that.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
> Anything we might decide would ultimately be influenced by the larger societal debate around privacy (regulations etc.) since perfect privacy means perfect immunity for criminals.
Ensuring that your devices don't spy on you on behalf of a government or company does not imply "perfect immunity for criminals".
Putting aside attestation for the moment, consider this: Modern enclave driven device encryption (and the self-destructive passcode limitations that often accompany it), for example, could be likened to designing a very good safe that can automatically destroy its contents if it is breached. Do we require governments to have their own keys to all such safes sold?
The problematic dude's disdain for humanity aside, the quote serves as a good reminder that the "but the criminals!" argument is often used and rarely justified.
If they believe that it's in their best interest, I'm not really sure what we can do against this...
The choices were EME, Flash, or no premium VOD on the web.
Actually, it was Silverlight, not Flash. But still a plugin nonetheless.
This was a faustian bargain.
Now that DRM is in the browser, it's going to be pushed further, as with this proposal. It forced Firefox to compromise on their values of open-source in order to stay relevant. Streaming movies are still getting copied the same day.
We know from experience with the gaming and music industry that what protects the publishers is to provide a convenient platform, with reasonable prices. And of course the legal system to take down pirate websites.
On one hand, I think this is wrong, because the world is full of tech companies who thought they could do whatever they want because they're big enough. "Nobody would dare switch away from Facebook! Err, I mean Twitter. No wait, I meant Chrome!" But that's a bet, not a fact. Sometimes it works out, and sometimes everyone leaves and goes somewhere else. You think you have a moat, and you do, it's just you don't always realize it's ankle deep.
On the other hand, Google can do what it wants with Chrome, because it's their product. I use Firefox, and it won't affect me. All the people who don't care about this are free to use Chrome. Likewise, anyone who wants to listen to a man in his forties tell them about why some browsers are better than others can ask me about my thoughts. Nobody has done that yet, but the offer is on the table.
It will affect you a lot if websites start refusing to serve to you because you're not using an approved browser.
Google "will be able to request a token that attests key facts about the environment their client code is running in."
Google "will ultimately decide if they trust the verdict returned from the attester."
"Allow" Google "to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."
I have replaced "web sites" and "web servers" in the original explainer text with "Google" for clarity of intent.
Why would Google want these capabilities in web browsers?
What does Google plan to do with them?
What follow-on actions is Google planning?
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEI APIs will ensure that ad blockers aren't running, that our ads are being seen, and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEI we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
See, don’t worry, they’re thinking about you, holdout.
Also known as "we'll read what the opponents say, and keep trying to poke them with convincing-sounding arguments until they surrender."
"You're trying to access your AWS console, is your laptop patched?"
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
This phrases itself as ensuring news sites can block unpaid users, but also targets the Internet Archive, other webpage archives, possibly Reader modes, and more.
If this proposal gets rejected it'll be because of feedback in the press that is impossible to ignore. My experience watching how Google has handled contentious issues in the past makes me personally feel that Google will not be receptive to concerns about whether this spec should exist. Google and the Chromium team are not willing to hear community feedback about the direction of the web or about what the web should be. They demand that feedback start from a position of assuming the best intentions of the spec, and start from a position of assuming that the spec is basically good and might just have additional concerns to address (https://blog.yoav.ws/posts/web_platform_change_you_do_not_li...).
This has been a longstanding issue with how Google approaches web standards; according to Google there's no such thing as a harmful feature and Google's approach is never wrong; it just might need refining. The refining is the only thing that Google wants to talk about.
There is a predictable arc to this narrative as well. If blowback gets out of control, Google will blame that blowback on misinformation and accuse the community of operating in bad faith or fearmongering. At best, you'll get a few people from the Chromium team saying "we hear you and we need to communicate better." Note the underlying implication behind that statement that the original proposal wasn't bad, it just wasn't communicated well. People just need to do a better job of "getting involved" in the web standards process so that the Chromium team knows to address their concerns. And it just comes down to learning to be kind and "remembering the human" -- ie ignoring the structural damage that the human is capable of causing to the largest and arguably most important Open platform on the planet.
There will never in any situation be an acknowledgement that the direction or intent was wrong; that's just overwhelmingly not how the Chromium team operates on any issue big or small.
It's good for larger sites like Ars to cover this, and it's good for people to share thoughts on social media; the only way that users have a say over this is if the press runs with it and generates a metric ton of bad publicity for Google; and even then it's a toss-up. It comes down to what the company feels like it can ignore or dismiss with a couple of Twitter posts. And this is not just where issues like adblocking are concerned, the Chromium team has been hostile to user feedback even on more minor technical issues for a pretty long while. I was writing about this issue back in 2018 (https://danshumway.com/blog/chrome-autoplay) and it was a trend before that point as well.
It stinks to go into a conversation not assuming good will from all of the parties (and it usually is wrong to do so), but the Chromium team has not earned an assumption of good will, and it's done quite a bit to squander that assumption. It's regrettably kind of a waste of time to try and engage on this stuff, it's better to just criticize on social media and hope that the press runs with it. Because that's the only thing that Google listens to.
Of the FAAMGs my favorite is Google, but this makes me reconsider my position.
* I won't even say relatively unknown, he has 8 followers on GitHub. Simply unknown to the dev community.
Skepticism is a survival skill.
All 'adversarial compatibility' from projects like Nitter, Teddit, Invidious, and youtube-dl go out the window. Any archive site (archive.org, archive.ph, etc.) can be blocked by sites requiring attestation.
And just like the book industry was terrified of piracy and were 'rescued' by Kindle, so too will journalism outlets that can't find a business model flock to Google to save them.
This is going to be rough.
What will happen if such a thing actually happens is that the underground market for "trusted device" farms grows, not too different from what's currently already happening but possibly at a far larger scale. Of course, that means the financially motivated scraping services still keep going while the honest individuals wanting user-agent freedom get screwed, just like with many other forms of DRM...
Uhh... Those two matters are pretty much unrelated to each other. Scraping is becoming non-existing because the era of static web pages has ended. No need to "scrap" when you have a nice, performant JSON REST API provided for you.
When was the last time you saw a site with a JSON API providing metadata, like the json-ld for a product on an e-commerce site? Or an API just for the open graph data? How would you even discover these APIs for sites that you don't own?
It's also worth noting that very, very few JSON APIs today are actually REST. They rarely include all the context needed, and in general JSON is much less useful than XML when you're talking to other APIs that you don't own since JSON can't easily describe the shape and datatypes of the content.
There are no performant json rest APIs provided these days though. The days of public APIs are long gone.
In practice, if there is a mobile app, there is an API. Whether it's creators object to your usage is mostly their own problem.
https://tildes.net/~comp/18h8/web_environment_integrity_a_go...