Google is already pushing WEI into Chromium (github.com/chromium)
1376 points by topshelf on July 26, 2023 | 839 comments



fwiw I found Vivaldi's overview a good primer on the situation.

https://vivaldi.com/blog/googles-new-dangerous-web-environme...


Thanks. Let's discuss that article here: https://news.ycombinator.com/item?id=36875940.


why have you shadow banned my account?


We didn't shadowban it. We told you we were banning it and why: https://news.ycombinator.com/item?id=36134639.


Interesting and it made me try out Vivaldi. Ten minutes later I had lost trust in their claim of privacy.

It uses Microsoft Edge while installing to open links - like the link to their privacy policy - while the OS is set to use Firefox (and every other app uses this). Then I found out that it has zero containerization features at all. Don't want Google cookies from one tab read in another tab? Use a new Private Window. No thanks. Uninstall, and then it used Edge to open a page asking why...


Sounds interesting


As pointed out, EU law may prohibit this ... even if they are slow to act.

There is another possibility; EU countries may decide that this amounts to tacit admission by Google that the revenue generating event in ad sales happens on the browser, and ad revenue is therefore always taxable in the country where the browser (and viewer) are located. No more laundering international revenue through tax havens.

And since Google just demonstrated such an effective verification mechanism ... well they can just repurpose it to track all such taxable revenue for the countries in question ... otherwise they might be deemed a criminal enterprise and have to be blocked nation-wide.

No need to block the useful parts, just the illegal tax-evading ad empire.

... and countries can move fast when there is a lot of money to be had ...


Mozilla should call for Google's removal from the W3C over this implementation of Web Environment Integrity. "But Chrome has 65% market share, what good is the W3C without them?" If Google can take unilateral action to fundamentally change the basic principles of the web, then the W3C is already useless. This will give Google a clear choice: if they want to maintain the idea that the W3C matters, they should withdraw this implementation.

It is unbelievable that over the course of 3 days, the potential future of the web has been put in such dire straits. There's already an existing, far less troubling (while still bad), proposal in the form of Private Access Tokens going through a standards committee that Google chose to ignore. They presented this proposal in the shadiest way possible through a personal GitHub account. They immediately shut down outside contribution and comments. And despite the blowback they are already shoving a full implementation into Chromium.

What we need is real action, and this is the role Mozilla has always presented itself as serving. A "true" disinterested defender of the ideals of the web. Now is the time to prove it. Simply opposing this proposal isn't enough. This is about as clear and basic an attack on what fundamentally differentiates the web from every walled garden as possible. If someone drafted a proposal to the W3C that stated that only existing browsers should be allowed to render web pages, the correct response would not be to "take the stance that you oppose that proposal," it would be to seriously question whether the submitting party should even participate in the group. Make no mistake, that is what is happening now.


> If Google can take unilateral action to fundamentally change the basic principles of the web, then the W3C is already useless. This will give Google a clear choice: if they want to maintain the idea that the W3C matters, they should withdraw this implementation.

It's pretty generally accepted that the correct way to do web standardization is for proponents of some new thing to implement that thing and deploy it and then once it has been shown to actually work bring a spec to the standards folks for standardization.

That usually works fairly well, although sometimes if that first pre-standard implementation does too well the original implementor may have trouble replacing theirs with something that follows whatever standard is eventually approved, because there are often significant changes made during the standardization process.

An example of that would be CSS grid layout. That was a Microsoft addition to IE 10, behind a vendor prefix of -ms-. Nearly everyone else liked it and it was standardized but with enough differences from Microsoft's original that you couldn't just remove the -ms- prefixes from your CSS and have it work great with the now standard CSS grid.

It was 4.5 years between the time Microsoft first deployed it in IE 10 and it appearing in other browsers by default (Chrome had it within a year of Microsoft, and Firefox had it about two years after that, but both as an experimental feature the user had to specifically enable). In that 4.5 years enough sites that only cared about IE were using the -ms- form that Microsoft ended up stuck with that on IE 10 and 11 instead of the standard.


Basically, the ask for forgiveness approach. It's common in large, dysfunctional organizations as well. Sometimes the easiest way to get attention is to break things. Then once enough pain is felt, everyone starts taking interest. Trying to follow a proper change control based process only works when everyone is invested in the process.


No, this is just "doing your own thing in a way that doesn't affect anyone else, and allows you to gather data to cite when designing the standard."


In the browsers anything that's not behind a flag is immediately relied on by people.

So no, you shouldn't ask for forgiveness and pretend that you're just gathering data.

That's why what Google is routinely doing now (releasing APIs after a very short period in origin trial and without ever reaching consensus) is so dangerous.


It does affect everyone else when it starts breaking compatibility.


> It's pretty generally accepted that the correct way to do web standardization is for proponents of some new thing to implement that thing and deploy it and then once it has been shown to actually work bring a spec to the standards folks for standardization.

- Behind dev flags

- And then wait for consensus

- And then there have to be at least two independent implementations

And only then does this become a standard.

Chrome doesn't care. They create a semblance of the spec, create a semblance of a discussion, and then enable its APIs in Chrome. And then pretend it's a standard.


How is a company that runs a public website supposed to A/B-test marginal attach rates for a feature hidden behind a dev flag?


A feature behind a flag in a browser isn't for the public web sites. It's for devs (web devs and browser devs) to figure out if the feature works, if an API is ergonomic, the various edge cases etc.


This links to the chromium repo where it is behind a dev flag.


They do origin trials (behind flags) for all new features. They still release a bunch of them later without any consensus etc.


Sure, but not all (or even most) chrome features are web standards, so it makes sense that those are deployed without consensus, because there isn't anyone to get consensus with.


https://news.ycombinator.com/item?id=36884155

And this particular feature? They want to pretend it's a standard. You don't create a spec proposal for a feature you don't just develop internally.


Yes and the standard development process starts by designing a spec proposal and testing it! That's the first step. If the proposal ends up not being implemented, the implementation may be removed, but you still need the implementation to write the spec, that's more or less how WHATWG works.

All of the following are true statements:

- Not all chrome flags are related to spec proposals
- Not all spec proposals are related to chrome flags
- Not all chrome-led proposals are finalized
- At least one browser must implement and test the proposal before the proposal can really be considered, and multiple other browsers must implement it before it can be accepted.

You seem to be taking things that are factual, normal, everyday, aspects of the WHATWG working process and trying to imply that chrome is doing something unusual, or untoward with its process here, but it isn't. It's doing what is necessary to make a proposal with WHATWG: have a trial.


> You seem to be taking things that are factual, normal, everyday, aspects of the WHATWG working process and trying to imply that chrome is doing something unusual, or untoward with its process here, but it isn't. It's doing what is necessary to make a proposal with WHATWG: have a trial.

And yet, we've seen many such proposals go through this process because Chrome is paying lip service to it. Whatever Google wants it ships. And Google wants this.

As an adjacent (ads- and tracking-related) example: Google's FLoC flopped, hard. So they immediately shipped the replacement Topics API [1] despite there being no consensus. E.g. Firefox is against [2] (but Chrome presents Firefox's position as "No signal" in the feature status). And despite the fact that its status is literally "individual proposal, not accepted" [3]

Do not assume any good intent on Google's part when it comes to Google's business interests. Their intent is always malicious until proven otherwise. And there have been fewer and fewer cases when they have been proven otherwise.

[1] https://chromestatus.com/feature/5680923054964736

[2] https://github.com/mozilla/standards-positions/issues/622

[3] https://github.com/patcg-individual-drafts/topics


I don't follow, is the issue that Google is lying about trying to standardize something (what you claimed before, and which clearly isn't true), or that they're implementing things that aren't standardized[1] and which you dislike (true, but, like, fine. You can use other browsers)?

If chrome implements WEI and it isn't standardized, you're not going to be knocked off the internet if you use firefox. That's extremely silly.

[1]: Keep in mind that things that aren't standardized include third party cookie behavior, so the behavior that FF and Safari have, that you support, isn't standardized either. If you're fully against browsers implementing nonstandard apis or features, you can't be in support of third party cookie sandboxing at all.


It's far, far too late for this. The W3C is already irrelevant, not that it ever mattered much.

The internet is made by big companies. Not standards bodies. The WHATWG has the actual living standards, and Google, Apple, Cloudflare and Amazon make the actual software. Nobody cares about the W3C. And Mozilla is long past dead.


> And Mozilla is long past dead.

Mozilla is far from healthy but calling it dead is overstating things.


Mozilla is on life support. Not quite dead. Perhaps in a coma.


>85% funded by Google Search revenue share. Wheelchaired around unconscious.


Mozilla is dead as a doornail. Google succeeded where Microsoft did not, they essentially control the entire web now.


> Google succeeded where Microsoft did not

Microsoft wasn't trying to control the web; they were trying to hobble it so that everyone kept on developing for win32. In retrospect, not a great strategy, but many companies try to kick the can down the road, and it often works, so I can't fault them too much.


Of course large companies are always a bit schizophrenic with different departments moving in different directions, but I think fundamentally 1995-2000's Microsoft was trying to improve the web, and get people to use it. Just as Google does now they tried to blur the line between desktop and web, just that where Google is trying to move all desktop functionality to the web interface, Microsoft was trying to make all web functionality accessible in a desktop interface.

Explorer and Internet Explorer were deeply married, with the ability to set web pages as desktop background, the Explorer of Windows 98 having a "sidebar" that was an HTML page, the ubiquitous help format being compressed HTML pages with index and search, ActiveX giving webpages desktop-application-like powers, JScript being a powerful javascript-compatible automation language for Windows. Windows was full of web technologies in the dot-com era, many bringing web and desktop closer together. This stopped and reversed course in the early 2000s. You could now say that's classic embrace-extend-extinguish, but the collapse of the dot-com bubble explains the sudden lack of investment and increasing distance between desktop and web just as well.


Eh-- I think that 2-3 years of breathing room they bought-- and killing Netscape's "the browser is the operating system" dreams-- was probably worthwhile from their point of view.


San Francisco salaries and the removal of Brendan Eich is what happened to Mozilla not Google and Microsoft.


They get paid half a billion a year from Google, so thanks to Google things are like this. There's no incentive whatsoever to beat who pays them.


There's an active incentive NOT to disrupt that relationship.


Firefox's market share was in freefall long before Brendan Eich left.


Yep, Firefox should have allowed styling their scrollbars. Nobody wants those ugly ass scrollbars in their apps.


Less than 5% of global usage [1], and no presence whatsoever on mobile. Pretty much dead.

[1]: https://radar.cloudflare.com/adoption-and-usage And CF stats don't depend on JavaScript.


4% of global browser usage can be described in many ways (defeated, miserable, collapse compared to the past etc) but it definitely is not dead and is one of few developed browsers.


For many years what is now macOS hovered around 3% usage.

The phoenix can rise.

The frozen chicken can not.

Still breathing makes a huge difference.


Maybe if they replaced top Mozilla leadership. Apple had to reinvent itself back into relevance. Mozilla refuses to, and just keeps stagnating in a cesspool of rot and nostalgia. They're less a browser maker these days and more an ineffective think tank. I think Google keeps them around just as a "useful fool" so they can look less like a monopoly...

Probably better for a different org with different leadership to start over. I wouldn't count on Mozilla to miraculously reinvent itself.


There's no plan, no growth, they don't have a mobile OS, and users will use whatever browser (aka, "the internet") comes with their device. On Windows, Edge is being heavily "promoted". Most of the technical people I know gave up, unfortunately.


Corporate + institutional mass installs on Windows and Linux — e.g. university computer labs — are still mostly Firefox. It's easier to lock down something that's not part of the OS; and it's easier to create a local-network roaming-user-profile experience that's seamless between the machines that must run Windows (regular labs) and the machines that must run Linux (CompSci labs.)


If we're arguing about whether 4% global usage constitutes dead, then yes, it's truly dead and Mozilla is completely irrelevant. Even Microsoft is more important these days (again).


The difference between 0% and 5% is that at 0%, if you want an alternative, you have to write it yourself, but at 5%, the alternative exists. Mozilla is not dead.

If you don’t like what Google is doing, don’t pretend that Firefox does not exist. Do something instead. File bug reports, send patches, donate to those who are working on Firefox and countering Google.


Frankly I trust Mozilla's governance even less than Google's. They took an amazing product (Phoenix) and mismanaged it into irrelevance.

If there were a good browser run by a different nonprofit org, I would support that.


Even if you don't trust Mozilla, they cannot do what Google is already doing. Mozilla doesn't have nearly enough market power to force something like WEI down our throats.


>If we're arguing about whether 4% global usage constitutes dead, then yes, it's truly dead and Mozilla is completely irrelevant. Even Microsoft is more important these days (again).

According to these folks[0], Firefox has a 3.29% market share globally. They also claim there are 4.66 billion browser users globally.

If those numbers are correct, Firefox has a bit more than 150,000,000 users worldwide.

If my software had 150,000,000 users, I'd consider that wildly successful.

Other folks have different ideas/takes on that, I suppose. But it's food for thought nonetheless.

[0] https://backlinko.com/browser-market-share#worldwide-browser...

Edit: Fixed prose.


> If we're arguing about whether 4% global usage constitutes dead, then yes, it's truly dead

I am posting from maintained Mozilla Firefox.

That would be impossible if FF would be dead.


Linux market share on the desktop was 3.08% in June (source:0). I don't see it dying anytime soon because of that. Firefox isn't pushed by Google, hence the much smaller adoption; it's not about quality but rather which one is being advertised the most.

0: https://gs.statcounter.com/os-market-share/desktop/worldwide


I'm writing this on firefox for android. It has 100M+ downloads on the play store.


Pretty sure download statistics don’t reflect usage. And are we even sure those are unique downloads?

At any rate, 100M downloads across the lifetime of the app isn’t much to write home about when considering the billions (plural) that use Google products. Furthermore, there’s an entire class of people that think Chrome IS the internet. It’s wildly more common than the average HN would think.


So does Opera...


It's only alive in the same sense that a zombie is... constantly moaning and groaning while begging for brains, shambling aimlessly along waiting to be put out of its misery


> And Mozilla is long past dead.

I have been using Netscape/Mozilla, in terms of heritage, ideology, and codebase, for almost a third of a century now.

I was there 30 years ago using NCSA Mosaic when it was first released for the VMS Vax system. The only break of any kind I had was with Opera as a secondary browser in the few short years between Netscape 4 and Phoenix (original Firefox). And I was still using Netscape 6, just not exclusively.

They can tear Mozilla (or any one of its forked variants) out of my cold, dead hands.


i wonder about a fork of chromium by a team of browser developers, including brave, vivaldi and even mozilla. maybe it could be called mozillium


> The W3C is already irrelevant, not that it ever mattered much.

This sounds myopic, or what do you mean? W3C is not only about HTML and CSS innovation, but is responsible for and/or involved in a diverse set of relevant standards — many of which "big companies" don't show as much interest in contributing to.

https://en.m.wikipedia.org/wiki/World_Wide_Web_Consortium#St...


How many of those are actually relevant?

The DOM is largely abstracted over by JS frameworks and component libraries.

XML, XPath, XHTML, SOAP, etc gave way to haphazard JSON that's easier to use.

JSON-LD is a tiny niche and mostly unknown.

SVG is used only trivially as a PNG replacement or for vector graphics interchange, while Canvas is more common whenever performance matters.

Aria is mostly an afterthought, put in at the last minute with alt tags and roles on random elements.

Maybe MathML is still used on Wikipedia?

Can't comment on the other ones I've never heard of, but the web ones all seem either dead or niche.

I think this illustrates what I meant by irrelevance. It's not that they make bad standards or have bad ideas, it's just that companies have always preferred their own implementations of these ideas rather than some standard. Over the last two decades, the W3C has been at times a strong suggestion, at times a weak consideration, but never an actual standard. It was always the big tech companies making the actual standards. We were lucky when a W3C spec actually reflected real world implementations.

And this isn't just my opinion... the WHATWG was created specifically to bypass the W3C on purpose.


WHATWG (meaning, the browser vendors) are the de facto actual decision-makers of web standards. They tolerate the W3C existing because it's less hassle than causing a big fuss by getting rid of it, but make no mistake: the W3C is a powerless figurehead organization.


Browsers don't really track W3C standards, they track WHATWG standards. W3C has been an effectively dead organization for the last 15 years.


> The internet is made by big companies. Not standards bodies.

Yes. However said companies may want to avoid too much scrutiny from governments.

As long as they can pretend the web is an open standard, they are good. If Google were to leave the w3c, it would expose them to antitrust laws and so on.


It didn't happen when Apple did it with Safari (and you all were quiet as a mouse as well, with HN actively defending Apple Safari monopoly with this feature enabled)... so why would NOW be any different?


Apple don't have enough web properties to force this sort of change.

Google can turn around tomorrow and say that no browser without WEI can access GMail, GMaps, GSheets, Photos etc; people will have to comply, effectively killing any browser that does not support the feature.

This is the problem with the Chromium monoculture. "We", as generic IT people and developers on HN, definitely have a responsibility for not deprecating this monoculture earlier. If you use Brave, you're guilty; if you use Ungoogled Chromium, you're guilty; if you use Safari, you're guilty. It's high time people start taking responsibility.


How are Safari users part of the Chromium monoculture problem?


They support another monopolistic player that would do exactly the same thing.

... oh wait, they already did. They force a monoculture on all the platforms they can get away with, and even shipped this WEI crap already.


It's part of the KHTML monoculture that has been harming our industry and holding us back from real progress.


If you want a browser engine it's either one of the KHTML descendants or Firefox. The problem is, both are ridiculously complex, only one family has the backing of three multi-billion dollar giants, and the other infamously suffers from "progressive disease" aka complete unwillingness to move fast and instead preferring to engineer the "perfect" solution.

That even Microsoft couldn't manage to keep up with progress only shows how utterly impossible it would be to kickstart a browser engine.

(The fact that Mozilla as an organization is embedded in constant infighting and utter incompetence doesn't help either)


That's kind of a stretch.


It's kinda hyperbole, to demonstrate how taut of a claim "Chrome monoculture" is.

We had a shot at open browser engine development with limited scope. Everyone said no, not just Chrome. Mozilla and Apple both have blood on their hands too, if we want to be reductive.


And everyone that ships an Electron app as well.


Sigh, no.

We would’ve gotten Electron any other way if it wasn’t Chromium, it’s the only endgame for UI given how native layers shat the bed.

Mozilla also no longer even supports embedding. ;P


Speaking as someone that has been doing native and Web for 30 years, it is the only game for developers that couldn't care, and in the process help Chrome to widen its market share and influence.


I've been doing this for 20, which is enough to say: rattling off years of experience isn't going to win me over on this point.

> it is the only game for developers that couldn't care

Yeah, dude. Most devs literally do not care, they just want to write and ship stuff. The native stack(s) are not cohesive enough and the numbers do not lie; devs do not want to rewrite the UI n times.

Signed, someone who also does native and web UI dev. ;P


Then don't complain about Chrome taking over the Web.


Google can also decide at any time to put those web properties behind forced logins, or paywalls or just shutter them altogether. If Google doesn't want them to be part of the open web they won't be, regardless of whether this particular set of things is implemented or not. If we're all dependent on them enough that that's a problem for us, then that dependency is the problem.


> If Google doesn't want [Gmail etc] to be part of the open web they won't be

The point is not that Google cares about those sites - they don't. Those services are leverage that they use to control web standards, in order to enable their real cash-cow: AdSense. They will use their web properties to shove down our throats anything that makes AdSense more profitable, from the anti-adblock measures in Chrome to this one.

> If we're all dependent on them enough that that's a problem for us, then that dependency is the problem

I don't disagree - and I use Firefox, keep my important mail outside of Gmail, etc etc. But I recognize that many, many people don't, so the technologically literate out there have an ethical responsibility to push back against corruption of the open web.


If they do that then other browsers will appear.


I am not HN, you'll find no comment of mine defending that (despite, for the record, Apple's system being less bad than this one, while still bad).

NOW would be different because, again, this system is worse than Apple's, and because Chrome has a larger influence on the web than Safari (on Desktop, on mobile it's a foregone conclusion since you're not allowed a different engine other than Safari anyways, so the real fight there is allowing third party engines).

Does this answer your concerns? I can't tell if you are defending Apple and Google, or are against both but are using this what-about-ist accusation as a way to vent general frustration.


> for the record, Apple's system being less bad than this one, while still bad

Apple's just more subtle than Google.


> and you all were quiet as a mouse as well, with HN actively defending Apple Safari monopoly with this feature enabled

Citation? To be sure, there was not universal outrage over Safari's attestation implementation, but out of curiosity I looked up the only thread I was aware of, in part because I couldn't remember what my reaction was at the time. That thread was a year ago and the overwhelming sentiment of the comments section is critical: https://news.ycombinator.com/item?id=31751203

Here were my comments at the time:

- https://news.ycombinator.com/item?id=31752980

- https://news.ycombinator.com/item?id=31753257

- https://news.ycombinator.com/item?id=31752431

They're less forceful than they are now with Google, partially because I know more now about how attestation works than I did over a year ago, and partially because (as some people have also pointed out) Chrome's implementation is straightforwardly more dangerous than Apple's is.

But HN "actively defending" Safari? That's not the impression I get from the overall comment section and it's definitely not what I personally was doing. There are a lot of people in these comments calling Apple's implementation DRM. So I'm a little skeptical of the "nobody on HN cared about this with Safari" narrative that has sprung up; from what I can see media coverage was fairly positive, but people on HN were rightly critical. I'm not sure the facts match the narrative: Safari was criticized for this.

It's a fair critique that there wasn't a coordinated attempt to outright stop Apple, but I would once again remind everyone that attestation in Chrome is way more dangerous than attestation in iOS. The market matters, that's not context that can be ignored. So it's not really all that weird to me that people are more willing to react more strongly to abusive behavior in Chrome.


I think the main difference is that Apple already controlled what operating systems can run Safari via other mediums. Adding this to Safari effectively changes nothing regarding the web ecosystem on Apple devices.


There is no chance Mozilla does anything that actually matters here. They may do some virtue signaling and put out a statement about how they support the open web but nothing more.


Quite frankly, the W3C stopped having any say on the matter when the WHATWG supplanted the XHTML standard with the HTML5 committee.

They had enough weight at the time to say "The Web is XHTML2, you can make your own internet if you want" compared to what they can bargain for these days.

Maybe at the time it was a somewhat reasonable decision to abdicate their responsibility over to big internet companies, but that's what brought us to the current state where we're basically going back to original version of The Microsoft Network[1].

[1] http://www.codersnotes.com/notes/the-microsoft-network/


> It is unbelievable that over the course of 3 days, the potential future of the web has been put in such dire straits.

"Move fast and break things." How many here used to cheer this approach?


I. And still do.


I'd like to think that if I were this type of assdouche I'd at least have the decency to be ashamed of it.


When Google announced the EME DRM in the semi-public W3C HTML working group, it created a massive backlash. So W3C moved the EME spec under a new, closed, invite-only working group, and then announced that there is a consensus among everyone (there), and it can move forward to become a recommendation. They didn't even fix known bugs in the spec written by Google (e.g. architecture diagram in the EME spec is factually incorrect).

So I don't think this rubber-stamping W3C will do anything. They have no power over Google, and they know it.


Good luck getting anything from Mozilla, Google is their largest source of revenue by far. Over half.


Mozilla publicly opposes Google's actions all the time, especially when it comes to web specifications. One time they publicly endorsed an ad blocker intended to DoS google's ad servers with nonsense data, an extension that the Chrome Web Store considered to be malware.


Mozilla doing something instead of just talking? Doubtful


Don't just comment and complain, contact your antitrust authority today:

US:

- https://www.ftc.gov/enforcement/report-antitrust-violation

- antitrust@ftc.gov

EU:

- https://competition-policy.ec.europa.eu/antitrust/contact_en

- comp-greffe-antitrust@ec.europa.eu

UK:

- https://www.gov.uk/guidance/tell-the-cma-about-a-competition...

- general.enquiries@cma.gov.uk

India:

- https://www.cci.gov.in/antitrust/

- https://www.cci.gov.in/filing/atd


Thank you so much for your call to action; just emailed antitrust@ftc.gov.

For any experiencing barriers for writing the email, my method is below; Bing Chat generated an excellent email that only needed a bit of editing.

1. Open https://vivaldi.com/blog/googles-new-dangerous-web-environme... page in (ugh) Edge.

2. Open Bing Chat sidebar (top right corner); it auto-summarizes the article.

3. My prompt: Using the that webpage summary, please write a letter reporting Alphabet for antitrust violation. Please include the following [this language is from the ftc.gov site]:

Q: What companies or organizations are engaging in conduct you believe violates the antitrust laws? A: Alphabet

Q: Why do you believe this conduct may have harmed competition in violation of the antitrust laws? A: [use the article]

Q: What is your role in the situation? A: I'm a user of the Firefox browser

[edit: line breaks for readability]


Thanks, just emailed the FTC. It was a bit cathartic and now I don't have to be angry about this for the rest of the day, I'd encourage everyone else to do the same.



I think https://competition-policy.ec.europa.eu/antitrust/procedures... would be better for contacting EU antitrust.

Here you can specifically create new antitrust complaints.


I admire your optimism. Don't know about the others, but I'll be surprised if UK one would lift a finger. They are beyond useless.


I'm not extremely optimistic either but at least in the US Lina Khan is already on the right track with antitrust and the FTC already has two antitrust cases against Google in process. However, it's still an uphill battle because antitrust enforcement was either asleep at the wheel (or corrupted, depending on your perspective), which is partially why Google is in such a dominant position to begin with.

IANAL, the EU is also on the right track with antitrust but unfortunately seems very weak in terms of penalties and enforcement.

At this point, anything we can do to slow them down in any jurisdiction is a win. Even if antitrust enforcement is weak, making Google at least have to defend this in a pro-forma way I think helps.


A customizable form letter would be nice to have, if anyone wants to jump on that. I'm not a great writer in that respect.


This is what I sent, feel free to use and customize:

    I would like to bring your attention to Google’s recent proposal to add a feature to its Chrome (Chromium family) of browsers called Web Environment Integrity. This provides a mechanism to reinforce Google’s already dominant browser market position by creating a technological control that can be used to nullify a user’s choice of browser, device and operating system. This technology also has the potential for abuse by preventing users from using browser extensions that can enhance security by blocking unwanted and potentially malicious content, as well as browser extensions that help vulnerable users with enhanced accessibility needs, such as color blindness and visual impairment.

    Google’s dominant, near-monopoly position in the browser market already harms me as a consumer by reducing browser choices and preventing a competitive market for developing new browsers. Allowing Google to include this feature will reduce my browser choices and consolidate the browser market even further, and it is incumbent on [INSERT AUTHORITY HERE] to take action against this abusive behavior.


Should I submit my complaint right away or only after this disease starts spreading out without control? I'm in the EU.


My email:

Google has proposed a new Web Environment Integrity standard, outlined here: https://github.com/RupertBenWiser/Web-Environment-Integrity/....

This standard would allow Google applications to block users who are not using Google products like Chrome or Android, and encourages other web developers to do the same, with the goal of eliminating ad blockers and competing web browsers.

Google has already begun implementing this in their browser here: https://github.com/chromium/chromium/commit/6f47a22906b28994....

Basic facts:

1. Google is a developer of popular websites such as google.com and youtube.com (currently the two most popular websites in the world according to SimilarWeb)

2. Google is the developer of the most popular browser in the world, Chrome, with around 65% of market share. Most other popular browsers are based on Chromium, also developed primarily by Google.

3. Google is the developer of the most popular mobile operating system in the world, Android, with around 70% of market share.

Currently, Google's websites can be viewed on any web-standards-compliant browser on a device made by any manufacturer. This WEI proposal would allow Google websites to reject users that are not running a Google-approved browser on a Google-approved device. For example, Google could require that Youtube or Google Search can only be viewed using an official Android app or the Chrome browser, thereby noncompetitively locking consumers into using Google products while providing no benefit to those consumers.

Google is also primarily an ad company, with the majority of its revenue coming from ads. Google's business model is challenged by browsers that do not show ads the way Google intends. This proposal would encourage any web developer using Google's ad services to reject users that are not running a verified Google-approved version of Chrome, to ensure ads are viewed the way the advertiser wishes. This is not a hypothetical hidden agenda, it is explicitly stated in the proposal:

"Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins."

The proposed solution here is to allow web developers to reject any user that cannot prove they have viewed Google-served ads with their own human eyes.

It is essential to combat this proposal now, while it is still in an early stage. Once this is rolled out into Chrome and deployed around the world, it will be extremely difficult to rollback. It may be impossible to prevent this proposal if Google is allowed to continue owning the entire stack of website, browser, operating system, and hardware.

Thank you for your consideration of this important issue.



Great suggestion, I did so just now.


This proposal is just so thoroughly user-hostile that it's impossible to criticise it based on technical grounds. It's not a bad proposal, it's a dangerous, evil and malicious one, so criticising it in details is futile. The whole thing in itself is evil, and it needs to be thrown out. Quietly protesting won't work this time, the goal is to kick up a huge fuss which gets the attention of governments, regulatory bodies and start antitrust proceedings.

Excuse my French but Google can fuck off with their censorship and "reminder to be civil". They have truly gone mask off, with the Code of Conducts not reinforcing good practice and a welcoming environment, but just a tool used to suppress dissent.

I've switched to Firefox and I'd recommend everyone else to do so.


Agreed - if anyone else is curious to see Google's "side" (motivations, technical or otherwise), here's the explainer:

https://github.com/RupertBenWiser/Web-Environment-Integrity/...

It's nakedly user-hostile. A blatant attempt to invert the "user agent" relationship such that the agent works for the advertiser/corporation/government to spy on the human behind the screen. The way the intro paragraph tries to disguise this as something users need or want is frankly disgusting:

> Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet, critical for the safety of user data and for the sustainability of the website’s business.

Ugh. Here's a fixed, honest version:

Corporations like Google often depend on advertisers knowing as much as possible about their users. Their revenue may depend on fingerprinting the client environment, tracking their behavior and history, and attesting that a human with sufficient disposable income is behind the keyboard. This personal data mining is the backbone of Google's business model, critical for their continued dominance of the web and for the sustainability of their enormous margins.


> This proposal is just so thoroughly user-hostile that it's impossible to criticise it based on technical grounds. It's not a bad proposal, it's a dangerous, evil and malicious one, so criticising it in details is futile.

I can't agree more strongly. I sat down to write a letter to the FTC, and I can't even articulate my objections because after reading this spec my only response is encompassed in "WTF is this shit?". I've worked in my past with members of the Chromium team and I've generally found them competent and well-meaning, and I can't see any amount of well-meaning (and some lack of competence) in this spec proposal. This feels like a shift in the behavior for Google far beyond their existing slow drive to consume everything, to something far more draconian and direct.


> The whole thing in itself is evil, and it needs to be thrown out.

Not only the proposal, but Google itself. Google desperately needs to be broken up.


As someone that isn't up-to-date on WEI, can someone provide a TLDR of what it does and why it's bad?



TL;DR: It is DRM for the web where Google (or others) can only allow specific OS/Browser combination to access a website.

If you want to know more, others have written novels in these comments.


How is this feature hostile to Google's users? There is genuine benefit from websites allowing you to do more things via their website (vs their app). Also: fewer/no Captchas, fewer bots on social media

The platforms most people use will see benefits. Apple users apparently already do.

I understand the argument that the open source experience will get worse. But frankly, google.com will still work for you. It will be other websites that make your experience worse.


The above user has spent the past few days doing nothing but astroturfing on this topic while failing to declare that they are or were employed by the company proposing the standard.

Your personal opinion may well be that ‘this is fine’ but by failing to declare that bias and having never posted much of anything else it is difficult to interpret your actions as a good faith contribution.


I am employed at Google, though not on Chrome or Ads, nor am I doing web development. I don't have any insights into WEI besides what is publicly known.

I stopped declaring my employment because it's a hassle to do that on every comment when writing multiple comments. And no one else seems to disclose their biases in this discussion.

That said, I agree with you that I should have declared my affiliation. Apologies.

As many people here, I am trying to understand the implications of WEI. Of course I will challenge the mainstream opinion to advance my own understanding and hopefully those of other readers too. I don't think arguments should be dismissed based on affiliation.


"Googler here." (you, previously) - I don't particularly appreciate astroturfing, and others don't either.


There are many arguments against this but not many brought the implications for search engines.

If websites implement this, it will effectively make building a web search engine impossible for new entrants. The current players can whitelist/attest their own clients while categorizing every other scraping clients as bots.

If not for other reasons, I can't see how Google, a search company, can be allowed to push something that can kill competition using its market dominance in other areas like browsers.


> If not for other reasons, I can't see how Google, a search company, can be allowed to push something that can kill competition using its market dominance in other areas like browsers.

Because antitrust has been dead for a while. Chrome is a tool to drive people to Google and Google ads and nothing more.

I will say, I did appreciate Microsoft having a browser engine with IE and Edge, even if the former was notoriously a pain, it gave competition in the space. Unfortunately, that's not the case anymore and everything is either Chrome (Blink), Firefox (Gecko), or Safari (WebKit). And it's pretty clear what Chrome has done once they have amassed a dominant market share.

I'm sure there are Googlers who think they're legitimately making the web a safer place, but I think the real reason is pretty clear if you take a bird's-eye view.


Unfortunately it seems that nearly all software platforms with a dominant market share, end up degenerating to serve only one purpose: to shove advertisements and subscriptions onto you.

My mother's new Windows 11 laptop's out-of-the-box configuration had me clicking through half a dozen things attempting to manipulate me or her into spending more money. There are (I can only assume paid-placement) news and adfotainment in the start menu! Repeat pop-up reminders from Lenovo to subscribe to their protection package. Emotionally-manipulative reminders to subscribe to virus protection services. To Microsoft Office. Etc. etc.

It's been the same thing in the mobile market, where the move to "apps" means you are running their software on your device all the time, so they can optimally surveil you, and target the advertisements and behaviourally-modifying nudges. Quite a few messaging services now actively mess with delivery of notifications, spacing them out, delaying them, according to research that shows what maximizes engagement.

I saw the trend 20 years ago and switched to free software around that time -- I liked Linux anyway, but it was partly on principle. Still, the new laptop was eye-opening. The degree of intrusion, the degree to which even desktop computers have turned into user-hostile advertising terminals serving the purposes of their manufacturer, rather than a computer for the user to accomplish their work, is quite shocking.

Everything networked is becoming like that - twisting the user's hardware, turning it into nothing more than a terminal, an extension of the corporation, serving their interests at all times. Even smart TVs now have ads built-in to their menus and such.


>to shove advertisements and subscriptions onto you.

There is no other end state in capitalism. If you want tools and products that serve you instead of an owner, you must do it outside capitalism like with truly open source stuff.


> The current players can whitelist/attest their own clients while categorizing every other scraping clients as bots.

I hadn't really considered this. In a roundabout way, is there a process for this to be rejected on grounds of "fair use" limitations?


Is it possible for them to implement this API in such a way that it will fail 5% of the time or so, making it impossible for websites to deny individuals based on failing attestation?

https://github.com/RupertBenWiser/Web-Environment-Integrity/...


Have you seen bank "login redirects" when the system redirects you for ca. 5-10 times before actually letting you in? This proposal could be defeated in the same way: after successful authn, the user is redirected to the page '/wei_chk_1', then '/wei_chk_2' and so on until '/wei_chk_$n', e.g. 10 or WEI check success. If the WEI Javascript check succeeded on at least one page, you are logged in. Otherwise, get lost.
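A reproducible simulation of the point made in the two comments above, added here as an example and not part of the thread or of any WEI implementation. Both holdback models are assumptions for illustration: one where every attestation call fails independently 5% of the time, and one where the holdback is fixed per (client, site) pair; the names `rejectionRate`, `stickyAttest` and the key are hypothetical.

```javascript
"use strict";
const crypto = require("crypto");

const HOLDBACK_RATE = 0.05; // the "5% or so" from the question above

// Small seeded PRNG (mulberry32) so every run gives the same numbers.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Model A (assumption): each attestation call fails independently.
function perRequestAttest(rng) {
  return rng() >= HOLDBACK_RATE;
}

// Model B (assumption): holdback is a keyed, deterministic function of the
// (client, site) pair, so asking again returns the same answer.
function stickyAttest(clientId, site, key) {
  const mac = crypto.createHmac("sha256", key).update(`${clientId}\n${site}`).digest();
  return mac.readUInt32BE(0) / 2 ** 32 >= HOLDBACK_RATE;
}

// Site policy described in the reply: check up to maxChecks times and
// admit the client as soon as one check succeeds.
function admitted(attestOnce, maxChecks) {
  for (let i = 0; i < maxChecks; i++) {
    if (attestOnce()) return true;
  }
  return false;
}

// Fraction of genuine, attestable clients that the site would still turn away.
function rejectionRate(model, maxChecks, clients = 20000) {
  const rng = mulberry32(0xc0ffee);
  const key = Buffer.from("constructed-holdback-key"); // constructed value
  let rejected = 0;
  for (let c = 0; c < clients; c++) {
    const attestOnce =
      model === "per-request"
        ? () => perRequestAttest(rng)
        : () => stickyAttest(`client-${c}`, "site.example", key);
    if (!admitted(attestOnce, maxChecks)) rejected++;
  }
  return rejected / clients;
}

// Expected rejection rate under model A: all maxChecks calls must fail.
function closedForm(maxChecks) {
  return HOLDBACK_RATE ** maxChecks;
}

function report() {
  return [1, 2, 10].map((n) => ({
    checks: n,
    perRequest: rejectionRate("per-request", n),
    perRequestExpected: closedForm(n),
    sticky: rejectionRate("sticky", n),
  }));
}

console.table(report());
```

Under model A the cost of gating on attestation falls towards zero as the site adds checks; under model B it stays at the holdback rate however often the site asks, which is the property a holdback needs if it is to make gating costly.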


I cannot trust a known thief and let them into my house based on their promise not to steal.

I have no way of knowing if they are honest or not and even if they are there's no guarantee that they won't change their mind later. I cannot take the risk and be on guard forever.

I would much prefer not to allow them into the house in the first place.

Google should not have brought this proposal but they did. So, I will not place my trust in Google doing the right thing irrespective of their claims and promises.


From the explainer:

> However, a holdback also has significant drawbacks. In our use cases and capabilities survey, we have identified a number of critical use cases for deterministic platform integrity attestation. These use cases currently rely on client fingerprinting. A deterministic but limited-entropy attestation would obviate the need for invasive fingerprinting here, and has the potential to usher in more privacy-positive practices in the long-term.

I think any holdback will eventually go away because of the "critical use cases for deterministic platform integrity attestation"


... until Google decides to dial that down to zero for "experience", or Hulu / Netflix makes you disable/whitelist/whatever to access their site.


But as mentioned above, isn't doing so against Google's own self interest? It seems like the project is explicitly stating their goal isn't to allow for websites to do this, and they are implementing it in a manner consistent with that.

One thing about your comment above: Hulu can't start implementing attestation until Google turns the knob to 0 because they can't start randomly dropping 5% of Chrome users. So in your comment above it should be "and" not "or". If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.

If let's say they did turn the knob for Chrome, wouldn't it take a while for websites to start implementing this? For me not knowing as much about this it feels like this is a step in an ambiguous direction which could be good or bad still. But since it's Google everyone is thinking ahead in the causal chain. Can you help me understand why this is such a big and clearly bad step against the open web? Thank you!


I think Hulu is a great example.

Hulu has DRM issues in Firefox and their DRM just fails with unknown errors on about ~15% of content they host (anecdotally, of course, I have no specific data). There's no way for me to tell if a specific episode of a show will fail or not, some succeed, others don't. I at least find no pattern for this. From this perspective, they are essentially randomly breaking 100% of Firefox users some seemingly random percentage of the time.

They have "good" business reasons to require this DRM and whatever this random broken user percentage is, I'm sure it meets their bottom-line criteria as a business.

"95%" uptime for Chrome users is only "one-9", but it's still got that one 9. That's an acceptable SLA to many businesses. A business might easily decide attestation is worth that "uptime risk" because it sells more ads or makes the DRM vendors happier (and thus the content owners are happier) or any other number of "good" business reasons.


> But as mentioned above, isn't doing so against Google's own self interest?

I don't see how it is against their interest, it would cement Google into power in a way that is very difficult to undo barring government intervention (which I doubt is going to happen).

> It seems like the project is explicitly stating their goal isn't to allow for websites to do this, and they are implementing it in a manner consistent with that.

If you drop a frog in a pot of boiling water, it will of course frantically try to clamber out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite placidly. As the water gradually heats up, the frog will sink into a tranquil stupor, exactly like one of us in a hot bath, and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death.

> If I understand correctly Hulu cannot act unilaterally with the currently planned implementation of this.

Hulu will keep their attestation implementation ready to turn on at a moment's notice because it's patently obvious that the hold-back stuff will be gone when it's ready to go, and it's obvious because the currently described implementation (with the hold-back) does not really serve any real purpose.

The hold-back is only on the spec to keep people from revolting while the thing is built and tested.


I don't see how that fixes the problem.


Why would they?


> The current players can whitelist/attest their own clients while categorizing every other scraping clients as bots.

Can't they already do this by having scrapers send plain-old client certificates? Or even just a request header that contains an HMAC of the URL with a shared secret?

Actually, taking a step further back: why does anyone need to scrape their own properties? They can make up an arbitrary backchannel to access that data — just like the one Google uses to populate YouTube results into SERPs. No need to provide a usefully-scrapeable website at all.
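The shared-secret header mentioned in the comment above, sketched as an added example (not code from the thread or from any search engine). The header names, secret, 5-minute window and URLs are hypothetical; the MAC here covers a timestamp as well as the URL, because a MAC over the URL alone remains valid indefinitely once it has been seen.

```javascript
"use strict";
const crypto = require("crypto");

// Constructed demo secret. A real deployment would load it from a secret store.
const SHARED_SECRET = Buffer.from("constructed-demo-secret");
const MAX_SKEW_SECONDS = 300; // assumption: accept timestamps within 5 minutes

// Bind the MAC to method, host, path+query and a timestamp.
function canonicalString(method, url, timestamp) {
  const u = new URL(url);
  return [method.toUpperCase(), u.host, u.pathname + u.search, timestamp].join("\n");
}

function mac(method, url, timestamp, secret) {
  return crypto
    .createHmac("sha256", secret)
    .update(canonicalString(method, url, timestamp))
    .digest();
}

// Crawler side: produce the two (hypothetical) request headers.
function signRequest(method, url, nowSeconds, secret = SHARED_SECRET) {
  return {
    "x-crawler-timestamp": String(nowSeconds),
    "x-crawler-signature": mac(method, url, nowSeconds, secret).toString("hex"),
  };
}

// Server side: returns { ok, reason } so rejections can be logged by cause.
function verifyRequest(method, url, headers, nowSeconds, secret = SHARED_SECRET) {
  const tsRaw = headers["x-crawler-timestamp"];
  const sig = headers["x-crawler-signature"];
  if (
    typeof tsRaw !== "string" || !/^\d{1,12}$/.test(tsRaw) ||
    typeof sig !== "string" || !/^[0-9a-f]{64}$/.test(sig)
  ) {
    return { ok: false, reason: "malformed" };
  }
  const ts = Number(tsRaw);
  if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  const expected = mac(method, url, ts, secret);
  const given = Buffer.from(sig, "hex");
  // timingSafeEqual throws on unequal lengths; the regex above guarantees
  // 32 bytes. Comparing with === instead would leak timing information.
  if (!crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // A captured request can still be replayed inside the skew window;
  // closing that gap needs a per-request nonce and a server-side cache.
  return { ok: true, reason: "verified" };
}

// Constructed requests exercising each outcome.
function demo() {
  const t0 = 1690000000;
  const url = "https://site.example/search?q=wei";
  const good = signRequest("GET", url, t0);
  const guessed = signRequest("GET", url, t0, Buffer.from("guess"));
  return {
    valid: verifyRequest("GET", url, good, t0 + 5).reason,
    tamperedUrl: verifyRequest("GET", "https://site.example/search?q=other", good, t0 + 5).reason,
    replayedLater: verifyRequest("GET", url, good, t0 + 3600).reason,
    wrongSecret: verifyRequest("GET", url, guessed, t0).reason,
    noHeaders: verifyRequest("GET", url, {}, t0).reason,
  };
}

console.log(demo());
```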


How would this work against scrapers that are based on driven approved browser instances, eg. something like Selenium?


The browser instance knows it is being driven by an automation agent. If you so wanted, you can actually comment out the code that does that in the browser's code but since this new setup will enable the page to check if you compiled your own browser, they'll be able to incorporate the "isUnderAutomation" flag under the attestation data and that's sealed because you can't build your own browser and have it attest.


Another tame article in The Register:

https://www.theregister.com/2023/07/25/google_web_environmen...

Despite the spec's half-baked state, the blowback last week was swift – in the form of a flood of largely critical comments posted to the WEI GitHub repository, and abuse directed at the authors of the proposal. The Google devs' response was to limit comment posting to those who had previously contributed to the repo and to post a Code of Conduct document as a reminder to be civil.

The usual way to deal with opposition these days.


Also worth noting that this locks reactions (thumbs up, hearts, etc.) - providing plausible deniability that "only a small number of people raised concerns about specificTopicX." Journalists should be more aware of this!

On a separate note, for journalists and others who wish to communicate with the spec's author directly, his public website (which lists a personal email) is one of the other repos on the Github profile under which the specification was published. It's painfully absurd that he wrote this sentence in 2022 [0]:

> I decided to make this an app in the end. This is where my costs started wracking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.

[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...


“Please be civil while we destroy the web as we know it. We also put earplugs in, just in case.”


If you want to protest the knife we're driving into your stomach, you can do so, but we need to see credentials and civility.


And limit your protesting to technical critiques about how the knife is made, not whether it should be in your stomach.


Limiting posting and asking for civility is the only way for individuals to meaningfully engage with even a mere thousand others. Nothing about the human mind was meant for social internet at the scale of the internet, where there are more distinct voices than you have heartbeats in a lifetime.


Yes, and the response should be to make the repo private. Only allowing interactions from previous contributors to a public repo is disingenuous.


My expectation is that private is worse for any public involvement in any discussion because nobody else can see it, and also likely to get them yelled at more via other channels, and also lead to the assumption that they "have something to hide".


> more distinct voices than you have heartbeats in a lifetime

Quotable!


It's small, but here's a real actionable item that you can do to help:

Put a gentle "Use Firefox" (or any other non-Chromium-based browser) message on your website. It doesn't have to be in-your-face, just something small.

I've taken my own advice and added it to my own website: https://geeklaunch.io/

(It only appears on Chromium-based browsers.)

We can slowly turn the tide, little by little.


For people who want to put something like this, here is the code snippet:

  <span id='browser' class='hidden'>
    This website is designed for <a target="_blank" rel="noopener noreferrer" href="https://firefox.com/">Firefox</a>, a web browser that respects your privacy.
  </span>

  <script>
    if (window.chrome) {
      document.getElementById('browser').className = '';
    }
  </script>

Class .hidden must hide the element somehow, in this case I do:

  .hidden { display: none; }


Thanks for the code! I would slightly change the phrasing. "This website is designed for X" is traditionally, in my opinion, a user-hostile statement which indicates the user has to do something to accommodate the website. "We recommend you use Firefox, a web browser that respects your privacy" or something doesn't have this vibe IMO.


I would make a few changes:

1. Instead of using CSS to hide it by default, make the script to only add it (perhaps by document.write, or alternatively by adding text to an empty <div> or <span>) if Chrome is detected. (This way it will be compatible even if CSS is disabled (or not implemented).)

2. Instead of Firefox, mention something else such as Line Mode Browser (it has some features I had not seen in other web browsers, but which I think are good and would like to have), or some other uncommon one which doesn't have Google and Mozilla etc, or more than one.


I like this idea, but has Mozilla said anything about their position in all of this? I'm a Firefox user, but I haven't felt great about Mozilla in quite a while. I'd love to know they are on the right side of this issue before I start promoting them like this.


Mozilla posted its position on Google’s Web Environment Integrity API here:

Mozilla opposes this proposal because it contradicts our principles and vision for the Web. Any browser, server, or publisher that implements common standards is automatically part of the Web. ... Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.

The full response is here:

https://github.com/mozilla/standards-positions/issues/852#is...


Thank you!


This advice has strong 1998 vibes.


To be fair, WEI has strong 1984 vibes


I don't think seeing something like "Works best on Chrome" is rare. Also blocking websites at all for other browsers than Chrome.


Yes, put it right near the "Under Construction" gif.


That's high praise.


It makes up for all of the "your browser is outdated" banners I see when using Firefox.


I don't think most people know the difference between Chrome or Firefox and if they can still use websites they use with that change, they just won't bother.

Even if you explain what is the difference, 99% they'll forget the next day.

It's just pointless. With this kind of overreach, only government intervention and regulation can help. Google is not something you can go against with your proverbial wallet - they are too big.


As Gandhi said, "Whatever you do will be insignificant, but it is very important that you do it."

Historically, many people making "insignificant" actions over time is the primary way that things have been improved.


Microsoft was the same, and still they were humbled into opening the space for others (with the browser-choosing screen at first boot). If people are noisy enough, lawmakers can be distracted from their payola.


That was in 2001. It wouldn't happen today - see Apple and their walled garden.


Antitrust authorities in both US and EU are literally fighting these monopolies right now, with huge fines and increasingly vicious inquiries. Don't be defeatist.


These "fines" are just cost of doing business. It makes no difference.

We need deep changes in the regulation and breaking up of those companies that are "too big to fail" and have too much power.


> It only appears on Chromium-based browsers.

Small anecdote: I am not sure how you're detecting the browser, but this note still appears in Orion (webkit-based browser) while it does not in Safari. Persists even when I change user agent explicitly to Firefox or Safari.


I check for the existence of `window.chrome`. I've never heard of Orion browser before, but based on a brief glance at their website, my guess is that because they allow running of Chrome extensions, they are also replicating at least some functionality provided by Chromium-based browsers, including `window.chrome`.

Thanks for pointing this out, but I won't fix this.


Why not?


Good suggestion, did that, thank you.


I find this comment a bit funny given that you use googletagmanager on your website :)


Sorry, comes default with Hugo (sort of). Set it up when I was playing around with the website configuration and never bothered to remove it. I don't use the analytics, so I will delete. Thanks for pointing out.

note to self: hn is a great place to debug & review your site


The issue with that is that most people here will only have their own website or product, which is already aimed at more tech-savvy people, who will already have made a conscious decision to use Firefox, Chrome, or whichever browser they prefer.

But we / this site only represents a small percentage. 85% market share means there are hundreds of millions, if not billions of users that would have to switch to make any kind of impact.

And you can't do that without being a very large company with an operating system or the most popular search engine or other ways to constantly tell people to use your browser, no matter how good or privacy conscious or whatever your own is.


"We" already waged a grassroots browser-war campaign in the late '90s-early '00s, when Mozilla was born and eventually birthed Firefox. It was successful enough to seriously dent the Microsoft monopoly, creating the political conditions for antitrust authorities to deliver significant hits to their power.

It can be done again. Just drop the fucking Chromium bullshit now.


While I don’t want to be defeatist the web was smaller then, we had a common enemy in Microsoft that actively made the web worse.

Google makes it better for ordinary people. Or at least gives them that impression due to sites targeting chrome.

Firefox was an easy sell because it was just better for the user and importantly the dev tools were a quantum leap ahead.

The web was largely still made up of enthusiasts, very few people doom scrolled all day via apps like they do now.

Any fight back that isn’t mobile first is doomed.

And mobile first takes resources and taking on Apple and Google at once.


> While I don’t want to be defeatist the web was smaller then

Yeah, but that also means that fines can be much bigger now, and make bigger headlines - which is what politics is about.

> Any fight back that isn’t mobile first is doomed.

This is actually a prime chance to highlight that mobile needs serious antitrust work.

Firefox on mobile exists, btw. Are you using it?


Most web developers don't use Firefox. Changing that would be a huge step. Many things are developed for Chrome first by inertia at this point.


In the end, I feel like there is a silver lining to all this. As the world wide web becomes more sanitised with their codes of conduct, corporate censorship, ads, witch hunts, all these limitations - more and more, I hope, would the valuable, interesting bits of it drift to alternative locations.

The internets of old were just that - a place where nerds, freaks, outcasts, and other antisocial personalities congregated. Everything was permitted and everything was possible. Many, myself included, hoped that it would change the world. It didn't - the world is winning again, as everyone can clearly see. Still, I hope that the normalisation of the web might as well create a critical mass of those who just want something more than just a corporate safe space.

I sincerely wish that there is a future where protocols like gemini - stripped from all the visual noise and 'dynamic' features - get a critical mass of users. If that doesn't happen - as someone who doesn't use any mainstream social media, google and microsoft services, llms and other modern (and some might add - dystopian) stuff - I don't really lose much. There are enough great books for a hundred lifetimes, enough hikes to walk and friends to get blasted with. Maybe it'd even be for the better.


That colourful internet of yore coexisted with doing your banking at a bank. Now, banking has largely moved online and banks have eliminated a lot of their physical locations. Ditto for accessing government services in many countries. The concern here is no longer being able to do important everyday things without using a supported browser, even if a small hobbyist internet for nerds, freaks, and outcasts survived out there.


Get the Wikipedia Foundation on board and make sure the wikipedia or other big mediawiki hosts refuse to show any kind of content if such feature is detected in the browser.

Also, if you're a distro maintainer, configure apache and nginx defaults to make this the default behaviour.

Even better: instead of redirecting to any wall of text with a long explanation of the political and technical reasons of this choice, just display a big, loud "ERROR" message stating that their browser is unsupported due to the presence of this module, and a small tutorial on how to deactivate it from the about:config page, if available.


I do not agree with configuring apache and nginx to do that by default, unless WEI would somehow prevent a server that doesn't understand it from working properly (as far as I can tell, that is not the case). (A system administrator could still change the configuration; this is only about the default setting.)

However, I think the other stuff that you had mentioned would be OK.

Furthermore, a distro maintainer could configure clients by default to disable WEI (or to not include client programs that have WEI).


Disappointing to see such a 180 on 'don't be evil'.

I'm recommending Mozilla Firefox to all friends and family.


I do, and I keep having those tiring conversations, but it's really hard to get the point across in layman's terms. I have enough friends in tech who stick with Chrome out of convenience instead of just falling back on it in case something actually doesn't work in Firefox. How do I convince tech illiterate people of doing this?


For the tech illiterate recommend Safari. For tech people, appeal to their privileged position and the importance of defending the web by choosing any other browser (or Safari).

Both users can keep Chrome installed as a fallback - that will help with convincing too.


Didn't Apple implement this same type of thing in Safari a year or so ago?


> For the tech illiterate recommend Safari.

That's only applicable to Apple users, though.


Tech illiterate people should be using MacOS anyway. Windows just gets worse every year. MacOS is actually more like classic Windows than Windows 11 is so it's actually easier to use for tech illiterate people.


And drop my Ublock origin, bypass paywall clean, etc? Hell no.


> Ublock origin

At least there is Adguard.


You can’t, realistically. I don’t think there’s any repeatable or effective way to make non-nerds (AKA most people) care about this sort of thing.


Start referring to them as "Chrome developers" -- what's this "web" thing you keep talking about?


It's faster. The same old justification that was used to switch to Chrome can now be used for Firefox.


Whenever a new device needs to be set up for my parents, I just install whatever I use (Firefox in this case). Then I show them the things they need on a day by day basis. The problem is people who did grow up with tech. They will say things like it will take too long. In cases like this you need to manipulate them based on their personality.


I was just able to finally move my wife back to Firefox. Chrome just stopped working on her Mac. Wouldn't pull up a page. Everything else worked.

She's now happily using Firefox with a non-hobbled version of uBlock Origin.


I don’t think this is indicative of chrome being bad on Mac. What did you try to resolve the issue?

Because I could say chrome always works for me (which would be true in my experience), but that doesn’t mean it always does.


Clearing all state (all saved data and cookies), Incognito mode, disabling the few extensions she was running. When it got to the point where the only thing left to do was reinstall Chrome, we installed Firefox instead.


Unfortunately Firefox doesn't have a good UI/UX after all.

The last time I checked, multiple profiles support is somehow half-baked.


Multiple profiles is fully supported. It's just hidden behind a clunky UX.

Also check out firefox containers which is to profiles what docker is to virtual machines.


Containers are useful, but it's like having a few similar terminal windows open. Eventually you'll type something on the wrong window... at least I found myself searching for personal stuff on my work Google container.

With profiles I can have different bookmarks, extensions, and even a different theme so I'm aware I'm on my personal profile, not on a work profile. Since switching profiles on Firefox + macOS is a pain in the butt, I use 2 different Firefox channels (stable + dev).

Anyway, containers are nice, but they're not a replacement for profiles.


> Anyway, containers are nice, but they're not a replacement for profiles.

This, so much. Anytime I've brought up profiles on Firefox, I'm told about this alternative that isn't a replacement for the feature.

Safari is (finally) bringing this, so maybe the folks at FF will begin to see this as a feature worth investing in. First-class profiles support is one of the main reasons I stick to Chrome, despite trying to switch.


Yeah, AFAIK to set up profiles you have to run:

    firefox --ProfileManager

And then to use them you have to start firefox e.g.:

    firefox -P <profile-name>

Very few casual users (nor even most technical users) start Firefox from a command line, and setting up shortcuts for these is also a step that most users won't do.

The support for profiles is there, it's just hard to use in the context of a GUI desktop.


can't you just go to about:profiles?


Wow. I never knew. Thanks!


> It's just hidden behind a clunky UX.

That's part of the "problem" with Firefox's support of profiles. It feels more like an afterthought and less like a primary use case the product wants to surface. To approximate the functionality Chrome has, I had to bookmark "about:profiles" and make it my home page.

Chrome also added this nifty feature that lets you open links as a Profile, making it easy to switch.

These may seem like small issues, but they end up mattering.


Firefox is also missing a don't allow any website to play audio unless explicitly enabled setting (mute tabs by default, except on allowed sites), as far as I can tell.


I think it has?

Go to Settings, and search for Autoplay (or in the left navigation, select Privacy and Security and scroll to Permissions).

Click the Settings button next to Autoplay, and set the default to whatever you like (amongst them "Block Audio").


That's not the same thing. Chrome's setting can force audio to be muted regardless of user interactions or manually started playback, until the website settings are changed to allow sound.


Not sure why you're getting downvoted, but this is a big deal IMO. We're here because Chrome has been the better product for a long time. Firefox not doing things people want well enough will hurt its adoption, which will impact its capacity to influence the Web.

Add to Mozilla's perceived not-very-good management and you have a death spiral on your hands, and more power to Google and Apple to shape the Web towards their interests.

FWIW, first-class profiles support matters a lot: https://medium.com/sort-of-like-a-tech-diary/profiles-the-on...


Mozilla in the past ignored the criticism users had regarding UI/UX changes and went with deploying this bulky mobile-oriented interface for desktops. And here we are.

This itself is one issue; there are also all sorts of adventures they decide to go for little to not at all related to the browser development, and which are conducted to convince people all around the world that they're a good humane corporation that cares. Igh.


There’s a saying, on the internet nobody knows you’re a dog.

WEI is part of a broader movement to make this false - more generally to make an internet where we know you are a human staring at a screen

It turns out having dogs (or more commonly programs and scripts) on the internet is not profitable and not good for business, so corporations want to take dogs off their websites by finding clever ways to attest that a real human with eyeballs is clicking with hands and staring at ads.

Support dog rights. Don’t allow for a WEI-dominated web.


The whole narrative about WEI "proving" you're a human is completely false (and I'd argue a ruse). It only proves you're using a sanctioned OS and browser binary. It does nothing to stop robots being wired-up to devices w/ emulated inputs.

In fact, WEI will make it easier to use a robot w/ a sanctioned software stack since, hey, it's a "human" per WEI.


WEI proposal leaves open the functionality of the attester, so it’s neither correct to say this will prove requests are humans nor that it simply proves a sanctioned OS/browser.

The attester will attest whatever they want. They can evolve to match the further degradation of user freedoms.


> The attester will attest whatever they want. They can evolve to match the further degradation of user freedoms.

Agreed. Eventually the attestor will be measuring “proof of life” with the camera, for example.

“Please drink verification can” isn’t too far down that road either.


> Agreed. Eventually the attestor will be measuring “proof of life” with the camera, for example.

Ultimately, it's all just instructions being sent to your computer to be executed, and "your computer" is whatever you say it is. Everything (e.g. Intel SGX et al) can be emulated in a sandbox. That's how modern DRM is defeated.


Not if the HW has baked in private keys that you can't read, but which are known to the attester.


Even in that case, your computer is still an arbitrarily-programmable Turing machine; it contains this one hardwired + proprietary component that the remote end is looking to speak to, but that component isn't in control of the system; rather, it's controlled by the system. This just moves the job of deception one target over. Rather than just turning the logic sent by the remote end into a "brain in a vat" fed a false reality by your Cartesian https://en.wikipedia.org/wiki/Evil_demon of a custom OS, you also turn its local emissary, the DRM TPM chip, into another "brain in a vat" fed lies by an enclosing evil-demon hardware platform.

The only way this attack can even be avoided in principle is to restrict distribution of the DRM TPM chip — ala Nintendo's NES CIC lockout chip that never left Nintendo's hands except in the form of finished first-party-assembled game cartridges. But even that only prevents mass production and sale of devices that defeat your DRM; any sufficiently motivated attacker can still buy a legitimate device from you that includes the DRM TPM chip, rip the DRM TPM chip out, and feed it to their evil-demon hardware to enable it to faithfully attest a lie over the network.

In short: if this was truly a practical additional layer of defense, there'd be tons of use-cases for it — game consoles, set-top boxes, kiosk computing (e.g. ATMs), etc.

But you don't see anyone using DRM TPM chips for these systems, because it's not a practical additional layer of defense: such chips would increase BOM for these systems, while only defending against attacks that weaker defenses (namely software DRM, or programmable-firmware DRM like Intel SGX) already defend against; and while not doing anything more to stop the truly motivated attackers than current layers of defense already do — as your Netflix pirate media-scraping bots, your EVE Online gold-farming bots, etc. all have the monetary incentive and capital to invest to build exactly these evil-demon systems.
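
The exchange above turns on what a remote attester can actually check when the hardware holds a key that is "known to the attester". As an added example (not part of any comment in this thread and not the WEI design), here is a simplified challenge-response model in Python; the shared HMAC key, the class names and the measurement strings are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values, not taken from any real device or from the WEI proposal.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
APPROVED = hashlib.sha256(b"approved-os+approved-browser").hexdigest()
UNAPPROVED = hashlib.sha256(b"custom-os+patched-browser").hexdigest()


class SealedChip:
    """Hypothetical hardware component: it signs, but never exports its key."""

    def __init__(self, key: bytes):
        self.__key = key

    def quote(self, nonce: bytes, measurement: str) -> bytes:
        # In this model the chip signs whatever measurement string it is handed.
        msg = nonce + measurement.encode()
        return hmac.new(self.__key, msg, hashlib.sha256).digest()


class Attester:
    """Hypothetical remote verifier that knows the device key."""

    def __init__(self, key, approved, ttl=30.0, clock=time.monotonic):
        self._key = key
        self._approved = set(approved)
        self._ttl = ttl
        self._clock = clock
        self._pending = {}  # nonce -> expiry time

    def challenge(self) -> bytes:
        # Fixed-length random nonce, remembered until it is used or expires.
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = self._clock() + self._ttl
        return nonce

    def verify(self, nonce: bytes, measurement: str, tag: bytes) -> str:
        # pop() makes every nonce single-use, which is what defeats replays.
        expiry = self._pending.pop(nonce, None)
        if expiry is None:
            return "unknown-or-replayed-nonce"
        if self._clock() > expiry:
            return "expired"
        msg = nonce + measurement.encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "bad-signature"
        if measurement not in self._approved:
            return "unapproved-platform"
        return "ok"


def demo() -> dict:
    """Run the attester over five constructed exchanges and collect its verdicts."""
    now = [0.0]  # injectable clock so the expiry case is deterministic
    att = Attester(DEVICE_KEY, {APPROVED}, ttl=30.0, clock=lambda: now[0])
    chip = SealedChip(DEVICE_KEY)
    out = {}

    n = att.challenge()
    tag = chip.quote(n, APPROVED)
    out["fresh"] = att.verify(n, APPROVED, tag)
    out["replayed"] = att.verify(n, APPROVED, tag)

    n = att.challenge()
    out["claim-changed-after-signing"] = att.verify(n, APPROVED, chip.quote(n, UNAPPROVED))

    n = att.challenge()
    out["unapproved-measurement"] = att.verify(n, UNAPPROVED, chip.quote(n, UNAPPROVED))

    n = att.challenge()
    tag = chip.quote(n, APPROVED)
    now[0] = 31.0  # one second past the 30-second window
    out["late"] = att.verify(n, APPROVED, tag)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

An "ok" verdict here means only that the key holder signed this claim for this nonce inside the time window. It says nothing about which machine carried the challenge to the chip, which is the limit the reply above describes.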


WEI is about proving you're a human the way the Kid's Online Safety Act is about protecting kids.


It looks like they do not care if they have consensus or approval for WEI, they are implementing it regardless.

Wherever you live, you should contact your government representatives and regulators and put a spotlight on this issue for what it is--monopoly abuse of power.

Grassroots efforts are great and it is good to let your friends, family, and associates know what they are doing and why it is wrong. However, government regulation of this abuse is needed to stop it by force of law.


Why do you think they don't have consensus or approval from all the people that matter? This is far too big for that. Google, Apple, Microsoft, Cloudflare, etc, are all working together on this. Governments will like it for "security", and 99% of users won't care.


That looks an awful lot like a cartel.


No, this is how industries work. The slaughterhouse industry body does not ask the cows for their opinion.


> Google, Apple, Microsoft, Cloudflare, etc, are all working together on this.

Are they? Is there any evidence those companies support the proposal? I haven't seen any statements to that effect, but I might have missed something.


Perhaps this specific proposal is only Google's doing, but the concept in general, absolutely.

For example, these provide essentially the same attestation service for native apps consuming APIs, validating that the phone is not rooted, and the OS and app are unmodified:

https://developer.android.com/google/play/integrity

https://developer.apple.com/documentation/devicecheck/

Apple and Cloudflare combined to take it to the browser last year and basically no one noticed:

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

Of course that will be hooked up to Google's new thing as soon as possible!

Microsoft has also been preparing it with the whole TPM integration in Windows 11 and mandatory inclusion of such hardware in all prebuilt PCs since ~2015. That's what the Chromium integration builds on - Google can't actually do the foundation for this themselves on Windows.

You can absolutely bet that all of these companies are on board with whatever Google is doing.


I know about the Safari captcha system (the only one of those that's truly analogous to WEI). Nobody cared about it because Safari's market share is very small. I would care if those companies jumped on the Google proposal because Google has the market share to force this through and make it ubiquitous, which is why I was wondering whether those companies had come out in support of this specific proposal. If they had/will, that would make WEI totally inevitable.


I imagine we'll see them "come out in support" by quietly deploying the feature in their browsers.


Apparently the proposal is working its way through the W3C, so they'll have to take official and public positions on it eventually.


Interesting, I'll have to follow that.


I've been holding on to my Firefox installation after switching back around ~2016 or so. I was on the Chrome bandwagon when they were the upstart (still have the comic from the launch!) but it didn't take long to see how dangerous things were getting with monoculture.

If you want to help, push back on all the anti-Firefox rhetoric that amplifies every little misstep that they take. Firefox is so much better from a user-respect perspective and the vitriol over little things (a couple of anonymous, tracking-free sponsored links on a new tab page?) are losing the plot.


Maybe they shouldn't have added the Pocket links if they didn't want the vitriol. Tracking or not (I'm still not 100% convinced that they're not), it doesn't look good when your browser greets you with that stuff. It's like entering a neighborhood and seeing a "checks cashed" store.


Thank you for providing an excellent example of what sort of comments contributed to our current situation.


Sure, instead of blaming the people who added the feature, blame the people who don't like it.


And now we have WEI, thanks to the constant nitpicking and anti-evangelism from people like you.


If those people seriously switched to Chrome just cause of Pocket, which I doubt, then sure. Otherwise, we're allowed to complain about a bad feature in the browser we use. Maybe the problem is people treating Firefox like a religion instead of just a better alternative to Chrome.


Since Google controls the implementation and the featureset of this API, they are effectively controlling the entire chain of access.

Having open source implementations does not make a difference, because a Google, or implementing website, server will control whether the content is served. Having the mechanism of access open sourced makes no difference in this situation.

It is the same situation with the "latent" passkey attestation mechanism. Apple and Google have general guidelines that the feature will not be used, but that is only true currently. This should not be part of the browser for the same reason as with passkeys, it gives corporations final say in what you are allowed to use.


And also, to switch back to Firefox


Who has been mismanaged for at least a decade and depends on Google to pay their bills..

I'm a FF user since the early 00's and Firefox will mostly not go away because Google has an interest in using it against monopoly accusations but the reality is bleak..

And the reality is these people ( Google in this case ) are so far removed from any moral compass about the Web ( at least what most people here think of "the Web" ) that it's near impossible to do anything about it. These companies are huge and from top to bottom there are certain groups that are hired guns to do a job, no matter what "job" it is, they'll do it, achieve those KPIs, get promoted, get paid. Even for their own detriment in the future, it doesn't matter. Big money now, screw the rest.

Btw, this is how every big company operated since forever, the only "news" here is the disproportionate impact their acts do to the World due to their huge size and influence.


None of that should prevent anyone from using Firefox. There are no alternatives, nearly all other browsers are built on Chromium.

Making FF more prominent will not give Google more power, it will give Mozilla more power to negotiate better deals with Google and Bing to become the default search engine, because in the world of browsers, that's what pays the bills.

Giving more power to Mozilla hinges on them having a larger user-base so their voice is heard on these technical issues.

I'm tired of people complaining about how much better they could do "if only" this, or that FF was % slower on some tasks 10 years ago.

Firefox is a better alternative. It's the only alternative, and we can make more demand on its direction if we actually use it.

It doesn't mean that we shouldn't hold Mozilla to higher standards, but if we keep waiting for them to be perfect before we will consider using and pushing FF, we're just going to lose the only alternative not controlled by Google or Microsoft.

It's Firefox here and now. There probably won't be a tomorrow otherwise. Google is making that very clear.


Exactly. Also, if some anecdata can help change a mind: Firefox is a really good browser these days. I use it quite heavily, and it hasn’t disappointed in the last three or so years since I switched from Chrome.

About the only use case I still need Chrome for is for sites requiring experimental web APIs not supported by Firefox, such as Web USB or Web Bluetooth. Site compatibility for everything else, including very heavy web apps, is just fine.

History sync is encrypted, which is what made me switch over in the first place (Chrome deactivates history sync when activating end-to-end encryption – go figure…)


I switched to Firefox for the ideological reasons above and was pleasantly surprised to find that it was a net improvement.

The only site I have compatibility issues with on desktop is MS Teams and even then it's only for voice/video calls, everything else works fine.

Firefox Android is a slightly less happy place. The password manager doesn't work very well (am moving away from the built-in one) and I can't log in on Amazon (which is important because I can't buy Kindle books in the app because of the Play Store).


Interesting. Firefox android works great for me, but Firefox windows gets very slow on my machine. I don't use their password manager on either, though, so I can't attest to that.


Is it still slow for you? Have you tested it recently?

<https://news.ycombinator.com/item?id=35458746>


Yes, it's still my default browser -- work and home. I put up with it because I browse far more on my phone than on my computer.


> but Firefox windows gets very slow on my machine.

This is why I don't use FF (although I'm on Linux). It's unusably slow for me. My experience is not the most common one (indicating that there's something about my ecosystem that FF hates), but I haven't been able to make FF work in any of the releases starting a couple of years back, I think.

I don't browse on my phone at all, so I won't be using FF there purely for that reason.


Firefox Android OOMs whenever it sees an article from The Guardian.


This is just more anecdata, but I'm exclusively using Firefox on Android and have never had issues with The Guardian. In fact, at this very moment there is a Guardian article linked on the front page, and I've visited it without an issue.

I don't doubt your experience, but it's clearly not universal.


In addition to just using Firefox, people can donate to the Mozilla Foundation. I give a few bucks every month.

https://foundation.mozilla.org/en/who-we-are/


Almost none of that money goes to the development of Firefox though.


Much of it goes to policy issues like this very one, and to government education about these kinds of things, and to other important efforts closely aligned with this exact issue. Mozilla does both "advocacy" and "product" and that two pronged fork exists to serve people and the web, not massive ad companies.


That which is claimed without evidence can be dismissed without analysis.


The same thing can be said about the opposite stance you are taking. The question is: do we already know things, and how easy are the things we don't already know to look up?

Regardless, I have Googled this for you: please return the favor by helping others learn to use search engines in the future before leaving comments insinuating that they are lying.

The tldr (as you'll probably insist on that also) is that Firefox funds Mozilla, not the other way around, as the latter is a non-profit while the former is a FOR-profit, so Mozilla actually can't directly fund Firefox.

https://www.reddit.com/r/firefox/comments/ow9k0y/is_there_a_...

https://www.reddit.com/r/firefox/comments/a98gmi/donations_t...

https://news.ycombinator.com/item?id=24200395


I hear Firefox is mismanaged all the time, but it seems to be a perfectly fine browser for the most part. I hear all about sites that won’t render in comments on this website, but they must all be internal tools or something because I never encounter them.


The Mozilla Foundation is arguably mismanaged. Firefox does ok, but could go further if the Foundation invested more in FF development and less on… other things.


I'm surprised not to see more love for Librewolf here on HN.

It's just the latest Firefox release, recompiled without all the Mozilla telemetry, and with all the settings flipped to more secure/private defaults so all the tracking features are opt-in instead of opt-out.


Honestly I think the name of the project might be limiting its adoption. It’s sometimes annoying for the more technically inclined among us, but branding matters a lot. You need a name that’s snappy and memorable, which “Librewolf” is not.

Firefox is actually a pretty good example of good branding. It’s short, rolls off the tongue, has pleasant alliteration, and evokes mental imagery.


Unfortunately on the whole techies are absolutely poor at marketing, which is a skill all by itself.


I wonder how those ‘use GNU IceCat’ conversations went, if they ever happened.


It's behind by some weeks on major, contributing new features is difficult because most dev effort seems to be on integrating upstream. It is a great easy path for the less technical to 'more privacy', but pretty much if you are a developer just harden it yourself IMO.


I sparingly run into sites that don't render properly on Firefox but they do exist. As an example, Ticketmaster's account page has problems on Firefox that I don't get on Chromium.


This is going to be a problem which compounds more as Google gains more ground. “Oh, I love internet freedom, but I really need to visit website X.” As more and more websites adopt Chrome’s standards, Chrome will be the only browser that works.


Firefox is helping you, Ticketmaster is evil.


Maybe so, but asking somebody to not go to shows of their favorite bands anymore as a form of protest against Ticketmaster and/or Google is a bit much. Unfortunately, some venues seem to be Ticketmaster only at this point. Sometimes you’ve got to choose your battles.


Yes, because the ones who owns the venues also own Ticketmaster.

Live Nation is the name.


I never used ticketmaster and it is not a monopoly. Choose the right company to sell you tickets.


Ticketmaster is the only company selling tickets to several venues, there is no choice of who to buy from available there.

The only choice is to boycott your favorite artist because their record label made a deal with the wrong company. That's too many layers of indirection, for many fans.


Surely you've been to shows at every possible venue to be able to extrapolate that bold of a claim from your personal experience?


No but apart from festivals (which were not relying on ticket master) I haven't seen tickets sold by only one company. Usually there are different ones and also some plain old in person in ticket office of department stores.


There are venues that are Ticketmaster specific because Ticketmaster's parent company owns the venue and some acts just use Ticketmaster because they are the most popular ticketing service. If I want to go to UFC 292 for example, I have to get my tickets through Ticketmaster. UFC isn't using some service that shows up on indiehacker


A fraction of a fraction of a fraction of all tickets/venues available. So hard to boycott.


I have the same - not sure if it's related to many privacy plugins in my Firefox but e.g. google maps still doesn't render as sharp as in Chromium browsers - seems like using rasterized tiles.


Some Google services I regularly depend on (like YouTube and Google Meet) don't work as well on Firefox as they do on Chrome, in ways that actually matter. Besides that I think most websites work fine.


I haven't noticed any issues on YouTube after subscribing. Before that it used to glitch once in a while possibly to penalize the ad blocking. But that may have been the behaviour in Chrome too for all I know.

Google Meet does have some key features missing on Firefox such as blurring / changing video background.


I believe google has intentionally made google maps near unusable in firefox. It's been consistently working worse and worse every year. I feel like about 8 years ago there used to be parity between them.


I think this example is weirdly informative to me.

I mostly use maps via an app (Apple or Google, they seem to be the same for basic use). Usually if I’m using a map, I’ll be using it in my car for navigation, so Firefox doesn’t even come to mind.

I suspect, on top of the “maybe it is internal apps” thing I mentioned at first, some of the really bad sites are the really interactive ones, I probably just use the app without even thinking of it.


I like to explore maps a lot, and it's simply better on a full desktop screen compared to a phone.

So it's a regular drag for me. If I really need to move quick to find something, I'll begrudgingly open chrome.


I am using it regularly without issues on firefox so I am not sure what you are talking about and definitely not in the "unusable realm". Can you be more specific?


I rarely use google maps so haven't noticed. Only thing I really miss from OSM based services is street-view.


It's really bad, it takes almost a minute for the site to "stabilize", and even then, default text in the search bar is overlaid with whatever you're typing, a good 30 seconds to load a destination.

A chrome browser on the same device has maps behave almost instantaneously.


That really sounds like intentional.


What's wrong with Youtube? I haven't noticed anything.


TBF YouTube has gotten better (see sibling comment), but Google Meet is really what matters here for me. There's also offline mode in Google Docs, which I use regularly because I'm not guaranteed a good-enough connection wherever I go.

Firefox does some things better (like PiP video playback on most websites, like YouTube!) but others are so poorly done (like Profiles) compared to Chrome that it overall makes Chrome my first choice browser.


I never used Firefox profiles, but Firefox container tabs work really well IMO. I much prefer them to Chrome's profiles for managing work vs personal logins.


Yes. Google uses chrome-only APIs in a few of its own products and falls back not so gracefully.

Which sort of underscores the monopoly point. There’s no universal free/cheap alternative to Meet, further entrenching Chromium.


How about Jitsi? https://meet.jit.si/

It's free and open source, works everywhere, has stuff like background replacement, and doesn't require signup at all.


Jitsi is super easy to use, and I still can't get older people to use it. They just hear "Zoom" on CNN so they think, "I'm supposed to use Zoom. Other things are weird." So much behavior is just driven by anxiety and habituation.


Well Zoom also isn't Meet, so for the purposes of this conversation that seems like an advantage actually?


I've watched Louis Rossmann's video on Jitsi a couple weeks ago: https://www.youtube.com/watch?v=Nzt0tzsaWDE

He provides a nice piece of anecdata there: for one-on-one meetings, you can just send people a link and usually they just join. Even if they've sent a link to Zoom or Meet or whatever, you still can say “hey, join this instead” and it will work. I haven't tried this yet, but sounds plausible to me.


I've been using FF as my default browser on desktop and mobile for at least 4 years. I've had zero issues. In fact, if I need to use their dev tools, I find them superior to chrome. I don't understand the shade Mozilla gets thrown at them.


I'm not really seeing the dilemma here. Would you choose a browser from a mismanaged organisation, or a browser from a corp actively subverting the very basic idea of having a web client you can control, which has a chance of forever changing how we get to interact with businesses online? (In likely the worst way possible)

Seriously, how is this a question? (Unless you want to go with another independent option, then sure)


> Who has been mismanaged for at least a decade

Do you think Google is better managed?


One has a browser that has +60% market share, the other went from ~55% to 3%.

One company dominates "the Web" and pulls these shenanigans all every other year, the other one is totally dependent of the former to pay their bills.

So yeah, Google has been better managed than Mozilla. That doesn't invalidate Google's execs are a bunch of lizards on the now common SV ego trip and screw up all the time, but they can and ensure they can continue to do so, Mozilla is not in the same position and part of blame must be attributed to them.


The dwindling market share of Firefox is pretty much not related to how the Mozilla Foundation is managed. They had 55% of the market when the only competition was:

- IE6, which was a security nightmare for everybody

- browsers like Opera developed by very small companies against which competition was more based on merit

The only way for Mozilla to have been able to maintain its market share against Chrome would have been to meet both of these requirements:

- build the #1 smartphone OS in the market in terms of market share to have it preinstalled everywhere

- build the #1 search engine in terms of market share to advertise using it every time the user searches for something.

Both feats requiring:

- financial means that were out of reach of the Mozilla Foundation at any moment in time regardless of its management.

- giving up on Mozilla's ethics and values to be on the same level as the definitely evil competitor.


Sad that the broader message of this post was ignored in favor of “but you should use Firefox” replies.


Who has been mismanaged for at least a decade and depends on Google to pay their bills..

I don't see how this matters, it's an open source project, if people find enough value, it will be forked and improved by community or a new organization will form around it. This is the beauty of open source, you must embrace.


You’re gonna have to swallow your pride and use the best option here. If you are American you already have lifelong training in this dynamic and you know if you don’t, it just gets so much worse.


Exactly. I use Firefox for everything. It renders all the pages fine and is speedy enough so that I never question its performance. But even if it had some issues, those were minor compared to the danger the web is in now.


Firefox' killer feature on mobile is that it supports uBlock Origin, while Chrome doesn't. Browsing the web without it is horrible -- the screen covered in popups with tiny Xes. There's a decent fraction of the time that you can't even read the content underneath. Firefox solves all that.

However.

Try opening any article from The Guardian on Firefox mobile. Even a good phone will start feeling sluggish and laggy and weird. An old phone will just go catatonic, get hot, and OOM the whole browser.

Surely this is partly The Guardian's fault. (Should it surprise me that the paper that poses "left" for the upper middle class is also incompatible with any but corporate software from Big Tech?)

But it's also definitely Firefox' fault too. Something is wrong with the implementation. If Chrome can render these sites smoothly, Firefox should be able to.

Firefox would only have an excuse if Google had some special APIs on Android, or were doing something to actively sabotage the Firefox experience. I'm not willing to get quite that paranoid yet.

There are some other browsers, but who the hell wrote them? How much of what you see in the app store is legitimate open source, and how much is OSS that some opportunist put their own trackers into? I'd love a good alternative, but I don't see a lot worth trusting.

So it's Firefox for most things, and Chrome when Firefox gets all slow and laggy. Or, Firefox for news articles, and Chrome for businesses' websites.


Firefox mobile on Android, uBlock Origin and Dark Reader installed. No lag on Guardian articles on a Pixel 6a.


And what happens when website owners decide supporting Firefox is not worth it?


The best time to switch back to Firefox was 10 years ago.

The second best time is today.

Maybe it's too late, maybe it's not, but it's literally the only option we have if we want an open web.

At this point, anybody who runs Chromium is just enabling Google and has become part of the problem.


It would be much less likely if we could get the market share back to 2010 levels.

Is that a realistic goal? I don't know, maybe not, but it seems like there's little will even in tech to try.

There was a time when tech was the biggest driver of alternate browser adoption, and even managed to make serious inroads into the mainstream. It's a huge shame that this attitude seems long gone.


(As someone writing this in FF, being a Mosaic/Netscape/FF user for ~30 years)

No that ship has sailed.

It would mean focusing on developing the best browser and spending money on marketing so people download and install the best browser. Cut every other expense. Take FF from the politics of Mozilla and make it a real open source project.

If I look at Opera marketing, they seem to aim for young people with themes and video integration.

I do think FF has no vision and no clear strategy to get back market share, even if this is the only way to save the web. Perhaps market share isn't even their goal, I have no clue what they want.


> There was a time when tech was the biggest driver of alternate browser adoption, and even managed to make serious inroads into the mainstream. It's a huge shame that this attitude seems long gone.

I think that was just a side effect of browsers like Phoenix/Firebird/Firefox and Opera offering numerous tangible benefits over IE and the other browsers of that era.

They offered things like better functionality, better security, better extensibility, better performance, better ad blocking, and so on.

There were many compelling reasons to switch to them, and many compelling reasons to suggest them to others.

I could easily show less-technical users how those browsers could make their lives better in many ways.

For a while now, though, that just hasn't been the case. Using Firefox today, for example, doesn't really leave most people any better off, but it does come with its own set of new problems. I can't bring myself to recommend it.


It will be annoying if bank sites and other companies that are hard to avoid drop Firefox support (I mean I can switch banks I guess but it is a long term customer relationship, I don’t really want to).

Most websites aren’t bank websites. If a website doesn’t support Firefox, leave. If a website doesn’t support good old HTML, it is probably made by some kind of dummy who is trying to replace lack of content with glitz, this sort of person shouldn’t be listened to.


I never have any real issues with Firefox, and when I do I simply don't use that site. I have my girlfriend and mother using Firefox as main browser on desktop and mobile, with uBlock Origin and they've never complained.

I did have issues during an interview in Microsoft Teams refusing to play my video. "Your browser is not supported", yeah fuck you it's not supported. I explain why, ask if we can switch to Hangouts and send a link.

Works fine, if more people had the balls to do the same we wouldn't be in this situation today. It's our duty to educate people instead of conforming to the path of least resistance.


The same that happened to the ones who decided to stick with powered by IE.


Then Firefox users decide visiting those websites is not worth it


So many sites don't work correctly in Firefox. Chrome is the new IE6.


I use Firefox for everything. The only site I know that doesn’t work is an internal app at my work that was written in FileMaker Pro. I just use Edge/Safari for that one.


I use Firefox as a daily driver. And I never encounter these sites. Perhaps we are not surfing on the same pages? Do you have a list of these pages?


I very occasionally run into these, and keep Chrome as a backup browser. I suspect it's as often to do with adblocking though - I have no content blockers on Chrome.

Firefox performs way better and is a more pleasant experience. (This is a fair comparison because my ad-laden Chrome experience is internet as Google intends!)


Is your Firefox rendering Google Maps as sharp (vectorized) as in Chromium? In my Firefox it seems not so sharp and rasterized (tiles?), but might be related to some privacy plugins/settings I'm using.


I didn't compare or realize that. So if you are right and most probably you are, I suppose I am not that interested in that sharpness.


Such as? Everything I care about works fine. I've no idea what people are referring to when they say sites don't.


I have had a couple of banking websites, I want to say Wells Fargo corporate card login, as well as video conference sites.


If a website doesn’t work in Firefox (due to a bug in Firefox or the website or because the website blocks Firefox), please file a bug report on https://webcompat.com/

Mozilla developers will then try to reach out to the website’s owners, add a fix or workaround in Firefox, or (as a last resort) spoof Chrome’s User-Agent string to bypass the website’s Firefox block.


In some sense, doesn't the existence of that site kind of strongly indicate that the GP's point is correct. That there are spotty incompatibilities?


Yes, but incompatibilities can’t be fixed if they’re not reported.


Firefox is my daily driver on all my computers and smartphones. There are some hiccups, often with obscure websites and airlines. Most of them better be avoided anyways. However, Slack and Microsoft Teams don't function properly in Firefox.


I suppose this is more important.

When the usage metrics drop for Chrome based browsers they would need to start respecting other users, instead of just ignoring them.

Currently they can just ignore the users and continue as they do. As the rest would not make a dent in their bottom line.


We detached this subthread from https://news.ycombinator.com/item?id=36876504 since that thread broke the site guidelines and this one didn't.


Unless you're already using Safari.


Obligatory mention of WebKit/Safari.


You mean Brave


Brave runs on Chromium; I am sure if WEI helped some crypto scheme for attention token it would be embraced there. But not as relevant as this relates to the "on by default" nature of these tools to validate web viewers.


I predict that hardware attestation will in 10-30 years become a requirement to maintain an internet connection.

Given Microsoft's push to make their OS support hardware attestation as well as Google's push for technologies which use hardware attestation in broader and broader scopes (Android and iOS have supported this for apps for a long time), the technology to make this possible is increasingly becoming widespread.

Hardware which supports hardware attestation is expensive and some people who can't afford it would therefore be excluded. But I don't think this matters.

If Google forces you to see all their ads then they can sell the ad space for more money. This can make it increasingly profitable to sell devices at an ever increasing loss. Likewise for Microsoft.

As a side note, this will make it incredibly difficult for anyone to compete in the hardware space. Why would someone spend even £500 on a phone or computer from a non adtech company when the adtech company can sell the same device for £100 or £50 or maybe even give it away for free?

By making hardware attestation more mainstream, it will become increasingly difficult to argue that enabling it for things would cut off customers.

I think it's easy to argue in favor of requiring hardware attestation for internet connections from the point of view of a government or an ISP. After all, if your customers can only use a limited set of hardware which is known and tested for security, it decreases the chance of security problems. For a police state like the UK it also seems even easier to justify too.

Even if things don't go that far, in a few years you will become a second class citizen for refusing to allow this on your devices. I can easily imagine banks requiring WEI for their online banking portals (they already do it for all their apps). Likewise I can also imagine my water, gas and electricity companies, or really any company which handles payments, considering this technology.

The worst part is, I don't think most people will care as long as it keeps working seamlessly on their devices. Likewise I don't think governments or the EU will do anything about it. I am not even sure what I can do about it.


> I predict that hardware attestation will in 10-30 years become a requirement to maintain an internet connection.

I fear you're right. But if the current trends keep up, I'll have abandoned the internet entirely before that happens.

I mourn for what we have already lost, and we are poised to lose even more.


> I predict that hardware attestation will in 10-30 years become a requirement to maintain an internet connection.

What you fail to take into account, is that geeks like being able to freely goof around with stuff; and that new disruptive tech evolves precisely in the ecosystems where geeks are goofing around with stuff.

Consider the dichotomy between iPadOS and macOS. macOS still exists — and still has things like the ability to disable Gatekeeper, enable arbitrary kernel-extension installation, etc. — because the geeks inside Apple could never be productive developing an OS on a workstation that is itself a sealed appliance. They need freely-modifiable systems to hack on. And they may as well sell other people those free systems they've developed — with defaults that make the tool appliance-esque, sure, but also with clear paths to turning those safeties off.

The same thing was true in the 90s with the rise of walled-garden ISPs. The average consumer might be happy with just having access to e.g. AOL, but the people who work with computers (including the programmers at AOL!) won't be happy unless they can write a program that opens a raw IP socket and speaks to another copy of that program on their friend's computer halfway around the world. And so, despite not really mentioning it as a feature, every walled-garden ISP did implicitly connect you to the "raw" Internet over PPP, rather than just speaking to the walled-garden backend BBS-style — because that's what the engineers at each ISP wanted to happen when they used their own ISP, and they weren't going to tolerate anything less.

And then, gradually, all the most interesting stuff for consumers on the Internet — all the "killer apps" — started being things you could only find on the "raw" web, rather than in these walled gardens — precisely because the geeks that knew how to build this stuff, had enthusiasm for building it as part of the open web, and no enthusiasm for building it as part of a walled-garden experience. (I would bet money that many a walled-garden developer had ideas for Internet services that they wrote down at work, but then implemented at home — maybe under a pseudonym, to get out from under noncompetes.)

Even if there comes about an "attested Internet", and big companies shift over to using it, all the cool new stuff will always be occurring off to the side, on the "non-attested Internet." You can't eliminate the "non-attested Internet" for the same reason that you can't develop an Operating System purely using kiosk computing appliances.

The next big killer app, after the "attested Internet" becomes a thing, will be built on the "non-attested Internet." And then what'll happen? Everyone will demand an Internet plan that includes access to the "non-attested Internet", if that had been something eliminated in the interim. (Which it wouldn't have been, since all the engineers at the ISPs would never have stood for having their own Internet connections broken like that.)


Hell, as soon as the federated systems started getting traction, Meta's Threads got set up to interface with them.

The companies have an imperative, since I guess calling it a vested interest would be an understatement, to not let you escape from their clutches.

They can't force you to come inside, and they can't force you to stay, but they can make it so that it's almost impossible to go anywhere where they are not already there. It's creepy and predatory vulpine super stalker behavior, but unless we establish a system of government that puts our desires above theirs there is not much we can do about it other than stay away to the best of our abilities.


You have opened up my eyes to an important aspect. I hope you're right.


I vote that this happens, but happens completely, definitely, and thoroughly to its logical conclusion.

If you want a penny from Google adtech, you're subject to their stringently filtered portal, you're inaccessible from non-WEI enabled browsing, and circumventing WEI policies gets you demonetized. It'll be the Great Firewall of Adtech, gated access via an app to a filtered corporate paradise - a bit like Facebook tried in India, unsuccessfully.

If you want to be part of the free, non-commercial web, WEI doesn't apply, access is open. You are able to be indexed as such. The healing can begin.

This will provide a true choice: commercial xor non-commercial. Confine all the SEO garbage to ghettos that think they're kibbutzim, forcing the big commercial entities to either fight over the noise or exert their influence, and leaving the rest of us out.


Google depends on Adwords. Other revenue streams are minor in comparison. Chromium is the main moat. Android too, of course. ~$15 billion to Apple is another, so protecting all on mobile. With the demise of AICOA, we cannot hope or expect the EU to deliver. In a sense it's simple; folks have to stop using Google search in order to preserve the web, and support those who are trying to preserve it. But I would say that. We are doing what we can.


Break it up. Break them all up. We need more disruption, not this codswallop.


Has anyone come across a good nontechnical summary that could be shared more broadly?

Edit: the Register article linked elsewhere looks as good as it gets for now https://www.theregister.com/2023/07/25/google_web_environmen...


As someone who is somewhat new to web technologies, can someone really explain why this is bad? I saw the technical discussions in the PRs made to the WEI repo but it was all super technical that I was not able to understand the arguments made for and against it.


WEI turns non-compliant browsers into second-class citizens. You’re perfectly free to use whatever compliant browser engine and OS combo you like today – but in a world with WEI, you’ll have to use Approved Chrome on an Approved OS on Approved Hardware with Approved Signing Keys, or you won’t be able to sign into your bank.


Is there any way around this, like spoofing headers or OS specs?


No, Google has plenty of skilled engineers that can make spoofing an attestation extremely difficult. It will probably rely on hardware that you cannot modify. See details of a plausible implementation here: https://news.ycombinator.com/item?id=36859465


Approved Signing Keys -> Will this require for the end user to do it? If so, then this might be a short lived change, cause for a lot of people having a username and password is already super complicated.


Nothing special. Just use preinstalled system and don't even think about using anything else.


isn't this good? banks can raise security while we can still use any browser to check hackers news! or this 3 cows story?


>> isn't this good? banks can raise security while we can still use any browser to check hackers news!

Are you okay with buying a new computer running the operating system and browser someone else wants to access your bank's web site?

You can still use your current computer and browser to access HN.


Like many others in this thread you stack so many assumptions on top of each other. Why? I don't think that helps.

Will this person's bank implement WEI in such a way that none of this person's devices (computer, phone) are supported and will this person not be willing or able to switch banks, only then buying a new computer comes into view. Without knowing anything about this person, assuming average, the chances for this must be low or the bank will have no happy customers left.

I fully agree with the underlying worries you and others in this thread have, but to extrapolate that without any nuance into a world where we all become privacy-less, ad consuming, eye tracked zombies on newly bought computers is not helping the case (in my view).


> Will this person's bank implement WEI in such a way that none of this person's devices (computer, phone) are supported and will this person not be willing or able to switch banks, only then buying a new computer comes into view.

Yes, they will, because it has already happened.

On Android many many banking apps block rooted phones and custom OSes by using Play Integrity and SafetyNet. And then games started doing it too, you can't play Pokemon GO unless your phone's OS passes SafetyNet. And then restaurants joined in. Sorry, you can't order from McDonald's unless you pass SafetyNet.

When does it stop?


I have talked to government officials responsible for my country's digital security policy and they have explicitly told me that they want remote attestation to lock out devices not running big corporate systems and they do not care about freedom. The same ministry is responsible for police. If they could, they would forbid you doing anything that is not explicitly legal just to be safe.


It's called looking ahead to the straightforward results of the obvious power dynamic, to know what it will lead to when that dynamic gets entrenched enough to be taken for granted.

It's like how all these "free" websites coasted along for years being quite user friendly, but have recently switched to extraction mode. Anybody who thought about the incentives knew what was coming down the line eventually.


I already today have a phone dedicated to "important stuff" like accessing banks. I think it's actually a decent solution, and a low-end phone doesn't cost that much either.


No, it isn't good.

Despite what some on the political spectrum try to say, the Internet has become a basic human right. It is required in schools in America. In many cases, it is required to even interact with certain government entities. Allowing governments and corporations to force users to a specific browser on a specific operating system just to interact with their site goes against everything the web is supposed to be -- an open platform for the free exchange of ideas.

This proposal is a slap in the face to all of that and basically allows governments and corporations to force users to use what those governments and corporations choose.

This is net neutrality all over again, just in a different vein.

I, for one, will continue supporting Mozilla and Firefox and will never again use Chromium-based browsers, or any browser which supports this. I just hope I can keep browsing the sites I need to.


In what way does this increase the security of my bank account? A criminal can use credentials it obtained via a hack, etc. using an approved platform to access my account. My own approved platform can be compromised by malware and used to access my account. This class of problems is addressed by physical ID tokens, not attestation.


The corporate world currently sells attestation as a way to create a secure token out of everyone's phone to the public sector worldwide. They obviously want it for the walled gardens and to fight ad-blocking, but the public sector really wants to "deal with the cyber criminality" and they are clueless.


Presumably a criminal now no longer can install a piece of malware that looks into the memory of your browser to steal credentials in the first place.

They will now have to use old fashioned social engineering to make you cough up that credential to steal.


Not great if your bank arbitrarily decides Linux isn't a supported operating system, for example.


Wouldn’t this just mean I should change my bank?


That would be difficult to do, if say all banks decide to only support Windows/macOS. My bank that I use is a bit wonky on Firefox but works fine on Chrome. Some banks even refuse to run on Firefox. Also, switching banks might be more difficult than switching an OS. And you would lose the reward points if any if you switch a bank, not to mention, if you use autopay that is configured to withdraw from a certain card, you would need to go and reconfigure that everywhere.

It is not technically impossible, it's just going to be arduous.


There are already countries where all banks in the country (and often it is a mere handful; not everywhere is like the USA with a big choice of banks) already require e.g. using their app on an Android version that passes SafetyNet, in order to log in to online banking.


Or ultimately fund your own if all banks adopt this under a regulatory recommendation.


I just believe that imposing this cost and inconvenience on Linux users (in this example) would be a bad thing.


Are you going to make your own bank too when enough banks do it?


Does that seem easier for people to do than buying a Windows or MacOS device? If your oldest credit cards are through your bank it could wreck your FICO for quite a while.


The problem is that this feature can and will be used to restrict the users, it doesn't offer any real benefit to you.

This will not increase security for the user either, it's just a new barrier at the risk of higher fingerprinting. Why should you care how your bank handles security? It's their responsibility, not yours to handle.


Because they have my money?


Technically they don't. They incur a debt to you when you give them your money. The money at the bank is not your money.


Fine then because they owe me money


OK, then legislate that this shit can only ever be opt-in and then we can talk.


one example of a non-compliant browser would be something crawling the web and building up some sort of search index of things because I don't think we want anyone to be allowed to do that.


This is good as a user story if you are using a blessed OS/browser/device in that you can avoid CAPTCHA or whatever

This is bad as a user story if you are not blessed and get likely locked out because the web operator doesn’t recognize you as valid

This is worse in the second order effects in that it can be leveraged to fight against ad blockers, paywall bypassers, YouTube video downloaders, and so on, by forcing all those user-friendly software under the umbrella of being unblessed. Hence the moniker of “web DRM”


Oh fuck no. This is bad. Google wtf.


To put it simply, it makes it possible for a service provider to reject providing service to clients not running corporate-owned white-listed clients. Thus making it virtually impossible to create independent clients for such services.

It will be swiftly adopted by well meaning but clueless bank and government clerks who will accidentally use it to lock all open hardware, open operating system, open browser users out and mandate you need to purchase at least one locked down corporate device to exist.

It's the trusted computing story all along. Eventually you will need permission to run your code on your own device and such "unlocked" device will be blocked from accessing any digital infrastructure because it might be otherwise used to breach ToS.


Isn't this already the reality in the mobile space?

I own a rooted Samsung device and have to jump through 100 hoops to be able to use my banking app or Netflix or some rando game (which I don't actually play). SafetyNet broken, hardware fuse blown, Magisk Hide + some other hacks just to still be able to do online banking.

I just want to be able to ssh into my own device or install a real ad blocker, like Adaway without losing access to real world applications.

This is all very depressing.


it is the reality for mobile.

on iphone you can't even install software that apple doesn't explicitly allow.

they would love to extend this to all computing devices to remove control


> they would love to extend this to all computing devices to remove control

That's not really true. Apple is encroaching freedom of software choice on their devices, but they know that they can't extend the same kind of security policies to the desktop. You can disable secure boot on Macs and even run Linux if you like. Additionally, it's a bit difficult but if you disable SIP you do get access to the entire system's file system. They're a shitty company when it comes to repair-ability and their walled garden, but they know they can't extend this to the desktop, or else they would disqualify themselves from the developer market (where they are quite popular).


Yes, exactly correct. WEI is a way to turn this mobile device signing nightmare into a web standard that can be enforced across all devices.


Like any technology, there are both positive and negative aspects of it. The positive take would probably be that this technology is already widely used by iOS and Android apps. People use Apple's AppAttest to e.g. ensure that high scores submitted for a game are from a legitimate copy of the game and not just someone calling the SubmitHighScore API.

But it's absolutely fair to argue that the web operates on a different set of expectations than the Play Store/App Store, and I think the concerns that this will create a second-class citizen status for browsers are totally valid. There's a huge difference in character between "in order to prevent piracy and ensure ad revenue we are only releasing our app on the Play Store" and "we are only releasing our web app for Chrome".


> People use Apple's AppAttest to e.g. ensure that high scores submitted for a game are from a legitimate copy of the game and not just someone calling the SubmitHighScore API.

But that's for Apps. Native Apps, not websites. If we argue this way, then this becomes a solution seeking an issue, since the first thing you learn in web programming is to never trust the client. I don't even see how this changes here, given that it won't mitigate any bugs, except giving me proof that the only bugs present on the client side system are the ones written by me.

The reason Google actually wants to implement this, is because they risk losing huge amounts of revenue due to adblocking, something they can control on mobile (since they control the software supply chain there) but cannot do in the browser (since I have access to the DOM).


It’s like having the “I’m not a robot” button embedded in your web browser.


It's a change to the browser that gives site-owners the ability to require a positive attestation of non-modification before running. The stated goal of this change is to make it more difficult for end-users to block ads. As the spec states, blocking ads violates the deal you make with content creators to use your attention to ads as a form of payment.

In practice, this will make it harder, but not impossible, to run ad blockers. Now instead of just finding and installing a plugin, you'll have to first find and install a forked browser that implements the attestation as something like 'return true'. This will predictably decrease the number of people blocking ads.

Personally, I don't object to this. The easy solution for most people is simply: don't consume the content. Or pay money instead of watching ads. Content creators, it must be said, also have the option of self-hosting and/or creating content as a hobby rather than a career. As someone who has grown more and more despairing of any paid-for speech, especially by ads, I welcome this change.

Far more troubling is the possibility of attestation for "important apps" like banking or government. In general this mechanism gives the org a way to prevent you from doing what you want with your data. For example, they can prevent you from scraping data and automating end-user tasks. This takes away your degrees-of-freedom, and using a modified browser will certainly become an actionable offense. In my view this is by far the more troubling aspect of this change, since it takes away significant aspects of user autonomy in a context where it matters most.

Technically sophisticated users will note that it's not possible to secure a client, and foolish to try. This misses the point. These changes stochastically change behaviors "in the large", like a shopping center that offers two lanes in and one lane out, or two escalators in and one out. This represents a net transfer of power from the less powerful to the more powerful, and therefore deserves to be opposed.

EDIT: please don't downvote, but rather reply with your objection.


This has been litigated to hell on HN, but no, there is no implicit contract when loading a webpage that your user agent will display ads or any other content as envisioned by the publisher. A user agent has always been intended to be something that displays content according to the wishes of the user. Even this "modest proposal" phrases itself in terms of user desires (albeit completely disingenuously). Ads have become prevalent because most users go with the default and don't install content filters to block them, but this does not create some obligation for all users to display ads. Rather, the core dynamic remains that ads essentially display at the pleasure of users.

There is no option to "implements the attestation as something like 'return true'". There is a chain of verification from the hardware manufacturers building in software surveillance, through OS developers treating the device owner as an attacker, this proposal of carrying the same user-hostile dynamic through browsers, and finally to the website that by verifying the signatures can force a user to only use software that enforces all of the above.

You should very much object to this! Today, "unsupported browser" is a CYA term that doesn't really mean much besides that the website has limited testing budget (and who doesn't?). With this proposal it would become a hard blocker. Goodbye Linux/BSDs/etc. Goodbye `make install`. Goodbye virtual machines. Goodbye computers that last longer than the rapid e-waste treadmill of mobile phone land. You will of course be able to keep running user-representing operating systems, old computers, "jail" breaking them, etc. You just won't be able to access banking websites, followed by web stores, then general sites. Basically anywhere today that hassles users with CAPTCHAs will be looking to implement these restrictions eventually (which is basically everywhere).


Your first paragraph, about ad blockers, is very strong, thank you. I may even be convinced. I already want a world where communication only happens by consent, and framing this change as fundamentally coercive makes sense. One may object on the basis of wanting the consumer to consume "the whole thing", however I think that's easy to dismiss. I think I'm convinced.

Your second paragraph, about chain of trust, gets a little more wobbly, but this is a matter of fact, not opinion. Will this change require a chain of trust from hardware up? That's startling. Do you have a link? I read the proposal but don't recall seeing that.

The third paragraph seems to articulate the worry that systems will now be closed with centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again. And even if you do, you won't be able to connect it to the future internet to do anything real. That's not a good future. It's one which makes individuals passive and controlled by central authority - and even if you don't object to this morally, you must admit that an ignorant and disabled population is weak and susceptible to attack.


I haven't read the proposal in depth. But skimming, this stands out:

> With the web environment integrity API, websites will be able to request a token that attests key facts about the environment their client code is running in. For example, this API will show that a user is operating a web client on a secure Android device. Tampering with the attestation will be prevented by signing the tokens cryptographically.

I don't see what else this could be referring to besides bringing TPM "remote attestation" up through the software stack to the level of a web browser. By "secure" Android it must mean one running a corporate Android distribution (see: SafetyNet), where Google has already been pushing this lockdown dynamic for a few years at least. Without tying it into the TPM, there would be literally no point to this specification as it could always be faked.

The insidious thing about this spec is that it's not an immediate prescriptive lockdown the way corporate "secure" boot is. Rather if it turns on tomorrow, Firefox, extensions, and community Linux distributions will all still work fine. But the long term dynamic is that each of these nonstandard things will be stamped out in the name of "security" - look at how the SafetyNet requirements on Android are getting incrementally harder to "pass".

Fundamentally this is entirely about consensual interactions. Right now, the demarcation point between user interests and website/server/company interests is the communications protocol itself. Your computer represents your interests, my computer represents my interests, and they possibly communicate with each other while still representing each of our interests. Remote parties that you're communicating with being able to verify what code you are running means they are then able to dictate what code you must run, even when it undermines your interests. Your only recourse becomes to not communicate, which doesn't work in our world of imbalanced power relationships. Computing's revolutionary spark of personal autonomy gets shoved back in the bottle as far as the Web is concerned.

> centralized gate keepers determining what we can do with our systems. Or at least, that will be the default unless you can get grandpa's old TPM-free linux laptop working again

There's some nuance here. Likely you will still be able to "jail break" new devices, or even root them in a supported way like Google's current Android devices. But doing so will make the device useless for accessing any website that insists on performing the verification. So sure, you can keep on using your nonstandard development environments just fine - most of the Web will be unavailable to it though.

You will just need a second WebTV like device for accessing banking websites, then shopping websites, then news websites. As I said, anywhere that currently pops up CAPTCHAs when browsing from less-surveillable IPs is a good indicator for the eventual adoption path. Said device will implement all the restrictions the website publishers can dream of - ads, lack of copy/paste, no screenshots, no access by VNC, no browser extensions, no protection from corporate surveillance, etc.

> And even if you do, you won't be able to connect it to the future internet to do anything real

That's a long way off and doesn't have any technical connection to this proposal. But one can imagine this proposal being one step in a chain of developments/legislation that brings us to that point.
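
The signed-token check debated in the comments above (the "return true" fork versus "signing the tokens cryptographically"), as an added example that is not from the thread or from the WEI proposal. It assumes a hypothetical token layout (a JSON payload carrying a site challenge and a verdict) and uses HMAC from the standard library as a stand-in for the attester's asymmetric signature; how an attester decides the verdict is not modelled.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for the hypothetical attester. A real attester would sign with an
# asymmetric key so the site holds only the public half; HMAC stands in for that here.
ATTESTER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def attester_issue(challenge: str, verdict: str, key: bytes = ATTESTER_KEY) -> str:
    """Attester side: sign the environment verdict, bound to the site's challenge."""
    payload = json.dumps({"challenge": challenge, "verdict": verdict},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def site_verify(token: str, expected_challenge: str, key: bytes = ATTESTER_KEY) -> str:
    """Site side: return 'accepted' or the reason the token is rejected."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or broken base64
        return "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # The signature is checked before any claim inside the payload is trusted.
    if not hmac.compare_digest(tag, expected):
        return "bad signature"
    claims = json.loads(payload)
    if claims.get("challenge") != expected_challenge:
        return "wrong challenge"
    if claims.get("verdict") != "trusted":
        return "untrusted environment"
    return "accepted"


def forked_browser_token(challenge: str) -> str:
    """A modified client that 'returns true': it writes the verdict itself,
    but it can only sign with a key of its own, not the attester's."""
    return attester_issue(challenge, "trusted", key=secrets.token_bytes(32))


def tamper_verdict(token: str) -> str:
    """Rewrite the verdict inside a genuine token while keeping the old signature."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    claims["verdict"] = "trusted"
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + tag_b64


def demo() -> dict:
    """Run the site's check over constructed tokens and collect the outcomes."""
    challenge = secrets.token_hex(16)
    genuine = attester_issue(challenge, "trusted")
    modified_env = attester_issue(challenge, "untrusted")
    return {
        "genuine": site_verify(genuine, challenge),
        "self_signed_fork": site_verify(forked_browser_token(challenge), challenge),
        "tampered_verdict": site_verify(tamper_verdict(modified_env), challenge),
        "replayed": site_verify(genuine, secrets.token_hex(16)),
        "honest_untrusted": site_verify(modified_env, challenge),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

The check is only as strong as the attester's own measurement of the client, which is the point the thread argues over when it asks whether the verdict is rooted in hardware.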


>there would be literally no point to this specification as it could always be faked.

I disagree. There is a point to making something more difficult but not impossible: you alter behavior at statistically significant scale in practice AND you get to point to the alternative as a reason why the change isn't "coercive". In practice, 99% of users won't know to download an altered Chrome - they have a shaky understanding of "browser" and "os" as it is. In fact, I can imagine Googlers rationalizing this as a kind of shibboleth that keeps hacker culture alive.


Sure, I see where you're coming from, and much corporate software has traditionally worked in this quasi-consensual hostile-default kind of way. But the specific terms used in that passage are highly indicative of this being intended as implementation of remote attestation for the web.

Furthermore, even if the "key facts" it reports don't initially include results of hardware remote attestation, it's entirely foreseeable that over time these will be added.


As wonderful as it has been to have a platform that the entire world is on at once, I'm beginning to conclude that the only way to get back to the web as we knew it is to go back to the days when only a small, geeky subset of the population spent time on here. Back then it wasn't worth it to create massive amounts of garbage content in order to serve ads to unwary search engine users—there weren't enough of us to make money off of!

I think it's time to establish a successor to the web that we can once again call home. This doesn't mean we need to give up on the web or stop using it—it can run in parallel to the mainstream, a niche home for hackers and techies and people who care about freedom. It needs to be simple, like Gemini [0], but also have enough interactive features to enable old-school social apps like HN or the old Reddit. It should have a spec and a governance process that discourages rapid changes—we've learned from hard experience that more features does not mean better.

I realize this sounds like a cop out, and that getting people to use such a thing in sufficient numbers would be extremely difficult. But I'm pretty convinced at this point that the web as we knew it will never come back unless there's a reset—unless we create a new niche tech that isn't big enough for corporations to want to take over.

[0] https://gemini.circumlunar.space/


>I realize this sounds like a cop out, and that getting people to use such a thing in sufficient numbers would be extremely difficult.

In the last few days browsing Fediverse platforms I prefer the smaller communities for that old internet spirit anyway.


One of the proposals for WEI is to make it probabilistically fail.

I.e. on a given device, for 10% of websites, WEI pretends to be unsupported.

That means websites can't deny service where WEI is unsupported. Yet it still allows statistical analysis across bulk user accounts.

If WEI was implemented like this, I would support it as being good for the web ecosystem.


This is the bait to make it sound reasonable. Of course this hold-back feature will be quietly disabled at some point in the future. The whole proposal is full of weaselly half-truths and misrepresentation about their real plans.


> this hold-back feature will be quietly disabled at some point in the future.

Will it though? Google's main reason for WEI, I assume, is to combat ad-fraud. I.e. to prevent someone making a bot farm to click ads to earn money from advertising or exhaust competitors' ad budgets or manipulate search engine user ranking signals.

With WEI, all ad clicks without WEI could just be ignored (i.e. not billed to advertisers, ignored when calculating statistics and signals). If 10% of clients have WEI 'cloaking', you just inflate the final advertising bill by 10% to account for those users - the end result is the same as billing for all real users and no bots.

WEI still achieves all of Google's goals even with cloaking.


As the middle man Google benefits from ad-fraud and has few incentives to really stop it. Ad-blocking is a real problem for them however, and they have huge incentives to prevent that. Ignore what they say - that's what WEI is actually about.


Google's main business is ads on Google search. Here they aren't a middle man.

Companies give Google $X, and hopefully sell Y extra products. X/Y is the cost per sale. Google competes with other advert forms (e.g. TV/radio/newspaper ads) on that X/Y number.

If there is ad fraud, that Y number gets decreased (budget is used up on fraud that doesn't translate to sales), and their revenue decreases as advertisers spend their ad budget on other mediums.


>Will it though? Google's main reason for WEI, I assume, is to combat ad-fraud. I.e. to prevent someone making a bot farm to click ads to earn money from advertising or exhaust competitors' ad budgets or manipulate search engine user ranking signals.

Right. And so I ask this question: Why should I be forced to donate my data, CPU cycles, network bandwidth and privacy to one of the largest corporations in the world so they can address an issue (ad fraud) between them and their customers?

I'd note that I am not a customer of Google or their advertisers. Because advertisers are the only real customers of Google.

Edit: Clarified my point.


The antifraud company that worked with Google on the WEI proposal is already calling for the removal of holdouts from the spec[0], because:

- Attestation does not work as an antifraud signal unless it is mandatory - fraudsters will just pretend to be a browser doing random holdout otherwise.

- The banks that want attestation do not want you using niche browsers to login to their services.

[0] https://github.com/RupertBenWiser/Web-Environment-Integrity/...


That's currently just an idea in the 'Open questions' section of the spec, but there is already pushback against it from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and notably the attestation feature Google already shipped on Android for native apps in the same situation does _not_ do this.


That’s a silly proposal that will eventually be turned off as it causes issues. Users will complain that sometimes websites are broken for no reason and the first proposed fix would be to turn the failure probability to zero. Then the zero failure setting will become the default.


Also, if Netflix or Twitter decide to require device authentication, they can give you an error message and instruct you how to turn the holdback feature off.


The attitude from Google towards this has changed significantly over the last few days (unsurprisingly).

From the "explainer": "we are evaluating whether attestation signals must sometimes be held back [...] However, a holdback also has significant drawbacks [...] a deterministic but limited-entropy attestation [i.e. no holdback] would obviate the need for invasive fingerprinting".

From the Google worker's most recent comment on the issue: 'WEI prevents ecosystem lock-in through hold-backs [...] This is designed to prevent WEI from becoming “DRM for the web”'

So, in other words, WEI could be used to prevent fingerprinting, but won't be able to if holdback is introduced -- 5-10% of clients would still get fingerprinted.

Looking at the list of "scenarios where users depend on client trust", all of them would be impacted by a holdback mechanism:

- Preventing ad fraud: not for the holdback group

- Bot and sockpuppet accounts on social media: not for the holdback group

- Preventing cheating in games: not for the holdback group -- and thus not for anyone playing against someone in the holdback group

- Preventing malicious software that imitates a banking app: not for the holdback group

In other words, if there was holdback, WEI would require places which currently fingerprint to retain and maintain the fingerprinting code and apply it to fewer users, in the best case, or would be completely useless in the worst case (for things like games).

However, it's also quite interesting to look at the implications of successfully attesting a browser which supports arbitrary extensions:

- Preventing ad fraud: install an automation extension

- Bot and sockpuppet accounts: as above

- Cheating in games: install an extension which allows cheating

- Malicious software which imitates a banking app: a malicious browser extension could do this easily.

In other words, unless you attest the browser with its extensions, none of the trust scenarios outlined in the explainer are actually helped by WEI. It's not obvious whether the Google employee who wrote this deliberately didn't think about these things, or whether the 'explainer' is just a collection of unconnected ideas, but it doesn't appear to hold together.

It is not surprising that the first target of WEI -- Chrome on Android -- does not support extensions.


Workaround: check WEI across 4 domains, P(failure) = 0.000001%


And what guarantees do you have that the probabilistic failure rate won't be turned to 0 at some point in the future?

Except for Google's pinky swear, I mean.


Here's how this goes:

WEI randomly fails, website sees it, has never implemented any error checking (or fails on purpose without WEI), WEI becomes effectively mandatory.

Google is a gun manufacturer telling people on the other end of it "don't worry, every one in 20 bullets doesn't fire".


If you have 50% of people having adblock, then websites losing 10% of traffic because WEI probabilistically fails still seems like a win for big tech if they force users onto their approved unmodified OS/browser.


If this isn't the straw that breaks the camel's back, there is never going to be one.

Google needs to be broken up.

They own the browser market. They own the web (through Adwords). They own Search. They own mobile. They own most of the video sharing market with 2.5 billion monthly annual users. They own a good chunk of email with 1.2 billion monthly annual users.

They have amassed an incomprehensible amount of power and influence over humanity and they have proven repeatedly that they are willing to use that power to the detriment of humanity and to entrench themselves further.

Google needs to be broken up.


> Google needs to be broken up.

To make it explicit: the only way this happens is by Americans voting for it. The FTC has been more active on anti-trust issues in the past two years than at any time in the past 30. That's a direct result of the 2020 election. Elections matter.


The FTC isn't going to do anything as Google/Alphabet is a big donor to the Democrats.

https://www.opensecrets.org/orgs/alphabet-inc/recipients?id=...

Here is them lobbying specifically around antitrust reform legislation: https://www.opensecrets.org/federal-lobbying/bills/specific_...


So are Amazon:

https://www.opensecrets.org/orgs/amazon-com/recipients?id=D0...

and Microsoft:

https://www.opensecrets.org/orgs/microsoft-inc/recipients?id...

And yet we see high profile activity against them from the current FTC.



? This is provably false. FTC filed 6 months ago.

https://www.nytimes.com/2023/01/24/technology/google-ads-law...

n.b. I've found a lot of comfort by consciously rolling away from any subject that leads me to do "They"-ing, i.e. name an enormously large group, then talk about them as a unit. The more I avoid it, the more I realize how prevalent it became and how it drives how a lot of us feel society shifted.


It's called saving appearances.


So your position is, they'll never do it, and if they did, it's fake. Sounds like self-peasantization.


The people working at the FTC have been involved in revolving doors in the very industries they're trying to break up.

It's a simple observation. They don't have the interest to make it pass but they still have to do it to save face.


You're right, but not because of politics.

FTC is on a losing streak, with the latest fiasco being the Microsoft Activision acquisition fiasco.


Republicans control the house. That's who would have to pass any legislation. FTC is non-partisan.


Citation? FTC against Google doesn't produce much results on Google (kind of an irony :))

Have seen FTC going against Amazon because the FTC chair had published prior work against Amazon's practices. Not defending Amazon but FB/Google are a much bigger threat than Amazon.


Citation for what, increased anti-trust activity from the FTC over the last two years? Sure, here's one article:

> Private equity deals and transactions in the healthcare and technology sectors continue to attract heightened antitrust scrutiny...

> The US agencies have also demonstrated an increased interest in challenging vertical transactions.

> In January 2022, for example, the FTC sued to block Lockheed Martin's US$4.4 billion proposed acquisition of Aerojet, which the parties subsequently abandoned.

> Increased enforcement, combined with the agencies' reluctance to approve remedies, has created an uncertain environment where commercial parties should be increasingly prepared to litigate mergers.

> The ramping up of antitrust enforcement in 2022...

https://www.whitecase.com/insight-our-thinking/us-ma-fy-2022...

Here's another:

> Since 2020, the Federal Trade Commission (FTC) and U.S. Department of Justice (DOJ) have filed multiple lawsuits against major tech companies...

> "The agencies have started laying the foundations for a more interventionist stance over the last two years, and this year is when we'll start to see some of those efforts come to fruition -- or be stopped in their tracks by the courts," Kass said.

https://www.techtarget.com/searchcio/news/252528606/FTC-push...

I'm sure you can find more.


Except they keep losing cases. ex:

https://www.reuters.com/legal/us-appeals-court-opens-docket-...

Or Judges fast-tracking lawsuits to allow those being prosecuted by the FTC to get things over quicker, ex: https://www.reuters.com/legal/illumina-wins-fast-track-appea...

And I think the biggest blow may actually come about because of the SEC lawsuit that will be heard this upcoming term at SCOTUS: https://www.reuters.com/legal/us-supreme-court-decide-legali..., which will likely heavily rein in the power of administrator judges and the ability for an agency to keep initial fights in-house (blocking litigants from taking fights to the normal courts).


Yeah. You can't expect every swing to be a home run, but you also miss every swing you don't take. My point is at least they're trying to do something now, unlike previous decades. It will take some time and effort to bring the agency back around to being effective after decades of inactivity. That's not going to happen if future administrations put the FTC back on the bench.


Citation for this statement.

>The FTC has been more active on anti-trust issues in the past two years than at any time in the past 30

FTC being more active in past two years over previous 30 is a strong statement.


How much of that involves the tech industry? Are you seriously claiming that Silicon Valley and Donald Trump were besties while the Democrats and tech hate each other?


> How much of that involves the tech industry?

A lot. Here's a link where you can read about some recent activity in the tech industry (change it to sort by Date, I couldn't figure out how to do that in the URL): https://arstechnica.com/search/?ie=UTF-8&q=ftc You can probably find more on Google (or perhaps Duck Duck Go? :) ).


>The FTC has been more active on anti-trust issues in the past two years than at any time in the past 30.... That's a direct result of the 2020 election.

Active against Google though? Remember, Google can help a certain political party in tough times (e.g. rollout of healthcare.gov).


So can Microsoft and Amazon, surely? Yet they're getting a lot of scrutiny from the FTC right now.


Yes, but Google has a strong existing relationship, the D party owes them for that one and some other favours. Can you find a link for any recent FTC action against Google (not against Google's competitors or some tiny subsidiary of Google)? I hope I'm wrong here.


I don't see anything significant from the FTC specifically regarding Google, but there is an ongoing DOJ lawsuit. Possibly they don't want to step on that? I admit I don't really understand the roles of the DOJ versus the FTC regarding anti-trust enforcement. https://www.justice.gov/opa/pr/justice-department-sues-googl...


Wake me up when they actually do something instead of making announcements of looking into the possibility of perhaps one day sending a strongly worded letter asking their tech buddies to calm down a little bit, if they're so inclined. Until then, this is campaign fodder and nothing else.


Okay, here's your alarm clock going off:

"FTC rewrites rules on Big Tech mergers with aim to ease monopoly-busting"

https://arstechnica.com/tech-policy/2023/07/ftc-rewrites-rul...

"FTC prepares “the big one,” a major lawsuit targeting Amazon’s core business"

https://arstechnica.com/tech-policy/2023/06/ftc-prepares-the...

"The Federal Trade Commission sued Amazon today, claiming the online giant violated US law by tricking consumers into signing up for the $14.99-per-month Amazon Prime subscription service and making it annoyingly difficult to cancel."

https://arstechnica.com/tech-policy/2023/06/ftc-sues-amazon-...

"FTC files to block Microsoft’s $69B Activision Blizzard acquisition"

https://arstechnica.com/gaming/2023/06/report-ftc-will-file-...

"A Federal Trade Commission lawsuit filed yesterday accused Ring, the home security camera company owned by Amazon, of invading users' privacy"

https://arstechnica.com/tech-policy/2023/06/ftc-amazon-ring-...

"Microsoft will pay $20 million to settle an FTC complaint that its Xbox platform illegally collected and retained information about children without their parents' consent"

https://arstechnica.com/gaming/2023/06/xbox-coppa-violations...

And that's all just from one news source, in the last three months.


Why should the US break up an asset like Google? Would be completely self-defeating. This isn't like Standard Oil or AT&T, that mostly had influence and market share inside the US. It would basically be handing power to foreign competitors who would pounce at the opportunity.

And I'm not American so it's not even some sort of patriotic comment. If Europe, or anywhere else, had a Google-sized behemoth, they wouldn't mess with it no matter how "anti tech" they might seem now. If anything they are anti tech because they don't want foreign big tech to have massive influence over them. You'd bet they wouldn't cripple big tech if they were European. On the other hand, as long as they are American that massive power is a feature, not a bug for the US government.

The reaction to TikTok is a good example of how nationalism/geopolitics shape the reaction to big tech, which is why Google is probably safe.


> Why should the US break up an asset like Google? Would be completely self defeating.

Because in the short term it would disrupt a major company (ala Standard Oil), but in the long term it would allow the US to remain competitive in the global market.

If we allow Google to continue abusing its monopoly power in the US, that guarantees that the US will not be the home of the future technologies of the world. Innovations will be sucked up and killed as acquisitions. Enormous energy will be focused on blatant moat-building like WEI instead of developments that benefit the world. etc.


Tech competitiveness relies on network effects. Breaking up tech would just cede marketshare to companies like ByteDance and Baidu.

Any successful US-based tech post-breakup would be acquired by larger international players, like TikTok was.


> Why should the US break up an asset like Google?

I'm also European and I think almost pretty much 100% as you think on this, but to play devil's advocate, and how I think this should have worked in theory in a free-market economy, is that the US, by allowing companies like Google to do their nefarious and frankly evil things right now and in the near future is also, at the same time, not allowing future potential companies, more innovative than Google is now, to take Google's place.

But what happens is that the US is focusing on having a strong and national security-enhancing company (Google) on its side now and in the near future, versus having an even stronger and, potentially, even more national-security enhancing company (the one that would have taken Google's place had the free market been allowed to do its thing) in the medium to long future.

On the face of it this compromise of security now and in the near future vs security in the medium to long future looks like a decent bet, the problem is that evil colossuses like Google are actively getting rotten from the inside, and at some point in the medium to long future they'll fall almost in an instant, with no company to take their place. That will leave the US highly vulnerable at that point in the future.


One thing comes to mind: antitrust! It happened to Microsoft as well!!


...and Microsoft has more power than Google at the moment


But anti-trust stalled Microsoft's efforts at a critical time and allowed Firefox and Safari (like Gecko) to restore a standards-based web from an IE-based web. It's not a cure all but it worked. IE had 95% marketshare in 2002 and Firefox took a third of that from them in a few years thanks to anti-trust and the consent decree it forced on MS.


Chrome has nowhere near 95% market share so it would be hard to make the same case against them.

Given that it's open-source and anyone can roll and distribute a tweaked version of Chromium (and many have, notably Microsoft), it's really hard to see an argument here that Google is acting anti-competitively. If anything it's very pro-competitive to give away your secret sauce to your competitors.

Just because their browser is more popular than you would like, and you don't like a feature they're adding, doesn't mean a judge is going to stop them from adding it.


In which case foreign governments, the EU and the like who collectively represent the interests of the other 7+ billion people, should start levying taxes, penalties and fines on Google and haul it and the US in front of international agencies like the WTO for unfair trade practices.


That would be a desirable action but look what happened at the end of the 90s to Microsoft. It was about to be broken up and in the very end it wasn't. They became dormant and polite only to strike back some 10 years ago with Windows 10, its telemetry, ads and cloud services which are being pushed onto users whether they like it or not. And somehow, no regulators decided to step in to clean up this company's behavior - everyone seems to be ok with what MS is doing. Whether it's the US or EU. I take it that the business and lobbying goes extremely well in both markets.

And because of this, I don't believe that the US is able to break Google or the other flagship companies despite reasons existing for such action.


What would it mean for Chrome to be spun-off into a separate business? How would it survive?


Google Ads and Search would have to pay Chrome for search placement. Just like they do to Mozilla right now.


ideally, it wouldn't survive.


the ideal scenario is that 65% of users' favorite browser is no longer available? why is that ideal?


It's ideal that monolithic spyware dies.


> Google needs to be broken up.

Not going to happen. Rationally there should be broad political consensus about cutting Google back to size: from rabid libertarians worshiping the miraculous abundance generated by "competition and free markets" to bleeding-heart socialists keen on pushing back corporate power as the root of all evil.

Alas, these political categories no longer have any meaning. The US political system has mutated into something else (the messenger being a horned man) which will probably require some time to properly characterize and name using terminology that is appropriate to use in good company.

So the fate of Google will be more shaped by actions of external entities than as part of US regulatory efforts. Powerful countries that antagonize the US are simply degoogling and creating their own copycat panopticons.

The question is what will be the course of action of powerful countries that are allies of the US (i.e. Europe and a few others). Will they accept that their digital society will be feudal in nature because the broken US political system cannot deliver on even basic responsibilities?


> Will they accept that their digital society will be feudal in nature because the broken US political system cannot deliver on even basic responsibilities?

The Germans, British, Australians and French are also attempting to build their own panopticons.


Don't forget, increasingly transport, you won't be able to get a taxi in SF soon without being monitored / tracked by Google.


How so? Are they requiring request of taxis via a site with Google analytics?


I think they're alluding to Waymo. I feel much better about Google tracking my taxi rides than I do with Uber, Lyft, random taxi company, my cell phone company, etc.


[flagged]


Google Search is notably absent in your list.

If this proposal becomes standard in Chrome, you can be sure Microsoft and Apple will follow Google's lead with the same or their own similar implementations.

See Microsoft Pluton and Apple's Private Access Tokens. Or read this article which provides an excellent overview of these developments. https://news.ycombinator.com/item?id=32282305

Make no mistake. If this becomes standard on Chrome, this is going to be standard on the web.


Youtube is absent as well. Maybe OP is not as de-Googled as they think.


I didn’t specifically try to De-Googlefy my life for some moral reason. I think most of Google’s products are second rate - including their search page unless you use an Ad blocker. But I do find myself using ChatGPT more and Google less for coding questions since it does a better job of giving me exact answers to my problems and code is easy to verify for correctness.

As far as YouTube, I think I only use it for AWS ReInvent videos. I can’t stand ads and there are no ads interrupting the video.


Wait until your bank requires you to use it to pay your bills and tax preparation websites require it to pay for taxes.


My former business bank actually did this. They insisted their web app "was compatible with all modern browsers, but more compatible with Chrome" - I couldn't make transfers to other accounts with Firefox, it just hung indefinitely.

Virgin Money, UK - https://uk.virginmoney.com/


> was compatible with all modern browsers, but more compatible with Chrome

Is Animal Farm not required reading in Orwell's home country? Or was that a misquote, or maybe just something from a random support worker? It's almost too on the nose for that statement to be written by someone familiar with that book.


I was wondering the exact same thing with that wording. Maybe someone, somewhere was required to put in a notice like that (or worse, make it so that it does work better in Chrome for whatever reason) and decided to word it like that to fly under the radar. Unlikely, but I like that imaginary world.


I use Virgin Bank and Firefox works OK for me.


This was Virgin Money Business specifically, and it's a year since I left so it might have been fixed.


It’s bad enough google captcha is broken on Firefox with all the privacy extensions on.


It is not broken. They are punishing you for not wanting to be tracked, profiled and manipulated.


I’m sure they are all going to block iOS users from using their services.


iOS already implemented this stuff


Not only did iOS implement this, but everyone either sleep-walked on it, or worse, praised it, because Apple sold it as a CAPTCHA bypass instead of a DRM scheme: https://mastodon.delroth.net/@delroth/110775677023220850


How is PrivacyPass related to iOS?


PrivacyPass is an extension that lets you pre-solve CloudFlare CAPTCHAs if you're on a VPN. However, that was too frustrating, so CloudFlare partnered with Apple to integrate PrivacyPass into Safari.

How did they do this? Simple: iOS provides cryptographic attestation that your browser isn't a bot and isn't hacked, and CloudFlare takes that as your CAPTCHA solution. This works exactly the same way that Google proposes Web Environment Integrity work.


You may not use Gmail, but every email you send and receive goes through Google infrastructure.


I might need to tell my corporate IT department that our emails are going through Gmail.

Besides, I can’t remember the last time I actually sent a personal email to anyone besides forwarding something from another business.


I don't have a Google account and don't use any Google service, still think that this libertarian message is bullshit, how do you do the free will if the web starts deciding which OS/Browser are authorised to do something? I am not sure we are talking about free will or useful idiots


And how will “breaking up Google” help if the “Chrome company” is still implementing DRM?


Because you break the interest of showing ads from google search/adwords, to the interest of surfing web freely of those who would work on chrome

Now google has both the need to show ads, and direct power on what people use to see those ads


How do you think the “Chrome company” would be funded?

How is Firefox funded today?


Is Firefox consistently trying to find ways to show you ads? Are they working on technology that helps profiling you?

One thing is funding, keeping independence, another is controlling


They get 80% of their funding from Google. Do you think they are going to change to a “privacy first” search engine?

And Firefox already supports Google’s WideVine DRM

https://support.mozilla.org/en-US/kb/enable-drm

What makes you think they won’t support this?


Are you sealioning me?


I think it’s kind of naive to think a company that gets 80% of its funding from Google is going to go out of its way to protect you from the same company or that it won’t implement the same proposed DRM standard when it already implemented the older one.


But if firefox is full of tech to prevent privacy leaks? They incorporated a vpn, strict mode, containers, third party cookie block, dnt, etc.. what the fucking hell are you talking about?


They are sending you to Google for searches. Everything else is irrelevant if you are concerned about Google getting information about you.

If you think that Firefox won’t include DRM because of “freedum”, there is an existence proof that they will - they support WideVine.

How can Firefox be “independent” of Google when 80% of their funding comes from Google?


And yet, you are probably somewhere in Google's databases.


And if they are broken up, now you’re in 5 companies’ databases, win?

And then they are all probably going to implement “sign in with Google”.


>And if they are broken up, now you’re in 5 companies’ databases, win?

Yes, win. I'd rather be in a number of smaller businesses database than in the one last company's.


Isn’t that the opposite of privacy?


The opposite of privacy in this context is 1 or more companies having your data. Note the 1.


what browser do you use?


Safari


Google broke itself up in 2015. What are you even asking for here?

Chrome and Android are open source, and there are several forks of both thriving in the ecosystem. Yeah it would be cool if there was a decent open source alternative to GMail and Drive, but no one else seems to have figured out how to get the incentives right for something like that.


> Google broke itself up in 2015. What are you even asking for here?

No, it didn't, it restructured itself into Alphabet, with many subsidiaries. But, all the core businesses are still under that umbrella organization, with most web-related businesses remaining inside the current Google entity.

A forced divestment of the browser business might help. Same for the productivity products.


What browser “business”? Chrome makes no money. Don’t you think they are going to fund themselves the same way that Firefox does - via Google ads?

No one has paid for a browser in almost 3 decades and even then few did.


I don't think you understand what a business is. Google pays Firefox a lot of money to be the default search which means there is a lot of money in browsers. Google Search conceptually pays Google Chrome to be the default Search engine on Chrome. Except since they're both under the same company they will never take an outside offer which is why it's a monopoly. No different from any other vertically integrated company.


I understand that perfectly, how do you think the theoretical Chrome business would make money?


The same way the non-theoretical Firefox business makes money.

edit: Safari as well.


By showing ads from the “AdSense Company” and sending your personal information to them?

Meet the new boss…


Sure, but on the positive side, the Chrome Company has its own incentives.

Today, Google can provide Chrome as a loss-leader, making up for the "free" browser with ad revenue.

The new Chrome Company can't operate that way. It needs to make money on its own. Perhaps MS Bing offers more money. Or they build their own ad system. Or pivot into some other business area.

Anyway, I don't think anybody is arguing Google/Alphabet must be broken up, only that it's a tool that's available in the US, should we (society) decide other regulation is insufficient.


> Perhaps MS Bing offers more money.

> Or they build their own ad system.

And we still are being tracked by BigTech with the same business model that people object when Google does it.

> Or pivot into some other business area.

And what other method do you suggest for funding besides ads or people paying for the browser? The second option has never been a long term successful business for browsers?


Chromebooks are literally a browser that you pay for, and they are heavily embedded in the US education system.

Just because they don't sell floppies in a box like it's 1994 doesn't mean these aren't businesses.


Yes, you just pay for the browser and not the hardware. Are ChromeBooks also a “keyboard you pay for”?


> No one has paid for a browser in almost 3 decades and even then few did.

Considering NCSA Mosaic’s initial release was just 30 years ago this year and it’s considered the first browser, think you might be using a bit of hyperbole there? Twenty years would’ve been more accurate.


As someone who worked in this space at the time (Webmaster at Spry, Inc. in 1994), and we sold a web browser in the 1994-ish timeframe https://en.wikipedia.org/wiki/IBox, no, saying "almost 3 decades" isn't hyperbolic at all. 29 years is close enough.


MSIE was free, 28 years ago in late 1995, and while Netscape did take 5 years to follow suit, by 1998 Netscape was not in a healthy position because of the free competition.


And to a first approximation, no one paid for Netscape then. I first downloaded it free in 1996 from their ftp server.


But what does breaking up even mean? Separate companies, each publicly traded with their own C level staff, shareholders, etc?

Because to me it just feels like it might be legally separated, but still owned and directed by the same handful of people. And it being separated makes it safer, in that they can't forward e.g. large fines to the parent company.

Disclaimer: I don't know anything about large corporations. or economy. or governments.


Yes, breaking up a company means divesting some business units. The new businesses would have their own BoD, leadership, shareholders, etc.

The US did this with Standard Oil in 1911, Bell/AT&T in 1983. And the same laws were used against Microsoft in 2001, though the company was able to avoid a break-up.

Breaking up Google might not be the best option. Perhaps more rigorous regulation by the government would be better, similar to Microsoft. But a break up should be an option.


It's not the lack of open source, it's ease of use. Alternatives exist, but no company is going to run a charity case for you to store tons of data for free. Mail in particular is commonly known to be a hassle which has nothing to do with Gmail the software, as much as Gmail the provider.


That "incentive" for Google is "80% of our revenue comes from ads".

Google's open source projects are open in name only.


> Google's open source projects are open in name only.

The link at the top of the page is pointing to the GitHub repo, where you can see literally over a million contributions from thousands of people working at hundreds of companies: https://github.com/chromium/chromium/commits/main

I've worked on both Chrome and Android (Chromium and AOSP) professionally, and never worked at Google.


There is the OSS vs FOSS distinction which may have been unwittingly invoked. Certainly there is nothing “free” about Chromium except its price. Google is not about to switch to a fork for Chrome and any changes to Chromium which are not approved by Google are unlikely to be in any release builds.


Well, true :)

What I should've written is that: yes, they are open source, but there's no way to influence the direction they are going. These projects are 100% Google-run, and very few (if any) decisions are public.

For most projects there's also a significant proprietary part in the actual final product


You and GP both can be right depending on definition used for “open source”.


Say that to Huawei.


Not a lawyer but this seems ripe for antitrust action. Microsoft got sued back in the 2000's for simply bundling IE with their operating system. The behavior of Google (and quite frankly Microsoft with Edge) seems way way worse than whatever MS was doing when they got sued.


But MS still bundles IE, and they've gotten more pushy about it lately.


Can you give me an idea as to why WEI is a bad idea for the web? Granted, it is morning, but as I am going through the notes linked ( https://googlechrome.github.io/OriginTrials/developer-guide.... ), I am not sure I understand why it is that bad.


As a general rule of thumb, web technology has traditionally separated the content and protocol from the browser ("user agent") in terms of concerns. By which I mean, a user agent needs to be able to handle any possible input without breaking, and a web server needs to be able to handle any possible request without breaking.

WEI tries to shortcut that process by creating a secured sign-off system that would allow the server to only respond to queries from a blessed hardware and software configuration. This wildly constrains the user agents that would be possible. The pro for web developers is that they wouldn't have to concern themselves with whether their server or the HTML they are emitting is broadly standards compliant and compatible; they can just make sure it works with the target platforms they care about and rest easy knowing no other platforms can touch their system. But this is bad for anybody who, for whatever reason, can't use the blessed platforms (user agent and hardware combinations).

Immediate practical consequences are that a lot of the screen reader solutions people use would probably break (because the screen readers wouldn't be certified user agents), a lot of clever hacks would be far less feasible (the website somebody hacked together to track whether the ice cream machine was broken at McDonald's restaurants relied upon being able to pretend it was the McDonald's smartphone app well enough to attempt to put ice cream in the shopping bag), and it would basically become impossible to build a new browser or operating system from scratch compatible with the web (they wouldn't work with the websites people wanted to use because they wouldn't be certified as authentic on any of those sites).

This proposal grossly changes the balance of power on how the web works and places most of it in the hands of the incumbent browser and computer hardware vendors.


Thank you. I can see why there is a pushback for it and also why Google would want to make it a standard. It has a feel of systemd to it ( making things easy enough that if it does manage to become a standard, people will likely accept it en masse )


Basically aims to make desktop browsers work like non-jailbroken iPhones: locked down and outside the user's control, for better and worse. You could also compare it to client-side anticheat in PC games.


I'm surprised to see so many people in this thread saying "write a strongly worded letter!" (or something along those lines), and so few saying we need to build a better browser without this crap in it, which has been the traditionally successful answer to attempts to privatize the Web.


Before doing this, Google was careful to make it as difficult as possible to build a replacement for Chrome. Apple struggles to make Safari capable. Mozilla struggles to make Chrome-first websites work in Firefox. Building a new browser is a Herculean task.

Pragmatically, I'm hoping that a Chromium spinoff like Brave (or Edge!? Could MS be the hero we need?) will turn the privacy switches on, WEI off, and get enough market share to make WEI infeasible.


We already have one, and building a browser is a nightmare.


Can somebody explain what are the practical implications of this?


Unblockable ads, sites can serve you data that you can’t manipulate or copy, micropayments can exist, invasive surveillance.

Surveillance is possibly the worst of the bunch. They say it’s just to do a better job of serving ads, but that’s only the tip of the iceberg. Governments could easily use it to know and track everything you do online. Just wait till the next elected nut job wants a list of everybody that has ever looked at or searched for a certain type of information, maybe they don’t like that you looked up info on abortions or lgbt info, now they can know the full extent of what you saw and when.

Ads will be worse. You think YouTube ads are bad now, just wait till you can’t visit any page without the mandatory viewing of their ads. They can require a cam installed to make sure your eyes are on the ad, helpfully pausing the video when you look away.


Getting some "PLEASE DRINK VERIFICATION CAN" vibes...

https://imgur.com/dgGvgKF


You'll need an "approved" browser and potentially "approved" hardware to access the web. Since Cloudflare is on this too, most of the web will be locked for anyone who doesn't use mainstream hardware.


Cloudflare want to be the internet's backbone. And they've honestly succeeded.

Now it's almost impossible to access websites in an automated way -- the CTO posted you can just email him (https://news.ycombinator.com/item?id=34639212) and he'll sort it. Because that scales.

edit: Misspoke about the CTO, said he would approve you, I was wrong. Apologies.

Their DNS is "privacy focused", but they provide "aggregated results" of domains. How is that privacy focused?

Cloudflare came from the approach of being a developers friend ("Look! SSL is now free!") but was given the internet on a silver platter.


Also remember, Cloudflare is de-facto the moderator of the internet.

Whatever you may think of Kiwifarms, we all saw how that narrative unfolded from a technical perspective.


Yes. Cloudflare was irresponsible in fighting to keep 8chan, Daily Stormer, and Kiwifarms up as long as they did. Every other ISP with a competent abuse desk dropped them. If you don't think that's bad, then let me remind you that back in 2012, Malwarebytes actually had a policy of blocking all Cloudflare services specifically because they were hosting malware and refused to remove it[0]. The excuse Cloudflare used for not removing malware from their network was the same language used to justify keeping the aforementioned sites operational. If Cloudflare was paid to run the Great Firewall of China they'd bend over backwards to try and claim it was to protect Xi Jinping's freedom of speech.

Remember that moderators can be abusive not just in terms of removing content that shouldn't be removed, but also by forcing you to accept things that harm you. Moderation is a trust relationship because I'm delegating my own personal decision to accept or block traffic/content/etc to someone else. Cloudflare is not trustworthy.

Cloudflare also used to be a big pain in the ass for Tor/VPN users because competent DDoS protection requires some kind of traceable identity. Their solution was Privacy Pass - an extension that let you pre-solve their CAPTCHAs. However, this wasn't good enough, so their next solution... was to literally partner with Apple to implement Web Environment Integrity, years before Google even proposed it. Nobody noticed this - not even me - because it was sold as a way to make CAPTCHAs less annoying. It was literally the trojan horse Google could only dream of building.

[0] https://forums.malwarebytes.com/topic/108447-my-site-using-c...


Kiwifarms did not have to use Cloudflare.


Don't worry, Gmail is breaking email too and the CTO will never see your non-google email.


I don't have a mechanism to "approve you". We don't have any clue who people are and so even if I wanted to "approve you" I couldn't.


Sorry, this was wrong. I was a fool to post that without providing context and I apologise. I have updated my comment. I sometimes forget there are real people on the other side of the computer sometimes.

It was this thread, where you mentioned emailing: https://news.ycombinator.com/item?id=34639212


Ah. Makes sense now. I did wonder what you were talking about.


I've never understood why so many tech oriented people have turned a blind eye to Cloudflare.


This needs to get to the European Parliament, we need legislation to protect web interoperability ASAP.


Have at it: https://european-union.europa.eu/contact-eu/write-us_en

I'm having trouble grasping how WEI works, providing examples of what would and could happen and what to ask/tell the EU specifically.

From my limited understanding it would mean the lockout of people with non-compliant hardware/software, greatly increase the fingerprinting of web browser users and further vendor lock in to Google as a company?


But why do they care so much about this? Is it only for DRM on media playback?


The stated reason is to stop bots from being counted as ad views and make sure that all ad views are done by actual humans. This is likely even honest reasoning from the people developing it.

The same technology could easily be applied to simply blocking anyone who isn't verified (in the name of stopping spam, DDoS, bank security, you name it), meaning anyone not using an approved install of Windows/macOS/Android/iOS is shut out from the internet.

In the long term, in the name of "banking security", they're likely to add a mode that also lets you ensure your pages aren't tampered with by extensions, and there go all the ad blockers.


>> The same technology could easily be applied to simply blocking anyone who isn't verified

Sounds like a great way to enforce censorship:

- websites can deny access to unverified web browsers / web clients

- WEI-enforcing web browsers / web clients can refuse to go to unverified websites (not a stated goal, but it is a logical next step to boost website adoption of WEI APIs once a critical mass of clients is reached)

Google wants to build a wall around the Web and have their own walled garden:

https://youtu.be/Ag1AKIl_2GM?t=57


Oh, so it’s like the HDMI DRM that attempts to let displays certify “I’m a real honest-to-goodness TV, not a capture card.”

That one is in the category of things that is little more than a nuisance in practice since it’s so easy to circumvent, but that’s a hardware thing and therefore it’s easier to plug something in that is unauthorized. Things are getting so tightened up on the software side with secure boot, Apple’s read-only system partition and by-default App Store Only policy on the Mac, etc. that I suspect this type of thing will be a pain for normal people, though actual at-scale bad actors will probably figure it out.


It’s far worse. If you go back to the html and http protocols, they are extremely open and friendly. I would say extremely elegant and helped build the web we know today. But google has been iterating away from open and accessible standards in favour of controlling experiences (see amp, WEI, etc). I’m all in favour of secure boot chains with options for unlocking because of the security benefits. There’s absolutely no good user reason to apply this to web resources though.


I know it's not exactly what you mean, but this is why I dislike HTTP2 and 3 (both also heavily pushed by Google but also others). While open, they are the opposite of "welcoming and friendly".


It's so that you don't modify their precious page content (ads and trackers) with "unwanted" software hacks.


They can finally, finally get rid of those pesky ad blockers.

Google is an ad company. They're not a browser company.


Indeed. Nor a search company, nor a phone operating system company, nor a maps company, nor an email provider, nor a business software company.

Whatever someone may think of Google or even of ads, it’s smart to keep that important thing in mind and remember their alignment is and must always be toward maximizing and improving advertising.


No, this is for DRM on web pages. End game is probably to force ads down your throat.


I think there are a lot of parallels with what Reddit did.

Reddit wanted to control how users consumed content on their site. To control the experience (i.e. monetize with ads), they had to shut down third-party clients, since those could remove ads.

Google appears to be doing the same thing, but for the entire web. WEI is a way for sites that want to monetize with Google ads to prevent folks from accessing their site unless they can cryptographically assure that the user's browser will follow all the rules Google sets. We don't yet know exactly what all those rules will be, but it isn't hard to guess that they'll be along the lines of whatever makes Google the most money.

This applies to desktop browsers, but also affects automated tools like wget and curl. It could kill web scraping altogether.


Third-party clients could have been made to display ads, or they could have gated third-party client access behind Reddit Gold. That wasn't the problem.

The problem was that if you used a third-party client, Reddit would have to coordinate with them to launch whatever new stupid cryptocurrency scam they wanted to push that week. On a web browser they can just push new code into it[0], and their first-party mobile clients can be updated ahead-of-time with support for the feature. But third-party clients would have to spend their own development time adding stupid "click here to get your Snoovatar[1]" links. They could slow-walk that, or just not implement that, and Reddit would have to spend time and money kicking users off that third-party app.

This, incidentally, is why every other major social media platform bans third-party clients. Third-party clients are user agents, not platform agents.

[0] Which, incidentally, makes web browsers not user agents

[1] An NFT scam Reddit tried to pull


The Browser application needs to pass a binary image check, and if the browser hash doesn't match Google database, you cannot proceed to the website (since your browser may be corrupted). A major big deal for non main-stream browser, and for non Google browser developers, extension developers (eg. AdBlock), etc. In summary, some websites (like banks, Netflix, etc) will no longer be available for non mainstream browser users. Also, even if you're using Google Chrome, you may need to run the latest version to satisfy the hash check. Every day, the number of broken websites will continue growing until all non Google Chrome users have a blocked internet.


Can you please explain why a third party browser can’t lie about its hash, just like it can lie about its user agent?


The idea is that an operating system service provides the attestation. In turn, the OS is signed, with the bootloader verifying the signature. The bootloader is also signed, with a hardware chip verifying the signature.

The infrastructure to do signed OS loading is already in place, and on some operating systems (e.g. Android), the OS attestation service is already in place. So everything is mostly in place already to have your browser attest that it is official Google chrome on Google Android on an approved device with a hardware chip that verifies a Google approved boot signature. That hardware chip contains a Google approved private key (a key that's signed by a manufacturer that Google has in turn approved/signed) that can't be extracted, and that's the key that makes the attestation. Replace the hardware boot verify chip with one that will verify software you want, and you lose your attestation key.

They could also make the OS service reach out to a web service to get an attestation that the attestation key hasn't been revoked, so even if someone did physically extract the key from hardware and share it, it could be revoked (assuming each device gets its own key).

In effect, wide use of this kind of thing means that open source software is no longer free since even if you can look at the code, you must be part of the anointed class (i.e. working within or approved by a major corporation) to edit it and run your edits.
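The chain of trust described in the comment above, as an added example that is not part of the thread and is not the WEI token format or any vendor's code: a vendor root certifies a per-device key, an OS service measures the browser and signs with that key, and the website checks the chain. The Ed25519 keys, the JSON statement, the freshness nonce, the in-memory revocation set and all function names are assumptions made for the illustration.

```javascript
// Toy model of the attestation chain: vendor root -> per-device key -> signed
// statement about the browser. Everything here is constructed for illustration.
const { generateKeyPairSync, sign, verify, createHash } = require("node:crypto");

const sha256 = (data) => createHash("sha256").update(data).digest("hex");
const spki = (key) => key.export({ type: "spki", format: "der" });

// Vendor root key: relying websites trust only its public half.
const vendor = generateKeyPairSync("ed25519");

// Provisioning: each device gets its own key pair and the vendor signs the
// public key. privateKey stands in for the non-extractable hardware key.
function provisionDevice() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  return { publicKey, privateKey, cert: sign(null, spki(publicKey), vendor.privateKey) };
}

// OS attestation service: hashes the browser binary itself and signs the
// statement with the device key. The browser does not supply the hash.
function osAttest(device, browserBinary, nonce) {
  const statement = JSON.stringify({ browserHash: sha256(browserBinary), nonce });
  return {
    statement,
    signature: sign(null, Buffer.from(statement), device.privateKey),
    devicePublicKey: device.publicKey,
    cert: device.cert,
  };
}

// Relying-party check. Returns "ok" or the first reason for rejection.
function verifyAttestation(token, expectedNonce, approvedHashes, revokedKeyIds) {
  const keyBytes = spki(token.devicePublicKey);
  if (!verify(null, keyBytes, vendor.publicKey, token.cert)) return "untrusted-device-key";
  if (revokedKeyIds.has(sha256(keyBytes))) return "revoked-device-key";
  if (!verify(null, Buffer.from(token.statement), token.devicePublicKey, token.signature)) return "bad-signature";
  const claims = JSON.parse(token.statement);
  if (claims.nonce !== expectedNonce) return "stale-nonce";
  if (!approvedHashes.has(claims.browserHash)) return "unapproved-browser";
  return "ok";
}

function runScenarios() {
  const official = Buffer.from("constructed bytes of the approved browser build");
  const modified = Buffer.from("constructed bytes of a locally patched build");
  const approved = new Set([sha256(official)]);
  const device = provisionDevice();
  const nonce = "constructed-nonce-1";
  const check = (token, revoked = new Set()) => verifyAttestation(token, nonce, approved, revoked);

  // A modified browser can write any hash it likes, but has no vendor-certified key.
  const rogue = generateKeyPairSync("ed25519");
  const claim = JSON.stringify({ browserHash: sha256(official), nonce });
  const selfSigned = {
    statement: claim,
    signature: sign(null, Buffer.from(claim), rogue.privateKey),
    devicePublicKey: rogue.publicKey,
    cert: device.cert, // certificate copied from a real device
  };
  const borrowedKey = { ...selfSigned, devicePublicKey: device.publicKey };

  return {
    genuine: check(osAttest(device, official, nonce)),
    patchedButMeasured: check(osAttest(device, modified, nonce)),
    selfSigned: check(selfSigned),
    borrowedKey: check(borrowedKey),
    replayed: check(osAttest(device, official, "constructed-nonce-0")),
    revoked: check(osAttest(device, official, nonce), new Set([sha256(spki(device.publicKey))])),
  };
}

console.log(runScenarios());
```

Unlike a user-agent string, the claimed hash is only accepted when it arrives under a signature that chains to the vendor root, which is why the two hand-written tokens are rejected while the same hash from the OS service is accepted.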


Because the encryption key you need to sign the hash lives in EL3[0] and only Google and ARM can load code there. In order to lie about your hash, you have to break ARM TrustZone, and if you do that you can be sued under section 1201 for trafficking in copy protection circumvention tools. In other words, the law that prohibits you from selling DVD copiers can be used to give literally any bullshit the backing of law.

[0] An ARM exception level that sits above hypervisors and is specifically intended to support trusted execution modes for isolated mini-operating-systems that do this sort of shit


> Can you please explain why a third party browser can’t lie about its hash, just like it can lie about its user agent?

Because that thing basically describes a proprietary plugin like Activex, Silverlight or Flash before it, so a third party browser which doesn't have that proprietary tech can't fake it, under pretense of "standard". The code of that plugin will not be open source, worse, it will act as a spyware on people's computers at the OS level.

It's like EME before and these proprietary techs have no place in a open standard spec.


Because the website is not just asking your browser to attest, the attestation process requires the OS to send verification.


This is essentially a backdoor attempt to TiVoize[0] web browsers. The only difference is that, instead of directly using hardware to prevent you from running a modified browser, the intent is to use network effects to accomplish the same thing.

[0]- https://en.wikipedia.org/wiki/Tivoization


From a very top level view, this gives Google, and other websites, the ability to block requests from devices/browsers they don't approve.

This implements device level verification of the code running your browser. If the device identifies as something Google, or other implementing websites, don't approve, you'll get an error similar to how you see 404 errors for missing/wrong links.


If adopted by publishers, the web will be closed to everyone but allowed browsers on allowed OSes on allowed hardware. No ad blockers, no extensions, no customizations beyond what the few chosen browsers allow explicitly.


I have a website so I guess that makes me a publisher. Say I wanted to block Chrome on Windows and Firefox on Debian? How would I use this?


The browser would provide an api which returns a signed token which will be confirmed by an attestation authority.


To turn your browser (an agent acting on your behalf) into a proprietary application (an agent acting on behalf of a website) -- i.e. the equivalent of forcing you to install a proprietary application in order to visit a website.


If websites wanted this feature, and the choice is between Chrome implementing it versus me installing proprietary software, I would rather choose Chrome, especially since Chrome is implementing it in the open.

There are already various services that require proprietary applications to be installed, most of which are closed-source with dubious security track record. Replacing those propriety apps with a common web browser is not necessarily a bad outcome.

Personally I am voting with my money and just avoid services that are user-hostile, independent of which user-agent I use to access those services.


ENORMOUS fingerprinting potential and capability to disrupt the user's ability to block content. Or access it.


Nothing will happen. People have been making the same complaints about every new crypto standard for decades, and yet here we are. TPMs are a thing, EME has been around for over a decade now, DRM on the web is as pervasive as it's ever going to get, and yet no one's user experience is any worse than it was before these technologies existed.


Yes, and I am still unable to play 4K Netflix on a PC that has been able to play 4K videos for about 7 years now.

It's permanently blocked to prevent piracy, or something, mumble, mumble...


It really does feel like something is fundamentally wrong when we're trending towards getting our video and audio content via online streaming but the streaming services are trending towards being gatekeepers more than facilitators.

The temporary nature of any licensing deals behind these services and the resulting lack of reliable long-term access to content have become more and more obvious.

Increasingly the streaming services seem to be so paranoid about piracy that they are blocking "unapproved" players from getting the highest quality versions of the content - as if anyone who wants to pirate any blockbuster movie can't already find a way to get it in 4K somewhere else if they really want to. Meanwhile you can't watch your 4K movie on a service you're literally paying to provide that movie. IIRC Amazon Prime Video still won't even let you have HD content if you're on Linux.

It feels like the commercial incentives for tech firms to create walled gardens and a culture of never owning anything permanently are going largely unchecked and by now the governments who are supposed to act in the interests of their people should really be stepping in with regulation to counter those negative trends.


There are several ways to play 4k Netflix videos on any platform you want, because nothing they are doing actually prevents piracy.


It's not about preventing, it's about controlling. Making everything as an appliance is the backbone of consumerism.


So, no 4K Netflix on Linux (and not even 1080p without light hacks), presumably because of some incompatibility with the DRM. Still handily beats the situation that existed before. "Similar to video DRM" doesn't scare me. Mass surveillance is scarier.


>DRM on the web is as pervasive as it's ever going to get...

Apple and Google only just now implemented this kind of web DRM, which absolutely can have further restrictions added to it. Careful with your absolutes.


This war was already settled long ago on smartphones, which are globally the most used personal tech. There are already lots of things like banks and messaging apps that require full or partial use of an unrooted smartphone for security purposes. Now they're bringing it to the more niche area of PCs.


this is where you should vote with your wallet and feet. and I think it's not really a stretch to ask Google's engineers who work on chrome/ium to get a job somewhere else.


I think it would be interesting to get their views on it. I wouldn't be surprised if a lot think this is a good idea. Not that I agree, but I think it's unlikely that everyone sees it the same way as those outside the organisation.


Obviously, if you get paid to implement this you don't want the cognitive dissonance of knowingly doing something bad, so I'm sure those folks have already laid out their justification for this technology.

I wish Google could and would make Chrome closed source. It would at least give all those rebranded Chromiums (Opera, Vivaldi, Brave) a strong reason to reconsider their choice of engine, or at least maybe work together on a more divergent fork of it that stays away from Google's evil stuff.


"It is difficult to get a man to understand something, when his salary depends upon his not understanding it".

I imagine it's hard to push back against it even internally. Not to be jaded, but one or two people raising a stink about it will only achieve them screwing up their career prospects within Google.


A cynic might observe that the tech sector - and US big tech in particular - has just seen the biggest round of layoffs that many of the developers in that market will remember. Many of those same developers might have been thinking even 18 months ago that their extremely high compensation was guaranteed because finding another extremely well compensated job was easy. Now they know better and I'm sure a lot of people are scared. Seems like a good time for management to push bad ideas that their remaining employees might not like.


Instead of simply flailing our collective arms around complaining about an evil corporation, has anyone written to the respective competition authorities (such as the FTC in the US or CCI in India) about the potential anticompetitive effects of this proposal?


From the spec author, in 2022 [0]:

> I decided to make this an app in the end. This is where my costs started wracking up. I had to pay for a second hand macbook pro to build an iOS app. Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app.

The double-think is absolutely astounding.

[0] https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...


I don't think it's double-think, it's just a lack of consequential thinking. I believe the writers of the spec when they say that they just want to be able to see which ad views are real or not. They even lay out some (far too weak) ideas to keep the system from being mandatory and abusable. But they don't realize just how quickly things will go out of hand once the rest of the organization realizes what they have created.

The road to hell is paved with good intentions.


> it's just a lack of consequential thinking

Googlers tend to trust google, even when it's readily apparent tool/system design obviously puts them in a control position above anyone else in matters that extend beyond their own walls. I've only met a few that will coyly admit they don't trust google, but maintain they have to keep up appearances.

I think it also explains their outspokenness on societal issues outside google's control. It's a distraction from thinking too hard about what societal bad google does have control over.


Exactly. This is common also with other tech companies. I knew an ex-Facebook employee who was defending them at the height of their "Facebook Research proxy monitoring underage kids traffic" scandal. I'm sure his team was trying to be moral in their work, but people don't realize this doesn't generalize to massive corporations or even that in their bubble their morals may be perverted.


> The road to hell is paved with good intentions

Fine. Then, when we arrive in hell because this person took us there, it should follow him all the rest of his days that he was too Pollyannish about the consequences of his own designs.


[flagged]


I agree that there shouldn't be bullying campaigns on HN but you veered into offtopic flamewar at the end of your comment and that is in no way helping. Please stick to the site guidelines.

https://news.ycombinator.com/newsguidelines.html


>1. Apple GateKeeper. "End of the Mac as a general purpose compute platform is nigh", >10 years later, you can still run whatever apps you want.

We ignoring that they now, as of the last 2 years claim unsigned apps are "Broken" and need to be "Moved to the Trash" instead of just "Unsafe" with an "Open" command?

They're moving at a snail's pace but there are people working at Apple trying to force the hands of devs into an iOS like system.


> 3. Web EME. "End of the web as an open platform", years later, web is just the same as it always was.

And yet every single paid streaming service refuses to serve high quality video to users on platforms like Linux. This is entirely normalized, and they still get to call themselves "web" sites because this mechanism is now officially part of "the web".


They weren't doing that before EME either, were they?


I see damage control has started to appear...

The frog boils very slowly.

This from an industry that broke a zillion scripts as part of renaming git master to git main on the basis that the first name is somehow hateful.

That was the actions of a small group of extremists, and there was widespread opposition to it too.

Spinning the opposition as "hate" seems rather popular these days, and it's not wrong: We hate what Big Tech has done and is continuing to do to our freedoms and it's about time we released all of our rage on our oppressors.


We're a long way past source code being transmitted in magazine articles. Some of the people that are going to hand wave this away were born in the boiling water.


You're not wrong.

The real problem here seems to be giving one single company too much unchecked power rather than the individual proposal itself.


AFAIK, Number 2 only didn't happen because of pushback. It's also not too late for that to happen should Microsoft decide to move with it.

FWIW I didn't think any of the previous things would turn catastrophic, but I do think this might. I work with a lot of web marketers and also with security teams, and they will both salivate over this. Between marketers and security teams, that's like 90% or more of the internet.

This change is laying a trail of metaphorical kerosene from the campfire. It's possible the fire won't spread beyond the fire ring, but it won't take much for it to escape and then it's going to be unstoppable.


You seem to be under the impression that a forum with hundreds of thousands of users has one consistent opinion on everything. This is wildly incorrect.


Calling it a "vicious hate and bullying campaigns" is pretty overblown. You can't even propose closing the web to anyone without a big three controlled device anymore without being mean to you, sad.


This is especially surprising coming from a Linux user who presumably understands the desire to have a device that runs code one can read, write, compile, execute, and share freely and without needing to receive approval from a Big Tech gatekeeper.


Maybe desire for great performance review is much greater in the author than being able to access the Web from his Linux laptop?


My understanding is that Ben gets his paycheque from Google.


It's hard to get someone to understand if his salary depends on not understanding.


The guy seems to have deleted most of his social accounts. Clearly he values privacy for himself, just not for everyone else.


It's notable that the proposal was put on a personal GitHub rather than a Google corporate GitHub. Someone is trying to avoid Google's obvious presence being too visible and throw their engineer under the bus instead.

For shame.


I've heard time and time again how this is "the end of the free web". Can someone succinctly explain how this is the case, for somebody not familiar with web browser architecture? What does WEI provide that wasn't previously possible?


Future web will require you to have certified browser - Chrome ™, to access the web. It will require certified OS Windows™, running on trusted Hardware TPM™, running trusted firmware CIA™.

You'll have no choice and your love will be mandatory.

This won't stop malware of course. However a skull clamp will be installed to monitor your thoughts and you will be zapped if undesirable thoughts are detected.

Note: it's a hyperbole but if you want another OS, Browser or hardware you'll be forced to Homebrew it. Or use a compromised app.


Can Google really do this? What if I'm using Safari on OS X, or Firefox on Linux?


This not only requires Google but websites also need to implement.

The problem is given the number of Google's services, it can easily "nudge" site owners into implementing it.

They can make it mandatory for adwords or analytics or any other service that they have for webmasters and everyone will have to jump in while it is still technically voluntary.

If your $bank chooses to implement it, then it can very well mandate only windows or osx clients. Then you can't use firefox on linux.

This may sound like conspiracy theory but we already have examples of similar restrictions on android apps with safetynet. Bank apps already refuse to run on custom roms. It will not be limited to banks. Someone mentioned that McDonald's app doesn't work unless you pass safetynet.

That is how ridiculous it can become.

Edit: fixed typos


Well, who's going to stop them?

As for other browsers: I guess that you'd still be able to access my website, but YouTube and GMail will just show you a generic "This browser is not supported" or, at best, "Your browser had been deemed insecure. Please use a secure browser".

If we go full Nostradamus the most likely result is that Safari will play ball (because they are already doing something similar), Firefox will play ball (because they no longer have a spine), they'll implement whatever Google says, and yet another portion of the web will be closed to those who don't dance to Google's tune. I hope you're not too attached to youtube-dl or your adblocker.


If your choice of operating system and web browser are not WEI-compliant, you can expect something like:

"Sorry, this site requires a certified web browser.

Your browser does not meet the security requirements that this website requires.

Please upgrade to the latest Google Chrome and remove any uncertified plugins."


Then you're out of luck. That's the whole point.


Firefox on Linux will likely lead to problems accessing various services/websites.


Actually the free web ended with net neutrality. Didn't you notice when that happened?


Google is clearly being evil here, but the original sin was having user-agent strings in browsers at all.

Public information on the 'world wide web' should by nature be open and accessible to any agent in a neutral way. (Of course this is implied in Google's (bullshit, cough) mission statement.) Making information about what the agent is invisible as a principle from the start would have helped with that.

In reality, that vision was lost in the early 90s when the web went from being a proposed hypertext/document/information retrieval system to being mostly a presentation system for what started as magazine/leaflet/poster analogues ("websites") to which were added dynamic client/server web applications.

The difference in model is stark: in the former, the browser, even the user, makes decisions about the presentation of the content based on mostly structural information declared in the document. In the latter, the 'document' is not a document, but a program executed on the users computer.

And once you've made that transition, the "developer" of the "program" now expects more and more of the kinds of controls they get when they truly control the platform.

And it doesn't help that in the midst of this, mobile applications came on the scene, undermined the web completely, and changed expectations of how content should be made available. From that point on it became even more expected by companies and product managers that they control the whole sandbox. e.g. Meta couldn't even be bothered to launch Threads on web, probably precisely because they don't like the restrictions there, and having full control is so much more profitable to them, and they're not the first.

In any case, this all sucks. I've already personally switched to Firefox in most places, but the very fact that Google feels emboldened to push this tact says a lot about the state of the web and how this 30 year trajectory has gone.

In a way, I just hope the "www" dies and all of us who helped create this thing in the first place birth something new and better. But this is also hopelessly naive.


Not sure how exactly ad fraud works but why is this WEI supposed to even prevent it? There are many tools that allow you to control your mouse and keyboard programmatically like pyautogui [0].

Will the OS check if such a python lib is installed or a script is running in the background? Then those that are doing ad fraud will move to a programmable board as a BLE keyboard/mouse/HID. Even a microbit can be programmed as a BLE HID device [1]. Add an external camera on an unattested device that will stare at the attested device's screen and you can automate lots of things. Sure this is more complicated to pull off but will probably eventually happen anyway if this is a lucrative business.

In the end WEI wouldn't prevent ad fraud / fakes but would end up used for restricting other things.

[0] https://github.com/asweigart/pyautogui

[1] https://github.com/bsiever/microbit-pxt-blehid


> Will OS check if such python lib is installed

Most computers come with a trusted platform module which increasingly runs more and more services related to media handling. On modern Macs the T2 chip is an A8 or A9, meaning it has the same power of a modern iPhone and handles everything from device input (mouse & keyboard), to webcam decoding to media decoding. When you watch netflix on a modern macbook, the video buffer that is displayed is actually a shared memory buffer from the T2 chip, which the main SoC can't actually see. If you take a screenshot you will see that the screen stays black, since audio and video come purely from the chip.

You could run a Browsers Renderer in there and you would never notice.


The term for this is "cat and mouse"


This is a crisis of our own making. You don't want Google taking decisions for the web at large? Then don't let them own 85% of the browser market share. When that's the case they don't need W3C or anything to implement whatever they want, they effectively control the client-side internet.


One of the things that led to Google's current dominance is folks like us (certainly me, at least) pushing folks to replace their default IE installation with Chrome as soon as they set up a new computer.

I hope, pragmatically, something similar might happen with this: say that Brave (my daily driver) disables WEI in their Chromium build, and a new Chromium-derived browser surges in popularity... like judo, using their own power against them.


What's wrong with Firefox?


In the last few years (or in the first few), not much. But there was a time where Firefox was difficult to recommend for performance reasons - I think it's right when they switched XUL iirc. To me that's what afforded the then-competition (Opera, Safari, Chrome) to start to eat the market share. It's why I switched to Chrome for a while (before everything was Chrome).


It's proven that mass marketing works. Tell me how a minority of informed and caring users can avoid on their own that a single large scale bad actor pours millions over millions of dollars to convince the uninformed masses about whatever they want. It even happens in actual elections when some factions use misinformation campaigns to alter the average voter's perception! So not an easy task to solve without help.


Totally. In most things, you need to have the ability to trust that users will make (or at least see) the right choice even over multi-million marketing initiatives. Given today's people and today's marketing, I'd say we're properly fucked.


>Tell me how a minority of informed and caring users can avoid on their own that a single large scale bad actor pours millions over millions of dollars to convince the uninformed masses about whatever they want.

Firefox.

No, not Firefox of today; I'm talking about Firefox 20 years ago that defeated IE6 by sheer force of nerds alone.

Of course, the landscape is vastly different now and Firefox today is about the most not-nerd thing next to Chrome. If there's a browser here to save us anywhere, I'm not seeing it.


> Firefox 20 years ago that defeated IE6 by sheer force of nerds alone.

Firefox was significantly better than IE though: it was faster, had more features, and things like that. This is what made Firefox popular, not "sheer force of nerds".

Chrome, when released, also had some significant improvements to Firefox. In particular, it was loads faster. This changed with "Firefox Quantum" (59 IIRC), but "too little, too late" I guess.


Firefox was better than IE6, but it was the sheer force of nerds that dragged it across the finish line because neither the enterprise nor the general population otherwise cared.


What does that even mean? People used Firefox because it was better. It's that simple. No one forced anyone to use anything.


People used Firefox because their nerd friend or family member helped them download and install it. We got to 100 million downloads almost exclusively on word of mouth. It's not enough to have a better product, people have to learn about it and we did that with SpreadFirefox and other efforts I helped initiate so I'm very familiar with this. You don't have to trust my appeal to my own authority here, but I doubt you've got anyone closer to Firefox's early growth than me so maybe worth listening.


People used Firefox because it was installed on their computers by the neighborhood nerd. Something similar must happen now. People have to cease using gmail, google search and google maps.

Alternatives need to be built and advertised.


Firefox was not faster than IE. We lost on pageload, cold and warm start, new window, pretty much everything.

Firefox was better because it had tabbed browsing, integrated search, pop-up blocking, and extensions, but I was responsible for monitoring our perf back then and I can say for certain that we were not faster.


What you can do:

- stop using Chrome

- do not implement web DRM on your personal site

- do not use providers like Cloudflare if they will support web DRM

- maybe add a warning on your personal site for Chrome users

Maybe something else?


One problem I find is that all that we do is in a bubble. I can convince a dozen like-minded people about the dangers and actions to take. However, the vast majority of the population is completely oblivious to all this and are negligently complicit in enabling bad behavior. This sort of things need to be discussed on the streets and in mainstream media (not tech media) for regular people to become aware. Remember that during the previous browser wars (IE vs Netscape), it was much more in the open and a lot more people knew.


I'd go even further and say that vast majority of population equates google with "the internet".

"IT people" live in a bubble and HN crowd even more so. There is nothing to stop this.


Is anyone else working on alternatives to this web? We're going to want something working before this one becomes a telescreen.

I'm thinking:

- content addressing, not server addressing (to better distribute the hosting load)

- looser coupling between data itself and apps for viewing data (to prevent aesthetics from being used as a heuristic for trustworthiness)

- a native permissionless annotation protocol (p2p trust governs whether annotations appear: if you see an ad, just revoke trust in its author)

- no code execution needed for browsing, fancy features (i.e. the kind of thing you actually need js for) stay optional

I'm curious what design goals other people think are relevant.


I’ve put barely any thought into it but I think a “localnet” would be better. Your usage is entirely based on calculated geoposition and the userbase is segmented into regions based on user count. More than X0,000 users in any one region and it splits to keep things small. This would be a limitation for hosting content. If you want to send a message out to another person in a different region you’d have to make a deliberate effort to do so and it will be private such as a letter would be.

Idk if that would achieve my goals and honestly I can’t plainly state what my goals are. All I know is I get tired of privileged California snobs telling me how things should be in my back 40


I've had similar thoughts. I've been sketching out a design where you can tag data with a location (a restaurant menu, say, which is only needed near the restaurant). Suppose the data is being gossiped between mobile devices. Some process which understands the user's past (and estimated future) movements can decide when the data can be forgotten.

Plus--as I imagine it--users would be able to trust each other in certain domains, so which fragments your device hangs on to is going to depend on who you trust and what you're interested in.

Hopefully, these combined would mean that whatever part of the web is relevant to your location is also the part of it that's already cached on your device or on a nearby one.


I think this is a somewhat natural consequence of Google being a powerful corporation.

And, I don’t think we (somewhat loosely defined group of people who like free software and information and have a user-friendly computing environment) can and should work against this. Probably, we should give the corporate web some sandbox where they can play their games, while we develop alternatives.

For example, Gemini is becoming more popular. People are talking about search engines that exclude the corporate web and favor personal websites. IPFS or just switching to FF again.


Requiring remote attestation of devices not owned by the relying party should be illegal unless it is a revocable opt-in and only used to protect interests of the user, not service provider.


I am a bit confused. This sounds a bit stupid. If this is DRM for web content, then what would non-Chrome browsers like FF do for web pages that ask for such authentication? Refusing to work with other browsers than Chrome seems like a lawsuit waiting to happen.

[1]https://arstechnica.com/gadgets/2023/07/googles-web-integrit...


We are in post-efficiency era. Power is driving profits and that's what companies compete for. Efficiency (value-to-cost ratio) is now a technical detail, soon to be automated away by AIs. The same is happening in politics - efficiency is a technical detail delegated to civil servants while politicians focus on power. The world is a small pond full of sharks so hungry they eat each other.


Can't we make an intranet of our own? Yes, I'm being stupid right now, but I don't want WEI or anything like that. If we power users can create something like the internet where there are multiple websites and stuff like it was in the old days... I don't know what I'm talking about clearly, but I think y'all understand me.


I don't see how this will end the "free web." No publisher will be forced to use DRM. Anyone can still create a website and make it accessible to anyone for free with an internet connection.

If certain publishers want to require ads to view their content, that seems like their prerogative.


Until Google Search starts punishing sites that don’t require a trusted execution environment…


I've seen people open up all of their users' "private" content to Googlebot IPs just to get rid of errors in Google's search/Adsense console "in case it helps revenue" (as in they didn't even know for sure if it would help, only that it shows up as an "error" in Google's console and red=bad)

All you need to do is to jingle some real, if small SEO/ad advantage and people will bend over themselves to lick Google's boots.


SSLKEYLOGFILE still works for Chrome, right?

One way I could imagine to circumvent WEI would be to let WEI-enabled Chrome do its thing, while proxying the decrypted HTTP traffic to a free browser with plugins activated, potentially on another machine.


In my opinion, I think that it is good to remember the name of these developers that have not enough moral ethic to not betray the internet and users:

- Peter Bork Pakkenberg - Rayan Kanso - Dmitry Gozman - Richard Coles - Kinuko Yasuda

Let's not forget that it is not Google in itself, but persons behind the keyboard that are pushing that. People that have the power to say no but did not.

I don't know you, but at the next Google mass layoff, I will certainly not offer to give an employment to someone with so little morality like them...


Just don't use and especially pay to sites that will enforce this.


Remember when everyone and their brother helped everyone and their mother get on Chrome about meh, maybe 15 years ago?

Time to get everyone and their brother help everyone and their mother get on Firefox.


I'm sick of these guys trying to break the web. From now on it's personal. We need to make sure that Google gets very hurt, and ideally they are wiped out from our industry.


Publishing an implementation of a proposed web specification is how all web standards are created or evolve. The same thing happens with WebGPU, WASM, and many before them. Usually with a prefix (ms-, moz-, webkit-,...) and/or locked behind a config setting before standardization.

What is different this time other than it being a feature that is considered user-hostile?

That's not to say we shouldn't oppose this feature, I just wouldn't be up in arms about an implementation existing.


> That's not to say we shouldn't oppose this feature, I just wouldn't be up in arms about an implementation existing.

People aren’t up in arms about the process by which web standards become accepted; they are up in arms about this standard moving forward at all because of its dangerous implications for the web and its outright user-hostility.


How do we kill Google? They were great for 10 years - so so for another 10 - but now they’re outright hostile towards the free internet and must be put down. So how do we do it?


How to Email to the President and Members of Congress

https://www.einvestigator.com/government-email-addresses/ [2022]

This abuse of tech potentially goes beyond antitrust, and damages global economic wellbeing, as well as impoverishing information systems on a global scale, generating isolation, ignorance, division, and radicalization.


Is Brave browser safe from this considering it uses Chromium?


I guess they could un-cherrypick this 'feature', but that doesn't mitigate google or publishers requiring a response from this API, in order to serve a request.


It's such a lazy, bad proposal that even if one wanted what it promises to deliver, you'd be hard pressed to choose a better way of getting it used for malicious purposes. Handing the token back to the web script means successful cross site scripting attacks can farm, exfiltrate and repurpose the tokens, as well as bypass attempts to limit which domains are allowed to receive their contents.


Because we are only 'recipients' of their actions we can only watch, shame, scream, screech.

It is, as always, for your protection. They will shake hands, implement whatever they like.

The road is clear. Chat control, Earn IT act, TPMs, Secure Boots, Cyber Resilience act, Online Safety Bill, Crypto Wars.

Most of the users decide what can happen. Most of the users are blind. The network effect will eventually force everybody to follow.


I hope someone from the Pirate Party in the European Parliament brings this threat into discussion there as soon as possible to spread awareness.


One thing about this that I don't understand is how they intend to validate memory without controlling the entire stack (which we aren't even 1% close to achieving on the desktop). If I poke /dev/mem, does that mean Chrome will have to validate every single byte of its RAM? Or does it rely on having a fully locked down environment (maybe feasible on phones).


Even on Windows, you can do practically anything with a signed driver.

There's just no such thing as verifying a "secure environment" outside of extremely narrow, controlled scenarios.


Looks like this has been inserted into release 117, which won't hit the stable channel for several months yet. Chromium is still the most secure GUI browser out there so I'm not in a rush to leave, especially as OpenBSD 7.4 will probably ship with 116.

If the devs/Google's intentions are truly limited largely to trying to prevent bots, then I hope they realise their folly.


If you STILL use chrome after this, you were never willing to give an alternative even a little bit of a chance anyway. Surely not supporting this and the power it gives Google over the web is worth a "slower" (I've never experienced that) browser or one with a stupid pocket logo in the corner that you NEVER HAVE TO INTERACT WITH EVER


@dang Would we be able to update the title please?

To clarify the acronym, _Google is already pushing Web Environment Integrity (WEI) into Chromium_


A good way to measure how annoying this would get is to look at the handful of applications demanding SafetyNet on Android. It is not quite as much as one would assume, since adding friction of any kind is a retention killer. On the open web this would likely be worse, since you are locking out more than jailbreakers and emulator users.


For those who still aren't sure why this is a bad thing, read Stallman's "Right to Read" story --- that's the direction WEI is going to take the Internet and probably other things too, if the opposition isn't strong enough.

Ironically, WEI is one letter off from WEF... but I doubt that was intentional.


Can someone explain how it's technically impossible to conform to this spec using, for example, some desktop Linux distro and, say, Firefox? Is there really no OSS way to implement this? Secure boot works today on Linux (might not be the default happy path, but that seems fixable). TPM APIs are there, no?


Is there no EU regulation against this?


Careful, with the right arguments from Google the EU might just make this mandatory in the name of "security".


And if they prohibit it, Google will just pay a several billion dollar fine. At the end of the day, it's just a cost of doing business. Something like an extra 2% tax raise or something. Whatever. Dividend time.


The EU is at the forefront of wanting only "real people" online. So no, if anything digital identity is squarely within what would appease the EU


And yet people keep saying it’s an independent project that is definitely not google controlled.


I wish Google would solve real developer pain points like having secure client side storage. That would be useful to developers. But heaven forbid they take a break for a moment from trying to squeeze every ounce of profit out of their users.


In order to have secure client-side storage, it seems like you would need to be able to verify that the client-side application that is accessing it is unmodified -- which is what WEI would allow for.


Is there a technical explanation of what exactly is being pushed here?

Web is an open protocol. It is okay for both browser and server to support some third party extension, and Google owns 95% of browsers. But how can it be forced onto all the servers?


I'm curious what Brave says to my issue: https://github.com/brave/brave-browser/issues/31897


Could a core common library that Chromium depends on update its license to block use in software that supports attestation, roughly?

If Google wants more control and closure of the web, they shouldn’t benefit as easily from its current openness.


WEI stands for Web Environment Integrity:

https://en.wikipedia.org/wiki/Web_Environment_Integrity


The web stopped being open when W3C accepted EME. Now that effectively Google IS the web, they don't even have to fake attempting to convince anybody and will just turn the web into another proprietary technology.


> The web stopped being open when W3C accepted EME

The web was more open when to play those videos you had to use a proprietary Flash or Silverlight plugin?


> The web was more open when to play those videos you had to use a proprietary Flash or Silverlight plugin?

That's what you are claiming with your sarcasm hidden behind a rhetorical question, I've never said anything about Flash or Silverlight in the comment you've answered to.

There is absolutely no difference from a conceptual perspective between EME implementation and proprietary plugins, EME is necessarily based on a proprietary spyware, but you can't fathom that fact apparently.


You said the web stopped being open when EME was accepted.

But as you just noted there is no conceptual difference between EME and the proprietary plugins that it replaced (Flash based and Silverlight based video players).

So how does replacing something with something else that is conceptually not different change that status of the web from open to not open?


> You said the web stopped being open when EME was accepted.

Neither Flash nor Silverlight were ever web standards. Flash was never accepted as a web standard. EME is a web standard.

EME is as bad as Flash or Silverlight from a conceptual perspective. EME has no place in web standards, no more than flash.

Again, it's you who brought up Flash and Co, I never brought it up.


Flash wasn't just DRM though. Incorporating video and animations into the web proper through browser was a win for the web despite the bitter pill of not ridding ourselves of DRM.


> Flash wasn't just DRM though. Incorporating video and animations into the web proper through browser was a win for the web despite the bitter pill of not ridding ourselves of DRM.

DRM as implemented by EME is necessarily a closed source, proprietary plugin just like Flash, I never said that Flash was just a DRM. Flash could be used as DRM system, in fact its video format FLV supported DRM.


Alright folks, time to cancel that Youtube Premium, Google Domain, Google Compute Engine, Ad campaign, PPC, Etc.

My business is off any paid Google crap.

I will never prepare a computer without uBlock Origin for any customer or colleague.


So fudging sick and tired of having to defend free and open information.


Apologies if this was asked already, but what do people think is the most effective way to combat this? We are a website full of people who understand tech, surely we can find a way to push back


I don't think that that's surprising. Isn't this how all proposed features work? They can sit behind a flag for years, but the goal during a proposal is to ship first.


Can someone please explain what this actually is. Without the poetry.


This is about WEI, Web environment integrity. The article below sums it up pretty good.

"The proposal suggests that websites should be able to request an attestation from the browser about its “integrity”. Such attestations are to be provided by external agents, which – presumably – examine the browser and its plugins, and issue an approval only if those checks pass.

The attestation is sent back to the website, which can now decide to deny service if the agent did not give approval." [1]

1. https://interpeer.io/blog/2023/07/google-vs-the-open-web

In other words, websites can now force you to comply with their shitty behaviour in order to allow you access, otherwise you get denied access.


The way you put it, it's like a captcha (but stronger, and with a high risk of unwanted side effects)?


Yeah, I think that’s a good explanation. It’s like a captcha for your device and it’s the underlying OS that handles the attestation.

The downside with this is that there will be a walled garden where custom devices are not allowed access to.


ELI5: Server: Are you a real user capable of viewing ads? Client: Hmmm, not sure. Server: 404


Is adding a feature-flag really the same as pushing the feature into the browser immediately? It can easily just be part of a SWE needing the flag in place in order to continue work without impacting anything else, even if that thing never ever launches.

In general Google engineers don't tend to work on branches, especially long-running ones. Incremental small code reviews are the expectation. The general process would be to stick things securely behind flags and continue development without turning it on, even if it never ever launches.

Not saying this work should be done -- it shouldn't -- but code being pushed is not the same as "we're going to make this happen tomorrow, no matter what."


> Is adding a feature-flag really the same as pushing the feature into the browser immediately?

"Don't mind me guys, I'm barely boiling the frog."


> Is adding a feature-flag really the same as pushing the feature into the browser immediately? It can easily just be part of a SWE needing the flag in place in order to continue work without impacting anything else, even if that thing never ever launches.

Yes, because that's such an anti-consumer issue. It shouldn't exist in the first place, it should never be merged to master. There's no reason to not keep it on a separate branch if you don't intend to use it.


Honestly, if the work is going to be done (again it should not be done), I'd rather have it out in the open.


Yes, because a feature flag shows intent to implement it before any real discussion has taken place with privacy and non-corporate security advocates.


Companies don't usually make a habit of having their employees work on something they don't intend to pursue.


Yes, they actually do. Or rather, there is no "company", there are thousands of different decision makers.

My point is that at some other company (e.g. Apple) it would be done in secret on a branch somewhere, then big-bang merged later.

Google's process doesn't tend to work that way.


I wish that were true in corporate America! Think of all of the waste that would eliminate.


Yeah but then you also have to think about all the jobs that would be lost.


When was the last time you heard Google or anything Google-related backing down from getting their paws in deeper? It's no longer a fallacy when there's a sign next to the slippery slope.


I worked in that code base. Things were feature flagged then murdered all the time.



That’s backing down from responsibility not from doing the wrong thing.

We can add www to the list.


What, you think they push the flag without the intention to make it happen?


Because I worked at Google. People get tasked on working on things that get killed later all the time.

Don't underestimate how much money they have to burn and how incompetent upper management is at making hard decisions and planning.


[flagged]


Do you or did you work at Google? Because I did, for 10 years.

And can we retire this inane content-less quip already?

Also I'm old enough that even my children aren't children anymore. How I would dearly love for your statement to be true.


Since this is basically just obfuscation shouldn't it be possible to break it? Heck it's not even DRM so it doesn't fall under the protection of the DMCA.


No, not at all. Search "remote attestation" and "safetynet".


Is it possible for web server software developers to oppose this? I mean, if Apache and Nginx join in protest and refuse to support it, Goolag will lose!


I wonder how many of the 210 comments were written in Chrome.


Isn't this easily "defeated" by the use of a web proxy? Won't corporate web proxy software just replace the token with a generic company token?



There should be a "United Guild of Noble GentleNerds", which Google, and all its employees, could be formally kicked out of.


Can attestation of the browser be used as personally identifying information? It obviously must be one more data point in identifying the user?


Is it just me or does this sound a lot like the DPOS solutions offered by many scammy ponzis under the name of a blockchain/cryptocurrency?


Are there forks or earlier versions of Chromium browsers that can be maintained separately without folding in these changes?


This is Google's answer to the threat LLMs pose to their search engine - cement their ad business into the core protocols.


Just say no.

Ignore Google and educate your friends and family about the alternatives. Make it your mission to save the Internet.


If it's possible to detect the feature and reject delivering to a browser that has this feature enabled.

Fight.


so in the case of a forced implementation of this, websites don't actually need to adapt.

i think if people see websites constantly being broken in chrome, instead they'll pick another browser, that's most people's first instincts when a site doesn't work.

just a take i guess, will it divide the web in 2?


Stop contributing to chromium. Fork it.


Stop using it altogether. Use Firefox and contribute to it.


That's why we should isolate Chromium from Google. Chromium should be led by a third party like W3C.


Hey Google, how about removing that "feature" because of lack of interest as with Jpeg XL?


What's stopping a non-complying browser from sending forged attestation tokens? Honest question.
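
The question above, and the earlier comment about tokens handed back to page script being exfiltrated and repurposed, both come down to what the receiving site checks. As an added example (not part of the thread, and not WEI's actual token format), here is a Node.js relying-site check of an attester-signed token; the Ed25519 scheme, the JSON fields `verdict`, `origin`, `binding` and `exp`, the function names and the origins are all assumptions made for illustration.

```javascript
"use strict";
const crypto = require("crypto");

// Constructed attester key pair (assumption: Ed25519). The private key stays
// with the attester; the browser and page script only ever see signed tokens.
const attester = crypto.generateKeyPairSync("ed25519");

// Attester side: sign a verdict for one origin and one server-issued challenge.
function issueToken(privateKey, { verdict, origin, binding, ttlMs = 60000, now = Date.now() }) {
  const payload = Buffer.from(JSON.stringify({ verdict, origin, binding, exp: now + ttlMs }));
  const sig = crypto.sign(null, payload, privateKey);
  return payload.toString("base64url") + "." + sig.toString("base64url");
}

// Website side: accept a token only if every check passes.
// `seen` is the site's cache of signatures it has already accepted.
function verifyToken(publicKey, token, { origin, binding, seen, now = Date.now() }) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const payload = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");

  // 1. Signature: only the holder of the attester's private key can produce it.
  let valid = false;
  try {
    valid = sig.length === 64 && crypto.verify(null, payload, publicKey, sig);
  } catch {
    valid = false;
  }
  if (!valid) return { ok: false, reason: "bad-signature" };

  let claims;
  try {
    claims = JSON.parse(payload.toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }

  // 2. Freshness, audience and request binding limit reuse of a captured token.
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "expired" };
  if (claims.origin !== origin) return { ok: false, reason: "wrong-origin" };
  if (claims.binding !== binding) return { ok: false, reason: "wrong-binding" };

  // 3. Single use: the same signed token is not accepted twice.
  const key = sig.toString("hex");
  if (seen.has(key)) return { ok: false, reason: "replayed" };
  seen.add(key);

  // 4. Only now look at what the attester actually said.
  if (claims.verdict !== "trusted") return { ok: false, reason: "untrusted" };
  return { ok: true, reason: "accepted" };
}

// Constructed scenarios; returns the verifier's decision for each.
function demo() {
  const site = "https://shop.example"; // constructed origin
  const seen = new Set();
  const check = (tok, binding, origin = site) =>
    verifyToken(attester.publicKey, tok, { origin, binding, seen }).reason;

  const good = issueToken(attester.privateKey, { verdict: "trusted", origin: site, binding: "challenge-1" });

  // A client without the attester key signs its own "trusted" verdict.
  const clientKey = crypto.generateKeyPairSync("ed25519").privateKey;
  const forged = issueToken(clientKey, { verdict: "trusted", origin: site, binding: "challenge-2" });

  // A client edits an honest "untrusted" token and keeps the old signature.
  const honest = issueToken(attester.privateKey, { verdict: "untrusted", origin: site, binding: "challenge-3" });
  const [p, s] = honest.split(".");
  const edited = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  edited.verdict = "trusted";
  const tampered = Buffer.from(JSON.stringify(edited)).toString("base64url") + "." + s;

  return {
    wrongOrigin: check(good, "challenge-1", "https://other.example"),
    wrongBinding: check(good, "challenge-4"),
    firstUse: check(good, "challenge-1"),
    replay: check(good, "challenge-1"),
    forged: check(forged, "challenge-2"),
    tampered: check(tampered, "challenge-3"),
    honestUntrusted: check(honest, "challenge-3"),
  };
}

console.log(demo());
```

These checks establish that a token came from the attester and was minted for this origin and challenge. They say nothing about script already running inside the attested page, which can still obtain a valid token for that same origin and challenge.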


I hope this is something that non-Chrome Chromium-based browsers can omit from their builds.


Firefox accepted EME. Why are we all suddenly so surprised this is the ultimate outcome?


Could someone explain what WEI is? Searching for it returns quite a bit of acronyms.


I wonder if any web servers or web apps have started to block Chrome users yet.


No serious business is going to block the majority of their traffic


I was talking about web servers and web apps, not about businesses. They can patch the software if they want to allow Chrome users.


How does this affect people using Pi-hole to block ads?


Will there be any way to disable it within Chrome?


Would any of the usual enthusiastic Google employees ("Googler here...") chime in and defend this please?


How to turn it off? For real


Biden really needs to fire/replace Lina Khan and Congress start exerting pressure on big tech for actual monopolistic issues, not just political targeting. Although to be honest, I don't really trust the GOP/Dem house to bring up non-partisan issues which makes the role of FTC head even more important.


Can someone pls explain what is happening and why this is bad


maybe it's their IE6 moment.


Could be an epic troll on Google's part


Stop


I feel like I have to repeat this, since so much is at stake here, where it is about the preservation of the web as we know it today, at the peril of having it turned into yet another walled garden:

The only way around the dystopia this will lead to is to constantly and relentlessly shame and even harass all those involved in helping create it. The scolding in the issue tracker of that wretched "project" shall flow like a river, until the spirit of those pursuing it breaks, and the effort is disbanded.

And once the corporate hydra has regrown its head, repeat. Hopefully, enough practise makes those fighting the dystopia effective enough to one day topple over sponsoring and enabling organisations as a whole, instead of only their little initiatives leading down that path.

Not a pretty thing, but necessary.


> constantly and relentlessly shame and even harass all those involved in helping create it

Not on HN, please. I realize that you're trying to protect something you care about (and that maybe we all care about) but this leads to ugly mob behavior that we don't want and won't allow here.

https://news.ycombinator.com/newsguidelines.html


Yeah, financial and social pressure are basically the only weapons we have against corporations when regulations don't exist. And honestly, financial pressure doesn't work at this scale or in this case.


Yes, but this will be an uphill battle. Every campaign must be financed, so every politician must effectively be vetted by monied interests. The same monied interests that we see here on a strategic offensive against the rest of us. Regulators will tend to be sympathetic to them, not us, until things get really bad.

Is EFF still the place to send money?


I think so. I don't know of any better.


Are they actively pursuing WEI? Is there anyone who is?


> when regulations don't exist

It’s very likely governments will make this mandatory if they have the chance to regulate over this.


[flagged]


Which executive orders, federal appointments, and other executive branch actions, would you attribute to Eric Schmidt?


From this article:

"At the same time, Schmidt has been appointed to numerous White House advisory positions, giving him privileged insight into the administration’s policies in technology, science and military defense, as well as unusual access to top policymakers."

https://www.techtransparencyproject.org/articles/eric-schmid...

A quick Google of "eric schmidt obama" brings up a lot of articles discussing their close political relationship.


I appreciate the link - but "Schmidt has been appointed to numerous White House advisory positions" != "basically a shadow president".

There have been many questionable advisor appointments by previous presidents. Including the last president.


Very good, but that doesn't answer the question.


And that makes him “shadow president” how? Was he the one with the most access as opposed to, says, David Axelrod?


I don't want to put words into the OP's mouth with regards to his assertion about Schmidt, but given the loose wording: "basically shadow president", it's fair to say it isn't meant literally, and it usually comes with a negative connotation and to imply that Schmidt was so deeply involved, from a standpoint of strong biases in favor of Google and the obvious potential for corruption in participating as an advisor to someone (Obama) who doesn't have the same grasp on technology — and the extent and length of Schmidt's involvement throughout Obama's terms.

It could be said that Schmidt disproportionately influenced important decisions in the tech realm, to a degree nearly equal to executive authority, because it presumably (and greatly) outweighs the opinions of the other heads of Big Tech, so long as Obama was naive enough to agree with him on key issues he didn't fully understand.

This is especially damning in light of the NSA / Prism scandal during Obama's term, and Big Tech's involvement and compliance with that.

Of course, anyone could assert this about an advisor to a President depending on the President's level of knowledge and outright willingness to apply their advice, even if in spite of fairness (competition), rights, laws, or precedents.


If you live in a representative democracy, and Google has a presence there, contact the offices of those representatives. These things don't always seem like they matter, but sometimes they do. Big tech generally (and Google specifically) is a pretty popular target right now -- seemingly worldwide and across most ideological divisions.


This is true, but I think the main issue is whether people are quick enough to call for congressional hearings and decisive actions / lawmaking that would have any impact before it's too late. It's a race to the finish, and big tech companies always have the advantage. Of course, that doesn't mean regulation couldn't call for a reversal on what's been implemented.

The other side to this issue is despite the scrutiny towards big tech, they can still lobby and make any regulatory actions seem effective, when in practice, they've already gotten their fingers into influencing policy in such a way that doesn't ultimately address the consumers' concerns.


Financial pressure won't work because you are not Google's customer. Google's customers are its advertisers.


And you are the customers of those companies advertising. That's leverage, too.


Financial and social pressure are the only ways you convince anybody to do anything that isn't biological.


Speaking of regulations, I think an angle that can help spread awareness to the general public is casting this as essentially being the equivalent of SOPA/PIPA but being pushed by Big Tech rather than Big Gov.


Regulation is just social pressure enforced by guns.



> the best place to shame?

Please don't do this here. It's not what this site is for, and destroys what it is for.

Edit: I suppose I need to add—no, we're not pro-$MegaCorp or pro-$web-destroying-dystopia. We're just trying to have an internet forum that doesn't suck, and you guys need to make your substantive points without degenerating into mob behavior.

https://news.ycombinator.com/newsguidelines.html


Understood. Sorry about that. Shoulda known better.


Appreciated!


Attempting to open an issue yields this message:

"An owner of this repository has limited the ability to comment to users that have contributed to this repository in the past."


You can still report it as malware (which it actually is)


If only they had some sort of attestation scheme to root out dissent at the source.



I think the right avenue is to complain to W3C instead. Especially in the light of https://www.w3.org/TR/2023/DNOTE-w3c-vision-20230725/#princi... and violation of CoC https://www.w3.org/Consortium/cepc/#unacceptablebehavior ("Sustained disruption of discussion.")

The problem is that the proposal has not yet been brought to W3C.


Yoav Weiss is closing concern threads, calling them "spam."

Ben Wiser ( https://benwiser.com ) turned off comments altogether.


May their names reach eternal infamy on Wikipedia.

The Open Web. Creators: TBL et al, Destroyed-By: Google et al.


> The goals of the advertising business model do not always correspond to providing quality search to users.

- Sergey Brin and Lawrence Page, The Anatomy of a Large-Scale Hypertextual Web Search Engine


Please don't do this here. It's not what this site is for, and destroys what it is for.

Edit: I suppose I need to add—no, we're not pro-$MegaCorp or pro-$web-destroying-dystopia. We're just trying to have an internet forum that doesn't suck, and you guys need to make your substantive points without degenerating into mob behavior.

https://news.ycombinator.com/newsguidelines.html


Yoav Weiss has a blog post from 6 days ago on his website. https://blog.yoav.ws/

for a personal blog it has quite a lot of PR speak


Oof. It does check, though, that the guy CoC-blocking all the github comments would have blog posts like the Professor Umbridge of the W3C.


I think people like to take the easy way out of declaring those with a different mindset "evil." Everyone is the hero of their own story, and honestly there are multiple incompatible-but-internally-consistent models of how technologies can and should work. I think it's more useful to recognize these things than to write off a competing mindset (especially when the competing mindset is in a position of power).

Consider incentives from Google's standpoint. They want to provide users a safe and secure experience. They want to simplify maintenance of software and provide developers the ability to simplify maintenance of software (a problem simplified by chopping the unbounded set of possible user agents down to a blessed, vetted subset). They have the resources to make their site screen-reader compatible, so they're not concerned about damage that could be done to screen-readers because they'll just bless one and support it. And, of course, they implicitly trust themselves to do all this.

In that ecosystem, Weiss's viewpoint is completely reasonable. The old model of the web is old, and led to gestures broadly at all the bad things about the web today... fraud, users getting owned, CP, botnets, misinformation factories. I can definitely see the viewpoint where someone concludes "It's time for a new model, and this company has the resources to do it."

I don't agree with him (and in fact I think the idea will fail; I think Google actually overestimates its ability to provide an equivalently-good user experience to what we have now if they aren't leveraging the unpaid labor of other vendors putting the effort into making their own houses work with Google's house without Google even being aware of their work). But I think it's useful to wrap our heads around how one gets into that headspace without thinking oneself a monster.


As they say: "the road to hell is paved with good intentions". Wanting to fix the world by taking complete control of it is one of the most trivial examples of a plan that should be immediately labeled "evil", as, if nothing else, "absolute power corrupts absolutely".


This plan doesn't take complete control. It provides a mechanism for a web site to delegate trust on UA configuration authenticity to a third party, or even to itself via side-channel.

Nothing in the proposal requires the third party be Google. The proposal does decrease the control the user has over their own hardware, in the sense that it provides a channel for a site to decide the user-agent / hardware stack is the wrong pedigree to serve; that's not universally considered evil either (few people really get bent out of shape that you need a Nintendo Switch to use Nintendo Switch Online services).


> Consider incentives from Google's standpoint.

Google sells ads. They want to kill ad blockers. This is how.

> Weiss's viewpoint is completely reasonable

Chasing diversions around in circles is not neutral. Someone wins by default. Diversions exist and they exist to tempt you into poor attention allocation decisions. This is not about safety, security, and providing an excellent experience. It's about ads and making sure you can't stop them.


It's extremely likely it's about both. It can be both about making it hard to skip ads on YouTube and about making it hard for somebody to replace human users with automated devices.


> When thinking about a new proposal, it's often safe to assume that Occam's razor is applicable and the reason it is being proposed is that the team proposing it is trying to tackle the use cases the proposal handles.

Ockham's Razor doesn't apply in an adversarial situation.


It is also for when you are comparing two explanations that do an equally good job of explaining empirical data.

"Google is an advertising company and does whatever leads to more profitable advertisements" does a much better job of explaining Google's actions than "Google just wants to build the best possible browser", so it should be preferred even though it is a more complicated explanation.


Yep. You'll cut yourself on Ockham's Razor if you bring it to a fight.


HN Discussion of the blog post:

https://news.ycombinator.com/item?id=36857676

85 points by KoftaBob 1 day ago | flag | hide | past | favorite | 109 comments



Indeed. Negotiations have already turned out to be completely ineffective. The next step is war.

Cory Doctorow came up with the phrase "The War on General-Purpose Computing", which describes the situation perfectly.


Even before that, there was “The Digital Imprimatur”: <https://www.fourmilab.ch/documents/digital-imprimatur/>


He came up with it more than 9 years ago, during which time no such war has been generally apparent, and if anything, the conditions for general purpose computing have improved.


I don't like Google's grasp on so many vital parts of the web but somehow, it seems like google is actually in trouble.

AI is going to completely change search if it hasn't already, and Google is not even close to competing in this space.

Video has some massive competition from the likes of TikTok. Anyway, YouTube isn't the only option on the market.

Gmail is still popular but since google has been pressuring users to pay, it's been easier than ever to find a reason to try another service.

Chromium can always be forked and have some parts removed or added, and as we all know quite a few browsers do this, some are quite popular.

Is Google also losing iOS ads like Meta? If they do, that's another reason for alarm for them.

I'm not sure google is in the best position for the future and WEI is not going to be their golden ticket either.

And, if your prediction that web will change actually comes to pass, well then it'll be just another cycle for this space that has changed countless times since the age of dialup. The web is going to change, again and again, but as long as people are still free to set up a server and let the world access it, we can still do what we like with it.


Except increasingly the world will access it via drm aware browsers because their banks require it, and the open web audience will subsequently dwindle.

The Halloween memos called this "Embrace, Extend, Extinguish". Google didn't just ignore the moves that provided M$ dominance.


To paraphrase John Maynard Keynes: Google can stay irrational a lot longer than you or I can retain our freedoms. And when the precedents have been set, a new normal has been established, and when/if Google does finally fail, the next actor will step in and keep those freedoms from us all.


Corporations will dismiss all of that as asshole Luddites, and do it anyway. You're not Google's customer. The advertisers are.

The only way to stop Google from treating the Web as their own OS is to take that power away from them, by switching to other browser engines.


And we have this crappy paradox that Mozilla is held to an impossibly high standard. People want to burn them to the ground for daring to use Google Analytics, or the Pocket acquisition, and keep using a 100% Google browser, with preferential integration with all of Google's services/protocols/APIs.


I think that's a false dichotomy. It's possible to criticize Mozilla (ideally in good faith) for both the way in which they develop Firefox and their focus/mission in general, while at the same time using Firefox, since to me it looks like the best alternative we've got.

Not every Mozilla critic is a Chrome user; I'd even expect that the most vocal critics are Firefox fans and users.


In theory, yes, but that’s what every thread about switching to Firefox gets: Lots of flames about Mozilla. But when the only sensible alternative is staying with Google, why would these people make these arguments as replies to suggestions to switch to Firefox? It is only reasonable to conclude that it’s not Firefox fans making these arguments, in those threads.


Has anyone compiled a list of those pushing forward and/or working on WEI?



Probably also consider all Google employees complicit. All of them -- especially those who could easily just choose to work somewhere else, like their developers -- are either in favor of, or okay with, Google's mission to destroy the web.


> constantly and relentlessly shame and even harass all those involved in helping create it

If this ever helped, we wouldn't have absolutely unethical products created. Turns out people's morals have a price tag, that Google and others are willing to pay their employees.


Well at least you can increase the price tag for Google, Facebook etc by taunting their employees as bad people.

It is quite incredible actually, because it was not many years ago that working at Google had this coolness factor to it. Hopefully, it is a broader change of view, other than mine?


I agree with your overall ideal of free access to information but I disagree that harassment is a necessary or even effective option to push against this. I think the harassment puts us in a category of ineffective, bitter malcontents and that’s not what we are.

We are capable of going elsewhere to free and open access to information, and we would be better off spending our energy on positively influencing others to follow us in that direction. They can’t take away tcp, http, ftp, irc and all the other protocols that these megaliths have built their empires on, and we can still use those tools even if it’s a demoralizing regression to move back to the basics. Giants like Google, Amazon and others depend on our unwillingness to rebuild. Let’s use our efforts and our ingenuity to show them that they’ve underestimated us.

We have the tools, we have the knowledge. Let’s be builders instead of petty complainers.


We’ve been doing that for years, larata_media. Decades, even.

And what do we have to show for it? Our tools power their botnets and they flaunt the CoCs in our faces when we try to do something about it as “not constructive”.


Every time you see someone abandon an open source project, one of the biggest reasons is people suck and ask too much, harass, etc.

Therefore, one of the most efficient ways to kill a dangerous new standard is to endlessly harass anyone who works on it.

Sorry, the poor individual can not hide from their responsibility.



We must believe in ourselves. We are too quick to be cynical about the future of the web - too quick to forget our ingenuity in the face of adversity.



> a category of ineffective, bitter malcontents and that’s not what we are

There are enough top voted people demanding harassment in this and other threads to say that well, maybe that's what HN is, actually.


Well we can build something too but first we need to get rid of these people.


Please don't do this here.

More explanation:

https://news.ycombinator.com/item?id=36881929

https://news.ycombinator.com/item?id=36881081

https://news.ycombinator.com/item?id=36881034

In addition: could you please stop posting unsubstantive comments and flamebait generally? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


Imo, the idea that this is about selling advertising and maintaining market share is being used as a false justification. This is not about being able to drive users to ads.

The bigger picture is that Google et al are actually part of the control structure. The governance system wants deanonymised Internet. Corporate interests are how this is being promoted - government legislation would be a harder pill for the masses to accept.

But all the recent mega changes (Elon buying Twitter, etc.) tell us that this is on the way. Apparent anonymous internet will be sandboxed. Knowing everything about everyone all the time, and having that data being crunched by AIs is an amazing, audacious goal, that seems close to being achieved.


The battle is already lost legislatively.

Multiple US states, France, Germany and the UK are going to make the web unnavigable unless you type your credit card number or scan your face for age verification in two out of every three sites.

We are going to need to at least try to create ways to secure those credentials in as zero-trust a model as possible.

(Note that the legislation is a disaster, but it is done. Nobody paid enough attention. It has passed or will pass in weeks.)


Time to build a fresh web. Get me my hypercards!


> Time to build a fresh web. Get me my hypercards!

A fresh web doesn't exempt you from the legal requirements unfortunately.

This year has seen the biggest state attacks by legislators on any electronic distribution of speech across most Western states for fifty years, and by and large the technology community has completely failed to even engage with that, never mind stop it. We are all going to have to live with the consequences for decades.


That sounds entirely unhelpful. They can just close the issue tracker + people will obviously just move on. This sounds like the Reddit 'blackout' that did nothing and is already forgotten.

What we really need is for the collective browser vendors to refuse to implement this and, if Chrome pushes forward, to bring Google to court over it. Nothing short of legal intervention is going to help here.


Or we could show Chrome users what the future will look like for alternative browsers - by blocking Chrome now.


OK? That has nothing to do with what the parent said, which is that the issue tracker should be flooded.


Similar feature is already in production Safari, alas: https://httptoolkit.com/blog/apple-private-access-tokens-att...


That's not really surprising. Limited attestation of device state has been a thing for a long time and it's why Chrome is used at so many companies.


What sort of regulation do we imagine a government putting into place to stop this? If anything, governments tend to lean in favor of identification and verification systems because they make corporate commerce run more smoothly.


It's not hard to imagine legislation around a user right to ownership of their device. For example, it could be made illegal for a website to attest that a user is not running specific software.

Legislation around device ownership rights is already present, especially in the EU.


Just saw https://github.com/chromium/chromium/pull/187/files

It's even funnier with the auto-reply "Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA)."


Ah yes. The "Uncle Ted" approach, but a bit more mild. At what point do we go full Ted?


Oh but that would be against the respective projects' code of conduct. /s


[flagged]


You can't do this here. We've banned this account for breaking the site guidelines and ignoring our request to stop.

https://news.ycombinator.com/newsguidelines.html


All they'll have to do is make a pronouncement of support for some trendy social issue and everything will be forgiven and forgotten. Virtue signaling has turned into the most effective corporate tool for manipulating society into allowing corporations to do almost anything they want. And the public's addiction is so strong that even when this is pointed out and agreed that it is happening, the addiction still must be fed, so corporate sociopathic parasitism on society continues with the joyous approval of society in general.


Yeah. I won't be surprised if the marketing for this misfeature pivots to "it will prevent harassment of marginalized groups".


what exactly do you want to preserve from the web as we know it today?

let it burn

focus on building something new, new protocols, new networks, new browsers


Something that isn't dependent upon the whims of princes.


TikTok is literally controlled by the CCP. If consumers don't care about that, they aren't going to care about DRM.


Tech-literate folks really should make a concerted effort to move to our own darknet, something like freenet or I2P, to recreate the internet before the advent of mass adoption of smartphones by the public. Forums, IRC, vent/TS, webrings, XHTML 1.0. No WebGL. No Canvas. No WebAssembly. No damn WEI.

Normies can f&$% off and enjoy the data-mined, DRM'd, ad-infested, CCP-propagandized, upload-your-photo-ID-to-post-here, privacy-free dump their illiteracy, careless disregard for harm, and data exhibitionism fetish has allowed the clearnet to turn into.


While I like this idea, starting from the foot of "CCP-propagandized" based on the TikTok service hosted by Oracle in the US is an amazing way to start off on a Nazi infested foot.

Anti-communism and fascism are historically in lock-step. No one is going to use the services if you basically create web4 stormfront.


FWIW, I'm certainly not advocating for any kind of racism, or any kind of philosophies that support the use of force to achieve any political, social, or economic goals, so fascism would be firmly out were I the webmaster.


> any kind of philosophies that support the use of force to achieve any political, social, or economic goals

> so fascism would be firmly out

This goes to prove my point, that there's a gross misunderstanding of history in the general population.

Fascism doesn't use force to get political power, it gains political power through reactionary ideas based on false assumptions that lead to a fascist regime where the violence then occurs on the "other".

It comes through ideas such as "protecting your family", "returning to tradition", and other feel good sayings that mean almost nothing. Think of the phrase "Woke", taken from black community vernacular and twisted to mean almost nothing at all. It describes everything and anything that can make a conservative person upset, from queer people to mental health professionals.

Despite meaning nothing, oh boy has it taken root. Beer is woke, TV is woke, the black guy in Star Wars is woke for existing. And oh man look how easy it is to take root and now millions of people live their life by the "anti-woke" lifestyle. What does that lifestyle mean? Idk, buying shoes just to light them on fire, I guess.

This is why communist regimes had gulags. Fascism takes root through reactionary (meaning feelz over realz) ideas, typically against change. A revolution is something hard fought, why would they allow it to be derided by some idiots who miss when they owned all their neighbors' land?

What I'm trying to say is one end of the spectrum is at a huge advantage when it comes to free speech environments, for the fascist does not need to argue in good faith. Going by "philosophies that support the use of force..." will get you a lot of a certain group.


China is nationalist authoritarian state capitalist, their external propaganda isn’t to spread Marxist ideology, it’s simply anything that helps China and hurts everyone else, same as any nationalism.

“What do you think the Russians talk about in their councils of state, Karl Marx? They get out their linear programming charts, statistical decision theories, minimax solutions, and compute the price-cost probabilities of their transactions and investments, just like we do. We no longer live in a world of nations and ideologies, Mr. Beale.” Network, 1976

Further, free speech must be defended despite the modern liberal tendency to cut off the majority’s noses to spite nazi faces. If you’re gonna fight nazis, fight nazis, don’t throw out fundamental human rights. They know they can taint principles, signs, and symbols with their stench. Don’t give up essential freedoms out of guilt by association. These charlatans have no political theory, no examined ideology. It’s a power struggle and we’ve already ceded too much power.


There was nothing in his comment that alluded to anti-communism sentiment. In my opinion, the parent comment was categorically anti-fascist. Current day CCP conforms to the definition of fascism far more than the definition of communism.

I'd love to hear your thoughts on how they were being anti-communist or fascist in your eyes.


It's easy in theory to say "oh anti-ccp isn't anti-communist", but in practice, do people actually understand the difference?

Consider the phrase "tankie", what was once a term used by communists to describe a militaristic member who supported the USSR sending tanks into Hungary, has become a general phrase for anyone showing critical support to any socialist project.

Socialists are essentially told they are not allowed to support any previously or currently existing project because bad things were done, are told they're doing whataboutism if they compare the actions to western actions, and are called a tankie if they decide to stop caring about what liberals and right wing people say.

China IS a socialist project, are they strictly a socialist country? No. Did they perform the most thorough and equitable land reforms in the history of Humanity? Yes. Do they wield central power for central planning economic activities? Sometimes. Are they operating on a 100% worker ownership of industry? no, but they have a non-insignificant public ownership of industry, co-opting privately owned industry to steer activities with greater control and hold certain business leaders accountable.

I'm sorry to say, but "current day CCP conforms to the definition of fascism" just isn't correct and goes to prove the point that the meaning of words is mostly ignored. Fascism != Authoritarianism. There was a massive effort post WWII through the cold war to create anti-communist propaganda that simply wasn't true. You had actual ex members of the Nazi party leading anti-communist endeavors. The Black Book of Communism counts Nazis as deaths from communism. The Victims of Communism Memorial Foundation is literally a mask on far-right thinktanks such as the Heritage Foundation.

That being said, the West is grossly lied to about China day to day. It is in various interests to have an enemy. To the point where one man can write a report identifying a "future cultural genocide" which was simply a reduction in growth of a population due to 1 and 2 child laws being imposed on a group that was exempt prior, as an actual, in-progress genocide. If you point this out, people call you a genocide denier.

That same man is a director of China Studies, at the Victims of Communism Memorial Foundation.

I apologize for this long-winded rant, but yes, if you found an internet presence on being "anti-ccp", you're starting off on a literal fascist foot. The community will deride any left leaning voice, call any voice that says "hey China did a good thing here", as a "tankie", and it will become an echo chamber for right-wing hate speech.


It won't do anything. You don't think they've anticipated random angry outbursts going into this? Plus, the people you're harassing are simply implementing a policy that they don't have the power to change.

The only pressure that Google has been shown to consistently respond to is political. Get a couple of senators (... of the right party) to send them a mild rebuke and they will indeed retreat a little (... and try something else later). But that's a lot harder than posting angry comments until the next piece of outrageous news comes along, isn't it?


> the people you're harassing are simply implementing a policy that they don't have the power to change.

I'm not on board with harassing people (sad that I have to include this disclaimer).

That said, the people are not simply implementing this. They're actively and publicly justifying and defending it.


Directly sending a message to the implementers doesn't preclude involving politicians in this too, and I absolutely agree that the latter should be involved.


I was just following orders!


Wondering what you can do?

First:

- ban Google altogether in your personal life. No Chrome and no excuses. Stop your bullshit or leave this profession.

- develop with and for Firefox and friends only, introduce usability problems for Chrome

- employ the same tactics as google.

  -> Bundle firefox with the software you are distributing. 

  -> Like Google did, remove the competition altogether from the user's device.

  -> make your npm-module or your website slower in chrome

  -> show a popup urging users to download firefox, provide a link. Refer to their current chrome as malware.

  -> use as many tricks as you can think of to spoil the well for google. Destroy search results, fill their storage with /dev/random, whatever your imagination leads you to. You keep telling us you are so smart. Show it.

- remember, Google's capital is data. Hit that and the beast will die.

If you are not ready to do this, you are part of the problem. "Maybe later". No, people have warned for years. I wrote that using chrome is "less than smart" years ago, and some people took real offense when I wrote that. If you don't act now and update your projects like I wrote above, you will never do it.

Secondly, tweet, write to tech journalists. But only after you did the above.

Thirdly, Google is evil and they know it. They care only about money and they trust you to find excuses. There are already some people who talk to themselves "Well, I see both sides really". Don't be that one.

Fourthly, I am very worried that the window of opportunity is closing now rapidly. It is late to defend our values, rights and future all by ourselves while all political parties gladly take donations by the millions. I am not an anarchist (nor a libertarian), and I would rather sit on my lazy ass like you. However, the amalgamation of tech oligarchs and ruthless political factions is accelerating. They are happy to trade civil rights for something more tangible. Your legal rights are being eroded one after the other and you might lose the right (or means) to stand up for them.

If things go really wrong, keep in mind that while in theory one could burn the whole thing down, well, yes, a statement in public life would help for publicity. But PR is a hard thing if you don't have money. The easiest steps are outlined above.


bruh


The web is not dying, it is being killed. And the people that are killing it have names and addresses.

Shame on Rayan Kanso <rayankans@chromium.org>

Shame on Peter Pakkenberg <pbirk@chromium.org>

Shame on Dmitry Gozman <dgozman@chromium.org>

Shame on Richard Coles <torne@chromium.org>

Shame on Kinuko Yasuda <kinuko@chromium.org>

Shame on Rupert Ben Wiser: https://github.com/RupertBenWiser/Web-Environment-Integrity

Google needs to be broken up.


No personal attacks, please. It's not what this site is for, and destroys what it is for.

You can make your substantive points without that, as most other users in this thread have been doing.

You may not owe web-destroying $MegaCorp better, but you owe this community better if you're participating in it.

https://news.ycombinator.com/newsguidelines.html


Shame on all knowledgeable people that happily keep using Chrome and giving Google money. That make the web more centralized by giving more and more power to entities that benefit from this like CloudFlare.

HN is full of people that are indirectly helping to push these changes forward. You're preaching to the choir, and the choir is too lazy to switch browsers or learn how to configure a web server, so they just shrug and carry on.


Currently development and standardization occurs in the open, on GitHub and elsewhere. When it's decided that's no longer possible, I hope you realize that this kind of targeted harassment is what led to its demise.


Thank you.


Apple would be in the position to fight this.


All of the major tech companies are in on this. Google and Apple already deployed it for their phone and desktop platforms (iOS, Android, macOS, ChromeOS, all support attestation already). Microsoft is getting there with Windows 11, and all new devices shipping since ~2015 have the hardware support. Google is now closing the gap on desktop browsers.

Soon the percentage of people supporting it will be high enough to make it mandatory - the last 5% can just get a new device or something like that. They'll do it when their bank website tells them so.

The day Cloudflare flips the switch to require it for all connections is the day the open web dies.


Thanks for the info, I wasn't aware of that at all.

> They'll do it when their bank website tells them so.

Right.

> The day Cloudflare flips the switch to require it for all connections is the day the open web dies.

Makes sense and unfortunately seems realistic.


Here's an example of how far along we already are. You can imagine the next steps, right? https://blog.cloudflare.com/eliminating-captchas-on-iphones-...


"Apple already shipped attestation on the web, and we barely noticed"

https://news.ycombinator.com/item?id=36862494


And somehow this barely registers on HN, there have been over a thousand comments on WEI this week, this was mentioned maybe in 5 (a few of them mine - yes I'm repeating this point because it is important).

Attestation bad. Chrome is just catching up to what Safari is already doing, with, in fairness, a more open standard.

We need to kill both.


D'oh!


Apple is one of the bad guys before the bad guys know they're bad guys... they already implemented this stuff


I was watching a video about nesting in CSS and how it's just in Chrome and comments were all about how cool it is and how they can't wait to use it, and so on, and so forth. I think it's quite a representative example: we can do that much better with SASS today, but I guess Google needs to keep features pushing at full speed so no one else can keep up.

We developers are so gullible. Just give us some shiny things and we don't even realize they're heating up the pan.


> I was watching a video about nesting in CSS and how it's just in Chrome

Nested CSS is supported in the latest version of all major browsers.

https://caniuse.com/css-nesting


It will be supported in Firefox 117, the latest release is 115 and needs you to manually enable a feature flag.

The center row of versions with the gold border is how caniuse indicates the current release.


Thanks for the correction!

I hovered over the green box for Firefox 117 and it said “Released”. I see now that for browser versions that have actually been released, it says “Released <release date>” and it’s just a very misleading bug because all unreleased browser versions will just say “Released”.


That's not the point...


I realise all the negative effects if this starts becoming a thing, but could someone explain how is it they propose to technically enforce this "signed browser binary" requirement? What's stopping me from writing my browser to submit false info? Any encryption keys or hashes present in the "certified" binaries can be extracted (the binary after all needs access to it to use it, right?).

The only way this has the slightest chance of working is in connection with trusted hardware. Microsoft has been trying hard to push TPM on everyone and failed. What makes them think they'll succeed?


Edge is based on Chromium now, has been for years. Wouldn't be a leap to have TPM enforcement here too.



