“Web Environment Integrity” is an attack on the free Internet (fsf.org)
415 points by jrepinc 7 months ago | 79 comments



Related. Others?

Google's browser security plan slammed as dangerous, terrible, DRM for websites - https://news.ycombinator.com/item?id=36893071 - July 2023 (63 comments)

Google Web Environment Integrity Is the New Microsoft Trusted Computing - https://news.ycombinator.com/item?id=36888156 - July 2023 (282 comments)

Google employee responds to negative feedbacks on WEI - https://news.ycombinator.com/item?id=36881506 - July 2023 (25 comments)

Google is already pushing WEI into Chromium - https://news.ycombinator.com/item?id=36876301 - July 2023 (832 comments)

Unpacking Google’s Web Environment Integrity specification - https://news.ycombinator.com/item?id=36875940 - July 2023 (431 comments)

Google engineers want to make ad-blocking (near) impossible - https://news.ycombinator.com/item?id=36875226 - July 2023 (468 comments)

Google vs. the Open Web - https://news.ycombinator.com/item?id=36875164 - July 2023 (191 comments)

Apple already shipped attestation on the web, and we barely noticed - https://news.ycombinator.com/item?id=36862494 - July 2023 (421 comments)

Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web - https://news.ycombinator.com/item?id=36854114 - July 2023 (456 comments)

Web Environment Integrity API Proposal - https://news.ycombinator.com/item?id=36817305 - July 2023 (441 comments)

Web Environment Integrity API - https://news.ycombinator.com/item?id=36808231 - July 2023 (2 comments)

Web Environment Integrity Explainer - https://news.ycombinator.com/item?id=36785516 - July 2023 (45 comments)

Google Chrome Proposal – Web Environment Integrity - https://news.ycombinator.com/item?id=36778999 - July 2023 (93 comments)

Web Environment Integrity – Google locking down on browsers - https://news.ycombinator.com/item?id=35864471 - May 2023 (1 comment)


Why are we letting Google get away with such nonsense? First(?) was the toast component, then removal of alerts, manifest v3, FLOC, now this. Sure, corporations are going to corporate away, so what are the options for us, users, and future users, who currently do not care, but might find the current iteration of the internet useful? I don't mind Google shutting all their products behind some wall that requires using a custom unmodifiable browser to access them, but do not spread it all over the place. We are still "enjoying" unsolvable reCAPTCHAs everywhere.


I take strong issue with the CAPTCHAs. You're essentially training Google's image recognition engine for free.


No, you're not. A captcha already knows the correct answers. Otherwise, it wouldn't know if your selections are correct.

Besides, Google doesn't need help in picking out pictures of motorcycles or buses or bridges.


The original reCAPTCHA, with two words: It knew the answer to one of the words and didn't know the other. At one point some users were inserting purposefully wrong answers or slurs into the unknown word to mess with the data collection.

I expect the idea is the same with images: if there are 4 buses, I expect 2 it knows are correct and uses as a sanity test, 1 it's pretty sure is correct (from the majority of users selecting it), and 1 that some heuristics say might be a bus but that it is currently testing to see whether users believe it is or not. Similarly with the 5 not-a-bus images.


> No, you're not. A captcha already knows the correct answers. Otherwise, it wouldn't know if your selections are correct.

It doesn't need to know that your selections are "correct", only that they match responses given by most other users.


That may be what makes it correct, but that's known in advance.

My intent was to disabuse the notion that captchas are how Google trains for image recognition.


It doesn’t know the answers are correct. I intentionally give it the wrong answers. Sometimes it realizes my answers don’t match what is most common. So it doesn’t give me hard questions then. And doesn’t give me more than one prompt.



Any link regarding the toast component?



> We are still "enjoying" unsolvable reCAPTCHAs everywhere

You know, I hardly ever see those things.

They come up as part of a challenge-response when the server thinks your traffic is sus. I generally avoid them by staying logged in, not blocking cookies, and not using Tor or another route obfuscator.


In other words, enabling precise tracking of your internet activities. Maybe it doesn't bother you, but I'm pretty sure it does many others (myself included).

(BTW, the "server" is very often a reverse proxy hosted by Cloudflare that decrypts your connection to the actual server by design. In all likelihood, there's more data mining done there than we're made aware of :)


Yes, that's the main problem, that captchas are "invisible" to users logged into a Google account. Not to mention some smart developers who are putting reCAPTCHAs on government websites, even when you authenticate with your digital ID.


> They come up as part of a challenge-response when the server thinks your traffic is sus. I generally avoid them by staying logged in, not blocking cookies, and not using Tor or another route obfuscator.

Which sounds great until you leave your cozy little corner of the first world and discover that millions of people are behind CGNAT.


By the way, a very similar API has apparently been implemented in Safari since 2022. Seems like better marketing does wonders, as I haven't seen any discussion of this.

https://blog.cloudflare.com/eliminating-captchas-on-iphones-...

Some interesting bits:

> [...] We don’t actually need or want the underlying data that’s being collected for this process, we just want to verify if a visitor is faking their device or user agent. [...]

> [...] In the example above, a visitor opens the Safari browser on their iPhone and tries to visit example.com.

> * Since Example uses Cloudflare to host their Origin, Cloudflare will ask the browser for a token.

> * Safari supports PATs, so it will make an API call to Apple’s Attester, asking them to attest.

> * The Apple attester will check various device components, confirm they are valid, and then make an API call to the Cloudflare Issuer (since Cloudflare acting as an Origin chooses to use the Cloudflare Issuer).

> * The Cloudflare Issuer generates a token, sends it to the browser, which in turn sends it to the origin.

> * Cloudflare then receives the token, and uses it to determine that we don’t need to show this user a CAPTCHA. [...]

Sounds an awful lot like WEI to me, but at least it's called "Privacy Access Tokens" so it surely must be good...?

EDIT: turns out there was an HN thread about this a few days ago, I just missed it: https://news.ycombinator.com/item?id=36862494
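Added example, not part of the comment above or of the Cloudflare post it quotes: a toy Python walk-through of the quoted token flow, showing why the issuer and the origin never handle the device data the attester checks. It uses a textbook RSA blind signature with a tiny constructed key as a stand-in for the real issuance protocol; the class names, the `hardware_ok` device field, and the collapsed return path (the signature comes back through the attester) are assumptions.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy issuer key built from two well-known Mersenne primes.
# Illustration only: far too small and structured for real use, and no padding.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent


def digest(nonce: bytes) -> int:
    """Map the client's random nonce to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class Issuer:
    """Signs blinded values; never sees the nonce or any device data."""

    def __init__(self):
        self.seen = []  # everything the issuer ever observed

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, D, N)


class Attester:
    """Checks the device (hypothetical 'hardware_ok' flag), then asks the issuer."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def attest(self, device: dict, blinded: int):
        if device.get("hardware_ok") is not True:
            return None  # attestation refused, so no token is issued
        return self.issuer.sign_blinded(blinded)  # device data stops here


def client_get_token(attester: Attester, device: dict):
    """Browser side: blind a fresh nonce, get it signed, unblind the result."""
    nonce = secrets.token_bytes(32)
    while True:
        r = secrets.randbelow(N - 2) + 2  # blinding factor in [2, N-1]
        if gcd(r, N) == 1:
            break
    blinded = (digest(nonce) * pow(r, E, N)) % N
    blind_sig = attester.attest(device, blinded)
    if blind_sig is None:
        return None
    sig = (blind_sig * pow(r, -1, N)) % N  # remove the blinding factor
    return nonce, sig


def origin_verify(token) -> bool:
    """Origin side: needs only the issuer's public key (N, E)."""
    if token is None:
        return False
    nonce, sig = token
    return pow(sig, E, N) == digest(nonce)


if __name__ == "__main__":
    issuer = Issuer()
    token = client_get_token(Attester(issuer), {"hardware_ok": True})
    print("origin accepts token:", origin_verify(token))
    print("issuer saw the unblinded value:", digest(token[0]) in issuer.seen)
```

The token the origin receives is a (nonce, signature) pair that says only "an attester vouched for this client"; whether a deployment stops at that or also conveys environment details is a policy choice layered on top of the same attestation step.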


> Sounds an awful lot like WEI to me, but at least it's called "Privacy Access Tokens" so it surely must be good...?

Google's PR strategy is to say "no need to worry, it's just like this Apple thing". But as Google themselves note in their explainer¹, they're quite different, and Google considers PAT insufficient for the kind of enforcement they intend to do.

For example, PAT is ultimately just "not a bot" attestation and so doesn't involve the exchange of device and browser environment data. In contrast, WEI needs that data to enable the kind of "DRM for the web" use cases we're reading about.

https://github.com/RupertBenWiser/Web-Environment-Integrity/...


> we just want to verify if a visitor is faking their device or user agent

What does it mean to fake a device or user agent? Their intent is probably devices and user agents who say they’re one thing but are actually another. But browsers have been lying about who they are for decades. And what’s the difference between a fake device/UA and an unusual device/UA? Probably none, as far as they’re concerned.


I read about this last year in the original Cloudflare post. Cloudflare is a darling but I thought this one was dangerous for the web too.


I think the difference is that PAT allows ad blockers but WEI won't.


PAT and WEI can allow and disallow whatever the hell they want, there's nothing preventing WEI from allowing ad blockers just like there's nothing preventing PATs from disallowing them. They are exactly the same technology (remote attestation, entirely outside of the user's control).


Does the PAT implementation still require that the page content is being rendered live to a human user, or not exported or something?

(I know web APIs can't directly prevent those things, but they might be able to let a site determine whether a user is doing something to prevent CSS or Javascript tricks from preventing them.)


This is why I have started looking at gopher. And I just heard of gemini, which may be even of more interest to me.

Companies are doing all they can to create Walled Gardens after watching Apple's success. And to a lesser extent, it seems Corporations are starting to influence the direction of Linux Development. I wonder when we will have full embedded DRM, validating streaming sites.

https://www.linuxjournal.com/content/diff-u-kernel-drm-suppo...


We need to approach this head on, not continue to find ever more esoteric workarounds. I can see a day when you will not be able to connect to an ISP unless a device successfully attests. "If I can't use their app I will just use their website in a browser" was already the defense when APIs like Android SafetyNet were first announced. Corporations will not rest until they have absolute control of every layer of the stack.


I'm all for alternatives to HTTP but they really aren't related to this. If you want your site to not be affected by WEI then just don't use the WEI API. And something like WEI could be implemented just as well over those protocols as it is over HTTP. It is just a completely unrelated concept.


Except that Google and MS search dominate and they can disprefer those not using WEI to "protect" users.


How does Gopher solve that?


I read this stuff and I feel super cynical about it. I feel like "no way, not on my watch!", and then I realize that all I can do is sign a petition, or send an email to a representative that has zero fucking clue what this means... Same reason it does not matter to my zoomer brother its contemporaneous TikTokers.

People DO-NOT-GIVE-A-SHIT. Because there are bigger problems, like "what the fuck am I going to pay the rent with tomorrow", and more entertaining spectacles, like watching a person pretend it's an NPC for 5 hours straight and give them money for it.

And I feel a lot of the people I have worked with are the same type of individual, used to realizing they are getting screwed sideways, addicted to complaining, but only as long as it's among a very select group of individuals sharing common interests.

It's the most draining type of revolution. Nothing ever gets done, fucks are handed left and right: DNS, JS-fiasco, web neutrality, browserland... And we always just kick the buck and revisit the good ol' days on another thread further down the line, once no other rights are left to be destroyed...

And yet, what am I going to do? reject the PR?


What is all this negative nonsense about "people don't give a shit" on every thread about this? We don't need every single person in the street to give a shit. We only need enough influence within the industry and regulatory to give a shit. And they are. We are all upset by this and upvoting it and companies and organizations are writing about it. Keep that up and push for other companies to reject it or for regulation to stop it.

You know what Google fears most? Being broken down. If they push for this, we can organize calls to our representatives and raise our concerns and call for regulations and/or breakdown of Google's anti competitive behavior.


Here's an idea: websites should show an annoying window when the user agent supports this crap, regardless of whether it's relevant to the website.

Activism isn't restricted to the real world, or to "regular" people.


Hah, I like this idea, "It appears your browser passes web environment integrity, please come back when it fails"... I'd love to see a similar thing for SafetyNet on Android.


Why not. There are countless job positions for UX-designer unicorns while almost every page will give you an anti-UX pop-up. One more banner is not going to harm the page.


What are iOS users to do? They have no choice but to use a browser with PAT support.


I don't know that protest by mass suicide has ever changed anything.


Most protesting has some negative consequences for the person(s) doing it. Suicide is a bit strong, to say the least.


> We only need enough influence within the industry and regulatory to give a shit.

What exactly is this supposed to mean? All we have to do is control the government and the industry that we're complaining about, and we can win? They already have that. Doesn't that mean they already won?

> Keep that up and push for other companies to reject it or for regulation to stop it.

They are being paid to push in the opposite direction. You are paying to try to defeat them. Each of their victories brings them more money and influence, each of yours means you have to reset and construct an entirely new argument to defeat the same thing again, differently worded. The outcome is obvious.

And in this special case, Google needs no approval to take the web, because they bought Firefox and cooperate with Apple. There is no pressure that you can bring to a politician that will counteract the campaign funding, or access, or future employment, these awful companies can offer.

edit: This is a "why didn't the slaves all get together and end slavery" type argument. It's not cynical to resent the suggestion of the same tactics that have failed before so many times. Our problem is government, not any particular company.


> All we have to do is control the government and the industry that we're complaining about, and we can win? They already have that.

Nobody controls all of the industry or all of the government. Half the people on this site work in the industry, often in prominent companies in a position of influence. Many of them own a major stake in a prominent startup, or operate a community with a large number of users.

Legislators care about whatever they think voters care about, and use voters calling them as a proxy for this. Don't pretend this doesn't matter.

> They are being paid to push in the opposite direction. You are paying to try to defeat them. Each of their victories brings them more money and influence, each of yours means you have to reset and construct an entirely new argument to defeat the same thing again, differently worded. The outcome is obvious.

Every time they do something like this, another person gets pissed off enough to extricate the perpetrator's services from their life even if it means re-implementing some of them themselves, and then post what they used to do it on Github. Which makes it easier for the next person to do it.

Some of them even find a way to make a business out of it and make money. I know it's not a popular belief, but it's actually possible to build a sustainable business by giving customers what they want for a fair price and not screwing them over -- businesses may find that customers even prefer this.

We're not all connecting to AOL using AT&T Unix(R) on Itanium. Why not? Those companies had real power. How did they lose?

> This is a "why didn't the slaves all get together and end slavery" type argument.

Your argument is what, that no one should make any attempt to end slavery because the slavers have too much power?

No, you keep fighting until you win. Be creative, coordinate with like-minded people. This is not a community of powerless victims. There are people who hate this who have money and skill in surplus. It's not illegal to do something which is net negative for you but net positive for society purely out of altruism, or anger, because it's your life and you get to choose what you do.

Reallocate the time you spend advocating defeatism to building something which is a threat to the people attacking you.


[flagged]


Please don't do that. People with different ideas aren't shills - sometimes people disagree with you, see things that you don't or just understand the situation differently.

It's a bullshit way to dismiss people's opinions.


At the same time, astroturfing exists. It’s also incredibly frustrating how every time there’s a movement, people try to dampen its momentum by drawing attention to general apathy, a complete red herring for reasons explained in the GGP comment.


I’m pretty sure they’re referring to people that promote an idea/say something solely in exchange for money


I'm actually heartened by the amount of public debate and pushback there has been already. Remember that this issue only came to the forefront about a week ago. You can't expect just to win overnight.

People do care, but there are steps to creating public pressure. The public needs to become aware of the issue, to learn and understand the technical aspects of it, and to organize opposition. This is not necessarily a quick process.


Don't write to your politicians, write to the appropriate competition authorities. See this recent discussion[1], as an example.

[1] https://news.ycombinator.com/item?id=36877310


https://news.ycombinator.com/item?id=36881511

Google's address is 1600 Amphitheatre Parkway, Mountain View, CA 94043.


You can write to them, but I promise you: incoming mail basically gets circular-filed if it's addressed "To whom it may concern," and if you try to inconvenience an individual Googler by calling them out they'll eventually leave directions with the front desk team to circular-file their mail for them and all you're doing is inconveniencing someone in the mail room every morning.

Which, hey, if you think that's worth it, it's a free country and I can't tell you not to. Maybe you'll convince a front desk receptionist to petition the temp agency she works for to change companies.

Google maintains a physical address because Googlers sometimes order packages and it's a legal requirement so they can be served formal court papers. That's it.


Seems to be some misunderstanding:

1. Contact antitrust authorities: https://news.ycombinator.com/item?id=36880224

2. Use a template: https://news.ycombinator.com/item?id=36881511

3. Provide Google's address to the authorities: 1600 Amphitheatre Parkway, Mountain View, CA 94043.


There is something you can do. Becoming a privacy tool power user helps change the landscape of how people use and interact with tech.

My question reading this, assuming its main purpose is preventing ad blocking, is whether my Pi-hole DNS blocker would be affected. If the new standard is DNS blockers for everyone, that’s an improvement in the landscape, at a small cost to the users.

There is little adoption or support of privacy tools when there is no need for it and we trust our systems to be free and open, everyone is a tinfoil hat wearer until they aren’t and the boundaries have shifted. People should generally have better understanding of personal data protections, control over their services and the like but we are lazy until there is no other option but to take back control.


> People DO-NOT-GIVE-A-**

you are upset so.. empathy on that, first. Please consider that the pressure of the situation somehow escalates blame on exactly the people who are not doing this.

Consumer electronics users are not the ones who "vote" on the content. Closed-box computer systems with hierarchical, private and internal decision making, are arriving at decision points.


Frankly I couldn't have put it better myself. Even voting with your feet doesn't work because the platform just moves on without you.


Yep, Microsoft did just that. Moved on.


MSFT may have lost their web edge (and I'd argue that had more to do with Google legitimately out-maneuvering them by starting over on a new browser design from scratch than anything MSFT did), but in a sense they did "move on." Their stock value in the '90s when they got regulated was around $37; it's around $340 now.

They pivoted to cloud services and their server products still do robust business.


Not really "from scratch" though, Blink is a fork of WebKit. Sure, it's taken its own path since forking, but it's damn near impossible to start a browser from scratch these days (which is why ladybird is so impressive).


Nobody cared about superstitions, but they are solved.


I'm glad there's people who appreciate knowing about this. When I try to spread it, I'm mostly getting confronted with ignorance.

This really isn't just Google. They apparently just want to be the first.

This is what the "conspiracy theory" about the digital lockdown (I call it that) is about. It's one more step in that direction and from the looks of what this does, we're getting too close to the destination.


As if verifying that we are all using Google's browser somehow makes us safer. Because they are such perfect coders over there. The level of arrogance at these big tech firms is astounding, and irritating.


"You can visit our website, please show your digital handcuffs"


Can someone ELI5 what will happen? Will Firefox stop working on most sites? Will ublock stop working? Will I have to send a retina scan before accessing world wide web sites?

Fine, I lived without Internet before ... installed Microsoft Flight Simulator from floppy disks. Will be a little more floppies this time, I guess. No big deal.


Presumably the end game is for Google and a few other corporations to control what web browsers you can use to access most of the web. Mozilla may or may not play along (they did on EME). Linux won't work except maybe for Ubuntu and Red Hat build if/once they get around to adding support for it. That could be a long time since you need a long chain of verifications to pass thru the browser, OS, kernel, boot environment, and TPM to work AND you'll need to convince Google that the chain is strong enough to not be hacked. Ad blockers will be shut out at some point.

And no, you can't just go back to playing flight simulator off of floppies. Your bank, your airplane and concert tickets, heck even your child's pediatrician will require it. Not that doctors are hungrily reading up new web specifications, but they'll be using a medical services platform that relies on some cloudflare defaults that all the security guys like because it cuts down on bots and DDoS.

You'll be left using walled garden operating systems that spy and advertise as incessantly as cable TV.

Maybe a big stink will cause Google to backtrack a little, or make promises they won't and can't ultimately keep. The only real solution is to use the government to prevent users from losing control.


> Linux won't work except maybe for Ubuntu and Red Hat build if/once they get around to adding support for it

They could have stopped Linux support from Chrome at any time, or not created it to begin with. Plus there are lots of people at Google who are using Linux, not to mention Chromebooks which are built on it.

There is no reason to think that Google will kill Linux support with this or any feature.


They're not trying to kill Linux per se, it'll just be collateral damage. Only specially blessed builds of browser and OS will be allowed access to sites that use the new api. It defeats the point of the API if the user can control the behavior of the client.


Well, obviously ChromeOS will be certified as is Android (their other popular Linux). I assume OP was talking about a random non-corporate Linux distro manually installed on someone's PC (e.g. Arch on my Thinkpad). These won't be able to access a significant chunk of the Web anymore.


>Well, obviously ChromeOS will be certified as is Android (their other popular Linux

Specifically, ChromeOS running the google-signed, untampered, OS image


Those same employees at Google have plenty of opportunity to tell their leaders this is a shitty idea, and yet here we are.


I'm somehow relying on hackers to promptly hack that chain. I believe in humanity.


Nah!!!

Let's all use chromium-based browsers!

What could possibly go wrong?

XD


I don't think minority browsers being Chromium-based has any effect on this disaster one way or the other. The problem is Chrome's near-monopoly.


One more thing, some said that not letting DRM be added as a standard led to Widevine being controlled by a single entity. Might having a standard help prevent lock-in?



Okay, then we should be able to answer: Does having a standard help prevent lock-in? AFAIK, the answer is a resounding "no"; only the big browsers can use EME and everyone else is locked out.


Does this affect all sites with google ads, all sites on chrome or…?


Hypothetically, if generally adopted as a standard: it would enable any site to decide that it only works on a specific (cryptographically-signed) hardware / software configuration.

So "Your bank will require you to login with Edge on Windows 11, or with their smartphone app."

The social concern enabled by the tech concern is that we might see, say, Google go "GMail can only be accessed by a browser running Chrome," and they lock-in their market dominance not on quality of the application but on network-effect necessity of installing it to access your data.


>"GMail can only be accessed by a browser running Chrome," and they lock-in their market dominance not on quality of the application but on network-effect necessity of installing it to access your data.

Google can do that right now. They don't need attestation to do so. They can take gmail off the web and build it into Chrome itself.


WEI is a very bad idea, it will incite violence


Sure, I agree but I feel like nobody who doesn’t already agree is going to read that article and think “oh yeah this is bad”. It honestly sounds like a Trumpian rant on whatever his topic du jour is.


They are a bit late to the party. Not even a blogpost from the FSF when the news around Pluton dropped for example.


No, this seems like about the right time. The proposal is in very early stages and hasn't been accepted by any party yet.


The post refers to https://github.com/chromium/chromium/commit/6f47a22906b28994...

Wait until they implement verification cans :)


Can you elaborate? I don't know the relevance of the commit or what you mean.

It is normal for proposals, even very early ones that are not accepted, to be implemented before becoming a standard - that way there's an actual implementation to point to when saying "and it would work this way".

It isn't "proposal first, implementation later".


.. better late than never


Time is now.



