Your computer should say what you tell it to say (www.eff.org)
689 points by skilled 2023-08-08 10:03:16 | 263 comments

The EFF stands alone in its commitment to actually speaking truth to power. The ACLU has become just another arm of the DNC, same with the SPLC etc - repeating CNN-esque talking points. Same with the NRA - milquetoast arm of those in power.

The EFF will go after orgs that fund it, which requires true compunction.

FIRE is a good replacement for the ACLU, FYI. And John Brown Gun Club is becoming a better NRA.


that's all great but you realize a lot of readers here are not USA, eh?

"web-TPM" needs to be named-and-shamed among literate people in all nations IMHO. It is clearly political -- there are private winners and public losers in the change to locked and enforced access to digital content on the Internet. Any commercial company in any country that can successfully block the roads and check ID will make money, and they know it.


It's not a "web-TPM", far from it conceptually.

It is totally web-tpm. The differences are irrelevant to the essence.

It's far from essence as well. A safe secret storage is not platform attestation.

They are not even merely similar, they are identical.

They are both someone else controlling some part of your property, to control your use of the rest of your property.

Neither is benign or honest. Neither actually does what the sales pitch claims. The sales pitch is a Sales Pitch. It is what you say when you need to convince someone to do something they normally would not want. Anyone can make up a good sounding sales pitch for anything. Quoting the good sounding sales pitch does not show that the thing is good. It just makes one wonder about the speaker.

TPM is not merely "safe secret storage", it's someone else's secret used for someone else's purposes, and one of those purposes is absolutely to "attest" that WEI is valid on this machine at this time.

I can only assume that you know all of this perfectly well and can only guess at possible reasons why anyone who knows what these things do would try to sell the bs cover story that TPM is just another bit of neutral useful handy tech that users can use like a special kind of thumb drive, without mentioning anything about Microsoft and the reality of most actual manufactured devices, and what it actually means even on a machine where it's "disabled".


> TPM is not merely "safe secret storage", it's someone else's secret used for someone else's purposes

Not true, you can use it for your secrets as well. There are many many great use-cases for such secret storage.

> one of those purposes is absolutely to "attest" that WEI is valid on this machine at this time.

It can be one of the end results. But that's like blaming CPUs for accelerating crypto with AES-NI.

> They are not even merely similar, they are identical.

If you want to wage an ideological battle, at least remain technically correct.


"you can use it for your secrets as well"

There's that sales pitch again.

Why do Linux bootloaders have to get a blessing from Microsoft? Why does even one machine exist that has a BIOS that lacks the supposedly spec-mandated option for the user to install their own keys? Why are there keys preloaded on every machine that the user did not provide? Why do they all come from Microsoft? And why can't the user edit or remove them? Why can't the user decide that the MS keys are invalid and that things signed by them should not be allowed to run?

There are so many ways and proofs that this tech is not what its sales pitch claims it's not even funny.

I can understand not being aware of the underhanded aspects by simply not being aware of anything about it. I can not understand being aware of what it is and how it works, and still being OK with it and defending it as reasonable, useful, not dishonest at all, and exerting no outside _and superior_ control over what is supposed to be the user's own property and actions and associations.

They graciously, most of the time, allow you to also store some keys of your own in their vault they caused to be placed on your machine even if you didn't want it? How magnanimous and generous of them!


> There's that sales pitch again.

It's not a sales pitch, it's a very practical application for a TPM. Easy-to-use LUKS is nothing to scoff at for example. If you can't use it, that's your fault.

> Why do Linux bootloaders have to get a blessing from Microsoft?

Nothing to do with TPMs. The rest of the paragraph is nearly as misguided.

> They graciously, most of the time, allow you to also store some keys of your own in their vault they caused to be placed on your machine even if you didn't want it? How magnanimous and generous of them!

Yeah, it's so bad when you have extra hardware that you can utilize for your own purposes. It really is like blaming AES-NI being used for doing public key encryption with someone else's public key. Nobody should ever have anything they should want securely stored because some other technology out there is used in restrictive ways, sure. Obviously that's not true, you're simply pointing your finger at the wrong thing.


Your ability to mischaracterize it as "webtpm" makes me question your credibility entirely. It's fine to be opposed to the proposal, but it would be best to stay truthful and not exaggerate.

It is web-TPM. Yes the spec theoretically allows for any kind of attestation, but in practice it's only useful with hardware security like TPM involved.

the term is quoted -- informal for "something like that"

It is deliberately not a compliment


While I agree that the ACLU has become defanged, there are many more civil liberties to protect beyond simply free speech, which seems to be the only concern of FIRE.

To be fair, free speech is pretty huge, though. And it’s constantly under attack even in this day and age.

I agree with you, but I don't see a big attack on freedom of religion, assembly (post COVID) or movement lately. Freedom of Speech is under massive, coordinated attack by gigacorporations and https://freddiedeboer.substack.com/p/please-just-fucking-tel...

Covid wasn't very long ago. But yeah, I'm fine with an org deciding to focus on speech.

> John Brown Gun Club is becoming a better NRA.

JBCG doesn't really replace much of the NRA. Even if hypothetically people could join JBCG at mass scale, which they can't due to the way it's structured.

The NRA-ILA is increasingly useless for 2A advocacy and legal efforts, but JBCG isn't replacing that at all. FPC, 2AF, to a lesser extent GOA do more there.

NRA courses are crufty but don't really have a replacement approaching anywhere near the same scale. Certainly not JBCG. Maybe USCCA for just the pistol side of things, but that has its own issues since their business model is fleecing people.

NRA competition... there's no replacement for bullseye, but that's because bullseye is becoming an afterthought compared to e.g. USPSA in a lot of areas... smallbore and air as a college&younger sport notwithstanding. And nothing is close to trap/skeet/sc in popularity in the US, but that's not NRA either.

NRA club/range support and insurance.... also nothing replaces this.

---

What JBCG has that the NRA doesn't, and never had, is the same thing that the Black Panthers had in the 60s - armed support of disenfranchised subsets of the population. It's harder for the police to shut you down, or stand and watch as an adjacent supremacist group shuts you down, if you have your own armed guards.

Same as armed guards prevented mobs from attacking schoolchildren during desegregation in the late 60s, you see JBCG in a lot of places protecting pride events, drag events, etc. 'cus the police often don't. (In the US, it's not the police's job to protect anyone, that's been tried in the Supreme Court multiple times)


> What JBCG has that the NRA doesn't, and never had,

(Corollary: maybe that makes them a "better NRA", but it's an odd statement to look at because it sounds something like "DuckDuckGo is becoming a better Nvidia". Yes both are computer-adjacent, but they do completely different things, and have roughly never had any overlap in activities)


That's a very well-written explanation!

I would hope that we see this kind of explanation more frequently.


So much better written than the articles that were at the top of HN originally. People somehow thought this would mean checking for ad block? The original proposal specifically called out that browser extensions are completely unrelated to WEI, which just calls into existing OS and TPM-based attestation APIs and makes the status of this attestation available to sites.

> People somehow thought this would mean checking for ad block?

No, the worry about adblock was that Google could now just remove the ability for that to work in Chrome and there would be nothing you could do, because your forked Chromium wouldn't pass the attestation check (cause it would never be blessed by Google). This concern extends to other browsers as well. Because Google is making themselves the signing authority here, they can choose which browsers are allowed and which aren't, letting them force other browsers to add or drop certain features if they want to be granted attestation.


Not sure why you were downvoted. This is the exact scenario that will unfold in the mid-term future.

Not to mention that Chrome on Android already does not have any access to extensions and thus adblocking. Isn't that awfully convenient? For GOOG that is.


> People somehow thought this would mean checking for ad block

This is an obvious consequence of this proposal, yes. Ad-block prevention isn't an explicit goal, just a very obvious consequence when you create a mechanism whereby attesters (OS) inform the server about the presence or absence of software on your computer. It doesn't require a logical leap, it's a plainly obvious use case.

> Goals:

> Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.


People think it's about checking for ad block because protecting ad revenue is the very first concern the proposal addresses. The obvious path is that Chrome implements WEI and disallows ad blocking, and then Google gradually starts pushing websites to favor approved browsers that don't allow ad blocking. Perhaps they pay out a bit extra for "authenticated" ad impressions made using an approved browser. Or they could start suspending AdSense accounts for "invalid traffic" (https://blog.google/products/ads-commerce/understanding-acco...) because a high percentage of visits have no WEI token or a token from an "unrecognized" browser. I'm sure you can imagine Google doing something like that: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

EFF clearly explains why the holdback mechanism doesn't make sense, and why the proposal authors' personal beliefs are not relevant. What matters is what capabilities this technology allows, and what Google's corporate motivations are.


Nope, not really. Still looks like the equivalent of anti-encryption people saying "think of the children". I still see no explanation on how WEI will magically change the behavior of website operators. They can already take steps to block unwanted clients, but no one is in any significant way which hinders the "open internet". WEI is meaningless unless Apple implements it. The only effect the current discussion will have on Apple is how they publicly frame their choice.

Maybe it’s meaningless without Apple agreeing as things stand, because of iOS. But if the EU proposal about side loading forces Apple to allow Blink-Chrome instead of just WebKit-Chrome on iOS, then there’s not much holding Google back.

> I still see no explanation on how WEI will magically change the behavior of website operators

Google will change the behavior of website operators that use AdSense. They wouldn't want anyone to be artificially inflating their ad revenue with suspicious un-attested traffic: https://blog.google/products/ads-commerce/understanding-acco...


They already have implemented it. We and the EFF for that matter made not a peep, nor mentioned it.

https://httptoolkit.com/blog/apple-private-access-tokens-att...


The missing explanation is to just assume websites become like smartphone apps in terms of restricting clients, for better or worse. This path has already been explored, so not much imagination is needed: https://stackoverflow.com/questions/27540545/how-to-prevent-...

Remember: upvoting the EFF's articles is good, but you (yes, you!) can also donate to them to help with these campaigns!

Agreed. I have a lot of respect for the work they do.

They make some cool merch too:

https://supporters.eff.org/donate/


Can anyone speak to the quality of the shirts? I bought one many years ago at a Linux conference and the design was cool but the shirt itself feels like cardboard and sandpaper, so I never wear it.

If the shirts are Bella Canvas or American Life or something else high quality, I'd happily buy some. Tshirts are a great way to raise funds IMHO, and the EFF is doing extremely important work and needs to be funded.


The sizing charts give the shirt manufacturer: https://supporters.eff.org/t-shirt-size-chart#watcheru

Wonderful! Thank you, this is even better than I hoped for :-)

but i just gave all my money to Uganda...

I had donated to the EFF in the past, but their stance[1] that CDNs/hosted services shouldn't be allowed to choose the customers they are willing to work with is not only wrong, it causes harm[2].

[1] https://www.eff.org/press/releases/international-coalition-r...

[2] https://blog.cloudflare.com/kiwifarms-blocked/


I agree with you in disagreeing with EFF's stance on that issue. However, I think the good work they do in other areas makes them still a worthy place to put money, so I continue to donate to them. I definitely understand if others feel more strongly about that issue, though.

I'm happy to make up the loss with my donations.

I'm a strong supporter of EFF -- but you know what? I don't agree with every position they take. I can't think of any organization (or person) that I agree with 100%. If perfect alignment with my worldview were a prerequisite, I'd be unable to support anything or anyone.

Instead, I look at the total effect. On the whole, EFF (in my opinion) does far more good than ill, so they have my support.


You are essentially saying that we should have to ask permission from large corporations to be able to effectively run a website. For all practical purposes that means no free speech on the internet.

Freedom of speech meaning freedom from consequences has never existed, and will never exist.

Infringing on a company's freedom of association does not eliminate consequences for speech.

This is about freedom of association and the right (or lack thereof) to other people's broadcast equipment.


As a society we have held that in most cases corporations do not have freedom of association when providing vital services. e.g. your electric company has to offer you access to its services as long as you pay. This clearly needs to be extended to preserve freedom of speech on the internet. I care a lot about individual rights to free speech and very little about freedom of association for large corporations.

I'm more on the side of the EFF on this one. I don't think that infrastructure (and banking) companies should be able to deny lawful access as a default. What is able to be done in China in terms of cutting people off based on social credit scores should be terrifying and the only way around this is to expressly make certain markets open to anyone, even if you don't like them.

You know what I love about donating to EFF? They actually ask you which positions of theirs you agree with and will only use your money on those issues if you ask them to.

> hosted services shouldn't be allowed to choose the customers they are willing to work with is not only wrong,

Cool. So since you do think multi-billion dollar companies should be allowed to deny services to a paying customer, I assume if they deny offering their services to gays or blacks, for instance, you are also fine with that? Like, we shouldn't force corporations to do business with anyone...


I mean, devil's advocate here, this tech already exists and the question is do we do client attestation in a browser or pretend remote attestation doesn't exist.

If this gets rejected, would that mean that services that need a "trusted client" simply deprecate their web apps and rely on an iOS/Android app?

I'm not trying to argue in favor of WEI, I just think this doesn't magically disappear if Google doesn't implement it in Chrome, it just moves the problem elsewhere. The fight was implementing TPM in the first place.


The problem is, this is very open (or even designed) to be abused by their implementers. It's akin to having only Microsoft as the Secure Boot key authority.

Mobile devices already have tons of attestation features. Secure enclaves, security processors, cryptographic capabilities of SIM cards (e.g. I carry my private key inside my SIM card, and use it as a wet signature, legally).

We do not need this tech which can and will be abused to lock any tech-savvy person out of the daily internet based on arbitrary rules. There are no checks and balances. This is a very broad set of capabilities which is forced upon users.

This is no proposal, or experiment. It's a force-push attempt.


There were proposals for protecting against this in the WEI explainer under "Open Questions" https://github.com/RupertBenWiser/Web-Environment-Integrity/...

I skimmed the link you provided, thanks.

It looks like they propose to mix false signals to prevent this from being abused, but oh. That's easy to bypass. Require two attestations back to back to see whether they differ, or put up a page saying, "can you please try again?"

The open question is circling around the question, can we make it work in a way, such that it doesn't work for bad guys, but works for good guys.

Mathematics & cryptography don't work like that. They don't discriminate. They level everyone. It'll either become an iron fist or a Swiss Cheese. There can be no middle. This is maths.


We can't even agree on who the good guys and bad guys are. Is a bank bad for excluding certain browsers?

> We can't even agree on who the good guys and bad guys are.

This is true. In these discussions of trust, my measurement of a bad actor is who is in a position to harm me and has a history of causing harm.

High on my list are LEO and other government interests (fed,state,local).


> Is a bank bad for excluding certain browsers?

Yes, because it's stupid; they don't need to. The bank cares about correctly identifying who I am, not what client I am using. Nor do they exclude certain browsers because those browsers make it easier for a user to lie about who they are; they don't. Banks exclude certain browsers because their technically incompetent coders convinced their technically incompetent managers to do so.


As someone wrote in one of the top comments, banks will use it because regulators will ask them to.

Yes, if it becomes a regulatory requirement. But it shouldn't.

Yes. What about screen reading browsers?

What about neurodivergent people who cannot function on an "approved" OS because of the inherent ways it manages, stores, and presents information? What if that OS has an ACID compliant browser capable of accessing the bank's website if they didn't have remote attestation?

What about the millions of people unable to afford to upgrade their hardware to Windows 11? Or that don't have TPM available and therefore can't use any other Windows version because 10 fell out of support, so they're running a Linux distro with an unapproved web browser?


Some people can't help bringing this up in every WEI-related thread only to be debunked each time. This very article graciously mentions it and explains why it's a non-solution.

That "proposal" is doublethink in its purest form. WEI is a technology for restricting access to web services. But at the same time, it would try to prevent web service providers from doing exactly that?


Noob question: Can you do attestation with mobile web, or is it app only?

Sure, if your mobile device is only allowed to use "approved" web browsers. Which is one of the key harms to users that the proposed WEI standard will inflict.

Based on what you're saying though, it's already been forced on users through mobile devices. This is the next step in a series of steps which weren't argued against. It's not that we don't need this tech, it's that we didn't need this tech and are making noise about it now.

Putting boot signing and “OS integrity control” aside, the current iteration of TPM devices is not this intrusive. They allow me to generate and/or store keys and do cryptographic things with these keys securely. They store my information locally, and if implemented right, this data can’t leave that chip.

Even OS integrity check is done locally. You can’t ask arbitrary measurements out of it.

WEI is different. Rules come from outside. Acceptable parameters are decided by another party. You have no pieces of the system in your possession. You are a Furby forced to tell something with the will of the attester through the filter tuned and configured elsewhere.

I can disable TPM or force it to reset itself if I want to. Even Apple’s security processors can be wiped clean of your data.

WEI is not like that.


Treating end-users as a threat is galling, given the crappy security all over the web - IOT, infrastructure (BGP,DNS), leaky S3 buckets, misconfigured government sites, etc.

The best time to have fought against this tech would have been when it got proposed on mobile devices. The second best time is now.

You are correct, and that is fine. If the ecosystem becomes "You control your browser but not the apps on your mobile device," that's pretty much the status quo.

> pretend remote attestation doesn't exist

This. Nothing in my skim of the spec prevents me from using your hacked machine as an attestation oracle. This does nothing but add additional value to compromising end user devices.


> If this gets rejected, would that mean that services that need a "trusted client" simply deprecate their web apps and rely on an iOS/Android app?

The way forward is getting it removed in mobile devices as well.


I would suggest reading the TAG's Web Platform Design Principles document, it does a really good job laying out why the web is different from mobile and native applications and the reasons why some APIs, like client attestation, work in a mobile environment but would damage the web platform if they're implemented. For example, the WEI proposal violates the "It should be safe to visit a web page" principle (https://www.w3.org/TR/design-principles/#safe-to-browse):

    When adding new features, design them to preserve the user expectation that visiting a web page is generally safe.
    
    The Web is named for its hyperlinked structure. In order for the web to remain vibrant, users need to be able to expect that merely visiting any given link won’t have implications for the security of their computer, or for any essential aspects of their privacy.
    
    For example, an API which allows any website to detect the use of assistive technologies may make users of these technologies feel unsafe visiting unknown web pages, since any web page may detect this private information.
    
    If users have a realistic expectation of safety, they can make informed decisions between Web-based technologies and other technologies. For example, users may choose to use a web-based food ordering page, rather than installing an app, since installing a native app is riskier than visiting a web page.
I know a lot of savvy, non-technical users who absolutely refuse to install mobile apps on their phone except from the most trusted of sources, and I think this principle is a good structural framework for reasoning through why users still prefer the web.

Likewise, and that's the advice I give everyone. Most things are perfectly fine as a web page. The app offers no benefit to the user. It only benefits the app owner.

> I know a lot of savvy, non-technical users who absolutely refuse to install mobile apps on their phone

Yes. Mobile apps are far too risky, in my opinion. These days, the only ones I install are ones that I've written myself.


"In order for the web to remain vibrant"

The people pushing these things do not care about this at all. To them it's like something a child would say and marks the speaker as utterly irrelevant and silly, not even a real person due any respect at all.


> services that need a "trusted client"

Should be outlawed, with the exception of dedicated hardware. Stop invading my devices.


> If this gets rejected, would that mean that services that need a "trusted client" simply deprecate their web apps and rely on an iOS/Android app?

Yes, and this has already been happening. For example, Venmo used to have a fully-functional web app, but now you can't send/receive money on it. Many Chase features are also phone-only.

Edit: And a lot of these apps block jailbroken iPhones or rooted Androids if they can detect that.


Venmo is usable on the web again as of at least a year or so ago. Not sure what changed their mind.

Oh, that's interesting. Was not the case in 2021 at least. Maybe now they're worried about the new competition that does have web apps?

We choose neither of the options you presented. Instead we recognize that remote attestation is inherently abusive technology and ban it in all its forms. It should be illegal for any kind of service to ever require a "trusted client" in any context. Interoperability should be law whether they like it or not.

Yes and that is okay. The Web should remain open and some app stores could be walled gardens.

On my machine, it wouldn't be pretending that remote attestation doesn't exist. It does not exist, and if e.g. banks decided to require it, that'd just be locking me out. I have no attestation daemon, and if I did, it wouldn't be trusted by them. It doesn't matter if Firefox adds it too; it straight up won't work on my computer. People keep talking about browsers, but I'd prefer to continue running an operating system that doesn't have adware and spyware built in. My computer that I own is under my control, which is what these remote attestation features are meant to prevent. That is the fundamental problem.

If this kind of thing gets implemented by my bank/brokerage, I have to either buy a new computer just for them, or do all my banking over the phone or in person. It's incredibly wasteful and doesn't even help with security, but once it exists, it will get added to a checklist that banks will adhere to.


This is entirely about Google trying to deal with ad click fraud. They desperately want a solution in the browser.

They will ship this, standard or not. But I don't see a reason for Apple to ship this in Safari, or Firefox either. So I expect this will be a real test of Chrome's market power. Will any sites start blocking non-WEI browsers? Locking out iPhones seems insane. Or will we see differential ad rates for WEI environments?


> do we do client attestation in a browser or pretend remote attestation doesn't exist

Neither. The issue is that this is being framed as a "client attestation" problem, when the actual problem that needs to be solved (as opposed to a "problem" that certain companies would like to "solve" to benefit themselves at users' expense) is a user attestation problem.

My bank has no reason to care what client I am using to access their online services. They do have a reason to care about correctly identifying who I am. But there are already ways to do that that are just as good as anything WEI will provide.

Companies that do care what client I am using don't care for my benefit. They care for their benefit. But as long as they can't get the law to tilt the playing field in their favor, I can just refuse to use their services if they refuse to accept my client. As soon as "client attestation" becomes a legal requirement, though, then it's not just those particular companies that will use it; everybody will have to, including my bank, even though my bank has no reason to do so other than the law if such a law passes.


> it just moves the problem elsewhere.

Good. The point here is to shrink the space where client attestation is used, not to expand it. Every time it shrinks a little bit more is a victory. Let's get it out of the browser and then we can tackle native attestation for apps next.

> If this gets rejected, would that mean that services that need a "trusted client" simply deprecate their web apps and rely on an iOS/Android app?

This is verbatim the argument that was brought up for EME. But now we have the benefit of looking back at EME and seeing what the impact was. It didn't stop the movement towards native apps, businesses like Netflix implemented EME and kept many of the same restrictions they were going to implement anyway. It did end up harming browser diversity.

I understand that it sounds scary to say "we're just not going to do this" on the web when sites might be pushing a scare tactic of "we're just going to go native then." But... we've been through this, caving doesn't work. The sites that want to go native will go native, WEI on its own will not be a business justification for websites to stay on the web or to leave the web. The sites that do want to go native-only will not suddenly make a website just because WEI exists. They'll do the same stuff they wanted to do anyway, and if WEI is available, they will simply add that to their toolkit as a way to limit user agency alongside everything else they're doing.

It's good if businesses that want to rely on client attestation are "punished" by being forced to abandon their web presence. And frankly, people underestimate how much power the web has. Refusing to support WEI will not kill the web.


Yes, they should leave the web then. They won't do that anyway because they would lose users.

True that TPM shouldn't be embraced either, it will just create ambitions.


I agree with most of this, but one nit pick:

> Originally, secure computing relied on a second processor - a "Technical Protection Module" or TPM - to monitor the parts of your computer you directly interact with.

TPM stands for Trusted Platform Module, not Technical Protection Module


That's wild. It seems these blog posts are outsourced.

Edit: I'm wrong about this one. It's an actual article, and a pretty good one at that. But it is either a mistake or they are introducing an alternate expansion for TPM (other acronyms have been given different sets of words).


They don't have to be outsourced for this to happen. To put out lengthy press releases, you hire a copywriter. You don't ask an engineer to write them.

People make mistakes sometimes. And this one is not a huge one -- the meaning is conveyed fine.


I've also seen that exact incorrect explanation of what "TPM" stands for in several other places now. I'm guessing that someone authoritative made the error and now it's being propagated by people who aren't otherwise familiar with the terminology.

Google/Bing say otherwise, at least when it comes to the exact phrase "Technical Protection Module".

Or written with help from chat gtp, I've seen it hallucinate similar mistakes before.

Ah actually it is ChatGPT, you’ve made a common mistake. Perhaps you are an AI?

As we all know, ChatGPT stands for “Chat General Purpose Tool”, as it is an artificial general intelligence.


Hmm I thought it was ChaiGPT. People were calling the API ChatGPT so they changed the name to that of a beloved beverage and JavaScript assertion library.

I beg to differ, it is "Chat Guanosine TriPhosphate", a talkative nucleotide composed of guanine and three phosphate groups (the tri- prefix indicates three of something).

I'm guessing it's an alternate expansion that was popularized by some group who was deeply doubtful about this technology.

"Trusted Platform Module" sounds good. But what it actually means is that the platform can be "trusted" to place the interests of third parties over the owner of the device. Stallman referred to it as a "Treacherous Platform Module" because he saw it as betraying the user.

I'm guessing that "Technical Protection Module" is a similar attempt to "de-propagandize" the acronym, and that it caught on with some group of users long ago.


That makes sense, but instead of long ago it would be today, as the search engines aren't showing prior use of "Technical Protection Module". I don't know if it will catch on or not.

Exactly. Whenever the name of some computing concept makes the end user into the adversary, we should de-propagandize that name. See also: Digital Rights Management (DRM). Whose "rights" are benefiting from it? Certainly not the users'. See also: Copy Protection. What is being protected? Not the user.

Quite an odd mistake, did AI ghostwrite this and just hallucinate that?

The EFF are known for their alternate expansions at times. By far not as bad as the FSF, but they do tend to editorialize.

This however, absolutely sounds like someone being snarky.


I'm with the parent on this. Defining TPM correctly is just extending basic kindness to readers.

Probably just an attempt at a more accurate acronym, like digital restrictions management for DRM.

EDIT:

Originally posited an incorrect fact here. I completely missed who wrote the article at hand (not sure why, but I didn't see the authors names)

Good catch everyone


I'm puzzled by your comment. This is literally the article by him....

I completely missed it, edited in kind. thanks!

Would it be possible for attackers/fraudsters to just set up "proxy farms" of real hardware that provide the device details for attestation? It would make bots less efficient but surely the incentive for ad fraud would still exist and adaptations would be made.

This comment made me think of the videos of scammers with racks upon racks of cheap cell phones.

They are all legitimate phones and labor is cheap, so it's easier to just do that rather than try to create scripts to click on ads etc.


Yes, but in theory if suspicious behavior was detected those devices could be permanently blacklisted from a website, making the investment challenging.

If WEI goes through we'll probably see cheap PCs popping up on eBay that are unable to access certain websites.


You thought having your google account banned was bad now, wait until they ban all associated hardware with a heuristic routine and most of the web doesn't work for you anymore. That should really cut down on the account support requests they didn't want to deal with.

I read the entire thing and it’s not clear how this reduces control of your own computer.

It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally. This premise is obviously wrong.

> It also raises the barrier to entry for new browsers, something Google employees acknowledged in an unofficial explainer for the new feature, Web Environment Integrity (WEI).

This, however, is true for sure.

At the end of the day, even if WEI is implemented it wouldn’t necessarily get rid of an open web as it’s entirely optional. Those who implement it are those who are not interested in an “open web” to begin with and definitionally were never going to support it anyways.


It reduces control of my computer because without it my computer can identify itself to websites and advertisers in the way that I want, but with it, it can only use its TPM assigned identity. You can argue (I'd disagree) that it's a good thing that I can't make my computer spoof as something else, but unquestionably it does reduce my control.

This is wrong though. WEI doesn't stop your ability to spoof, it stops your ability to be successful in spoofing.

> unquestionably it does reduce my control

It doesn't reduce your control, you are still welcome to identify your computer however you want to websites by using a browser without WEI or disabling it.

You will just have to live with the reality that a lot of servers aren't going to want to talk to your client.


Their point is that a browser with WEI reduces your control versus a browser without WEI. I would agree with them that it's definitional.

This is always such a bad faith argument. When you have to choose between freedom/privacy and being able to perform daily tasks, that's not a choice, but coercion.

The better argument is just flipping the perspective. If your computer runs a web server, this increases the control, because without it other computers can connect to it and lie about their identity. That's not to say I think this is a good thing; I just don't think control over your computer is a good argument when both sides of a connection are computers, and both operators want not just control over their computer but also over what the other computer can do.

That's fair, but it seems to me they could've done it differently -- require a signature from the clients but allow them to produce an unbounded number of valid unique signatures that are securely but anonymously tied to the client TPM. In other words the client would still be able to present a validated anonymized identity, but would not be able to generate someone else's signatures, and private-key-based revocation could still be available to deal with rogue TPMs.

>without it other computers can [...] lie about their identity

That's the point, I think. I own my computer, which means I decide whether it lies. If I want to serve "This website only works in Chrome" when it's actually cross-platform, that's my right. I might want the client to open the page in Chrome automatically, and I would have more control over the connection if I could do so, but that control would be over the client's computer. It's not a question of getting more or less control in general, but of getting rightful control over my own property.

> both operators want not just control over their computer but also what the other computer can do

Are you saying that my demand to not have a server control what my client does is an act of control over what their computer does? Like if I told you not to use your forklift to take my stuff, I'm asserting power over your property?


> >without it other computers can [...] lie about their identity

> Are you saying that my demand to not have a server control what my client does is an act of control over what their computer does?

Yes. The owner of that computer does not want to serve your requests and you want to prevent them from exerting that control over their computer.

>Like if I told you not to use your forklift to take my stuff, I'm asserting power over your property?

Yes that is what is being argued here. Forklift owners demanding the right to lie about using a forklift to property owners like Google who do not want to allow forklifts to take their stuff.


> it wouldn’t necessarily get rid of an open web as it’s entirely optional

The devil is just right there. If an implementor is dominant, and the feature starts to be used extensively by banks / utility providers or other essential services, nothing prevents those users from enforcing the use of browsers that implement it, even if it's optional per spec.

The feature then becomes de-facto mandatory for all implementors, and in the long run Google can start refusing to serve apps on non-compliant browsers, per their de-facto standard, without much fuss outside the tech people.


Right. Some people are thinking about this really black-and-white, like you either have control or you don't. In the very end, WEI aims to collectively reduce the users' control.

Imagine this:

You buy a house. Your house has a little box by the front door. The box holds a small House Environment Integrity (HEI) module. This HEI is something your local Home Owners Association installed. They say you cannot open the box or investigate how the module inside works, as this is against the HOA and you will be fined. They tell you this HEI module is meant to help and protect you. To make sure the plumber you hire didn't do a bad job or that the paint you used on your walls doesn't contain lead. They say it's for your benefit and to make your home a better and safer place. This does not reduce the control of your own house.


This is an argument against the TPM, not WEI.

WEI is a mechanism that forces you to let websites use the TPM to stop and frisk your machine before access. There’s no difference.

Sure, WEI just says that they’ll allow literally any person you interact with at all look in the box on your house.

Instead of imagining a theoretical box, consider the water and power meters you probably already have that you don't technically own.

> This does not reduce the control of your own house.

Just make sure your visiting friends register with the HOA, and don't get excited about being handy with the curtains, that's gonna require an HOA approved contractor.


> it’s not clear how this reduces control of your own computer.

It eliminates a computer user's ability to have their user agent lie about the platform it's operating on. Such a capability is crucial for privacy and adversarial compatibility. Simple example: your bank of choice starts sniffing your UA string and refusing to serve Firefox, as they only test the site in Chrome and don't want to service support tickets for any other browsers. Presently you can spoof your UA string and visit the site with Firefox anyway. With WEI the bank site now has the technical means to ensure your browser accurately reports its identity and to refuse access to anything but Chrome.

I'm not necessarily claiming that this is how WEI will be used, but the point is it's now up to site operators to choose what makes a valid visitor, rather than the UA being just a transparent medium between you and a website (provided that each is implemented to spec).


It absolutely is how it will be used. Try banking on your rooted Android phone, today. That’s the future for banking on the web.

Streaming video sites are another prime example. They serve low resolution video to Linux machines because the DRM won’t attest to a secure video decoder. I’m not sure I look forward to similar discrimination from the entire web.


> I read the entire thing and it’s not clear how this reduces control of your own computer.

Requiring to run a software stack signed by a third-party to access a basic Web page definitely reduces my control over my own computer.

> It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally. This premise is obviously wrong.

That is not the premise, since you can already run a closed-club server and only provide accounts to people you want, with whichever conditions you choose. You're just not entitled to verify the software that clients run.

> At the end of the day, even if WEI is implemented it wouldn’t necessarily get rid of an open web as it’s entirely optional. Those who implement it are those who are not interested in an “open web” to begin with and definitionally were never going to support it anyways.

This will be forced on the Web by ad networks. For our own good and to prevent fraud by the bots of course.


> It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally

No, the premise is that a server that offers an HTTP endpoint should provide the same behavior at the endpoint regardless of the nature of the device or software that is accessing it.

Obviously, we have some exceptions already, hence robots.txt

But the idea is that if I am a user pointing something with a reasonable functional distance of "a web browser" at an HTTP server, the server should not alter its behavior based on an attempt to verify the internals of my browser.


> It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally. This premise is obviously wrong.

Yes, that is obviously wrong. Accessing a website doesn't give you anything like the ability "to access other servers wholesale unconditionally". Requesting files over HTTPS isn't a gorram root ssh session.

All a user-agent does is ask "Can I have file `/x` please?", "Can I have file `/y` please?", "Here is the data `foo=bar` for `/quux`" etc., etc., etc...

The server is free to say "200 OK" or "400 Fuck off" to any request it receives, at its own discretion, based on whatever rules the server administrator wants to put in place. Which they have the absolute capability to do. That is nothing like "unconditional wholesale access" to a server.


> It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally. This premise is obviously wrong.

"Obviously" is a very strong word for what is pretty much your opinion.

As the system was designed browsers are an agent of the user, not of the web servers or the ad businesses. If you want guaranteed ad impressions and control go make iPhone apps. Taking an open system such as the web and forcefully closing it up using overwhelming monopoly power like Google is doing is not only disgusting but also incredibly anti-competitive.

> At the end of the day, even if WEI is implemented it wouldn’t necessarily get rid of an open web as it’s entirely optional.

For now. "Entirely optional" can be stretched very far. If you were banned from AdSense revenue and from appearing in search unless you enforced this, it would still be "entirely optional" but also pretty much trash your site unless you complied.


> It seems the premise is that those with a computer should be able to access others servers wholesale unconditionally. This premise is obviously wrong.

The premise is that I shouldn't have to give that server control over locally-running code on my PC as a prereq for access. They can enforce whatever conditions they want server-side.


What is to stop me from virtualizing a TPM?

Your poorly drawn signature.


Your vTPM doesn't have a certificate from any respected authority.

Yeah, and there is no (easy) way to extract the root cert from your own real TPM either.

Here is an idea: if WEI is available, use it to block Chrome; otherwise allow access, disregarding WEI. XD

I used to have a little website in middle school that banned Chrome by user agent, cause even back then (2008) I said it was evil.

Ok but seriously, this might be the only way to combat WEI. Don't even preach to the user about the evils of WEI (ain't nobody gonna read that wall of text), just say it is not supported and tell them succinctly how to turn it off / get a different browser.

I agree; this may well be an effective last-resort action if Google Chrome does implement Google's WEI proposal. However, I sincerely hope that it won't come to that, because it's not a foregone conclusion that Chrome wouldn't win :(

Such an irony that WEI seeks to impose the tyranny of the "giants of flesh and steel" into cyberspace.

Very poetic. One can imagine a cyberpunk plotline around that idea.

> A handful of companies have established chokepoints between buyers and sellers, performers and audiences, workers and employers, as well as families and communities. When those companies refuse to deal with you, your digital life grinds to a halt

This short paragraph summarizes the (ex-ante) improbably unusual situation we have drifted into.

The negatively affected stakeholders being enumerated are more or less the entire society.

These gatekeepers and chokepoint operators do have a few natural allies (the captured politicos, others in direct or indirect payroll, externality-blind markets). Yet somehow they can bully into submission basically the entire universe. With its infinite financial, political, intellectual resources.

Rather strange, don't you think? It's almost as if they already operate effective mind control at systemic scale.


See also the history of railroads and telecoms.

Also every industry in Canada

The solution in Canada is to break up some of these huge companies. The free market can solve things, but only if there's a free market. When you have 1 or 2 companies, there's no competition.

> The solution in Canada is to break up some of these huge companies. The free market can solve things, but only if there's a free market.

I'm not familiar with Canada but this sounds like oversight there is similar to how the US DoJ operates - which is to say it has a long history of rubberstamping (massive, competition-killing) mergers


It's more allowing foreign competition. If you let US (or whoever) telecom into Canada, Rogers, Bell and Telus would have to get their act together or die overnight. Same with banking, air travel, etc. Canada's oligarchs have complete regulatory capture, so they don't have to worry about being competitive; that's the problem.

The difference is one of degree (comprehensiveness) and potential impact. Total control of a mobility mode is bad, total control of a certain type of communication infrastructure is worse, but the fingerprinting and tracking and exploitation of every single digital device and information exchange is just off the scale.

> as if they already operate effective mind control at systemic scale.

If the logical conclusion of your reasoning is a mass mind control conspiracy, you should revisit your assumptions.

> somehow they can bully into submission basically the entire universe

I don't think anyone is bullying all of society. I think most people just don't care. It's really not that crazy, no mind control involved. Just good old fashioned apathy and ignorance.


It's like any other kind of long tail problem. If it doesn't directly affect you or someone you know, you generally don't care about it too much in aggregate.

If they can kick the former president off his platform, they can bully Joe Schmo off their platform. Whether you agree with the former president or not, he was in theory the most powerful person on the planet and had to submit to the powers of large tech companies. I think the idea that most people don't care is not a supported or well-founded assumption either; rather, you just asserted it.

>he was in theory the most powerful person on the planet

You need to provide a practical definition of "most powerful" before your phrase can be evaluated.


He had the ability to give the order to start thermonuclear war and end humanity... He had the ability to radically change tariffs and regulatory enforcement in America. I'd argue that's something a more precise definition would improve on, but I also think a more robust definition isn't really required to demonstrate the point. I feel that the president of the US is extremely powerful, more so than either one of us most likely.

You are demonstrating that power is distributed, which many consider a good thing. Checks and balances and all that. What would be worse than the media having too much control is the media having no control.

Absolutely, but the idea that you can basically "deperson" someone's voice without any review, in the case of most large social media platforms, seems more like a concentration of power than a distribution of it. In this context it's against a president, so it's a check, but in the context of Joe Schmo it's just an abuse you have to take. Regardless of whether it is the CCP or social media companies censoring, it's still censoring.

I sort of accept the apathy and ignorance argument for individuals (though crowds would get worried, even enraged if they were to receive warnings from institutions they trust, so one still needs to explain why there are none).

But the list of affected entities involves far more than addicted consumers. Digital gatekeepers interfere and reshape the information flows which form the fabric on which all economic, cultural and political activity takes place. There is already plenty of evidence of the potentially dramatic impact. Highly trained and responsible individuals in the corporate world or the public sector cannot possibly be ignorant or detached from this extreme and unprecedented concentration of control that affects their very own roles and power bases.

I didn't really want to speculate as to what perpetuates this (by historical standards) rather extraordinary situation. There is clearly some accommodation taking place. E.g when the entity now known as Meta attempted to introduce a digital currency it was summarily pushed back into its corner.

The mind control possibility was a joke, but - mind you - conspiracy theories thrive in the lack of transparency.


Yeah, this is a super deep issue, but it's not mind control.

It's a mix of middlemen being the only industry that can still extract more profit, and a level of control over markets by Capital that makes most opinions meaningless.

It's essentially a return to feudalism, where certain people own vast swaths of productive space, they're untouchable in the legal system and real life, and one is forced to work for them.

To escape the system means leaving behind most of society, depending on your convictions. These groups can kill you physically (Monsanto poisoning people with pesticides) or metaphorically (you lose all connection to the general societal social media) and nothing can be done.

For the first one, if you were to suggest violence against those doing violence against you, you're essentially told that violence is never the answer, except when its in the form of collateral damage for profit motive.

For the latter, it's not nearly as life-ending; annoying, but not life-ending or even life-altering unless your livelihood is based around grifting on social media. For social media it is ironically democratic: if most people find you to be an annoying asshole, they sort of kick you off so you leave everyone alone. No different from getting kicked out of a bar for demanding to see someone's genitals.



We need rules that make it easier to transfer data(including addresses), control your own privacy, more compatible options for storing, searching, sorting, ranking, filtering data.

>You can choose not to send this to the remote server, but you lose the ability to send an altered or randomized description of your device and its software if you think that's best for you.

The EFF is being misleading here by conflating the attestation token with fingerprintable information like a user agent. An attestation token does not contain information about the device that can be used to identify it, since the data the site gets is low entropy. WEI doesn't stop you from changing your user agent, nor does it prevent you from using your privacy web extensions.

>But, despite their valiant attempts to cast these benefits as accruing to device owners, these are really designed to benefit the owners of commercial services; the benefit to users comes from the assumption that commercial operators will use the additional profits from remote attestation to make their services better for their users.

End users are not the only stakeholders in the web. I would say most changes to the web are for people who develop sites, and end users benefit from sites using those features.

>Putting handcuffs on every shopper who enters a store would doubtless reduce shoplifting, and stores with less shoplifting might lower their prices, benefitting all of their customers. But ultimately, shoplifting is the store’s problem, not the shoppers’, and it’s not fair for the store to make everyone else bear the cost of resolving its difficulties.

This metaphor isn't the same, since WEI is transparent to users. Physical handcuffs would be very intrusive, but that isn't what is happening here. Shoplifting affects the profitability of the store. A better metaphor would be a bouncer for a club. Technically a club could have a set of rules for entering, and customers could promise that they follow them. Unfortunately, people lie, and just trusting them isn't good enough, so clubs end up adding bouncers even though they don't directly make the experience for customers better.

>The problem is, there are lots of websites that would really, really like the power to dictate what browser and operating system people can use

This claim needs a citation of where user agent based blocking isn't enough. People spoofing their user agent won't make much of a difference to support costs of the site.

>The web is the last major open platform left on the internet - the last platform where anyone can make a browser or a website and participate, without having to ask permission or meet someone else’s specifications.

WEI doesn't prevent you from participating in the web or needing to meet someone else's specification. You can even make an attestation service for your own browser.

>We sympathize with businesses whose revenues might be impacted by ad-fraud, game companies that struggle with cheaters, and services that struggle with bots. But addressing these problems can’t come before the right of technology users to choose how their computers work, or what those computers tell others about them, because the right to control one’s own devices is a building block of all civil rights in the digital world..

To prevent ad fraud, either you need to increase the fingerprintability of users on the web, violating people's privacy, or implement a form of remote attestation, which protects people's privacy.

If the EFF cares so much about privacy on the web, they should be in favor of this proposal.

I disagree that being able to lie about what your device is running is a building block of all civil rights, because the physical analog, fraud, is illegal, and the world seems better without people committing fraud against one another.


> WEI doesn't prevent you from participating in the web or needing to meet someone else's specification. You can even make an attestation service for your own browser.

As always, Google will do its best to ensure it PRACTICALLY does, while denying it at the same time by pointing out that "you can make your own Google".

> because the physical analog, fraud, is illegal,

I don't know about the US, but in Poland abusive and anticompetitive clauses are not enforceable. Lying about the device seems to be the digital equivalent.


>Lying about the device seems to be the digital equivalent

Not all lying is equal. If an ad network uses WEI to avoid lies made to defraud them their goal is not to be anticompetitive.


I can even agree here, however the question is - does this justify the entire mechanism when it's known it can be used for other purposes which are not as non-controversial as your examples.

> An attestation taken does not contain information about the device that can be used to identify since the data the site gets is low entropy.

Citation needed, how does WEI make it _impossible_ for attesters to return higher entropy information? Pinkie promises are insufficient.

> WEI doesn't stop you from changing your user agent

False, this is an explicit design goal: "Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."

> nor does it prevent you from using your privacy web extentions

Not an explicit goal, but a very obvious next step with strong economic incentives.

> Physical handcuffs would be very intrusive, but that isn't what is happening here.

Seeing a message that says "Sorry, this website is only accessible by browsers that support WEI" is very intrusive.

> WEI doesn't prevent you from participating in the web or needing to meet someone else's specification. You can even make an attestation service for your own browser.

Categorically false, no website is going to trust your attestation service. This is equivalent to saying "Just create your own CA".

> I disagree that beivg a to lie about what your device is running in a building block of all civil rights because the physical analog, fraud, is illegal, and the world seems better without people commuting fraud to one another.

No, the physical analog is "lying", which isn't illegal in most situations, and required in some - such as when a stalker asks you where you live.


>how does WEI make it _impossible_ for attesters to return higher entropy information?

It isn't impossible, but doing so would violate users privacy which isn't the goal of the proposal. You don't need WEI to violate people's privacy.

>False, this is an explicit design goal: "Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device."

That statement means that the site would learn that for example the server can trust that the user is using Chrome on windows. A feature of Chrome is that it's possible to spoof your user agent.

>Seeing a message that says "Sorry, this website is only accessible by browsers that support WEI" is very intrusive.

This can apply to any API. It's happened for WebGPU. Blocking users is not a goal of the API.

>no website is going to trust your attestation service. This is equivalent to saying "Just create your own CA".

It is possible to create your own CA. How do you think things like Lets Encrypt came into existence. Trust is hard to earn. That doesn't mean that it is impossible to get people to trust you.

>No, the physical analog is "lying", which isn't illegal in most situations

I agree, but WEI is meant to be used in situations where lying should be illegal.


> but WEI is meant to be used in situations where lying should be illegal.

But here I once again have to point out that in practice this will look very different.

The practical effect is that if someone installs LineageOS or even AOSP to get rid of Google spyware and preinstalled bloatware, then these attestation checks will fail and that user will not be able to use apps that are necessary in practice.

The question is whether this is really a "side effect" or just the actual goal.


The actual goal is probably that Google and others prevent ad-blocking. WEI itself is not meant as a fingerprint, but with unblockable ads comes unblockable tracking (not that I personally care about tracking). Like, look at YouTube on iPhones, they blocked background playback in the app and even got Apple to block it in Safari in iOS update 10.

They don't need WEI to keep the vast majority of users away from obscure alternative OSes, but as a side effect those would be impacted.


YouTube contractually must pay extra when people play music in the background. It's why it's a premium only feature.

Right, and they'll want to enforce things like this on desktop too.

> "End users are not the only stakeholders in the web."

Wrong. RFC 8890 clearly states that the internet is for end users.

https://www.rfc-editor.org/rfc/rfc8890.html


google is free to make a separate global network called the internot

That is the opinion of the IAB. The IAB are not relevant here.

So, part of an ongoing campaign to stamp out everything that was good and different about the web?

Your business model involves selling ads, but it's being undermined by fraud. You should be able to _change the internet_ so the business model makes sense again.

Yes, because ads are beneficial to the web. So is account security, spam detection, anticheat, etc. The current implementation of the web is not set in stone and we should take steps to improve it.

> Yes, because ads are beneficial to the web.

Citation needed.

Ads are not beneficial to users of the web. There does not exist a website that is better WITH ads. Users do not care about ad fraud.

Ads are beneficial to adtech and companies with ad spend.

We should not destroy the entire internet to protect/increase adtech profits.


>We should not destroy the entire internet to protect/increase adtech profits.

Yeah, ideally businesses wouldn't be built on this model (free service funded by ads at the expense of privacy and now user control). Then we might not have had to worry about widespread fingerprinting AND we can maintain user control too.


>There does not exist a website that is better WITH ads.

Ads can fund the development of the site, the services of the site, and the content on the site. The amount of additional value that the site is able to provide users is much more than the value that gets taken away by including ads. I haven't even mentioned how the ability of users to advertise things on the web is also very useful.

>Ads are beneficial to adtech and companies with ad spend.

Who are both users of the web too.


end users aren't demanding control over the software the ad companies run - maybe that direction would make more sense.

>To prevent ad fraud either you need to increase the fingerprintability of users on the web, violating people's privacy, or implement a form of remote attestation, which protects people's privacy.

>If EFF cares so much about privacy on the web they should be in favor of this proposal.

Privacy on the web by implementing remote attestation across the web will inevitably in practice reduce digital rights and user control/freedom. The EFF also cares a lot about this, so it makes sense that they would be against the proposal. Both of these goals could be achieved by websites providing the same behavior regardless of the client browser/software that is requesting pages. The reason we have to lie is because user-hostile businesses/sites don't want to adhere to this (advertising, DRM). (ignoring useful things like providing a mobile version of a site)

To note, fingerprinting is always going to be technically possible (especially given the larger and larger feature scope that businesses have wanted to impose upon the web since its inception), WEI is just an attempt to stop ad-driven sites from trying to do it.


> If EFF cares so much about privacy on the web they should be in favor of this proposal.

Not true at all in the slightest, even with the sorry explanation Google employees tried to conjure.

> To prevent ad fraud either you need to increase the fingerprintability of users on the web, violating people's privacy, or implement a form of remote attestation, which protects people's privacy.

Not true either, you don't have to do any of that. And why exactly should the client be responsible for ad fraud? These suckers, advertisers, try to track me without consent for years and abuse every legal gray area there is. Boot me from a service if you don't like my client for all I care, just be transparent about it.

> You can even make an attestation service for your own browser.

I don't want that. I do indeed vet clients connecting to my service to defend against attacks, but WEI comes with a cost I would never be willing to pay.


I think a realistic description/story from real experience I've had as a security engineer might help some people understand why this will end up so bad.

I've worked with banks, who are among the most security-minded of organizations. It's not because they're security nerds, it's because the cost of getting hacked is astronomical, and because regulations require them to be "as secure as possible."

Banks won't be chomping at the bit to implement WEI because they hate the open web or they hate Linux users. They'll be chomping at the bit because if they don't it will be a liability, and a "you're not doing all you can for security" type of risk that can open them to lawsuits, regulatory punishments, and even higher insurance costs. WEI is not a requirement right now because it doesn't exist. Once it exists though, you can be sure it will become a standard practice requirement, and anyone arguing against it might as well be arguing that using CC cameras is a privacy invasion: they'll seem absurd and won't last long in that position.

In short order it will be implemented by all the CDNs like Cloudflare, and it will be a simple checkbox for site owners to add to their site. Failure to implement this would be a fiduciary disaster, so they will have no choice. Once that is there, nobody who cares at all about security for their site (which is pretty much all people) is going to uncheck that box.


> Once it exists though, you can be sure it will become a standard practice requirement

Yes, this seems inevitable. At which point, I will no longer be using the bank's website.

> they'll seem absurd and won't last long in that position.

I'm not sure what you mean here, though. People who object to ubiquitous surveillance don't seem absurd to most (even those who aren't so upset about it), and they certainly aren't changing their position.


Hey John, I love that we are in the same threads on HN so much :-D

> I'm not sure what you mean here, though. People who object to ubiquitous surveillance don't seem absurd to most (even those who aren't so upset about it), and they certainly aren't changing their position.

Yeah good question/clarification, I'm referring to the CCTV cameras in the bank itself (such as in the vault, in the lobby, etc).


Hooray for shared interests! :)

> I'm referring to the CCTV cameras in the bank itself

Ahh, I see what you mean. I do know people who hate even those cameras, but they do also understand why they're there and just silently put up with them while minimizing the amount of time they spend on-premises.

I think there's a bit of a difference, though. If I'm in a bank branch, it's effectively "their house, their rules", so CCTV cameras don't offend me there.

But if the bank required me to be searched when entering the place, I'd be strongly offended by that. To me, WEI is more like being frisked than being surveilled (although neither analogy is great).


You'll likely be ushered to their mobile app instead.

I don't do mobile apps.

What I'll do instead (and, honestly, this is what I already mostly do anyhow so it's not really a sacrifice) is physically go to the bank branch to conduct my business.


At my bank, they will then send you to the online banking, or the phone (with its 20 min plus waits).

The mobile app is required to use the debit card anywhere but card-present, because of 2FA. The mobile app is required to do interesting things on the website, because of their 2FA. The iPad can't use their website (because reasons, they think it's mobile) and can't use the mobile app because it's not the configured phone for the account.

Credit cards really aren't a thing in this country, and if they are, they will generally have a phone based mobile app for 2fa/strong auth.


If things were like that where I live, then I'd have to have a different response, obviously. I'm sorry that your options are so limited.

I'm not sure what my response would be, but I'd probably lean toward having a separate device that's acceptable to the bank and that I use only for banking purposes. But I don't know.


I don't know about your country but here the only people who physically go to the bank are 80+ grannies and granddads who think they're too old to learn this bloody computer stuff, and who are also willing to pay exorbitant 10-30 monetary units for each bill paid by a physical person in the physical bank, and to do even that they must accept that it's ok if you have to book an appointment at the bank's counter in advance.

It's nothing like that here in my part of the US, fortunately. I am becoming increasingly aware at how lucky I am about this in these comments, though! As I said in another comment, if I had these obstacles, it would absolutely alter my response to this.

I don't pay my bills at a bank or bank website regardless, there is no surcharge for going to a bank's physical location, and I don't have to make an appointment.

And people who go to branches aren't exclusively elderly and/or technophobes -- but even if they were, what does that matter?


Having visited my local one last summer, and after waiting in line for a good twenty minutes, I wish you luck. Thankfully I can do 99% of what I need through my app/online.

> I will no longer be using the bank's website

That's a great temporary measure, but once this has rolled out everywhere and is part of standard commercial experiences, are you really willing to completely opt out of online banking because you're not permitted to send fake browser identification?

It's a fine philosophical position, but it feels akin to refusing to use public streets because of the existence of surveillance cameras.


> are you really willing to completely opt out of online banking

Sure, why not? It's not like it's a huge sacrifice on my part. It's just a little reduction in convenience. No big deal.

> because you're not permitted to send fake browser identification?

That's not the issue for me at all. The issue is if sites require me to use specific browsers, to not use specific extensions, to not be able to modify the browsers, or to adhere to specific requirements in terms of the OS I'm using. Having to maintain a completely different environment in order to use certain websites really is a loss of convenience that I object to.

Don't get me wrong -- I don't see this as a huge moral issue. Sites can do what they want, and if I don't like what they want, I don't have to use them. Opting not to use them strikes me as a reasonable and proportional response.

The only thing that makes me a little sad is that it's just another thing that makes the web worse and less useful.


> It's not like it's a huge sacrifice on my part. It's just a little reduction in convenience. No big deal.

Sure, I get that. I just feel like it's only a little inconvenience now, but in a few years it will be a big one, and so on. After all, the US is _already_ way behind the rest of the developed world in mobile payment/banking tech.

> The issue is if sites require me to use specific browsers, to not use specific extensions, to not be able to modify the browsers, or to adhere to specific requirements in terms of the OS I'm using.

Ah, I didn't think about that angle. That would be pretty draconian. I foresee a shift to dedicated embedded apps for that, like a restricted VM inside of a browser tab. We'll see!


> Sure, why not? It's not like it's a huge sacrifice on my part. It's just a little reduction in convenience. No big deal.

I can easily imagine a world where in ~20-30 years, there are no bank branches or phones or ATM machines or cash--because 99.99% of people have no interest in using those things anymore. In that world, suddenly it becomes an almost insurmountable inconvenience not to acquiesce to whatever is required to use online banking.


And when that day comes, then I'll figure out some other mitigation strategy.

What does your banking experience look like if losing online banking is a minor inconvenience to you?

For me it would be as if my bank ceased to exist.


Unless they're going to trust my own attestation provider (unlikely, and then what's the point?), I would have to buy another computer to use online banking. My computer does not have attestation. I'm not going to move to Windows just to use my bank's website (and I think I saw Windows 11 requires a new computer anyway, exactly because of this attestation stuff?). All of the programs I use and my workflow are on Linux. I can't virtualize it since that's the point.

Attestation requirements from banks would mean I must run an OS with adware and spyware built in to use online banking. It's not (just) about browsers.


all valid points - but if every bank requires attestation your solution will be? go use the ATM? I guess you're in the U.S probably so that's an option but basically for some parts of Europe this will mean people will have to use attestation to basically exist.

Given that most people don't use ad blockers, I suspect most people will not stop using the website, at which point, it becomes safe to assume most people will have a browser it works with. Once that point is reached, there's no reason it wouldn't proliferate to any number of sites, including ones you likely do use.

Indeed, and this is why I'm very opposed to the WEI idea. It will make the web even smaller and less useful.

> Given that most people don't use ad blockers

In the US, 40% of people do use ad blockers. That's certainly not "most", but it is a large enough number to be significant.


While I'm willing to believe banks are very security minded in terms of their core infrastructure, banks do not appear to be with regards to their customer access and usually seem to move very slowly to secure that end of things.

Hell, many/most of these large institutions seem to still only support SMS for 2FA and even that's a relatively recent introduction to actually mandate.

Which is to say, I expect banks to be about the very last significant account you use to mandate this technology (if it takes off), not the first.


> I expect banks to be about the very last significant account you use to mandate this technology

Unless Google happens to make fat campaign donations or post-office job offers to elected officials who can ensure WEI becomes mandated for banks.

In the face of this, what banks want won't matter much.


If Google wants to force WEI to become common, all they really have to do is mandate that sites have to implement WEI in order to be listed in their index.

But that would be fuel for another antitrust case.

Are you saying the outcome of previous antitrust cases (especially against big tech) hurt those businesses sufficiently that they act as a deterrent? It doesn't look that way from my position here in the peanut gallery.

I absolutely agree. I was making the case for how Google could manipulate a theoretically-resistant banking industry.

I get banking is regulated from a variety of directions. However, the path of lobbyist influence->federal manipulation is so well worn it impacts many (probably most) exertions of power.


As the parent pointed out, banks don't care about customer access or even customer security per se. They care about not getting fined or accused of not being "as secure as possible." You and I know that using SMS for 2FA is a non-great idea. Banks mostly know it too. The reason they continue to use it is because regulators will not ding them for using it, and there's currently no better alternative that the average muggle customer can handle.

One of the banks I work with had 2FA fobs since the beginning of 2000s. Now they have the same "fob" as an app in the phone, and using it is mandatory IIRC.

Most banks lock your phone access to your IMEI + phone model + some phone specific data, so people knowing your details can't login without your phone. Web side needs 2FA or special activation depending on the bank.

Forgot your password? You need your biometric ID and your actual face to match at that very moment to make that work.

These are by regulations, yes, but this is very far from a "security theater".


I think the parent posts meant that whoever reviews your bank's 2FA and says "that is good" would also look at the SMS system and say "that is good".

If they are only doing it to tick compliance boxes then there is probably not much motivation to do it better. Those systems are security theatre.


Yes, I understood what the parent post tried to say, and just wanted to provide a counter example which is not a security theater in its nature.

Ah, also the same bank doesn't send SMS anymore. Everything arrives in their app. They only fall back to SMS if the app fails to acknowledge receiving the notification, which happens maybe once a year?

Also, banks do not mail financial information by default to prevent wiretapping by 3rd parties.


How does wiretapping affect mail?

Email, unless you encrypt it yourself, is not encrypted at rest. This means any mail server or relay which your email lands on can be openly mined and analyzed transparently, and without any evidence (which is how GMail works, BTW).

If you're sending sensitive financial information over the mail, it can be read, classified, tied to you and be used against you if required.

So, we have a directive to not email anything financial to the recipient by default.


U2F is starting to take off, thankfully. I'm worried about what happens if it gets lost/stolen/mugged and the token is gone, but at least no SS7 attack.

If banks were security minded for their customers they would have enabled read only app passwords 15 years ago. Instead, they made it unsafe to use third party software with their online banking front ends to deter you from owning your data.

Then we'd better find ways of fooling or defeating WEI. "Tamper proof" indeed. It's just OS DRM. We've cracked DRM, we can crack this.

I suspect cracking this will involve attacks like the recent Tesla one that require an extreme amount of technical skill and risk of destroying/damaging the system in the process. Then cue the cat & mouse game. Widespread breaking of it is not going to be remotely practical.

The idea of relying on cracks / security flaws to get basic freedom causes me great anxiety. Sure, it can be cracked. It shouldn't have to be because it shouldn't exist to begin with.

Meanwhile, arms race being what it will, the freedom gained will be short-lived and can't be relied-upon.


Mr. Anderson... don't you like the idea of a future where caring about privacy and control means you're marginalized to the sewers of a Matrix arcology, eating nutrient slurry on the Nebuchadnezzar?

That sounds like a cat and mouse game that I would rather not play. Look at iOS jailbreaks. They were fairly common early on and still regularly occur. But they are not frequent. Maybe a full jailbreak every year or two. The verifier for WEI can also revoke access to old versions of the software. I don't want to be playing that game to access critical services such as my bank.

my experience with banks has been the opposite - they're always a ways behind the rest of the web on security measures. some banks are still rolling out 2fa. and look how horrifically insecure credit cards are. not because they don't care, but because they see technical measures as only a small piece of their overall security strategy, and online access as only a small part of their business that they consider untrustworthy no matter how much security is implemented.

where most of the web treats authenticated users as trusted, banks still treat an authenticated user as mostly untrustworthy, and all of their actions as still being a potential risk, so securing the authentication isn't so important.


Some banks are definitely behind the curve, but notably I think that tends to be around customer-facing stuff. Given that whatever they use has to work for very elderly people as well as young people, it surely makes it difficult to move/change things. WEI though is entirely on the backend. It can be implemented as soon as the major OSes have it integrated, and it requires nothing from the user (besides installing their updates, which is mostly forced).

As others have noted, banks are governed by (often multiple) regulators, at the local, state/regional, and national levels typically.

As Brian Krebs has noted, on top of the already-oligopolistic banking sector is an even more oligopolistic banking-computer-services sector: "What Is Your Bank’s Security Banking On?" (2018).[1] Sadly, the industry is dominated by a small handful of banking platform providers. Four of them, Fiserv, Jack Henry, FIS, and CSI, serve over 80% of the market. Bank regulators, responding to Krebs, said that "small to mid-sized banks are massively beholden to their platform providers, and many banks simply accept the defaults instead of pushing for stronger alternatives."

This does also suggest that there may be a small number of points of control over which to enact useful change, though of course there's also a concentrated lobbying interest in avoiding or counterinfluencing same.

________________________________

Notes:

1. <https://krebsonsecurity.com/2018/03/what-is-your-banks-secur...> (HN: <https://news.ycombinator.com/item?id=20203482>)


A couple of decades back, I worked on middleware applications for banks. So my knowledge is 100% dated and things may have changed.

But back then, bank security was terrible when viewed through the lens of how hard it is to break in and do bad things. On the other hand, bank security was fantastic in terms of being able to detect when this happened and to be able to find the perpetrators.


While I tend to agree, let's temper this a bit.

We're not all condemned to FIPS ciphers everywhere because banks are, and so on.

I'm hopeful there's some option to it, like how you don't need 2FA often until doing something like changing the password


I work in a bank. Until a year ago, our passwords were 8 characters max, no special characters, upper and lowercase letters treated as equal. We were running IE7 up until 2 years ago. A huge amount of the business is still organized around sending Excel sheets to each other, with no side-channel validation. The fact that you received an Excel sheet from some email is treated as proof that it's valid. Last I checked we were also operating an unauthenticated SMTP relay. They will shit on actual security while telling me that I have to run Windows on my work laptop because otherwise they can't run their favorite RAT PowerShell script to recursively unzip every jar on my system to look for log4shell (yes, still).

The same people who instituted and backed these rules and practices are also running the core system for clearing in the national bank of Denmark.

Banks are not secure. They are conservative and political. They will do everything to tell you they are secure. They will make your life hell to uphold their security theater, but it's just a facade. I have no doubt they will implement WEI, but it will not bring security.

Banks do have a pretty good track record of protecting people's money, but they do that through a defense-in-depth strategy of having a bunch of compliance officers manually reviewing transactions for suspicious activity.


> I have no doubt they will implement WEI, but it will not bring security.

This is precisely OP’s point. WEI will quickly dominate despite having nothing to do with securing anyone.


WEI sounds like another security theater play by Ad corp. When the web first came out, it was its sandbox that made it so attractive. The server doesn't need to know what client it is, as long as it is speaking HTTP.

With the intro of HTML5 (WebGPU, WebGL, Web Audio API), that sandbox has been slowly opened up.


That will be pretty much the same situation as on mobile, where third-party ROM developers and users are pretty much the only ones affected, by design, by this concept.

Who will have some trouble with this new concept on the web? Smaller browser makers, software developers and crawlers from competitors.

Not a single scammer or ad fraudster will be affected, same as on mobile.

Easy to see why Google wants that; it's attacking the competition.


> Until a year ago, our passwords are 8 characters max, no special characters, upper and lowercase letters are equal.

That’s pretty good. A major Canadian bank until ~2020 had a 6-character limit on passwords (possibly you could enter more, but only the first six counted) and mapped all alpha characters to numbers in groups of 3 (so your assigned telephone banking PIN was just a “hash” of your password).

https://news.ycombinator.com/item?id=17174697
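As an added illustration of the policy described in this comment (this is not code from the commenter or from any bank), the small Python model below applies the two weakening steps, truncation to six characters and collapsing letters onto digits in consecutive groups of three, to a long constructed passphrase, counts how many distinct stored values such a scheme can produce, and builds a different password that the scheme cannot tell apart from the original. The exact letter-to-digit table is an assumption chosen to match "groups of 3"; only the effect on the keyspace matters.

```python
"""Model of a truncate-and-map password policy (constructed example)."""

import math
import string

MAX_LEN = 6  # only the first six characters count, as described above

# Constructed mapping: a-c -> 2, d-f -> 3, ..., v-x -> 9, y-z -> 0.
# The real table is unknown; any grouping of letters onto ten digits
# has the same consequence for the keyspace.
_GROUPS = [string.ascii_lowercase[i:i + 3] for i in range(0, 26, 3)]
_DIGITS = "234567890"
LETTER_TO_DIGIT = {ch: d for grp, d in zip(_GROUPS, _DIGITS) for ch in grp}


def legacy_normalize(password: str) -> str:
    """Apply the described policy: keep the first MAX_LEN characters,
    case-fold them and replace every letter by its group digit.
    Digits and other characters pass through unchanged."""
    out = []
    for ch in password[:MAX_LEN].lower():
        out.append(LETTER_TO_DIGIT.get(ch, ch))
    return "".join(out)


def nominal_keyspace(alphabet: str, length: int) -> int:
    """What a user reasonably expects: every position independent."""
    return len(alphabet) ** length


def effective_keyspace(alphabet: str, length: int) -> int:
    """Distinct stored values for passwords drawn from `alphabet`.
    Normalization is per character, so the count is (number of distinct
    single-character images) raised to the number of surviving positions."""
    images = {legacy_normalize(c) for c in alphabet}
    return len(images) ** min(length, MAX_LEN)


def colliding_passwords(password: str) -> list[str]:
    """Construct distinct passwords the legacy policy stores identically:
    one that drops everything past position six, and one that swaps the
    first letter for another letter in the same digit group."""
    twins = []
    if len(password) > MAX_LEN:
        twins.append(password[:MAX_LEN])
    for i, ch in enumerate(password[:MAX_LEN]):
        low = ch.lower()
        if low in LETTER_TO_DIGIT:
            digit = LETTER_TO_DIGIT[low]
            sibling = next(l for l, d in LETTER_TO_DIGIT.items()
                           if d == digit and l != low)
            twins.append(password[:i] + sibling + password[i + 1:])
            break
    return twins


if __name__ == "__main__":
    alphabet = string.ascii_letters + string.digits
    passphrase = "staple-battery-horse-correct-42"  # constructed sample
    stored = legacy_normalize(passphrase)
    print(f"{passphrase!r} is stored as {stored!r}")
    print("nominal keyspace: 2^%.1f" %
          math.log2(nominal_keyspace(alphabet, len(passphrase))))
    print("effective keyspace: 2^%.1f" %
          math.log2(effective_keyspace(alphabet, len(passphrase))))
    for twin in colliding_passwords(passphrase):
        print(f"collides with {twin!r}: {legacy_normalize(twin) == stored}")
```

Run as a script it shows that a 31-character mixed-case passphrase (nominally 62^31 possibilities) collapses to one of only 10^6 stored values, which is why the comment's "PIN as a hash of your password" is an accurate description of what the bank actually checked.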


The best part is when the frontend input and backend validation get out of sync, so your password works sometimes depending on where you come in from.

My health insurance portal (Aetna, no I am not above naming and shaming) did something annoying. When I signed up I used a randomly generated three-word passphrase from my password manager. It was around 32 characters or something.

They have the fun pattern of logging you out of your account whenever you are inactive. A bit excessive for a health insurance provider imo, but whatever.

So I tried to login and guess what? Max input length for their login password is 16 characters. I literally couldn't input my password.

I had to go through a stupid process to reset my password because their sign-up front-end validations were different from their sign-in front-end validations. I had to purposely choose a less secure password: even though I could technically create a password that was pretty secure, I couldn't sign in with it.


Heh, I had a health insurance portal that when you changed your password with their mobile app, it would let you use all the special characters. However the web app blocked (or stripped) those characters out, meaning you couldn't log in to the web app because it literally wouldn't let you type your password. Every so often the mobile app forced re-auth, and it redirected you to the web version where putting in your password wouldn't work... I likewise had a nightmare process to get it reset.

Yes, I really dislike those companies that spend so much effort blocking pasting into the second password field when filling them out so they break password managers.

Luckily it's normally easy enough to edit the tags on the text box but even so, this shouldn't be necessary.

Fucking BT.


HSBC in the UK clipped passwords at the first 6 (maybe 8, I forget) characters.

This is the problem with having old mainframes somewhere in the backend. Their rules bubble up even where it doesn't make sense.


Right now, many banks require a mobile app, which can only be installed from an app store, which is only available on devices that you don't control. Even if they have a web interface, you need the mobile app to login.

What banks are those? My grandma isn't going to buy a smartphone to use her bank.

n26, for example.

Like with cheques, she might get left behind. Which is terrible.


I don't get how this would be seen within banks as any different to the existing endpoint security offerings offering remote attestation that - by the same logic - they would already be mandating customers to use to access banking platforms, because doing otherwise would mean not being "as secure as possible" and getting dinged by the regulators.

> all the CDNs like Cloudflare, and it will be a simple checkbox

When this happens will this accidentally create a new business model of people selling VPN-like access that mimics WEI or uses a farm of cell phones to create a proxy farm of sorts? What else might people do to circumvent this?


This is already explained in the article: it shifts the burden onto the honest consumer and in many cases is actually already illegal. In other words, in no way is it a good development if I have to buy a service of questionable legality from some questionable 3rd party just to keep my browsing private like I want to.

This is one of the most detailed and balanced articles I have read so far on the topic. However, like every other one I've read, it omits one very important clarification about 'Web Environment Integrity':

It is not part of the Web. This is exclusively a Google draft for a Google Chrome feature, and whilst Google is a member of the World Wide Web Consortium (W3C), they are not doing this as a member. I don't believe such a proposal would get even as far as a working group charter, given how limited it is to Google's interests. The only reason that it's a threat to the Web is because of their overwhelming market dominance, which is approaching a monopoly already.

I fear that the prominent use of the term 'Web' in this kind of document is tarnishing the reputation of the W3C, who have a solid process[1] to avoid pursuing these short term interests when they come with the risk of long term damage to the openness of the Web.

[1]: https://www.w3.org/Consortium/Process/


Web standards today aren't made by the W3C; they're made by WHATWG, which is Google, Apple, and Mozilla, but mostly Google.

Some historical context: WHATWG[1], the Web Hypertext Application Technology Working Group, was originally a spin-off of the W3C[2], and was an organisation formed in 2004 by W3C members unhappy with decisions made in the W3C at that time. In 2019, a 'Memorandum of Understanding' was signed[3] agreeing to various principles for coordination between the two organisations.

The W3C is still very much active, and produces the vast majority of specifications that are implemented by 'web browsers' (in the general sense) like Chrome, Firefox and Safari, and they have their own standardisation process which is comparable in quality to organisations like ISO.

The area in which WHATWG are most active, though, is HTML, for which they produce what they call 'Living Standards' that have a different process from W3C's. CSS is done inside the W3C, and JavaScript is formalised by ECMA, an entirely different organisation still.

[1]: https://whatwg.org/

[2]: https://www.w3.org/

[3]: https://www.w3.org/2019/04/WHATWG-W3C-MOU.html

[4]: https://www.ecma-international.org


WEI is a bit like the old phone system where you were not allowed to own your own phone and connect it to the network.

Eventually the government decreed that illegal.


This is the most likely path we'll take, I suspect.

Telephones came about gradually, but say the kind of phone and system roughly like a modern pots line, served up by Bell, started around 1930.

Breakup of ma bell (roughly the same time you were allowed to own a phone) 1984

And even today I can't buy or connect an ONT of my own to the new fiber that Optimum installed a few weeks ago to replace my coax cable and cable modem that I did own (but did not fully control thanks to docsis), somehow.

I am not actually hopeful.


Have these people heard of the iPhone? It came out in 2007. That's 16 years ago. It was never controlled by its users, and that enabled many apps and features, like disappearing messages, that are impossible on devices that are controlled by their users.

I think after 16 years it's time to admit that this model is here to stay, and the only question is whether the web supports it, or whether there will be certain apps and features that will never be available on the web.


> Google is adding code to Chrome that will send tamper-proof information about your operating system and other software, and share it with websites. Google says this will reduce ad fraud.

Is it only to "reduce ad fraud" though, or is the wider agenda to entangle their tracking deeper in one's life?


Why do I care about reducing Google's ad fraud and helping Google's ad business? This is their problem and should never involve relaying my personal computer's information to third party so Google can make more money.

Because I, for now, have the ability to make my computer say what I tell it to say, I have developed a small Firefox extension [1] that tells it what to say.

Silly? Yeah. Petty? Yeah. But sometimes it feels good to exercise your rights.

[1] https://github.com/rogual/wei-gfy


I'm curious as to why this is being flagged/downvoted. Seems like somebody doesn't want it on the front page of HN...

Not gonna lie this title "Had me"

Maybe the internet, and the web specifically, just wasn't designed to support a "business" like Google's. All data collection and advertising service. Paying enormous fines to regulators. Maybe it was not designed for this.

So, what can we actually do about this? The EFF doesn't mention anyone we can talk to. Are we all just waiting around for Google to do it, or is there something we can do to raise awareness or campaign against Google?
