And since you won’t be able to modify web pages, it will also mean the end of customization, either for looks (ie. DarkReader, Stylus), conveniance (ie. Tampermonkey) or accessibility.

The community feedback is… interesting to say the least.

  • tenth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    59
    ·
    1 year ago

    Can someone give me an easy to understand example of what they are proposing? Assume that I don’t allow them to install any software/tool that helps them track me/my device.

    I saw this comment and found it helpful but its still not clear to me

    At its core, it establishes software components called “attesters” that decide whether your device and/or browser is “trustworthy” enough - as defined by the website you are trying to visit. Websites can enforce which “attesters” users must accept, simply by denying everybody access who refuses to bow down to this regime; or who uses attesters that are deemed “inappropriate”; or who is on a platform that does not provide any attesters the website finds “acceptable”.

    In short: it is specifically designed to destroy the open web by denying you the right to use whatever browser you want to use, on whatever operating system. It is next-level “DRM”, introduced by affiliates of a company that already has monopolized the browser market. And the creators of this “proposal” absolutely know what they are attempting here.

    • dragonfly4933@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      35
      ·
      1 year ago

      It’s basically how widevine works. The hardware “secure” boots the OS, and the OS only loads signed code. And there is a chain of custody all the way to the hardware, so the software that communicates with the server can attest that it is the same as what they expect.

      The simple explanation is that they wish to further erode property ownership by the proletariat by locking down operating systems such that they can’t do as their owners wish, but only what the corporation wants.

    • vvvvv@lemmy.world
      link
      fedilink
      English
      arrow-up
      30
      ·
      edit-2
      1 year ago

      Basically, it would allow websites to only serve users who comply with website requirements (i.e., no extensions, no ad blockers, only Chrome-based, whatever) whatever these requirements are.

      You (your browser) go to a website, example.com, which requires attestation. So you must go to an attestation server and attest your device/browser combo (by telling the attestation server whatever information it requires). If the attestation server thinks you are trustworthy, it gives you an integrity token that you pass to example.com, and then you can see example.com. The website knows which attestation server issued your integrity token, so you can’t create your own.

      So no extra software means no attestation server would attest you; means you can’t see example.com. End of story. It’s the same as the current “your browser is not supported” window, only you can’t get around it by changing the user agent.

      As usual with these initiatives, bullshit is spread across different specs - this spec by itself implies that any number of attestation servers can exist, and they can check whatever they want, and no browser should be excluded, etc., etc., but practical implementation would probably check installed extensions, etc.

      • Araozu@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        ·
        1 year ago

        Wouldn’t spoofing work? Like, if the browser just sends “yes, no extensions, adblock, blah blah” then how would the attestation server know if that’s true? Or does it require signed binaries, or some special hardware?

        • vvvvv@lemmy.world
          link
          fedilink
          English
          arrow-up
          14
          ·
          1 year ago

          That is conveniently left out of the speck. Attestation server may require signed binary on a client system, it may require whatever it wants really, because why not? It’s a website who decides to trust attestation server or not.

        • count_duckula@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          7
          ·
          1 year ago

          Depends on if they used cryptographic signatures. Those would be impossible to spoof because any change in the client would change the hash completely.

          • Araozu@lemmy.world
            link
            fedilink
            English
            arrow-up
            16
            ·
            1 year ago

            Google silently shipping signed chrome executables soon…

            And then people wonder why non chromium browsers are important

              • hismajesty@lemmy.world
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Nah, chromium by itself is okay. Its just google, microshit and everyone else using the chromium source to ship as much telemetry, ads, data as possible.

                • mihor@lemmy.ml
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  arrow-down
                  2
                  ·
                  1 year ago

                  I’m pretty sure Chromium is still phoning home just as it used to for almost a decade. It’s a piece of Google’s garbage.

    • const void*@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Haha

      This in a world where people have barely figured out that TLS1.0 isn’t really TLS at all.

      A complex product the consumer doesn’t
      understand and doesn’t help is doomed to failure.

      Imagine an ad driven site reducing its visitor count so it can sell its ads for less to fewer people?

      while people with no adblocker at all are rejected, resulting in irate Facebook posts, people with trusted adblockers continue on as before.

      This is great! HAHAHA.

      • maynarkh@feddit.nl
        link
        fedilink
        English
        arrow-up
        4
        ·
        1 year ago

        I imagine the user experience would be just that “our site only works with Chrome”.

        And then Google could close the loop with requiring such requirements for Google Ads integration.

        • const void*@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          2
          ·
          edit-2
          1 year ago

          Here is the thing—say you do that. Then your advertisers call you and complain they can’t see their ads from their iPhone….and drop their ad campaign.