←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 9 comments | 25 Jul 23 14:10 UTC | HN request time: 0.464s | source | bottom
1. gooob ◴[25 Jul 23 14:31 UTC] No.36862804[source]
what even is the reasoning they have for proposing and implementing this?
replies(3): >>36862852 #>>36862893 #>>36862910 #
2. ◴[25 Jul 23 14:34 UTC] No.36862852[source]
3. capableweb ◴[25 Jul 23 14:36 UTC] No.36862893[source]
Pretty clear from the announcement ("Challenge: Private Access Tokens" - June 9, 2022 - https://developer.apple.com/news/?id=huqjyh7k):

> Private Access Tokens are powerful tools that prove when HTTP requests are coming from legitimate devices without disclosing someone's identity

The value add is pretty clear and good, but the downsides are probably bigger than the value add, so personally I wouldn't say the compromise is worth it.

replies(1): >>36864600 #
4. ezfe ◴[25 Jul 23 14:37 UTC] No.36862910[source]
Allow Apple devices to browse the web with fewer captcha interruptions, etc. and be more trusted as non-bot devices.
replies(1): >>36863657 #
5. FabHK ◴[25 Jul 23 15:22 UTC] No.36863657[source]
> Allow Apple devices to browse the web with fewer captcha interruptions

In particular, while using a VPN or Tor. So in one sense it’s even a pro-privacy move, insofar as it allows to distinguish a human user on a legit device using a VPN from a bot using a VPN (upon which the server can present a captcha or denial to the latter, but not the former, making it less onerous for average users to use a VPN).

replies(2): >>36864231 #>>36864276 #
6. concinds ◴[25 Jul 23 15:55 UTC] No.36864231{3}[source]
I hate how websites hinder VPN users. Google Search often shows me captchas on Mullvad, and sometimes blocks my request entirely (no captcha). Screw them.

I don't see the issue here at all. Apple added this because otherwise the web would be completely broken in iCloud Private Relay due to the constant catchas and hardwalls. Google wants to add it to kill adblockers entirely. It's not even the same ballpark.

replies(1): >>36865020 #
7. freedomben ◴[25 Jul 23 15:58 UTC] No.36864276{3}[source]
It's only a pro-privacy move if you completely trust Apple (the mandatory 3rd party approver) both now and in the future to be pro-privacy. The minute their growth slows and the shareholders demand changes, the pro-privacy can go out the window, and they've got the advertisers wet dream ready and waiting, reserved exclusively for them. Corporations are profit-seeking entities by design, and leadership who doesn't act in the best interest of the shareholders (i.e. profit seekers) will be removed and replaced by leadership who does.
8. gooob ◴[25 Jul 23 16:13 UTC] No.36864600[source]
oh yeah, i read up on it from the explainer right after commenting. should've updated that sorry
9. howinteresting ◴[25 Jul 23 16:33 UTC] No.36865020{4}[source]
It is bad because it is yet another way people exercising their freedom have a worse experience than people who accept the warm embrace of daddy Apple.

The fact that a device is locked down should confer zero benefits on the open web as a matter of uncompromising principle.