Apple already shipped attestation on the web, and we barely noticed

There are two reasons this is not comparable to the remote attestation proposal that Google is currently proposing:

1. The only things that WebPKI CAs are required to attest to is that domain validation was properly completed and that the private key is not compromised. The system is designed (in both intent and practice) for any website to be able to easily get a certificate, and even the most untrustworthy, undesirable websites can and do get certificates on the regular. In contrast, Google's remote attestation proposal is clearly intended to assess the trustworthiness/desirability of the client.

2. The TLS requirement imposes a burden on website operators but provides a clear benefit for end users, which is totally in line with the Internet's Priority of Constituencies[1]. In contrast, Google's attestation proposal places a burden on end uses for the benefit of website operators, which violates the Priority of Constituencies.

Additionally, I must note that Firefox also requires a TLS certificate for HTTP/3 (as they did for HTTP/2). Not sure why you'd omit Mozilla from your list of browser makers doing this, but it's a misrepresentation to imply that this is something only "mega-corp browsers" do, when there is actually broad agreement that this is a good thing.

[1] https://datatracker.ietf.org/doc/html/rfc8890

All of these proposals are in fact the same thing. They're designed to obfuscate, complexify, and over-engineer the Internet to fuck people over. I don't care if my Magic the Gathering fan site has an auto-rotated 3 month expiry TLS certificate to "protect" the users. Those of us who have been online before the 21st Century see this exactly for what it is. A cash grab and a increasing mechanisms to tighten the screws of monopolies like AWS, Google, Apple, and Microsoft, and to lock down our devices and the web into a walled garden that only the tech giants can control.

> I don't care if my Magic the Gathering fan site has an auto-rotated 3 month expiry TLS certificate to "protect" the users.

You don't based on your threat model. Other people have other threat models. I don't want potentially tampered/malicious content/JavaScript hitting my browser, I can also simply not visit your site. Such a simplification can not be made on the wide (and hostile) web. TLS is trivial enough to be the norm.

We can also draw parallels with food safety. Feel free to cook whatever you wish however you wish at your own home. If you want to offer it to people passing by on the street you have to follow food safety rules.

Because Mozilla didn't create QUIC or push the QUIC based HTTP/3 through the IETF like Google and Microsoft did. If anything I should've left out Apple, not added Mozilla. But yeah, Mozilla is using the same HTTP/3 libs as everyone else so it's browser is inherently broken too.

But this only becomes a serious problem when HTTP/1.1 support is removed. Mozilla will never remove HTTP/1.1 support from Firefox. Google/Microsoft/Apple are chomping at the bit to remove HTTP/1.1 from their products.

Mozilla was the first browser maker to announce an intent to deprecate non-secure HTTP[1]. Even if they keep HTTP/1.1 support, at some point they will require TLS for it, just as they already do for HTTP/2. This is not something new with HTTP/3 nor is it some big-corp conspiracy.

[1] https://blog.mozilla.org/security/2015/04/30/deprecating-non...

Well shit. I'm wrong and things at Mozilla are much worse than I imagined.

re: HTTP/2, yes, everyone is well aware it didn't allow HTTP connections from the start. But there was no risk of HTTP/1.1 going away at that time. And you can technically still use a non-CA self signed cert for the implementations of HTTP/2 in major browsers. But it is also a bad protocol like HTTP/3.

I have no idea what conspiracy theory stuff you're going on about. People just haven't thought through the consequences of these design decisions outside of their work headspace bubble. Much like with WEI.