596 points pimterry | 4 comments
lifeisstillgood No.36862777
I kind of get both sides here. If we take the "see the best of others' intentions" then a web that is populated by identified humans (and their authorised proxies!) is likely to be the "cleanest", most ideal web space we can see (a web full of sock puppets and link farms is not ideal).

The clearest end point for this is some government issued digital ID that just asserts who you are, acts as a login etc.

You can see this as a stepping stone to there, if you squint.

Is it the idealism of the 70s come to life? No. Is it some sane compromise - I think so.

What if we cannot trust our government? Sorry, it is pretty sure that no internet is going to solve that. That's on the real world.

replies(10): >>36862946 #>>36863031 #>>36863074 #>>36863126 #>>36863250 #>>36863286 #>>36863456 #>>36863735 #>>36864436 #>>36871915 #
1. jchw No.36863286
Nobody ever asks why this has all become "necessary" even though it is literally the poignant question. Why do we need such ridiculously strong attestation of identity? How did the Internet get along so far without it, if it's really needed?

Well, nobody is actually proposing this at the moment. Heck, neither Apple nor Google's scheme even gets close. All their schemes purport to do is ensure the "integrity" of the platform.

Integrity how, exactly?

> For example, this API will show that a user is operating a web client on a secure Android device.

So basically, it does not tell you that the user is a unique person, or give you any kind of usable identifier for a person. All it tells you, in case of this example and Apple's, is that the device is not rooted or jailbroken.

In practice, is this concept useful? Only as part of a larger cat and mouse game. Just like copyright protection schemes, remote attestation schemes are limited by what they're actually attesting. Very little can be done to stop cam rips in movie theaters, or any number of in-between steps that exploit the fact that a movie is just a series of pictures and frames of PCM samples at the end of the day. And likewise, devices may be expensive, but there's nothing stopping someone from acquiring many of them to do operations on. In fact, many people already own swaths of Android devices specifically for cheating the system. When they can be had for as cheap as $50 a pop in some cases, it's not really a meaningful barrier.

So what does this actually do? It just makes it more expensive and complex to run bot operations, and if you can raise the cost enough to sink the break-even point of doing so, then theoretically you've won! ... But it won't, because there's a lot to be gained by spamming and scamming people. All of these years of countermeasures and we're not even close to getting there. The amount of money that flows in the industry of cheating these systems is more than enough to just pay the cost.

Adding government IDs to the mix won't change anything. Almost every SPAM operation has a real person behind it, so getting a blind attestation that a person is indeed a citizen tells you almost nothing about them. I think just about the only way that could aid in any way is if it were set up in such a way that you did in fact receive a unique ID for each person, rather than just an attestation that you're dealing with a legitimate thing.

And if that's the end game of the Internet, then honestly, the whole experiment was not worth it.

replies(1): >>36864709 #
2. treis No.36864709
> How did the Internet get along so far without it, if it's really needed?

By each individual site expending a great deal of effort to identify their users. Or by offloading it to someone else expending a great deal of effort like putting their site behind Cloudflare or restricting e-mails to legit providers.

replies(1): >>36865644 #
3. pessimizer No.36865644
> By each individual site expending a great deal of effort to identify their users.

Very few sites are putting in any significant effort to identify their users. Those largely predatory sites shouldn't be setting policy for the entire web.

replies(1): >>36865788 #
4. treis No.36865788{3}
There's an "or" there.