596 points pimterry | 1 comments
sdwvit No.36863568
I have spent a lot of time working on integrating private access tokens into my project, and I believe I understand how it works. I do not agree with the article’s points on why this is bad. PATs are meant to reduce browsing friction, not increase it. Now if you are trying to google something under a spammy VPN node, you get either a captcha or fully blocked. With PAT, your device can guarantee you are not a spammer, and the system would let you through without captchas or timing you out. This is all it does. If your device is not capable of signing a PAT, then it is supposed to just fall back to default behavior.
1. howinteresting No.36864960
Even if we assume that captchas are the only thing this can be restricted to (which, if attestation is widely deployed, they won't be restricted to), why is it good to make people using locked-down Apple devices with logged-in Apple IDs have fewer captchas? It's a protection racket.