Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)

596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.202s | source

Show context

captainmuon ◴[25 Jul 23 14:43 UTC] No.36863000[source]▶

Remember AllAdvantage? That was a service around the turn of the century that showed you ads on your desktop and paid you for it. But only if you were actively using the PC. People used mouse wigglers to fake it and there was a little arms race.

This tech would be their wet dream. You could tell if a request is from a real browser or from a script. You could disable attestation if an untrusted driver is used (to simulate inputs) or the web browser is automated otherwise. Really disturbing tech.

replies(1): >>36865389 #

kccqzy ◴[25 Jul 23 16:53 UTC] No.36865389[source]▶

>>36863000 #

> You could tell if a request is from a real browser or from a script.

Today websites already know if the request is from a real browser or not just by integrating with reCAPTCHA or hCAPTCHA. This is just taking a very popular category of security product and tightly integrating it with the browser itself.

Today, you can take a philosophical stance and categorically refuse to use any website that uses reCAPTCHA/hCAPTCHA. Tomorrow you can take a philosophical stance and refuse to use any website that uses PAT.

replies(2): >>36866795 #>>36867661 #

1. t0astbread ◴[25 Jul 23 18:10 UTC] No.36866795[source]▶

>>36865389 #

The big difference then vs. now is that with CAPTCHAs you can (generally) choose to complete them from a wider range of browsers and devices that have no corporate approval (unless it's that one Cloudflare CAPTCHA that gets stuck in an infinite loop). So even if it's painful, you can still access most websites. With attestation you don't have that choice.

↑