Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)

596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.21s | source

Show context

captainmuon ◴[25 Jul 23 14:43 UTC] No.36863000[source]▶

Remember AllAdvantage? That was a service around the turn of the century that showed you ads on your desktop and paid you for it. But only if you were actively using the PC. People used mouse wigglers to fake it and there was a little arms race.

This tech would be their wet dream. You could tell if a request is from a real browser or from a script. You could disable attestation if an untrusted driver is used (to simulate inputs) or the web browser is automated otherwise. Really disturbing tech.

replies(1): >>36865389 #

kccqzy ◴[25 Jul 23 16:53 UTC] No.36865389[source]▶

>>36863000 #

> You could tell if a request is from a real browser or from a script.

Today websites already know if the request is from a real browser or not just by integrating with reCAPTCHA or hCAPTCHA. This is just taking a very popular category of security product and tightly integrating it with the browser itself.

Today, you can take a philosophical stance and categorically refuse to use any website that uses reCAPTCHA/hCAPTCHA. Tomorrow you can take a philosophical stance and refuse to use any website that uses PAT.

replies(2): >>36866795 #>>36867661 #

1. S201 ◴[25 Jul 23 19:01 UTC] No.36867661[source]▶

>>36865389 #

You're missing a huge difference here: A captcha works on top of the existing web. I can use it on any platform to prove that I am a human. Whereas the proposal/implementation here effectively locks out any platform not explicitly allowed by the website operators. That is a huge blow to anything not from Google/Apple/Microsoft. Open source and any potential new entrants to the market would be dramatically limited if not killed entirely.

↑