756 points dagurp | 24 comments
endisneigh ◴[] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and whatnot.

edit: removing ssl comparison since it's not really my point to begin with

JohnFen ◴[] No.36881994[source]
SSL doesn't demand that some third party approve your software and hardware in order for it to work for you.
1. endisneigh ◴[] No.36882002[source]
TPMs with attestation do exactly that. Are you opposed to that as well?
2. lxgr ◴[] No.36882017[source]
Seems like a strange way to make a point to start out with SSL and then shift the argument to TPM/attestation...
3. JohnFen ◴[] No.36882018[source]
Yes, I have been opposed to TPM since the start.
4. rezonant ◴[] No.36882043[source]
That's exactly what WEI is supposed to do... And yes, websites should not be able to use the TPM for attesting the user's environment.
5. endisneigh ◴[] No.36882054[source]
What's your solution then to the problem TPMs solve?
6. endisneigh ◴[] No.36882060[source]
why not? how do you want to solve the problem of provenance? if you feel it's not a problem to begin with, then the sites in question can simply choose not to enable it. if they enable and believe it is a problem, then clearly there's a dissonance between the places you choose to visit and their goals, no?
7. lxgr ◴[] No.36882089{3}[source]
WEI does not solve any "problem of provenance"; it's DRM for the web. It asserts things about the browser environment to the website operator, not the other way around.

Are you sure you actually understand these two technologies (WEI and TLS) sufficiently to make these claims?

9. howinteresting ◴[] No.36882127[source]
Yes, TPMs have no business being part of the open web. They enable CIOs to make bad decisions like preventing a bank's website from being loaded in non-TPM browsers.
10. JohnFen ◴[] No.36882137{3}[source]
That depends on which problem you're talking about. But this is not the issue at hand.
11. mindslight ◴[] No.36882150{3}[source]
What do you get from blasting this thread with a bunch of naive one-liners that you could answer yourself if you studied the topic on your own for a little bit?

The answer to this one is that the fundamental problem that current TPMs aim to "solve" is that of allowing corporate control and inspection of end users' computers. To continue having a free society where individuals have some autonomy over the devices they purportedly own, this needs to be soundly rejected.

13. rezonant ◴[] No.36882216{3}[source]
> sites in question can simply choose not to enable it.

My problem isn't that I as a developer don't have an option to not implement attestation checks on my own web properties. I already know that (and definitely won't be implementing them).

My problem is that a huge number of websites will, ostensibly as an easier way to prevent malicious automation, spam, etc., but in doing so will throw the baby out with the bathwater: that users will no longer have OS and browser choice because the web shackles them to approved, signed, and sealed hardware/software combinations primarily controlled by big tech.

14. rcxdude ◴[] No.36882219{3}[source]
Which problem? Some 'problems' TPMs solve should not be solved. Others are perfectly reasonable but are generally a lot less common.
15. rvba ◴[] No.36882388{3}[source]
> then the sites in question can simply choose not to enable it

Google can reduce the page rank of websites that don't enable it (or just not give any page rank at all), and now everyone who wants to be found has to enable it.

16. jerf ◴[] No.36882389{3}[source]
The problem of provenance is significantly smaller than the problem of monopolistic companies given control over who is and is not an approved user of the web.

Provenance to the extent it is a problem is already handleable and largely handled. Note that "handled" here does not mean it is 100% gone, only that it is contained. Monopolistic control over the web is not containable.

17. guilhas ◴[] No.36882424[source]
I support myself using a TPM to attest if my system has not been tampered with.

But I oppose others, Google/Microsoft/Facebook/..., attesting if my system is according to their specifications.

18. mardifoufs ◴[] No.36882537[source]
Why are you proposing some sort of reverse slippery slope? So because "we" don't oppose a TPM, we shouldn't oppose any form of attestation?

If anything you are just proving the point of the most paranoid.

I don't even have a strong opinion on this but it's so weird to see this argument over and over. It's just calling for an even more extreme reaction to any effort that goes in this direction, just in case it's used to justify a push for even worse stuff down the line.

19. pptr ◴[] No.36882836{4}[source]
Good idea, we just throw out all the security mechanisms to avoid "corporate control" and even worse anti virus software "inspecting end users' computers". I'm sure people will be very happy about all the mal- and ransomware they receive. Imagine the utopia we would live in.
20. mindslight ◴[] No.36883002{5}[source]
You're using scare quotes, but I do specifically mean corporate control. Current TPMs were designed around giving centralized parties (e.g. corporations) privileged keys. TPMs could certainly be designed to not have any baked-in privileged keys, instead putting the owner at the trust root. The current crop just wasn't.

Also that you're talking about anti virus shows that you're not really in touch with the gamut of computing. From my perspective, anti virus was something that was relevant two decades ago.

21. erosenbe0 ◴[] No.36883281{4}[source]
That would clearly be an antitrust violation or deceptive business practice in one or more countries. Though by the time they get penalized for it, the damage would have been done.
22. Zak ◴[] No.36883819[source]
I am. I've had apps try to use Google SafetyNet to prevent me from running them on my phone (which is not running the manufacturer-provided Android build), and I am certainly opposed to that.

I wouldn't mind being able to use the TPM to tell me whether the hardware and software are what I expected them to be, but that's different.

23. howinteresting ◴[] No.36884653{3}[source]
Under capitalism (or really any socio-economic system) we engage with services for reasons other than choice all the time. For example, if you're living in an area where just one or two banks exist, and both of them suddenly decide to force DRM because their cyber insurance company told them to, you can suddenly no longer access their sites on Linux. That's pretty fucked up.

The people who want to use DRM to solve their problems should just suck it up and find alternatives.

24. nfw2 ◴[] No.36885708{4}[source]
Google can already do this if they want to. For example, they could increase the page rank of sites that use Google Analytics (or any other Google client library). But this would be exceedingly stupid because it would compromise the quality of their search results, and remaining the leader in search should be their highest priority.