
756 points dagurp | 9 comments
endisneigh ◴[] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and whatnot.

edit: removing ssl comparison since it's not really my point to begin with

1. rezonant ◴[] No.36882015[source]
TLS* does not allow websites to restrict users from using the tech stack (hardware, OS, browser) that they want to use. This does.
2. endisneigh ◴[] No.36882026[source]
Fundamentally both give a 3rd party the authority to verify the legitimacy of something, and similarly both can be avoided if you're willing to not participate.
3. lxgr ◴[] No.36882057[source]
I think you're mistaken about what TLS does. It doesn't give a third party any authority to verify anything. It provides integrity and confidentiality to both parties to an HTTP exchange, nothing more.

A TLS client does not contain any trusted private key. You can write one yourself by reading the RFCs. The same is not true for WEI.

4. remexre ◴[] No.36882069[source]
TLS doesn't verify that particular software or hardware is on the other side; one could design a custom CPU on an FPGA, write their own TLS stack for it, and be able to connect to any TLS-using site as usual without needing to get those things approved.
5. rezonant ◴[] No.36882084[source]
One provides encryption over the wire (TLS), but in modern implementations (extended validation certs are more or less dead in the browser space) hardly provides the user any guarantee that the website is who they think it is.

The other provides the website the ability to ensure that the user's device is one of an approved set of devices, with an approved set of operating system builds, with an approved set of browsers.

These are fundamentally different, surely you can see that.

> similarly both can be avoided if you're willing to not participate.

Actually, no. Unless your definition of "avoided" is simply not using a website which requires attestation, which, over time, could become most of them.

6. roblabla ◴[] No.36882131[source]
Even taking your (really flawed) comparison, there's a huge difference. With TLS the servers (the ones being attested) can trivially avoid TLS if they so want - web browsers still support HTTP, after all.

In WEI, the users (the ones being attested) _cannot_ avoid WEI. If a website decides to not allow an unattested user, they can simply decide to refuse access.

7. roblabla ◴[] No.36882170{3}[source]
TLS used to also guarantee that you were talking to the correct entity, that's what EV certificates are for. So there was a verification step that ensured that you were indeed the business/organization you were claiming to be.

The EV certs still exist, but the browsers don't really differentiate between DV and EV certs anymore.

8. lxgr ◴[] No.36882243{4}[source]
Ah, yes, in that sense I can see the parallel (in that being reachable in modern browsers is contingent on being able to obtain a TLS certificate). I remember similar concerns being raised about browsers discouraging HTTP.

But TLS certificates solve a much narrower problem than WEI ("are you communicating with the site you think you are") and are widely and cheaply available from multiple organizationally independent certificate authorities.

In particular, TLS certificates don't try to make an assertion about the website visited, i.e. "this site is operated by honest people, not scammers". WEI does, with the assertion being something like "this browser will not allow injecting scripts or blocking elements".

9. circuit10 ◴[] No.36882256[source]
SSL helps the user, not the site