←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 10 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source | bottom
Show context
endisneigh ◴[26 Jul 23 17:54 UTC] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.

edit: removing ssl comparison since it's not really my point to begin with

replies(16): >>36881994 #>>36882000 #>>36882015 #>>36882024 #>>36882088 #>>36882221 #>>36882265 #>>36882387 #>>36882539 #>>36882591 #>>36882677 #>>36883051 #>>36883062 #>>36883781 #>>36884189 #>>36884296 #
JohnFen ◴[26 Jul 23 17:55 UTC] No.36881994[source]
SSL doesn't demand that some third party approve your software and hardware in order for it to work for you.
replies(1): >>36882002 #
endisneigh ◴[26 Jul 23 17:56 UTC] No.36882002[source]
TPMs with attestation do exactly that. Are you opposed to that as well?
replies(7): >>36882017 #>>36882018 #>>36882043 #>>36882127 #>>36882424 #>>36882537 #>>36883819 #
rezonant ◴[26 Jul 23 17:58 UTC] No.36882043[source]
That's exactly what WEI is supposed to do... And yes, websites should not be able to use the TPM for attesting the user's environment.
replies(1): >>36882060 #
1. endisneigh ◴[26 Jul 23 17:59 UTC] No.36882060[source]
why not? how do you want to solve the problem of provenance? if you feel it's not a problem to begin with, then the sites in question can simply choose not to enable it. if they enable and believe it is a problem, then clearly there's a dissonance between the places you choose to visit and their goals, no?
replies(6): >>36882089 #>>36882106 #>>36882216 #>>36882388 #>>36882389 #>>36884653 #
2. lxgr ◴[26 Jul 23 18:01 UTC] No.36882089[source]
WEI does not solve any "problem of provenance"; it's DRM for the web. It asserts things about the browser environment to the website operator, not the other way around.

Are you sure you actually understand these two technologies (WEI and TLS) sufficiently to make these claims?

replies(1): >>36882172 #
3. ◴[26 Jul 23 18:02 UTC] No.36882106[source]
4. ◴[26 Jul 23 18:05 UTC] No.36882172[source]
5. rezonant ◴[26 Jul 23 18:08 UTC] No.36882216[source]
> sites in question can simply choose not to enable it.

My problem isn't that I as a developer don't have an option to not implement attestation checks on my own web properties. I already know that (and definitely won't be implementing them).

My problem is that a huge number of websites will, ostensibly as an easier way to prevent malicious automation, spam etc, but in doing so will throw the baby out with the bathwater: That users will no longer have OS and browser choice because the web shackles them to approved, signed, and sealed hardware/software combinations primarily controlled by big tech.

6. rvba ◴[26 Jul 23 18:18 UTC] No.36882388[source]
> then the sites in question can simply choose not to enable it

Google can reduce the page rank of websites that dont enable it (or just not give any page rank at all) and now everyone who wants to be found has to enable it

replies(2): >>36883281 #>>36885708 #
7. jerf ◴[26 Jul 23 18:18 UTC] No.36882389[source]
The problem of provenance is significantly smaller than the problem of monopolistic companies given control over who is and is not an approved user of the web.

Provenance to the extent it is a problem is already handleable and largely handled. Note that "handled" here does not mean it is 100% gone, only that it is contained. Monopolistic control over the web is not containable.

8. erosenbe0 ◴[26 Jul 23 19:11 UTC] No.36883281[source]
That would clearly be an antitrust violation or deceptive business practice in one or more countries. Though by the time they get penalized for it, the damage would have been done.
9. howinteresting ◴[26 Jul 23 20:39 UTC] No.36884653[source]
Under capitalism (or really any socio-economic system) we engage with services for reasons other than choice all the time. For example, if you're living in an area where just one or two banks exist, and both of them suddenly decide to force DRM because their cyber insurance company told them to, you can suddenly no longer access their sites on Linux. That's pretty fucked up.

The people who want to use DRM to solve their problems should just suck it up and find alternatives.

10. nfw2 ◴[26 Jul 23 21:58 UTC] No.36885708[source]
Google can already do this if they want to. For example, they could increase the page rank of sites use Google Analytics (or any other Google client library). But this would be exceedingly stupid because it would compromise the quality of their search results, and remaining the leader in search should be their highest priority.