←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 10 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source | bottom
Show context
endisneigh ◴[26 Jul 23 17:54 UTC] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.

edit: removing ssl comparison since it's not really my point to begin with

replies(16): >>36881994 #>>36882000 #>>36882015 #>>36882024 #>>36882088 #>>36882221 #>>36882265 #>>36882387 #>>36882539 #>>36882591 #>>36882677 #>>36883051 #>>36883062 #>>36883781 #>>36884189 #>>36884296 #
1. NoMoreNicksLeft ◴[26 Jul 23 18:01 UTC] No.36882088[source]
Anyone using a browser without this feature will end up becoming second class citizens who must jump through (extreme) hoops to use the web...

Or they're just walled off from most of the web entirely.

I use a variety of personally developed web scraper scripts. For instance, I have digital copies of every paystub. These will almost all become worthless. My retirement plan at a previous employer would not let me download monthly statements unless I did it manually... it was able to detect the Mechanize library, and responded with some creepy-assed warning against robots.

No one would go to the trouble to do that manually every month, and no one was allowed robots apparently. But at least they needed to install some specialty software somewhere to disallow it. This shit will just make it even easier for the assholes.

I also worry about tools I sometimes use for things like Selenium.

This isn't SSL.

replies(2): >>36882262 #>>36882336 #
2. endisneigh ◴[26 Jul 23 18:11 UTC] No.36882262[source]
This is not true. Sites will not be obligated to implement WEI. At the end of the day bots are a real issue, with no real solution other than attestation. AI is accelerating this issue. This (WEI or something else) is inevitable.
replies(3): >>36882410 #>>36883039 #>>36884870 #
3. hnav ◴[26 Jul 23 18:15 UTC] No.36882336[source]
To be fair it's only a matter of time until CV and NNs replace Webdriver/Selenium as the goto for scraping. First using accessibility APIs and later on imagine something you plug into USB C that emulates DisplayPort and HID devices.
replies(2): >>36882631 #>>36887004 #
4. NoMoreNicksLeft ◴[26 Jul 23 18:20 UTC] No.36882410[source]
> This is not true. Sites will not be obligated to implement WEI.

There are a number of sites I frequent but don't log in to or register for an account.

Every single one of them has an absurd number of captchas, or I see the cloudflare protection thing come up for first for 3 seconds.

So while hypothetically it may be true that they don't have to do it, they will. It's not even clear to me that Firefox could implement it too... so do I have to switch back to Chrome (or [barf] Safari?)? Dunno. I can't predict the future, but you'd have to be in some sort of denial to not see where this is going.

> At the end of the day bots are a real issue

Bots are fucking awesome. We should all have bots, out there doing the boring stuff, bringing back the goodies to us. If someone tells you that bots are bad, they're lying to you because they're afraid that you might find out how much you'd want one.

5. baby_souffle ◴[26 Jul 23 18:32 UTC] No.36882631[source]
> To be fair it's only a matter of time until CV and NNs replace Webdriver/Selenium as the goto for scraping. First using accessibility APIs and later on imagine something you plug into USB C that emulates DisplayPort and HID devices.

*exactly*. The analog loophole is where this cat/mouse game must end. Since we already know how it'll play out, can't we invest our time into more useful endeavors?

replies(1): >>36883215 #
6. lxgr ◴[26 Jul 23 18:57 UTC] No.36883039[source]
Maybe so, but if so, let's please make it something else.

I'm fine with attestation when it comes to high-risk tasks such as confirming financial transactions or signing legal documents, or anonymous "proof-of-humanity" solutions such as Apple's Private Access Tokens (as long as there's a CAPTCHA-based or similar alternative!) for free trials or account creations (beats using SMS/phone number authentication, at least), but applying Trusted Computing to the entire browser just goes much too far.

replies(1): >>36885799 #
7. hnav ◴[26 Jul 23 19:07 UTC] No.36883215{3}[source]
But then google will integrate HDCP into this mess, forcing us to have a camera pointed at a monitor :P
8. pwnna ◴[26 Jul 23 20:53 UTC] No.36884870[source]
McDonalds app requires safetynet (effectively the same as this proposal) passing to access their app. Is that really required?

If you put a capability in, people will use (and abuse) it.

9. nfw2 ◴[26 Jul 23 22:04 UTC] No.36885799{3}[source]
With the rate AI is accelerating, it's possible that nothing akin to a CAPTCHA may be viable soon. That sort of verification is already approaching the threshold of what's reasonable to ask humans to solve.
10. alex7734 ◴[27 Jul 23 00:13 UTC] No.36887004[source]
At which point you use CAPTCHA.

The goal of WEI is not to get rid of bots, that's just a bonus, it is to remove user control and customization over his own experience.