←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 10 comments | 26 Jul 23 11:30 UTC | HN request time: 0.001s | source | bottom
Show context
haburka ◴[26 Jul 23 18:04 UTC] No.36882152[source]
Very controversial take but I think this benefits the vast majority of users by allowing them to bypass captchas. I’m assuming that people would use this API to avoid showing real users captchas, not completely prevent them from browsing the web.

Unfortunately people who have rooted phones, who use nonstandard browsers are not more than 1% of users. It’s important that they exist, but the web is a massive platform. We can not let a tyranny of 1% of users steer the ship. The vast majority of users would benefit from this, if it really works.

However i could see that this tool would be abused by certain websites and prevent users from logging in if on a non standard browser, especially banks. Unfortunate but overall beneficial to the masses.

Edit: Apparently 5% of the time it intentionally omits the result so it can’t be used to block clients. Very reasonable solution.

replies(9): >>36882205 #>>36882206 #>>36882230 #>>36882275 #>>36882280 #>>36882408 #>>36882411 #>>36882428 #>>36882700 #
1. adamrezich ◴[26 Jul 23 18:07 UTC] No.36882206[source]
how often do normal users see CAPTCHAs these days? I seldom see one anymore.
replies(4): >>36882290 #>>36882299 #>>36882915 #>>36885097 #
2. dotancohen ◴[26 Jul 23 18:13 UTC] No.36882290[source]
I see them all the time. Firefox on Ubuntu.
replies(1): >>36882321 #
3. hellojesus ◴[26 Jul 23 18:13 UTC] No.36882299[source]
I get them often, especially with more privacy features turned on. But usually a VPN is enough to trigger it when visiting Google domains.
replies(1): >>36882397 #
4. adamrezich ◴[26 Jul 23 18:14 UTC] No.36882321[source]
but where? which websites? I haven't seen a CAPTCHA on the reg since I stopped posting to 4chan some years back.
replies(2): >>36882476 #>>36882980 #
5. Given_47 ◴[26 Jul 23 18:18 UTC] No.36882397[source]
There’s a select few mullvad addresses that don’t trigger it but the majority I use I’ll get hit with them.

I honestly find it more concerning when I’m expecting one and I don’t get served a ridiculous puzzle to solve.

6. hnav ◴[26 Jul 23 18:23 UTC] No.36882476{3}[source]
Most websites have them, just browse in incognito and either override your user-agent to something funky or connect through a known VPN.
replies(1): >>36883318 #
7. Ylpertnodi ◴[26 Jul 23 18:50 UTC] No.36882915[source]
Quite a few: brave browser + mullvad vpn. I enjoy doing captchas wrong, manly because i can't believe how US fire hydrants, busses, and crosswalks have become so important to me.
8. i_love_cookies ◴[26 Jul 23 18:54 UTC] No.36882980{3}[source]
almost anything using cloudflare
9. pests ◴[26 Jul 23 19:13 UTC] No.36883318{4}[source]
Ah, just do something completely nonstandard (sans incognito) and the website will stop working.
10. drbawb ◴[26 Jul 23 21:11 UTC] No.36885097[source]
I built a new PC for a friend, and getting the AM5 platform stable was ridiculously challenging, so there were several reinstallations of Windows involved. He didn't use a password manager, so there were a lot of logging in, password resets etc. involved. For virtually every service he had to login to he was asked to complete a CAPTCHA. For Steam in particular: he had to do the first login on the website, because the CAPTCHA inside the application appeared to be bugged and was more like psychological warfare than human-verification. The frustration was palpable.

Also turn on a VPN some time (a signal to Google et al. that you're trying to bypass content region-restrictions, or funnel mobile traffic through an ad-blocker) and you are basically guaranteed to see nothing but CAPTCHAs from the predominantly CloudFlare owned and operated Internet.

So yes, it's a big problem, but only if your web environment (tracking metadata) are not sufficiently "trusted" :D