756 points dagurp | 8 comments
wbobeirne ◴[] No.36881997[source]

> Can we just refuse to implement it?
>
> Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.

This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

But as a software creator, it's up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slap Google's wrist, I'm concerned that you aren't willing to take a hard stance on your own.

replies(16): >>36882111 #>>36882159 #>>36882251 #>>36882319 #>>36882333 #>>36882392 #>>36883076 #>>36884242 #>>36886398 #>>36886528 #>>36886698 #>>36887109 #>>36888102 #>>36888252 #>>36889157 #>>36890182 #
1. rezonant ◴[] No.36882319[source]
> Choosing not to implement it means your users will sometimes be presented with a worse UX if a website's developers decide to require that feature.

I think this makes a category error. Most browser features/APIs are indeed treated as progressive enhancements by web developers, at least until an overwhelming number of the users have access to that feature. And even then, even if the developer makes assumptions that the feature/API is present, often the result is a degraded experience rather than an all-out broken experience.

The same is not true of web attestation. If a website requires it and a browser refuses to implement it, in at least some cases (probably a concerningly high number of cases though) the result will be that the user is entirely locked out of using that website.

It's also worth noting that _even if_ Vivaldi implements WEI, there's a solid chance that the attestation authority (Google, Microsoft, Apple) or possibly the website itself[1] will not accept it as a valid environment at all! After all, what makes Vivaldi not a "malicious or automated environment" in their eyes? What if Vivaldi allows full ad blocking extensions? User automation/scripting? Or any example of too much freedom to the user. Will the attestation authority decide that it is not worthy of being an acceptable environment?

[1] if this ends up spiralling out of control by allowing the full attestation chain to be inspected by the website

replies(2): >>36882374 #>>36882682 #
2. iforgotpassword ◴[] No.36882374[source]
It still feels like they'd rather bend over and take it than risk losing market share.
replies(1): >>36882448 #
3. mrguyorama ◴[] No.36882448[source]
Vivaldi's entire reason for being is "I literally cannot bring myself to just use Firefox instead so I'll bend over backwards to try and remove objectionable things from Chromium and still end up supporting Chrome as the web default"
4. wbobeirne ◴[] No.36882682[source]
> The same is not true of web attestation. If a website requires it...

I don't think I've made a category error, that again is true of all browser features. If your browser does not support JavaScript or WebSockets or WebGL, many sites would lock you out of them entirely as well. It's a choice of the website creator what to assume and what to require, and how to degrade the experience or offer alternatives when a feature is missing.

The way I imagine it, WEI will start with skipping CAPTCHA. Then it will be about serving ads (users without WEI would generate no or very limited ad revenue.) Then it's up to the owner of a site whether or not they want to allow non-WEI traffic at all. Some will choose to block users without WEI, and hopefully the number of browsers that have chosen not to implement it, and the number of users on those browsers is high enough that that option will not be appealing.

I hope that Vivaldi remains one of the browsers that doesn't implement it, whether or not the EU rules against it.

replies(1): >>36883130 #
5. nobody9999 ◴[] No.36883130[source]
> The way I imagine it, WEI will start with skipping CAPTCHA. Then it will be about serving ads (users without WEI would generate no or very limited ad revenue.) Then it's up to the owner of a site whether or not they want to allow non-WEI traffic at all. Some will choose to block users without WEI, and hopefully the number of browsers that have chosen not to implement it, and the number of users on those browsers is high enough that that option will not be appealing.

There are a number of issues with your imagined scenario. I'll address two of them. Firstly, as nvy points out[0]:

> If this gains traction, Google will simply deny adsense payments for impressions from an "untrusted" page, and thus all the large players that show ads for revenue will immediately implement WEI without giving a single flying shit about the users, as they always have and always will.

This is the primary reason Google wants WEI -- to make it harder for users of ad/tracking blockers to access sites they sell ads on.

The second issue is who is providing this "attestation" and what their criteria might be for "trustworthy" browsers. This will break down to a handful (Google, Microsoft, Apple and maybe Cloudflare and/or one or two others) of trusted "attestors" who will decide which browser/plugins/OS combinations are "trustworthy."

Since these folks all have a stake in walled gardens^W hellscapes, who's to say that Apple won't "attest" that any browser other than Safari on iOS or macOS isn't trustworthy? Or Google may decide that any browser with uBlock Origin, uMatrix or NoScript isn't trustworthy -- thus permanently deprecating ad/tracking blockers.

Since the spec doesn't specify the criteria for a "trusted" client, nor does it allow for the web site to determine for itself what constitutes the same, it's almost certain that such "trusted attestors" will penalize those who don't dance to their tune.

There are a host of other issues with WEI, especially privacy and property rights related, but those two (IMHO) are most relevant to your imaginings.

[0] https://news.ycombinator.com/item?id=36882333

replies(2): >>36883534 #>>36884880 #
6. wbobeirne ◴[] No.36883534{3}[source]
I'm not sure any of that refutes the scenario I laid out. Google denying adsense payments is exactly what I said would happen. It would then be up to the site as to whether or not they would continue to allow traffic from users who they aren't getting ad revenue from. I've been at companies who have had this exact debate about how to handle users with ad blockers.

I completely agree about the spec's vagueness about what makes a client trusted, and that attesters can choose arbitrary criteria, and will likely favor things that make the walls on their gardens higher.

I hope you're not misunderstanding my position, I think WEI is bad for users and I'm hoping that alternative browser vendors like Vivaldi take a stand to not implement it.

replies(1): >>36884041 #
7. rezonant ◴[] No.36884041{4}[source]
You're not wrong about any of this, but I have very little faith that alternative browsers not implementing this will have any sway in avoiding the lockout outcome :-(
8. nine_k ◴[] No.36884880{3}[source]
BTW this logic immediately disqualifies any open-source browsers, because they can be modified.

The source can still be available for reference, but your build needs to be blessed somehow to be considered trustworthy.