756 points dagurp | 48 comments
1. rcxdude ◴[] No.36882331[source]
This is especially rich coming from Google, whose 'SafetyNet' for Android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrifically insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry. So it functions as a vendor lock-in but no meaningful increase in security for the average user, while preventing more advanced users from improving their security without needing to buy more hardware. This needs to be called out more to push back against the claim that this kind of attestation somehow has a legitimate benefit for the users.
replies(6): >>36882444 #>>36883913 #>>36884154 #>>36885533 #>>36885781 #>>36890534 #
2. rezonant ◴[] No.36882444[source]
Fantastic point.
3. StingyJelly ◴[] No.36883913[source]
Exactly! Ironically it's a possible reduction in security on custom ROMs as well if one chooses to bypass it, which is trivial, but requires rooting the device.
4. lern_too_spel ◴[] No.36884154[source]
You're using it wrong. SafetyNet is able to assert that the build the device asserts is what it claims. After you know that, it's up to you to decide whether you trust communications from that build or not. If it's a known-insecure build, you can say that you don't. SafetyNet cannot assert that a third party ROM is what it claims to be, so you have to decide whether you trust communications from that device or not based on not knowing at all what build is on the device.
replies(5): >>36884229 #>>36884517 #>>36884788 #>>36885296 #>>36886555 #
5. wmf ◴[] No.36884229[source]
Does anyone use SafetyNet "right"? I assume not due to the user outcry issue.
replies(1): >>36884350 #
6. lern_too_spel ◴[] No.36884350{3}[source]
Most (all?) corporate endpoint security systems use it right in my experience. Even when using it right, you would have to block third party builds and cause outcry. You would additionally block some builds that SafetyNet (or Play Integrity) attests.
replies(2): >>36885261 #>>36890240 #
7. realusername ◴[] No.36884517[source]
Then you are back to square one pretty much since the safetynet result doesn't tell you anything about the security of the device.
8. ori_b ◴[] No.36884788[source]
In other words, it's virtually impossible to use right without also being the entity that hands out phones to users.
replies(1): >>36885527 #
9. franga2000 ◴[] No.36885261{4}[source]
> Even when using it right, you would have to block third party builds

Unless you have an obvious and accessible way of getting secure third party builds whitelisted, this is still a very anti-user approach, which is not justifiable unless the user of the device isn't its owner (like with company-owned work phones).

replies(1): >>36885561 #
10. ◴[] No.36885296[source]
11. lern_too_spel ◴[] No.36885527{3}[source]
Potentially, a manufacturer could make a multibuild phone where the user could switch between an attested build and a non-attested build and have access to services whose security requires attestation with just a reboot. Otherwise, you would use different devices for different purposes, as I do today. It's unfortunate, but if you really need something that isn't supported by the existing Android APIs, that's the only way.
replies(1): >>36886596 #
12. dcposch ◴[] No.36885533[source]
And speaking of user-hostile, locked-down phones...

a galactic irony that Ben Wiser, the Googler who posted this proposal, has a blog where his most recent post is a rant about how he's being unfairly restricted and can't freely run the software he wants on his own device.

https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...

https://github.com/RupertBenWiser/Web-Environment-Integrity

replies(3): >>36886223 #>>36886979 #>>36887042 #
13. lern_too_spel ◴[] No.36885561{5}[source]
That's up to the service to decide on the appropriate level of security risk in whether they allow unknown builds. They already don't allow custom builds on any other mobile OS, so this is really the best you can get as a user. What is your proposed solution?
replies(2): >>36886886 #>>36888921 #
14. 1vuio0pswjnm7 ◴[] No.36885781[source]
"The term cognitive distortions has often been used as a general umbrella term to refer to pseudo-justifications and rationalizations for their deviant behavior, and pro-criminal or offense-supporting attitudes (Maruna & Copes, 2004; Maruna & Mann, 2006; Ciardha & Gannon, 2011)." Helmond et al., Criminal Justice and Behavior, 2015, Vol. 42, No. 3, March 2015, 245-262

It seems that almost any software/website can be framed as having a legitimate benefit for users, e.g., increased convenience and/or security.^1 The more pertinent inquiry is what benefit(s) does it have for its author(s). What does it do (as opposed to "what is it"). Let the user draw their own conclusions from the facts.

1. Arguably it could be a distortion to claim these are not mutually exclusive.

We can use web clients that do not leak excessive data that might be collected and used for advertising and tracking by so-called "tech" companies. Google would prefer that we not use such clients. But why not. A so-called "tech" company might frame all non-approved web clients as "bots" and all web usage without disclosing excessive data about the computer user's setup^2 as relating to "fraud". It might frame all web usage as commercial in nature and thus all websites as receptacles for advertising. This "all or nothing" thinking is a classic cognitive distortion.

2. This was the norm in the early days of the web.

15. NetOpWibby ◴[] No.36886223[source]
Haha, that’s incredible.
16. lxgr ◴[] No.36886555[source]
> so you have to decide whether you trust communications from that device

"You" in this scenario being, most likely, an engineer at a large, regulated, risk-averse corporation that might have to justify this choice during an audit.

What would your decision be?

17. ori_b ◴[] No.36886596{4}[source]
Or, just don't do remote attestation. The cure is worse than the disease.
replies(2): >>36887093 #>>36887140 #
18. justinclift ◴[] No.36886886{6}[source]
> They already don't allow custom builds on any other mobile OS ...

Keep in mind that Pinephones and similar are a thing. Lots of people are hoping they don't fizzle out and die off like previous "open" phone projects. :)

replies(1): >>36887021 #
19. userbinator ◴[] No.36886979[source]
It's not clear when his most recent post is; the server says "Last-Modified: Wed, 26 Jul 2023 06:00:31 GMT" but I believe I saw references to this post before that in the current discussion.

(What's with the trend of completely omitting any dates on a blog?)

replies(4): >>36887610 #>>36888344 #>>36889099 #>>36892378 #
20. lern_too_spel ◴[] No.36887021{7}[source]
And Pinephones and similar don't have apps for these services that require attestation and never will. If some allow web access without build attestation, that works on custom Android builds as well.
21. lern_too_spel ◴[] No.36887042[source]
Not the same thing. Attestation doesn't mean you can't run software you want on your own phone, which Android allows despite having build attestation APIs.
replies(5): >>36887059 #>>36887886 #>>36889003 #>>36890855 #>>36894697 #
22. simbolit ◴[] No.36887059{3}[source]
Not the same thing. Still close enough to trigger irony detectors.
23. simbolit ◴[] No.36887093{5}[source]
That is viable in 2023.

Think about "don't use a smartphone" in 2013. That was viable back then.

It isn't anymore. What you can do is live smartphone-lite, using it only as a secondary device (as grandparent suggested). The same will be true in a couple of years (if the big G is successful). Until then, yeah, don't use it, actively campaign against it.

replies(1): >>36894776 #
24. lern_too_spel ◴[] No.36887140{5}[source]
Good luck convincing corp security to allow you to use your device on your corporate network without remote attestation.
replies(1): >>36887915 #
25. Groxx ◴[] No.36887610{3}[source]
the RSS feed says 2022-03-04 fwiw:

    <item>
      <title>I just spent £700 to have my own app on my iPhone</title>
      <link>
        https://benwiser.com/blog/I-just-spent-£700-to-have-my-own-app-on-my-iPhone.html
      </link>
      <pubDate>2022-03-04T11:30:34.067Z</pubDate>
    </item>
replies(1): >>36896573 #
26. userbinator ◴[] No.36887886{3}[source]
It means you can, but may then be ostracised from services for having an "unsupported" environment, which is in many ways even worse because it's leveraging peer pressure.
27. ori_b ◴[] No.36887915{6}[source]
I don't use personal devices on corporate networks. If they want a phone with remote attestation, they can pay for it to sit in a drawer.

Though, at this point I am the founder of my own company. Any software we use will not require attestation. I would be willing to switch vendors over that.

As for web attestation: the software I use regularly needs to run on OpenBSD. It's that simple.

28. Andrex ◴[] No.36888344{3}[source]
> (What's with the trend of completely omitting any dates on a blog?)

I hate it so, so much. But it's been a thing for at least 5 or so years.

replies(1): >>36890376 #
29. Dylan16807 ◴[] No.36888921{6}[source]
> What is your proposed solution?

Ban attestation methods that owners can't control.

replies(2): >>36892142 #>>36972537 #
30. tehbeard ◴[] No.36889003{3}[source]
> Attestation doesn't mean you can't run software you want on your own phone,

I couldn't run my bank's app on an up-to-date and security-patched LineageOS ROM thanks to SafetyNet, even trying the hack-around approaches.

They'd happily accept the out-of-date, CVE-riddled official ROM however, as it had the "pope's blessing" from Google.

31. lvncelot ◴[] No.36889099{3}[source]
I hate that trend as well, especially if the post is meant to be instructional. Bonus points if they don't include version numbers as well.

I think it's so that your blog does not run into the risk of looking inactive when you might stop posting for a while.

32. realusername ◴[] No.36890240{4}[source]
> Most (all?) corporate endpoint security systems use it right in my experience.

I've never seen a usage of SafetyNet which I would consider right; pretty much everybody thinks it creates some kind of "security" whereas it doesn't.

One very rare useful usage for it could be removing bots for game leaderboards but certainly not banking apps.

33. ranting-moth ◴[] No.36890376{4}[source]
In uni the mantra from the professors was "put a date and version on everything you write for others".

Students still forgot in the first year but got heavily marked down for it. It quickly got etched into your brain to date and version just about anything you did.

Today when I see an undated blog entry it seriously affects my perception of the writer's integrity.

replies(1): >>36892265 #
34. ThePowerOfFuet ◴[] No.36890534[source]
> This is especially rich coming from Google, whose 'SafetyNet' for Android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrifically insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry.

That's not the case with GrapheneOS:

https://grapheneos.org/articles/attestation-compatibility-gu...

SafetyNet is deprecated anyway:

https://developer.android.com/training/safetynet/deprecation...

replies(1): >>36894078 #
35. rcxdude ◴[] No.36890855{3}[source]
It means there's enough software I can't run that it's a problem for me. Banking apps, for example.
36. hoffs ◴[] No.36892142{7}[source]
What does that even mean? It sounds like your proposal makes attestation pointless since the owner can attest in whatever way they want.
replies(1): >>36899235 #
37. ethbr0 ◴[] No.36892265{5}[source]
> Today when I see an undated blog entry it seriously affects my perception of the writer's integrity.

Yes, but you see it. The canonical reasoning I've heard for missing dates is that it avoids SEO penalties for old content.

replies(2): >>36892405 #>>36900639 #
38. agentgumshoe ◴[] No.36892378{3}[source]
I can't stand it. Slightly more than I can't stand old articles that show in recent searches because "last updated July 26th."
replies(1): >>36900167 #
39. agentgumshoe ◴[] No.36892405{6}[source]
Hooray for SEO once again enriching our experience!

I await the realisation of the Hitchhiker's guide's remedy for the Marketing department...

40. nneonneo ◴[] No.36894078[source]
I think you’ve misunderstood both posts.

SafetyNet is deprecated, but it’s just been rolled into Play Integrity which does all the same things. All the same concerns still apply to Play Integrity.

GrapheneOS is asking developers not to use SafetyNet/Play Integrity (because they presumably block GrapheneOS), but instead to use the native hardware attestation API so they can specifically allow GrapheneOS keys. If a developer doesn’t allow their keys, they’ll be blocked.

41. thefurdrake ◴[] No.36894697{3}[source]
It is my understanding that attestation could be used to control which software is running on the client's computer prior to granting access to a web service, yes?

Otherwise, what would the point be of using to, say, protect DRM content on a webpage if I can just attach a debugger to the process in question?

Is this not how WEI works?

42. thefurdrake ◴[] No.36894776{6}[source]
If this happens the way google wants, I'll have to have a separate physical box set up specifically to access google's shiternet for things like banking and shopping. I'd be glad to stick to websites that have no need or interest for WEI otherwise.

The internet was already going increasingly downhill anyway.

thisisfine.png

43. jwilk ◴[] No.36896573{4}[source]
That's when it was submitted to HN:

https://news.ycombinator.com/item?id=30553448 (5 comments)

44. Dylan16807 ◴[] No.36899235{8}[source]
It only makes it pointless for DRM purposes.

If a company wants control over devices they own, that's still fine.

45. deaddodo ◴[] No.36900167{4}[source]
Inversely, I hate trying to search for old articles and being unable to find them because something about the website's metadata says a blog from 2004 is from 2018. It makes Google's time window search (and general research for contemporary views) almost impossible.
46. philipov ◴[] No.36900639{6}[source]
Can SEO algos read it if you put the date in an image?
replies(1): >>36902599 #
47. ethbr0 ◴[] No.36902599{7}[source]
I'm sure they could, but it's probably not efficient at web scale, so I'd hazard "No."
48. lern_too_spel ◴[] No.36972537{7}[source]
So regulation. I can get into that. Until such regulation exists, phone manufacturers have no incentive to maintain different SKUs.