←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 4 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source
Show context
endisneigh ◴[26 Jul 23 17:54 UTC] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.

edit: removing ssl comparison since it's not really my point to begin with

replies(16): >>36881994 #>>36882000 #>>36882015 #>>36882024 #>>36882088 #>>36882221 #>>36882265 #>>36882387 #>>36882539 #>>36882591 #>>36882677 #>>36883051 #>>36883062 #>>36883781 #>>36884189 #>>36884296 #
1. seanalltogether ◴[26 Jul 23 18:35 UTC] No.36882677[source]
I think your comparison to SSL is actually important, because encryption is a discrete problem with a discrete solution. But this WEI proposal is designed to detect botting, which is a cat and mouse problem without a clear end game.
replies(1): >>36882854 #
2. yonatan8070 ◴[26 Jul 23 18:46 UTC] No.36882854[source]
Exactly, if people want to create bots, at the end of the days we'll end up with VMs running AutoHotkey and Chrome, or physical machines with fake mice and keyboards, or actual computer setups with robot arms moving the mouse around, there's no stopping bots
replies(1): >>36882997 #
3. lxgr ◴[26 Jul 23 18:54 UTC] No.36882997[source]
Well, not if you ultimately tie something like WEI to hardware attestation. Then fraudsters would have to buy additional devices, which is not a complete deterrent [1], but would change the economics significantly.

But many here are (in my view rightly) arguing that this would be too high a price to pay for bot/spam protection, since it would almost inevitably cement the browser, OS, and device monoculture even further.

[1] https://www.cultofmac.com/311171/crazy-iphone-rig-shows-chin...

replies(1): >>36884305 #
4. Urd- ◴[26 Jul 23 20:16 UTC] No.36884305{3}[source]
>Then fraudsters would have to buy additional devices

Which a lot of them already do: https://www.youtube.com/watch?v=hsCJU9djdIc

Or just use a botnet to steal use of someone else's hardware, which is also very common for malicious bots.