    756 points dagurp | 20 comments
    rcxdude ◴[] No.36882331[source]
    This is especially rich coming from Google, whose 'safetynet' for android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrifically insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry. So it functions as a vendor lock-in but no meaningful increase in security for the average user, while preventing more advanced users from improving their security without needing to buy more hardware. This needs to be called out more to push back against the claim that this kind of attestation somehow has a legitimate benefit for the users.
    replies(6): >>36882444 #>>36883913 #>>36884154 #>>36885533 #>>36885781 #>>36890534 #
    1. dcposch ◴[] No.36885533[source]
    And speaking of user-hostile, locked-down phones...

    a galactic irony that Ben Wiser, the Googler who posted this proposal, has a blog where his most recent post is a rant about how he's being unfairly restricted and can't freely run the software he wants on his own device.

    https://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-...

    https://github.com/RupertBenWiser/Web-Environment-Integrity

    replies(3): >>36886223 #>>36886979 #>>36887042 #
    2. NetOpWibby ◴[] No.36886223[source]
    Haha, that’s incredible.
    3. userbinator ◴[] No.36886979[source]
    It's not clear when his most recent post is; the server says "Last-Modified: Wed, 26 Jul 2023 06:00:31 GMT" but I believe I saw references to this post before that in the current discussion.

    (What's with the trend of completely omitting any dates on a blog?)

    replies(4): >>36887610 #>>36888344 #>>36889099 #>>36892378 #
    4. lern_too_spel ◴[] No.36887042[source]
    Not the same thing. Attestation doesn't mean you can't run software you want on your own phone, which Android allows despite having build attestation APIs.
    replies(5): >>36887059 #>>36887886 #>>36889003 #>>36890855 #>>36894697 #
    5. simbolit ◴[] No.36887059[source]
    Not the same thing. Still close enough to trigger irony detectors.
    6. Groxx ◴[] No.36887610[source]
    the RSS feed says 2022-03-04 fwiw:

        <item>
          <title>I just spent £700 to have my own app on my iPhone</title>
          <link>
            https://benwiser.com/blog/I-just-spent-£700-to-have-my-own-app-on-my-iPhone.html
          </link>
          <pubDate>2022-03-04T11:30:34.067Z</pubDate>
        </item>
    replies(1): >>36896573 #
    7. userbinator ◴[] No.36887886[source]
    It means you can, but may then be ostracised from services for having an "unsupported" environment, which is in many ways even worse because it's leveraging peer pressure.
    8. Andrex ◴[] No.36888344[source]
    > (What's with the trend of completely omitting any dates on a blog?)

    I hate it so, so much. But it's been a thing for at least 5 or so years.

    replies(1): >>36890376 #
    9. tehbeard ◴[] No.36889003[source]
    > Attestation doesn't mean you can't run software you want on your own phone,

    I couldn't run my bank's app on an up-to-date and security-patched LineageOS ROM thanks to SafetyNet, even trying the hack-around approaches.

    They'd happily accept the out-of-date, CVE-riddled official ROM however as it had the "pope's blessing" from Google.

    10. lvncelot ◴[] No.36889099[source]
    I hate that trend as well, especially if the post is meant to be instructional. Bonus points if they don't include version numbers as well.

    I think it's so that your blog does not run into the risk of looking inactive when you might stop posting for a while.

    11. ranting-moth ◴[] No.36890376{3}[source]
    In uni the mantra from the professors was "put a date and version on everything you write for others".

    Students still forgot in the first year but got heavily marked down for it. It quickly got etched into your brain to date and version just about anything you did.

    Today when I see an undated blog entry it seriously affects my perception of the writer's integrity.

    replies(1): >>36892265 #
    12. rcxdude ◴[] No.36890855[source]
    It means there's enough software I can't run that it's a problem for me. Banking apps, for example.
    13. ethbr0 ◴[] No.36892265{4}[source]
    > Today when I see an undated blog entry it seriously affects my perception of the writer's integrity.

    Yes, but you see it. The canonical reasoning I've heard for missing dates is that it avoids SEO penalties for old content.

    replies(2): >>36892405 #>>36900639 #
    14. agentgumshoe ◴[] No.36892378[source]
    I can't stand it. Slightly more than I can't stand old articles that show in recent searches because "last updated July 26th."
    replies(1): >>36900167 #
    15. agentgumshoe ◴[] No.36892405{5}[source]
    Hooray for SEO once again enriching our experience!

    I await the realisation of the Hitchhiker's guide's remedy for the Marketing department...

    16. thefurdrake ◴[] No.36894697[source]
    It is my understanding that attestation could be used to control which software is running on the client's computer prior to granting access to a web service, yes?

    Otherwise, what would the point be of using it to, say, protect DRM content on a webpage if I can just attach a debugger to the process in question?

    Is this not how WEI works?

    17. jwilk ◴[] No.36896573{3}[source]
    That's when it was submitted to HN:

    https://news.ycombinator.com/item?id=30553448 (5 comments)

    18. deaddodo ◴[] No.36900167{3}[source]
    Inversely, I hate trying to search for old articles and being unable to find them because something about the website's metadata says a blog from 2004 is from 2018. It makes Google's time window search (and general, research for contemporary views) almost impossible.
    19. philipov ◴[] No.36900639{5}[source]
    Can SEO algos read it if you put the date in an image?
    replies(1): >>36902599 #
    20. ethbr0 ◴[] No.36902599{6}[source]
    I'm sure they could, but it's probably not efficient at web scale, so I'd hazard "No."