←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0.211s | source
Show context
endisneigh ◴[26 Jul 23 17:54 UTC] No.36881965[source]
How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it's only getting worse. What's the alternative solution? You need to know who you're dealing with, both in life and clearly on the web.

I'm probably alone in this, but WEI is a good thing. Anyone who's run a site knows the headache around bots. Sites that don't care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.

With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.

edit: removing ssl comparison since it's not really my point to begin with

replies(16): >>36881994 #>>36882000 #>>36882015 #>>36882024 #>>36882088 #>>36882221 #>>36882265 #>>36882387 #>>36882539 #>>36882591 #>>36882677 #>>36883051 #>>36883062 #>>36883781 #>>36884189 #>>36884296 #
NoMoreNicksLeft ◴[26 Jul 23 18:01 UTC] No.36882088[source]
Anyone using a browser without this feature will end up becoming second class citizens who must jump through (extreme) hoops to use the web...

Or they're just walled off from most of the web entirely.

I use a variety of personally developed web scraper scripts. For instance, I have digital copies of every paystub. These will almost all become worthless. My retirement plan at a previous employer would not let me download monthly statements unless I did it manually... it was able to detect the Mechanize library, and responded with some creepy-assed warning against robots.

No one would go to the trouble to do that manually every month, and no one was allowed robots apparently. But at least they needed to install some specialty software somewhere to disallow it. This shit will just make it even easier for the assholes.

I also worry about tools I sometimes use for things like Selenium.

This isn't SSL.

replies(2): >>36882262 #>>36882336 #
endisneigh ◴[26 Jul 23 18:11 UTC] No.36882262[source]
This is not true. Sites will not be obligated to implement WEI. At the end of the day bots are a real issue, with no real solution other than attestation. AI is accelerating this issue. This (WEI or something else) is inevitable.
replies(3): >>36882410 #>>36883039 #>>36884870 #
lxgr ◴[26 Jul 23 18:57 UTC] No.36883039[source]
Maybe so, but if so, let's please make it something else.

I'm fine with attestation when it comes to high-risk tasks such as confirming financial transactions or signing legal documents, or anonymous "proof-of-humanity" solutions such as Apple's Private Access Tokens (as long as there's a CAPTCHA-based or similar alternative!) for free trials or account creations (beats using SMS/phone number authentication, at least), but applying Trusted Computing to the entire browser just goes much too far.

replies(1): >>36885799 #
1. nfw2 ◴[26 Jul 23 22:04 UTC] No.36885799[source]
With the rate AI is accelerating, it's possible that nothing akin to a CAPTCHA may be viable soon. That sort of verification is already approaching the threshold of what's reasonable to ask humans to solve.