←back to thread

Unpacking Google’s Web Environment Integrity specification

(vivaldi.com)
756 points dagurp | 1 comments | 26 Jul 23 11:30 UTC | HN request time: 0s | source
Show context
gorgoiler ◴[26 Jul 23 22:39 UTC] No.36886149[source]
I agree that extending trusted platform trust all the way up into web APIs is gross — it would be fine if the TPA club was wide open to anyone building their own OS, but that clearly will never happen and only the corporate-aligned cabal will ever be trusted, and all the free/open OSs will never be allowed to join.

But… is there scope for the attestor in WEI to be a third party site that does a super fancy “click on all the stop lights / stairs / boats” captcha, and then repurposes that captcha result for every other site? That doesn’t sound like an awful service to add to the web. It would mean each individual site no longer had to do their own captcha.

(Probably impossible without third party cookies. But then that kind of implies that if WEI does make it possible then it could be shown to provide a tracking service equivalent to third party cookies? Again, gross.)

replies(1): >>36886572 #
1. foota ◴[26 Jul 23 23:25 UTC] No.36886572[source]
I agree, I think a third party attribution service makes a lot of sense, similar to how https has trusted CAs there could be different trusted attributors that can verify that a user has some account with some kind of verification, and these pluggable attributors could then be trusted by sites. You'd still need to integrate with a trusted authenticator, which some people might find objectionable, but it's probably better than the current proposal in that regard.

This of course only covers half of the use cases discussed (the half about preventing bots, not to say anything about the more DRM-ey aspects).