this post was submitted on 10 Aug 2023
999 points (99.1% liked)

Firefox

18050 readers
45 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] droans 1 points 1 year ago

This standard doesn't affect ad blockers.

###Goals

  • Allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device.
  • Offer an adversarially robust and long-term sustainable anti-abuse solution.
  • Don't enable new cross-site user tracking capabilities through attestation.
  • Continue to allow web browsers to browse the Web without attestation.

###Non-goals

  • Enable reliable client-side validation of verdicts: Signatures must be validated server-side, as client javascript may be modified to alter the validation result.
  • Enforce or interfere with browser functionality, including plugins and extensions.
  • Access to this functionality from non-Secure Contexts.

The workflow does not involve checking or blocking extensions. It operates closer to SSL certs. The webpage asks the browser to prove its identity. The browser generates a token. A trusted third party (attester) signs the token. It sends that back to the webpage. The webpage decides if the token is legitimate and if they trust the third party.

The ability to use extensions which alter the contents of the webpage is still allowed if the browser allows it. This standard just verifies the identity of the browser.

It still will cause issues for the Internet, though. Small browsers would likely be unable to afford paying for the attesters. Fingerprinting would be much easier and WEI doesn't have a method to prevent high entropy. Attesters would be able to track each user and the sites they are visiting.