this post was submitted on 13 Aug 2023
You've already got some answers, but the recent drama is specifically about a Chromium-centered API, called Web Environment Integrity.
It has been found on a Google engineer's GitHub account, and iirc it's being tested on Chrome.
It's basically web DRM.
The idea is that the API allows websites to require browsers to guarantee they are unmodified through a "third-party" attester, like Google SafetyNet (or whatever the fuck it got rebranded as) does.
Imagine if you were trying to access a mobile-only website on your PC, by changing your HTTP user agent string;
the website would refuse to serve you the page, and tell you "I don't trust you, are you really a Google Pixel?".
A real Pixel's browser would ask Google Play to vouch for it, and the website would trust Google Play (due to cryptographic shenanigans and whatnot); your browser, however, would not have an attester that:
That doesn't sound too bad.
But, what if the attester can check your browser's extensions, and tell the website that you're running an adblocker (which is WEI's explicit goal)?
What if it also checks your system's running processes or applications?
What if you ran a debloater script for Windows, and the attester decided that a lack of ads in the start menu was sus?
What if it detected VPN usage? I know some governments that wouldn't like that; I bet they would like it if VPN users were denied access to half the web...
If the comment about VPNs is true, I will lose touch with half of my friends and families that live in Iran. This is truly evil...
It's "true" in the sense that it could happen in theory; Google is (allegedly?) planning to use WEI for forcing people to see ads rather than China-firewalling the web. Also, WEI was still under development last time I checked.
Whether the attesters that end up being universally trusted will poke around to check for VPNs is up for speculation, for now.
Even then, this is just an API for websites. If you use other means of communication, you'll be fine.
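
The attestation exchange described in the first comment of this thread, as an added example that is not part of the original posts and not Google's code: a generic remote-attestation sketch in Node.js showing why the website's decision rests on the attester's signature rather than on anything the browser claims about itself. The function names, the verdict fields and the Ed25519 key are assumptions made for illustration, not the WEI API or token format.

```javascript
// Added sketch of attester-signed verdicts; every name here is hypothetical
// and none of it is the actual WEI API or token format.
const nodeCrypto = require("node:crypto");

// The attester holds the signing key; websites only get the public half.
const attester = nodeCrypto.generateKeyPairSync("ed25519");

// Attester side: judge the environment and sign a verdict bound to the
// website's one-time challenge. `env.unmodified` stands in for whatever
// checks a real attester would run.
function attest(env, challenge) {
  const verdict = JSON.stringify({ challenge, trusted: env.unmodified === true });
  const sig = nodeCrypto.sign(null, Buffer.from(verdict), attester.privateKey);
  return { verdict, sig: sig.toString("base64") };
}

// Website side: nothing the browser says about itself (user agent included)
// counts; only a verdict signed by the trusted attester does.
function siteAccepts(token, challenge, attesterPublicKey) {
  if (!token) return false; // browser has no attester to vouch for it
  const sigOk = nodeCrypto.verify(null, Buffer.from(token.verdict),
    attesterPublicKey, Buffer.from(token.sig, "base64"));
  if (!sigOk) return false; // verdict is not what the attester signed
  const verdict = JSON.parse(token.verdict);
  return verdict.challenge === challenge && verdict.trusted === true;
}

// Constructed scenarios matching the cases discussed in the thread.
function runScenarios() {
  const challenge = nodeCrypto.randomBytes(16).toString("hex");
  const pub = attester.publicKey;
  const genuine = attest({ unmodified: true }, challenge);
  const modified = attest({ unmodified: false }, challenge);
  // Rewriting the attester's "no" into a "yes" invalidates the signature.
  const edited = { ...modified, verdict: modified.verdict.replace("false", "true") };
  const stale = attest({ unmodified: true }, "challenge-from-an-earlier-visit");
  return {
    genuine: siteAccepts(genuine, challenge, pub),
    modified: siteAccepts(modified, challenge, pub),
    noAttester: siteAccepts(null, challenge, pub),
    edited: siteAccepts(edited, challenge, pub),
    stale: siteAccepts(stale, challenge, pub),
  };
}

console.log(runScenarios());
```

Only the first scenario is accepted, which is the point the comment makes: the verdict belongs to the attester, so whatever the attester chooses to inspect decides who gets served.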