this post was submitted on 29 Jul 2023
382 points (97.8% liked)

Technology

60085 readers
2695 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

I'm happy to see this being noticed more and more. Google wants to destroy the open web, so it's a lot at stake.

Google basically says "Trust us". What a joke.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 85 points 1 year ago (3 children)

WEI can potentially be used to impose restrictions on unlawful activities on the internet, such as downloading YouTube videos and other content, ad blocking, web scraping, etc.

Not one of those things is illegal.

Some are against a site’s TOS and some are outright fine.

[–] [email protected] 26 points 1 year ago

This is the most disturbing "boring dystopia" thing yet.

load more comments (2 replies)
[–] [email protected] 74 points 1 year ago (21 children)

If you are not using Firefox now is a good time to start.

[–] [email protected] 26 points 1 year ago (2 children)

Just switched yesterday, was way easier than I thought it would be. I'm converted on all my devices, all my stuff has been synced from Chrome in a few clicks. Just do it people.

[–] [email protected] 14 points 1 year ago

If you haven't already, check out Firefox Sync.

You can sync your stuff across Firefox instances (PC, mobile, different PC profiles etc.) You can choose to sync logins, open tabs, bookmarks, add-ons etc.

Each place you use Firefox can choose to sync different stuff, so for example you can sync logins everywhere but only sync open tabs on the PC.

In case you replace the phone or your PC HDD crashes etc. all you have to do is login back to Firefox Sync and you get all that stuff back.

[–] [email protected] 11 points 1 year ago

I love Firefox so much. Specially the built in sync. I can browse something on my phone and open it on my computer later and continue where I left off.

load more comments (19 replies)
[–] [email protected] 44 points 1 year ago (1 children)

They claim it's to prevent bots, but we all know it'll soon become standard in every WAF out there (Cloudflare, Akamai, etc) to just blanket block browsers failing attestation.

All you need to know what will happen is to root an Android phone. You'd expect Netflix and bank apps and other highly sensitive apps to stop working. Okay, I can accept that, it kind of make sense. But the more you use the phone the more you realize a ton of apps also refuse to work. Zoom complains and marks your session as insecure, the Speedtest app refuses to test your speed, even the fucking weather app won't give you weather anymore. Jira/Confluence/Outlook/Teams also complain about it. It's ridiculous.

Even if it'd trust Google to not misuse the feature and genuinely use it to reduce ad fraud, the problem is the rest of the developers and companies. Those, they absolutely cannot be trusted to not abuse the feature to block everyone. Security "consultants" will start mandating its use to pass security audits, government websites will absolute use it, and before you know it, half the web refuses to work unless you use Chrome, Edge or Safari.

[–] [email protected] 22 points 1 year ago (3 children)

Yup I noticed this also. I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background which means Google finds out about literally everything we do on our phones. They already own the entire operating system but we can't even run apps without them being in the middle.

This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it's somehow ok.

But I'm a long term Linux user and I'm used to the OS not calling home and not reporting what apps I use. And this is how it should be. I'm so over big tech it's not even funny anymore.

[–] [email protected] 10 points 1 year ago (2 children)

I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background

This has nothing to do with being rooted but with Google encouraging people to build apps using its proprietary libraries to make Google Android more valuable than Android Open Source Project. There may be a connection to the EU's attempts to stop Google from forcibly bundling several of its other apps with the Play Store.

For most use cases, good alternatives are available and it's just a matter of developers being lazy, but I'm not sure there's another good option for chat apps to get timely notifications without high battery consumption. MicroG provides an open source alternative to Google's libraries and works for most apps, including chat notifications.

load more comments (2 replies)
load more comments (2 replies)
[–] [email protected] 43 points 1 year ago (4 children)

It's time to use web integrity against them, by blocking access to your site if they "pass" integrity checks, and telling them to use a freedom respecting browser instead.

[–] [email protected] 13 points 1 year ago (1 children)

This is actually already implemented, see here.

load more comments (1 replies)
[–] [email protected] 12 points 1 year ago (2 children)

Absolutely. And build web sites where all browsers and operating systems are welcome.

load more comments (2 replies)
load more comments (2 replies)
[–] [email protected] 38 points 1 year ago (8 children)

There's an ongoing protest against this on GitHub, symbolically modifying the code that would implement this in Chromium. See this lemmy post and this GitHub commit. Feel free to "Review changes" --> "Approve". Around 300 people have joined so far.

load more comments (8 replies)
[–] [email protected] 30 points 1 year ago (1 children)

I'm glad the reaction all around seems to be "That's sus as fuck"

load more comments (1 replies)
[–] [email protected] 24 points 1 year ago (1 children)

There is no defense of the move. It's bad for the internet. Pure and simple!

[–] [email protected] 14 points 1 year ago (2 children)

"But it'll make us lots of money..."

load more comments (2 replies)
[–] [email protected] 22 points 1 year ago* (last edited 1 year ago) (3 children)
[–] [email protected] 13 points 1 year ago* (last edited 1 year ago)

Dear madam/sir

I dont trust googel. take me seriously.

yours, Willer

load more comments (2 replies)
[–] [email protected] 22 points 1 year ago (2 children)

Just like Trickle Down, “Don’t be evil” has aged well and deserves to be repackaged. /s

load more comments (2 replies)
[–] [email protected] 18 points 1 year ago (1 children)

It offers web publishers a way to integrate their websites or apps with a code that checks with a trusted party (such as Google)

Imma stop you right there...

load more comments (1 replies)
[–] [email protected] 16 points 1 year ago

*waiting patiently for EU to catch on to this.

Google may not like the outcome…

[–] [email protected] 16 points 1 year ago (2 children)

The fraud-fighting project has fired up quite a controversy

fraud-fighting? Even Google's initial pitch was explicitly describing it as a way to sell more ads.

load more comments (2 replies)
[–] [email protected] 15 points 1 year ago (1 children)

So, how the hell is this supposed to prevent bots? Unless Google are planning to completely lock the browser down to prevent user scripting and all extensions then surely you can still automate the browser?

[–] [email protected] 31 points 1 year ago (5 children)

Unless Google are planning to completely lock the browser down to prevent user scripting and all extensions

Ding ding ding!

load more comments (5 replies)
[–] [email protected] 15 points 1 year ago

Fuck Google 2023

[–] [email protected] 13 points 1 year ago (6 children)

explain like i'm a developer why wei is bad? ad blocking can already be detected

[–] [email protected] 47 points 1 year ago

Only browsers blessed by a single company can view the entire web. Not exactly a feature of the free and open web.

[–] [email protected] 32 points 1 year ago

What people are rightfully scared of is that:

  • Big websites will only accept attestations from big companies like Google, Apple, and Microsoft
  • Google, Apple, and Microsoft will refuse to attest your browser if you have an adblocker installed, or if you are using a browser or operating system they don't approve, or if you made modifications to your browser or your operating system etc.

While adblocking can be detected, you can block anti-adblock scripts, it's sort of a weapons race. Depending on how deep an attestation goes, it might be extremely difficult to fight. Attestations might also be used to block more than just adblockers, for example using Firefox, or rooting/jailbreaking your phone, or installing an alternative OS might make your phone ineligible for attestations and thus locked out of a lot of the internet.

[–] [email protected] 18 points 1 year ago

This is much much more than just ad blocking. The mechanism is so generic that it can be used to lock out users for whatever reason. If the "arrester" doesn't provide the requested proof then you're just shit outa luck. We should not hand such a power to anyone, let alone big for-profit companies.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (1 children)

Their proposal is that, when you visit a website using WEI, it doesn't let you see it right away. Instead, it first asks a third party if you're "legit", as opposed to maybe a bot or something.

The problem is, it would be really tricky to tell if you're "legit", because people get very, very tricky and clever with their bots (not to mention things like content farms, which aren't even bots, they're real humans, just doing the same job as a bot would). So, in order to try to do their jobs at all, these kind of third parties would have to try to find out a whole bunch of stuff about you.

Now, websites already try to do that, but for now the arms race is actually on our side; the end user has more or less full control over what code a website can run on their browser (which is how extensions like u-block and privacy badger work).

But if the end user could just block data collection, the third-party is back to square one. How can they possibly verify ("attest") that you aren't sus, if you're preventing all attempts at collecting data about yourself, or your device / operating system / browser / etc?

The answer is, they can't. So, to do a proper attestation, they have to have a whole bunch of information about you. And if they can't, they logically have no way of knowing if you're a bot. And if that's the case, when the third-party reports that back to the website you're trying to visit, they'll assume you're a bot, and block you. Obviously.

That's pretty much my understanding of the situation. In order to actually implement this proposal, it would require unprecedented invasive measures for data collection; and for people who try to block it, they might just end up being classified as "bots" and basically frozen out of major parts of the internet. Especially because, when you consider how people can essentially just use whatever hardware and software they want, it would be in these big companies' interests to restrict consumer choice to only the hardware and software they deem acceptable. Basically, it's a conflict of interest, especially because the one trying to push this on everyone is Google themselves.

Now, Google obviously denies all that. They assure us it won't be used for invasive data collection, that people will be able to opt out without losing access to websites, that there won't be any discrimination against anyone's personal choice of browser/OS/device/etc.

But it's bullshit. They're lying. It's that shrimple.

load more comments (1 replies)
[–] [email protected] 13 points 1 year ago (3 children)

As other have pointed out, it goes way beyond ad-blocking. It's a complete reversal of the trust model, and is basically DRM for your OS:
Right now, websites assume rightfully that clients can't be trusted. Any security measure happens on the server side, with the rationale that the user has control over the client and you as a dev control the server. If your security is worth two cents, you secure server side. This change propose to extend vendor power, by defining a set of rule about what they deem acceptable as a client app, and enforcing it through a token system. It gives way too much power to the vendor, who gets to dictate what you can do on your machine.
We actually have a live experience of how that could go down with safetynet on android. Instead of doubling down on the biggest security issue there (OEM that refuses to support their software for more than 1 or 2 year after release which, quite frankly, should be universally considered as unacceptable), google decided that OEMs should be allowed way more trust than the user. Therefore modifying your own OS in any way, even if it's ripe with security flaws to begin with and you're just trying to fix that, breaks safetynet. If you break safetynet, "critical apps" like banking apps stop working altogether.
The worst part is that there are ways to circonvent safetynet breakage, because in the end, if DRM taught us anything, it is that if you control the client and know your way around, with enough work you can do pretty much anything you want with it. So bad actors are certainly not kept at bay, you just unjustly annoy people with legitmate usecases or even just experimenting with their hardware because in the end, you consider that your user are at best dumb security flaws, at worst huge cash machine, often both at the same time.

load more comments (3 replies)
[–] [email protected] 10 points 1 year ago

Basically the website will just not render if the browser does not have a proper credential, or if the ad's are blocked. He'll they could also block Linux OS clients from accessing these same websites.

[–] [email protected] 10 points 1 year ago (1 children)

It won't block browsers that spoof their identity? Yeah, sure.

[–] [email protected] 12 points 1 year ago (4 children)
load more comments (4 replies)
[–] [email protected] 9 points 1 year ago

Google: Do ~~no~~ ALL evil.

load more comments
view more: next ›