Your Computer Should Say What You Tell It To Say
www.eff.org
WEI? I’m a frayed knotTwo pieces of string walk into a bar.The first piece of string asks for a drink.The bartender says, “Get lost. We don’t serve pieces of string.”The second string ties a knot in his middle and messes up his ends. Then he orders a drink. The bartender says, “Hey, you aren’t a...

Summary

  • Google’s proposal, Web Environment Integrity (WEI), aims to send tamper-proof information about a user’s operating system and software to websites.
  • The information sent would help reduce ad fraud and enhance security, but it also raises concerns about user autonomy and control over devices.
  • The authors argue that implementing WEI could lead to websites blocking access for users not on approved systems and browsers.
  • They express worries about companies gaining more control over users’ devices and the potential for abuse.
  • The authors emphasize that users should have the final say over what information their devices share.
  • Remote attestation tools, like WEI, might have their place in specific contexts but should not be implemented on the open web due to potential negative consequences.
  • The authors advocate for preserving user autonomy and the openness of the web, emphasizing that users should be the ultimate decision-makers about their devices.

Joke:

Two pieces of string walk into a bar. The first piece of string asks for a drink. The bartender says, “Get lost. We don’t serve pieces of string.”

The second string ties a knot in his middle and messes up his ends. Then he orders a drink.

The bartender says, “Hey, you aren’t a piece of string, are you?” The piece of string says, “Not me! I’m a frayed knot.”

      • 𝘋𝘪𝘳𝘬@lemmy.mlEnglish
        149·
        11 months ago

        I am not entirely sure about this.

        I was always someone who used “an alternative”. Back in the days I was an avid Netscape user, then I used the Mozilla suite, then Firefox when it still was named Phoenix, then Firefox actually named Firefox (😄) … but it went downhill. The fast and sleek browser got slower and more outdated over time.

        There were times when even Internet Explorer was more modern! Firefox had UI, core, and all tabs running in one single process, which meant, one website alone being able to not only crash the tab, but also all other tabs and the UI and the core - while IE started to implement having different processes for individual tabs.

        At one point I switched to Chromium and eventually to Vivaldi because Chromium - in comparison to Vivaldi - is basically unconfigurable. Vivaldi also has a very good mobile version and I have full synchronization between a minimum of 5 devices (yes, I mean it! I really depend on synchronization, I have my Arch PC, an Ubuntu Laptop, an Arch laptop, my Android phone, and a Windows laptop - all of them are regularly used). This is something I need and is a deal-breaker.

        Also extensions. There are two extensions I don’t want to leave behind. Both use MV3, one can be triggered for the current tab, one is automatically activated on one specific site.

        Maybe I should check out Firefox again, depending on what Vivaldi does regarding WEI.

        • Pelicanen@sopuli.xyzEnglish
          31·
          11 months ago

          Firefox now has Firefox Sync which allows seamless switching between devices and the performance of Firefox is generally on par with Chrome, sometimes faster. It also has a pretty dang big library of extensions.

        • whynotzoidberg@lemmy.worldEnglish
          11·
          11 months ago

          I was there for the single process Firefox when everyone else went multiprocess. It was then that I also switched away from FF, too.

          I’m back on it now though (for past 9 months or so, since I heard about Google’s intention with Chrome.)

          Firefox and Safari are my daily drivers, and it’s pretty chill. Edge is my backup if I must.

        • Thorned_Rose@kbin.social
          111·
          11 months ago

          And uBlock Origin. There’s some other decent privacy addons too like Privacy Badger, Decentraleyes and Chameleon.

          • thehatfox@kbin.social
            5·
            11 months ago

            With Google search results increasingly swamped with SEO-laden drivel, I’ve found the gap between Google and alternatives like Qwant and DDG has shrunk a lot recently. The little guys have improved a bit, but Google has also got worse.

            • beta_tester@lemmy.mlEnglish
              2·
              11 months ago

              Google became shit. I haven’t used it much in years. Sometimes it’s more useful though. Brave search is my go to. Simply because it has a brighter future than ddg and qwant. Qwant is mismanaged imo. Marketing is crap, products not working correctly, target group is wrong etc… brave serves nice summaries for stuff you look up.

          • Pelicanen@sopuli.xyzEnglish
            3·
            11 months ago

            Most other search engines use Bing or Google, Qwant is one of the few that implement their own entirely. While I agree that it’s not as good as the other two, it also has a minuscule amount of market share and in turn fewer resources.

      • 𝘋𝘪𝘳𝘬@lemmy.mlEnglish
        11·
        11 months ago

        I’m a happy Vivaldi user (features and configurability to me are more important!) but I’m sure this will be implemented in the Chromium open source platform and not exclusively in Chrome (like some other features).

    • BestBouclettes@jlai.luEnglish
      152·
      11 months ago

      The problem is that Google has such a monopoly over web browsers that Firefox will most probably have to follow and implement this shit as well.
      Smells like “this website is only compatible with Internet Explorer 7 or higher” kind of stuff, those were bad back then, it will be a lot worse now.

      • 𝘋𝘪𝘳𝘬@lemmy.mlEnglish
        102·
        11 months ago

        > it will be a lot worse now

        On the other hand: A website implementing such a functionality does not want me as a user. That’s fine. I’ll find the information elsewhere or give them useless date from within a VM. Starting and stopping minimalist single-purpose VMs isn’t hard nowadays.

        • BestBouclettes@jlai.luEnglish
          12·
          11 months ago

          It’s easy for us as we are tech literate, but I mostly think of the average person that “doesn’t care about privacy and personal data”. We’re also not Google’s main demographic. When most websites use this kind of shit, it will be extremely hard for everyone to get away from it.

          • 𝘋𝘪𝘳𝘬@lemmy.mlEnglish
            34·
            11 months ago

            > but I mostly think of the average person that “doesn’t care about privacy and personal data”

            I stopped thinking of them. But yes, those people will have their data stolen by Google, as usual. But those people also don’t care one single bit about that.

            • BestBouclettes@jlai.luEnglish
              71·
              11 months ago

              To be fair, those people are my girlfriend, her parents, mine, my friends and such. When you see the damage a company like Facebook has done to the world, I would definitely try not to continue giving them any more power to fuck shit up. Giving a DRM like tool to Google could be absolutely devastating for the free web and the open internet.

        • odium@programming.devEnglish
          1·
          11 months ago

          According to this comment, the changes Google is making will tell websites if you’re in a vm or not.

          Comment text if there are linking problems:

          The idea is that it would be similar to hardware attestation in Android. In fact, that’s where Google got the idea from.

          Basically, this is the way it works:

          • You download a web browser or another program (possibly even one baked into the OS, e.g. working alongside/relying on the TPM stuff from the BIOS). This is the “attester”. Attesters have a private key that they sign things with. This private key is baked into the binary of the attester (so you can’t patch the binary).

          • A web page sends some data to the attester. Every request the web page sends will vary slightly, so an attestation can only be used for one request - you cannot intercept a “good” attestation and reuse it elsewhere. The ways attesters can respond may vary so you can’t just extract the encryption key and sign your own stuff - it wouldn’t work when you get a different request.

          • The attester takes that data and verifies that the device is running stuff that corresponds to the specs published by the attester - “this browser, this OS, not a VM, not Wine, is not running this program, no ad blocker, subject to these rate limits,” etc.

          • If it meets the requirements, the attester uses their private key to sign. (Remember that you can’t patch out the requirements check without changing the private key and thus invalidating everything.)

          • The signed data is sent back to the web page, alongside as much information as the attester wants to provide. This information will match the signature, and can be verified using a public key.

          • The web page looks at the data and decides whether to trust the verdict or not. If something looks sketchy, the web page has the right to refuse to send any further data.

          They also say they want to err towards having fewer checks, rather than many (“low entropy”). There are concerns about this being used for fingerprinting/tracking, and high entropy would allow for that. (Note that this does explicitly contradict the point the authors made earlier, that “Including more information in the verdict will cover a wider range of use cases without locking out older devices.”)

          That said - we all know where this will go. If Edge is made an attester, it will not be low entropy. Low entropy makes it harder to track, which benefits Google as they have their own ways of tracking users due to a near-monopoly over the web. Google doesn’t want to give rivals a good way to compete with user tracking, which is why they’re pushing “low-entropy” under the guise of privacy. Microsoft is incentivized to go high-entropy as it gives a better fingerprint. If the attestation server is built into Windows, we have the same thing.

      • Qvest@lemmy.worldEnglish
        1·
        11 months ago

        Won’t a User Agent Switcher be enough? Firefox has an extension like this and they even recommend it

  • jerry@lemmy.worldEnglish
    1382·
    11 months ago

    Firefox has been better for 5 years or so. Please use it. It’s good for the open web, it’s good for privacy, it’s good for blocking ads, just use it, please.

    • daed@sh.itjust.worksEnglish
      72·
      11 months ago

      I had to switch when they got rid of the bottom address bar on mobile, some years ago. All the other benefits are sprinkles on the cake for me.

      • mosiacmango@lemm.eeEnglish
        9·
        11 months ago

        You can put the address bar wherever you like on mobile.

        Settings–>customize–>toolbar

        • daed@sh.itjust.worksEnglish
          1·
          11 months ago

          At first you could still change it in the config, then they made it persistent on Chrome back then which was really annoying.

        • daed@sh.itjust.worksEnglish
          4·
          11 months ago

          That time I switched from Chrome to Firefox. Naturally not only on mobile, but Desktop and Laptop too.

    • Karlos_Cantana@sopuli.xyzEnglish
      1·
      11 months ago

      I had to stop using Firefox because it’s too ram intensive on all my devices. I get low system memory errors on my Windows machines after it’s been open for a while. My Android devices just lock up when I try to use it. I haven’t tried it on my Linux machines because I just assume it will have the same affect. I don’t understand how people are successfully using it on anything except maybe Apple. I don’t have any Apple devices to try it on.

    • Elephant0991@lemmy.bleh.auOPEnglish
      869·
      11 months ago

      Hmm… WEI seems to serve to reduce ad frauds, not as a direct attack on blocking ads, except maybe for those ad blockers that attempt to maximize expenses for the advertisers.

      • miss_brainfart@lemmy.mlEnglish
        67·
        11 months ago

        Stopping ad blocking is very much in their interest, and this system can very quickly be used to do just that.

        This is Google we’re talking about, their days of not being evil are long gone.

  • fresh@sh.itjust.worksEnglish
    612·
    11 months ago

    At this point, I only keep Chrome around for the odd website that only works on Chrome. It’s astonishing how quickly Google is burning through good will lately.

    • M-Reimer@lemmy.worldEnglish
      43·
      11 months ago

      Google sees that their business is at risk.

      Primarily Google is an advertisement company. And so their top priority is to profile you to serve you targeted ads. Every single product of Google has this number one priority.

      • JackGreenEarth@lemm.eeEnglish
        141·
        11 months ago

        Why not show you ads on any of their own websites then, like google docs, forms, slides, etc. I get that they show you ads kn YouTube, but that doesn’t have Google in the name. Do they want users to not associate ‘Google’ websites as being overrun with ads, while trying to that to as many other websites and apps as possible?

        • theragu40@midwest.socialEnglish
          3·
          11 months ago

          That, and those platforms are also at the core of their business offering. You’d think it shouldn’t be that hard for them to just offer a business version of those apps that is ad free. But in my experience administering a g-suite org for a couple years, they are absolutely lazy enough to just shovel users on the literal exact same thing they give to the general public.

    • kautau@lemmy.worldEnglish
      111·
      11 months ago

      The worrying thing is how many websites may accept this standard. We can choose to use other browsers, sure. But the vast majority of users are uninformed chrome users. They won’t see a change in their day to day web usage. But Firefox, and other Chromium-based browsers like brave and Vivaldi are choosing to not adopt it. It’s only a matter of time before ad blocking doesn’t work on those browsers because major publishers implement this to ensure their content is properly paywalled.

    • Stay Frosty@lemmy.worldEnglish
      8·
      11 months ago

      Most of the times, the websites check the “user agent string” of the browser. If you can change the user agent to chrome while using those websites, you can eliminate the need of keeping chrome around.

  • aranym@lemmy.nameEnglish
    42·
    11 months ago

    I’ve been warning people that Google making up their own web standards will end in disaster, for years.

    • hark@lemmy.worldEnglish
      31·
      11 months ago

      No single entity should be allowed to dictate standards. I’m sure multiple businesses would be interested in going along with this standard, though, so we need something of an internet bill of rights to protect against this sort of thing.

  • SyJ@lemmy.mlEnglish
    411·
    11 months ago

    Your computer should say what you tell it to say - so if I want to spoof my browser and OS I can do that right? Right?

    • hoshikarakitaridia@sh.itjust.worksEnglish
      18·
      11 months ago

      The magic words are “user-agent header in http protocol”

      Also the goal is not for everyone to spoof everyone else, but the goal is to not trust any information you are given by a browser. A good developer would always find ways to bypass any limits with that so it would be useless anyway.

      • EnglishMobster@kbin.social
        5·
        11 months ago

        That’s because they check your user agent.

        This API aims to break those kinds of extensions, making it impossible to spoof a user agent or certain kind of machine.

    • PlexSheep@feddit.deEnglish
      1·
      11 months ago

      If this comes live it won’t be so easy. Many operating systems will probably not allow to turn this garbage off or spoof it. Especially android.

  • Anemervi@lemmy.worldEnglish
    39·
    11 months ago

    Write to your country’s anti-trust body if you feel Google is unilaterally going after the open web with WEI (content below taken from HN thread https://news.ycombinator.com/item?id=36880390).

    US:

    https://www.ftc.gov/enforcement/report-antitrust-violation
[email protected]

    EU:

    https://competition-policy.ec.europa.eu/antitrust/contact_en
[email protected]

    UK:

    https://www.gov.uk/guidance/tell-the-cma-about-a-competition…
[email protected]

    India:

    https://www.cci.gov.in/antitrust/
https://www.cci.gov.in/filing/atd

    Example email:

    Google has proposed a new Web Environment Integrity standard, outlined here: https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

This standard would allow Google applications to block users who are not using Google products like Chrome or Android, and encourages other web developers to do the same, with the goal of eliminating ad blockers and competing web browsers.

Google has already begun implementing this in their browser here: https://github.com/chromium/chromium/commit/6f47a22906b2899412e79a2727355efa9cc8f5bd

Basic facts:

    Google is a developer of popular websites such as google.com and youtube.com (currently the two most popular websites in the world according to SimilarWeb)
    Google is the developer of the most popular browser in the world, Chrome, with around 65% of market share. Most other popular browsers are based on Chromium, also developed primarily by Google.
    Google is the developer of the most popular mobile operating system in the world, Android, with around 70% of market share.

Currently, Google’s websites can be viewed on any web-standards-compliant browser on a device made by any manufacturer. This WEI proposal would allow Google websites to reject users that are not running a Google-approved browser on a Google-approved device. For example, Google could require that Youtube or Google Search can only be viewed using an official Android app or the Chrome browser, thereby noncompetitively locking consumers into using Google products while providing no benefit to those consumers.

Google is also primarily an ad company, with the majority of its revenue coming from ads. Google’s business model is challenged by browsers that do not show ads the way Google intends. This proposal would encourage any web developer using Google’s ad services to reject users that are not running a verified Google-approved version of Chrome, to ensure ads are viewed the way the advertiser wishes. This is not a hypothetical hidden agenda, it is explicitly stated in the proposal:

“Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they’re human, sometimes through tasks like challenges or logins.”

The proposed solution here is to allow web developers to reject any user that cannot prove they have viewed Google-served ads with their own human eyes.

It is essential to combat this proposal now, while it is still in an early stage. Once this is rolled out into Chrome and deployed around the world, it will be extremely difficult to rollback. It may be impossible to prevent this proposal if Google is allowed to continue owning the entire stack of website, browser, operating system, and hardware.

Thank you for your consideration of this important issue.
    • Dizzy Devil Ducky@lemm.eeEnglish
      3·
      11 months ago

      Writing to the US anti-trust body about googl€ is a useless act since they will disregard you. googl€ already had their hand shoved so far up their ass monetarily in the form of lobbying that you’d need every single person on Earth to contact them at this point for your message to even be given anything more than an afterthought.

  • Jamie@jamie.moeEnglish
    251·
    11 months ago

    Well, according to the proposal, it doesn’t send it to websites. It sends all your data to an attestation server, AKA Google probably, and the attestation server sends stuff to the website.

    • graycube@kbin.social
      1·
      11 months ago

      Can you rewrite attestation server traffic with a proxy server? What if you had a proxy server that had hundreds of clients and scrambled the requests?

    • Ddhuud@lemmy.worldEnglish
      21·
      11 months ago

      Brave is even worse than chrome. They would sell your mother if they could get away with it.

      • sheogorath@lemmy.worldEnglish
        17·
        11 months ago

        I still don’t understand how Brave became the face of the privacy focused browser. Doing some cryptocurrency related shit is the biggest red flag that an entity should not be trusted now.

        • hark@lemmy.worldEnglish
          32·
          11 months ago

          It’s a shining example of advertising controlling the narrative.

  • db0@lemmy.dbzer0.comEnglish
    12·
    11 months ago

    Can someone tell me how it can be “tamper proof”? Any encryption key inside chrome can be extracted and used to sign anything the user might want to send back.

    • EnglishMobster@kbin.social
      28·
      11 months ago

      The idea is that it would be similar to hardware attestation in Android. In fact, that’s where Google got the idea from.

      Basically, this is the way it works:

      • You download a web browser or another program (possibly even one baked into the OS, e.g. working alongside/relying on the TPM stuff from the BIOS). This is the “attester”. Attesters have a private key that they sign things with. This private key is baked into the binary of the attester (so you can’t patch the binary).

      • A web page sends some data to the attester. Every request the web page sends will vary slightly, so an attestation can only be used for one request - you cannot intercept a “good” attestation and reuse it elsewhere. The ways attesters can respond may vary so you can’t just extract the encryption key and sign your own stuff - it wouldn’t work when you get a different request.

      • The attester takes that data and verifies that the device is running stuff that corresponds to the specs published by the attester - “this browser, this OS, not a VM, not Wine, is not running this program, no ad blocker, subject to these rate limits,” etc.

      • If it meets the requirements, the attester uses their private key to sign. (Remember that you can’t patch out the requirements check without changing the private key and thus invalidating everything.)

      • The signed data is sent back to the web page, alongside as much information as the attester wants to provide. This information will match the signature, and can be verified using a public key.

      • The web page looks at the data and decides whether to trust the verdict or not. If something looks sketchy, the web page has the right to refuse to send any further data.

      They also say they want to err towards having fewer checks, rather than many (“low entropy”). There are concerns about this being used for fingerprinting/tracking, and high entropy would allow for that. (Note that this does explicitly contradict the point the authors made earlier, that “Including more information in the verdict will cover a wider range of use cases without locking out older devices.”)

      That said - we all know where this will go. If Edge is made an attester, it will not be low entropy. Low entropy makes it harder to track, which benefits Google as they have their own ways of tracking users due to a near-monopoly over the web. Google doesn’t want to give rivals a good way to compete with user tracking, which is why they’re pushing “low-entropy” under the guise of privacy. Microsoft is incentivized to go high-entropy as it gives a better fingerprint. If the attestation server is built into Windows, we have the same thing.

    • chameleon@kbin.social
      2·
      11 months ago

      The attester here is really mostly Google’s Android/Play Services/(ChromeOS) team, not Google’s Chrome team. Chrome is really just responsible for passing it along and potentially adding some more information like what kind of extensions are in use, but the real validator is above Chrome entirely.

      There will not really be a worthwhile key inside Chrome (there might be one that does nothing by itself); it’ll be backed by the existing per-device-unique key living inside your phone’s secure enclave. Extracting one key would just cause Google to ban it. That attestation covers the software in the secure enclave, your device’s running OS, bootloader unlock state and a couple of other things along those lines; the OS, guaranteed to be unmodified by the hardware attestation layer, then adds extra stuff on top like the .apk hash of the browser. The browser, guaranteed to be unmodified by the OS layer, can add things like extension info if it wants to.

      SafetyNet/Play Integrity have both software and hardware modes, but all Android+Google Services phones released in the previous 6? or so years have been required to have hardware backed attestation support, which has no known bypass. The existing “Universal SafetyNet Fix” pretends to be a phone without hardware support which Google begrudgingly accepts… for now. But the day where Google will just screw over older phones is getting increasingly closer, and they already have the power to force hardware backed attestation for device-specific features like NFC payments and DRM support.

      On Apple devices, Apple has parallels via their secure enclaves in the form of App Attest/DeviceCheck. On Windows desktops, there could be a shoddy implementation with TPMs (fortunately they’re not quite powerful enough to do this kind of attestation in a tamper-proof way; Microsoft’s Pluton chips might have some secret sauce we haven’t yet seen, though). On Linux desktops… nope, ain’t no support for this coming anytime ever.

      • db0@lemmy.dbzer0.comEnglish
        1·
        11 months ago

        Ok I assumed you were thinking of something like TPM on the desktop as I couldn’t imagine any other way around it. For android the hardware backed attestation support is like tpm as well, no? Surely there’s a bypass for it if one wants to but there hasn’t been a reason to do it yet.

        Edit :reading up on it, a lot relies on the encryption keys baked into the hardware and being impossible to read, right? If that remains to be the case, then ye I can imagine that would be an issue. Security will once again becomes the Trojan horse for exploitation

  • Arghblarg@lemmy.caEnglish
    132·
    11 months ago

    I just was updating my browser setup on my Linux laptop today, and wanted to install an extension I used to like using a few years ago … ‘TrackMeNot’. I couldn’t find it on the Chrome Store at all. I had a feeling why… yup!

    https://www.trackmenot.io/googleban#:~:text=Google falsely labels TrackMeNot as malware%2C bans it,of being removed from the Chrome Web Store.

    Of course they would gin up a reason to suppress a plugin that lets users obscure their search engine activity. Slimy Bastards. At least the extension is still available, and still works, if one locally installs the unpacked version: https://github.com/vtoubiana/TrackMeNot-Chrome

    We should indeed all move to Firefox (despite their own stupid issues – someone please start a new browser engine, even if it’s a Herculean task these days!)