Unpacking Google’s Web Environment Integrity specification

This is especially rich coming from google's, who's 'safetynet' for android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrificly insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry. So it functions as a vendor lock-in but no meaningful increase in security for the average user, while preventing more advanced users from improving their security without needing to buy more hardware. This needs to be called out more to push back against the claim that this kind of attestation somehow has a legitimate benefit for the users.

<p><pre><code> &gt; Can we just refuse to implement it? &gt; Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves. </code></pre> This is true of any contentious browser feature. Choosing not to implement it means your users will sometimes be presented with a worse UX if a website&#x27;s developers decide to require that feature.<p>But as a software creator, it&#x27;s up to you to determine what is best for your customers. If your only hope of not going along with this is having the EU come in and slapping Google&#x27;s wrist, I&#x27;m concerned that you aren&#x27;t willing to take a hard stance on your own.

I think these are the related threads to date—have I missed any?<p><i>Google is already pushing WEI into Chromium</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36876301">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36876301</a> - July 2023 (705 comments)<p><i>Google engineers want to make ad-blocking (near) impossible</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36875226">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36875226</a> - July 2023 (439 comments)<p><i>Google vs. the Open Web</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36875164">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36875164</a> - July 2023 (161 comments)<p><i>Apple already shipped attestation on the web, and we barely noticed</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36862494">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36862494</a> - July 2023 (413 comments)<p><i>Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36854114">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36854114</a> - July 2023 (447 comments)<p><i>Web Environment Integrity API Proposal</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36817305</a> - July 2023 (437 comments)<p><i>Web Environment Integrity Explainer</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36785516">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36785516</a> - July 2023 (44 comments)<p><i>Google Chrome Proposal – Web Environment Integrity</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36778999">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=36778999</a> - July 2023 (93 comments)<p><i>Web Environment Integrity – Google locking down on browsers</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=35864471">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=35864471</a> - May 2023 (1 comment)

&gt; Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers.<p>If we are serious about protesting this, let’s do as follows: We implement code in our websites that checks whether the user agent implements this API. If the check passes, we tell the user that their browser is not welcome and why that is.<p>#BoycottGoogle #BoycottChrome #BoycottBullshit

As usual, a thousand word essay on Google&#x27;s WEI without ever mentioning that Apple sailed that ship silently a while ago, therefore not attracting any attention or backlash.<p><a href="https:&#x2F;&#x2F;httptoolkit.com&#x2F;blog&#x2F;apple-private-access-tokens-attestation&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;httptoolkit.com&#x2F;blog&#x2F;apple-private-access-tokens-att...</a><p><a href="https:&#x2F;&#x2F;toot.cafe&#x2F;@pimterry&#x2F;110775130465014555" rel="nofollow noreferrer">https:&#x2F;&#x2F;toot.cafe&#x2F;@pimterry&#x2F;110775130465014555</a><p>The sorry state of tech news &#x2F; blogs. Regurgitating the same drama without ever looking at the greater picture.

&gt; It is also interesting to note that the first use case listed is about ensuring that interactions with ads are genuine.<p>That&#x27;s just the beginning. Attestation will eventually allow advertisers to demand that user is present and looking at the screen like in Black Mirror episode Fifteen Million Merits.

We now need two things. First, an antitrust breakup of Google, separating search and ads. Second, a tax on ads.<p>It must be made against the economic interests of search engines to show too many ads.

&quot;This website is not compatible with your device&quot;<p>I can see this show up on Youtube (why not - under Google&#x27;s control, and they want you to watch the ads on their official browser) and on banking apps. Initially. In the longer run, it either withers and dies, or it leads to antitrust action. I really can&#x27;t see another way.

How exactly is WEI any worse than say a peep-hole on a door? At the end of the day bots are a huge problem and it&#x27;s only getting worse. What&#x27;s the alternative solution? You need to know who you&#x27;re dealing with, both in life and clearly on the web.<p>I&#x27;m probably alone in this, but WEI is a good thing. Anyone who&#x27;s run a site knows the headache around bots. Sites that don&#x27;t care about bots can simply not use WEI. Of course, we know they will use it, because bots are a headache. Millions of engineer hours are wasted yearly on bot nonsense.<p>With the improvements in AI this was inevitable anyway. Anyone who thinks otherwise is delusional. Reap what you sow and what not.<p>edit: removing ssl comparison since it&#x27;s not really my point to begin with

There&#x27;s a lot of moral outrage regarding this proposal, rightfully so. In fact, it should be further intensified. But apart from that, I don&#x27;t think this proposal will work in any case.<p>When implemented without holdouts (closed loop), you do have a tight DRM web, which will attract legislators. Or so we hope.<p>When implemented with holdouts, it&#x27;s barely useful to websites since they still need the backup mechanisms to detect fraud that they have anyway. If they need to keep it around, might as well use that as singular solution which has the added &quot;benefit&quot; of collecting way more personal data.

I wonder if this will prod the Ladybird development team to make binaries available for non-savvy end users. Having an additional open-source browser would help.<p>I also wonder how Orion is handling this.

Note that this doesn&#x27;t even prevent people from using tools like AutoHotKey or their moral equivalents to make malicious requests from browsers.<p>It only makes it impossible for legitimate users to run their own code -- people who want to run OpenBSD, or fork Chrome to make sure that ManifestV3 doesn&#x27;t permanently hobble adblockers, or maintain their own alternative browser UI.

Third part attestation is a show stopper for openness. I&#x27;m not a fan, and this does not solve any problems I face with the software make or that my users have accessing it.

Cory Doctorow on this issue (kind of):<p><a href="https:&#x2F;&#x2F;pluralistic.net&#x2F;2023&#x2F;07&#x2F;24&#x2F;rent-to-pwn&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;pluralistic.net&#x2F;2023&#x2F;07&#x2F;24&#x2F;rent-to-pwn&#x2F;</a>

This would complete the transformation of the user-agent into the vendor-agent.

Why does everything need to be secure now?<p>I can understand shopping. And reporters of hot news. But why everything?<p>Why does my http site, which has nothing important on it at all, get flagged by chrome as &quot;insecure&quot;?<p>This strikes me as a bunch of bs.

I agree that extending trusted platform trust all the way up into web APIs is gross — it would be fine if the TPA club was wide open to anyone building their own OS, but that clearly will never happen and only the corporate-aligned cabal will ever be trusted, and all the free&#x2F;open OSs will never be allowed to join.<p>But… is there scope for the attestor in WEI to be a third party site that does a super fancy “click on all the stop lights &#x2F; stairs &#x2F; boats” captcha, and then repurposes that captcha result for every other site? That doesn’t sound like an awful service to add to the web. It would mean each individual site no longer had to do their own captcha.<p>(Probably impossible without third party cookies. But then that kind of implies that if WEI does make it possible then it could be shown to provide a tracking service equivalent to third party cookies? Again, gross.)

What&#x27;s the potential for this to enable mandatory remote attestation that your personal machine is running For-Your-Own-Good™ spying software in order to use any significant services (banking, etc)?

This kinda seems like a fantastic way to implement micro payments. The site owner sets up a attestor that knows they’ve paid.<p>I hate Wei in general, but it really could open up control over bots and paid access.

Would this end up breaking curl, or any other tool that accesses https?

How about adding a fair rule to standard, that attester cannot attest their own products? I wonder how long would it take for Microsoft or Apple to attest google.com as trustworthy website?

Could this be the end of my Youtube addiction arc?

The Internet in general, programmers especially, and the Web community especially especially owe Google a massive debt of gratitude for all they’ve done over the years.<p>But this one’s simple: “literally go fuck yourself with this. we will fight you tooth and fucking nail every fucking angstrom on this one. it’s a bridge too far.”.

I wanted to write some proper feedback on the GitHub repo, but they&#x27;ve closed issues and PRs. Until they open it back up again, here are my thoughts on the spec:<p>- Mozilla is already publicly and officially opposed (<a href="https:&#x2F;&#x2F;github.com&#x2F;mozilla&#x2F;standards-positions&#x2F;issues&#x2F;852#issuecomment-1648820747">https:&#x2F;&#x2F;github.com&#x2F;mozilla&#x2F;standards-positions&#x2F;issues&#x2F;852#is...</a>), on principle (&quot;Any browser, server, or publisher that implements common standards is automatically part of the Web&quot;) as well as on technical concerns around the safeguards and downsides of the proposal.<p>- WebKit is not committed to a position, but has mentioned several concerns (<a href="https:&#x2F;&#x2F;github.com&#x2F;WebKit&#x2F;standards-positions&#x2F;issues&#x2F;234">https:&#x2F;&#x2F;github.com&#x2F;WebKit&#x2F;standards-positions&#x2F;issues&#x2F;234</a>):<p>&quot;We have Private Access Tokens (aka Privacy Pass) for some of the claimed use cases of this spec. We think it&#x27;s a more privacy-respecting solution. The Explainer isn&#x27;t very clear on why specifically Web Environment Integrity is better. It mentions a feedback mechanism, but not the specific mechanism. It also exposes more info to the page. The Explainer claims this spec is necessary because Privacy Access Tokens don&#x27;t support feedback from websites on false positives &#x2F; false negatives, however, neither the spec nor the explainer include a feedback mechanism. Without more specifics, we would not be enthusiastic about duplicating an existing standards-track solution for the same use cases.&quot;<p>- Vivaldi is clearly opposed, per this blog post.<p>- Holdback as a mechanism is a weak defense against abuse. Some potential stakeholders are already suggesting to scrap holdback to support their use-cases (<a href="https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;issues&#x2F;5">https:&#x2F;&#x2F;github.com&#x2F;RupertBenWiser&#x2F;Web-Environment-Integrity&#x2F;...</a>), leading to the possibility that it may not even be part of the final standard. Holdback is not technically enforced: a user agent can choose <i>not</i> to hold back, and if they are sufficiently popular they may induce web site operators to rely on their signal (at least for that browser) which would have the exact &quot;DRM&quot; effect that the proposal claims to avoid. The exact implementation of holdback matters a lot: if it&#x27;s e.g. per-request, a site can simply ask repeatedly; if it&#x27;s per-session or per-user, a malicious agent can pretend to be heldback the entire time.<p>- Since holdback is being touted as essentially the only defense against &quot;DRMing&quot; the web, it&#x27;s a real mistake to have it be so poorly specified. The way it&#x27;s currently specified makes it sound more like an afterthought than a serious attempt to mitigate harm.<p>- Compared to Private Access Tokens, WEI leaks far more information. WEI allows attesters to provide arbitrary metadata in their (signed) attestation verdict, whereas PAT tokens are fully opaque and blindly signed. Furthermore, PAT tokens can be in principle obtained through alternate attestation mechanisms (e.g. captcha, authentication, ...) without leaking the details of how that attestation is performed. WEI does not provide for this, and instead is designed around explicitly validating the &quot;web environment&quot;.

Corporations (apple &#x2F; Google &#x2F; Microsoft &#x2F; Nintendo? Sony). They all want a rental model along with a console model. iOS is already just this … a device in which you rent software as a service on a personal device that you restricted from modifying.<p>The consolifocation of personal computing has been moving this way for sometime. It’s essentially late stage capitalism gate keeping.<p>As a child of the 80’s is hard to watch things keep moving in this direction :&#x2F;

it still boggles my mind that Apple-&gt;Safari, which is in the only choice on iOS - the dominant mobile OS in the US, already implemented and shipped a very similar feature but the reaction to Google&#x27;s <i>proposal</i> is 10X worse. I have not seen a single #BoycottApple post here in this thread but more importantly, the sky did not fall after apple introduced this.

It didn&#x27;t scare me at all. As Google moves away from the open web, the open web also moves away from them.

I&#x27;m curious to hear from someone familiar with web development: How much do websites invest in accessibility and related features that cater to a small audience? Can we draw any conclusions from this to how websites will deal with accessibility to non attested users?

As noted in the article, Google comes up with a scheme like this every couple months. They also can’t seem to identify good sites anymore, based on their search results.<p>So… fuck it. Let them DRM their part of the internet. It is mostly shit nowadays anyway. They can index Reddit, X, and a bunch of sites that are GPT SEO trash.<p>We’re never getting 201X internet back anyway, so let Google and friends do their thing and everybody who doesn’t want anything to do with it can go back to the 200X internet. It was kind of disorganized but it it better than fighting them on DRM over an over again.

What unclear to me is how the actual verification by this attester would happen. Somehow the attester, which is also a remote service, verifies your device? Are there any details on how that would happen specifically?

I wonder if any web servers or web apps have started to block Chrome users yet.

So this will affect Vivaldi, Brave and Edge too, even if Brave has an integrated adblocker and Vivaldi does too, but less effective?<p>And Firefox will get blocked by even more sites if they don&#x27;t implement this shit too?

to call the write-up underwhelming is to be the most generous one can be. the minimum requirement that qualifies one to add &#x27;unpacking&#x27; to title wasn&#x27;t met. this all reads as a poorly argued opinion of something google is apparently trying to force down our throats. the specification isn&#x27;t discussed (they&#x27;re generous to point you to it though), a cursory mention of the supposed pros are mentioned but an even lazier attempt is made at describing the cons. really disappointing read!

read something recently that makes me think google is doing this to develop tools that allow browsers to detect replayed tokens on platforms like macOS and iOS.<p><a href="https:&#x2F;&#x2F;medium.com&#x2F;@danielraffel&#x2F;compromised-apple-id-exposes-a-potential-vulnerability-in-googles-advanced-protection-program-5e9ce3f51e6e" rel="nofollow noreferrer">https:&#x2F;&#x2F;medium.com&#x2F;@danielraffel&#x2F;compromised-apple-id-expose...</a>

The only way to oppose this is via regulators and antitrust legislation. You will not beat the Googlers in the marketplace or with some clever technical argument.

I’m disappointed by this response. I have to know, will they implement it or not? Because I will not use a browser that implements this thing.

It&#x27;s the insane power that companies like Google, Microsoft, and Apple hold over the tech world. It&#x27;s like they can just dictate everything to suit their own interests, and it&#x27;s the users who end up losing out.<p>Remember when Apple killed Flash? I heard it was because they wanted people to use their app store more instead of us playing games in the browser, so they could make more money. And Microsoft installing IE and setting it as the default browser? And now, Google is making changes to how we browse the web and adding things like Manifest v3, to boost their ad business.<p>The most irritating part is it is always gets packaged as being for our safety. The sad thing is I&#x27;ve often seen people even drink this user safety kool-aid, especially with Apple (like restricting browser choices on mobile - not sure if it&#x27;s changed now).<p>I really think there should be some laws in place to prevent this kind of behavior. It&#x27;s not fair to us, the users and we can&#x27;t just rely on the EU to do it all the time.

Would it be possible for someone using a zero day vulnerability to develop a botnet that will infect enough computers on the web, and their payload would be some way to modify browsers in a way to render them untrusted to WEI, and effectivelly render anybody infected out of the web? Would it be a new way to DDOS users out of the &quot;trusted&quot; web?

There is zero point debating this in technical detail because the proposal itself is evil. Don&#x27;t get distracted by tone policing and how they scream you must be civil and whatnot.<p>Our best hope is kicking up a huge fuss so legislators and media will notice, so Google will be under pressure. It won&#x27;t make them cancel the feature but don&#x27;t forget to remember that they aren&#x27;t above anti-trust law. There is a significant chance that some competition authority <i>will</i> step in if the issue doesn&#x27;t die down. Our job is to make sure it won&#x27;t be forgotten really quickly.

this abuse of tech, potentially goes beyond antitrust, and damages global economic wellbeing, as well as impoverishing information systems on global scale, generating isolation, ignorance, division, and radicalization.<p>How to Email to the President and Members of Congress<p><a href="https:&#x2F;&#x2F;www.whitehouse.gov&#x2F;contact&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.whitehouse.gov&#x2F;contact&#x2F;</a><p><a href="https:&#x2F;&#x2F;www.facebook.com&#x2F;joebiden&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.facebook.com&#x2F;joebiden&#x2F;</a><p><a href="https:&#x2F;&#x2F;twitter.com&#x2F;JoeBiden" rel="nofollow noreferrer">https:&#x2F;&#x2F;twitter.com&#x2F;JoeBiden</a><p>Write a Letter<p>The online form is the fastest way to send a message, but if you prefer to write or type a letter, keep the following in mind:<p><pre><code> Use 8 1&#x2F;2 by 11-inch paper Either type your message or handwrite it as neatly as possible Include your return address on both the letter and the envelope Mail the letter to The White House, 1600 Pennsylvania Avenue NW, Washington, DC 20500 Include the appropriate postage (stamp) </code></pre> If you have any additional questions about how to email Joe Biden or Kamala Harris, please post a comment below. If you are still trying to email Donald Trump or Mike Pence, please post a comment below. Contact the White House By Phone<p>Even though you can’t email the President, you can call the White House. However, to be clear, you will likely only speak with a staff member. To call, use the following phone numbers:<p><pre><code> For general comments, call 202-456-1111 To reach the switchboard, call 202-456-1414 For TTY&#x2F;TTD, use Comments: 202-456-6213 or the Visitor’s Office: 202-456-2121 </code></pre> It is highly unlikely that you will get to speak with any sitting POTUS directly on the phone. How to Send an E-mail Your House Representative<p>To find your representative, search the House of Representatives database by zip code. As an alternative, visit the Representative’s personal website. Most government websites have email and mailing addresses listed on the Contacts page.<p>Many websites also offer a contact form, but we recommend using this only as a last resort. Many online contact forms go to the website maintenance team and often don’t reach the representative or their staff. If you want a response, send a direct email or a letter. How to Send an E-mail to Your Senator<p>To find your state Senator(s), select your Senator from the state-by-state list on the United States Senate’s Web site. Note the list is in alphabetical order and provides the following information for each senator:<p><pre><code> Senator’s full name Political party affiliation and state they represent Mailing address Phone number Link to an email contact form, usually on the Senator’s website. </code></pre> Also, you can call the United States Capitol switchboard at (202) 224-3121. A switchboard operator will connect you directly with the state Senator’s office you request.<p>Questions and Comments<p>If you have any questions about how to email the President, Joe Biden, U.S. representatives, members of Congress, or other government officials, please leave a message below. Please don’t post a comment on the form below and think it will be forwarded to the White House, Congress, the Biden administration, President Joe Biden, or Kamala Harris.<p>lifted from, <a href="https:&#x2F;&#x2F;www.einvestigator.com&#x2F;government-email-addresses&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.einvestigator.com&#x2F;government-email-addresses&#x2F;</a>

Why use quotes for &quot;dangerous&quot; when the first sentence is literally: &quot;Why Vivaldi browser thinks Google’s new proposal, the Web-Environment-Integrity spec, is a major threat to the open web and should be pushed back.&quot;

Very controversial take but I think this benefits the vast majority of users by allowing them to bypass captchas. I’m assuming that people would use this API to avoid showing real users captchas, not completely prevent them from browsing the web.<p>Unfortunately people who have rooted phones, who use nonstandard browsers are not more than 1% of users. It’s important that they exist, but the web is a massive platform. We can not let a tyranny of 1% of users steer the ship. The vast majority of users would benefit from this, if it really works.<p>However i could see that this tool would be abused by certain websites and prevent users from logging in if on a non standard browser, especially banks. Unfortunate but overall beneficial to the masses.<p>Edit: Apparently 5% of the time it intentionally omits the result so it can’t be used to block clients. Very reasonable solution.