Web Environment Integrity API Proposal

639 points by reactormonk, almost 2 years ago

76 comments

saurik, almost 2 years ago
This is pretty much the inevitable end-game of the web, in no small part funded by ad-based business models (as the analog gap pretty much destroys most attempts to use this stuff to do copy protection) and enabled by developers who have insisted we shove as much difficult-to-implement functionality (by which I am talking about CSS complex stuff, not powerful-but-easy-to-code APIs for OS-level access) into the browser as possible.

The result: there is now effectively one dominating web browser run by an ad company who nigh unto controls the spec for the web itself and who is finally putting its foot down to decide that we are all going to be forced to either use fully-locked down devices or to prove that we are using some locked-down component of our otherwise unlocked device to see anyone's content, and they get to frame it as fighting for the user in the spec draft as users have a "need" to prove their authenticity to websites to get their free stuff.

(BTW, Brave is in the same boat: they are *also* an ad company--despite building ad blocking stuff themselves--and their product managers routinely discuss and even quote Brendan Eich talking about this same kind of "run the browser inside of trusted computing" as their long-term solution for preventing people blocking *their* ads. The vicious irony: the very tech they want to use to protect them is what will be used to protect the status quo from them! The entire premise of monetizing with ads is eventually either self-defeating or the problem itself.)

quenix, almost 2 years ago
What's strange to me is that the main author of the spec -- Ben Wiser -- seems to be against closed, wall-garden paradigms as he has written in a blog post "I just spent £700 to have my own app on my iPhone" [1]. In the post, he laments the state of the App Store monopoly on iOS and ponders returning to Android for the app installation freedom.

How can he reconciliate these views with this spec, which he is the main author of? Surely Ben sees the parallels?

He writes: "Apple’s strategy with this is obvious, and it clearly works, but it still greatly upsets me that I couldn’t just build an app with my linux laptop. If I want the app to persist for longer than a month, and to make it easy for friends to install, I had to pay $99 for a developer account. Come on Apple, I know you want people to use the app story but this is just a little cruel. I basically have to pay $99 a year now just to keep using my little app."

It's honestly comical and a little sad.

[1]: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-own-app-on-my-iPhone.html

phpnode, almost 2 years ago
The underhanded way this is being proposed is really something else. It's hosted on a non-google github to provide distance, it's worded in a way that makes it seem like this is something that benefits users, when it's the absolute opposite of that. It subverts the whole concept of a *user* agent. This is a huge threat to our industry and we cannot allow this to happen.

userbinator, almost 2 years ago
Add "integrity" to the list of adjectives used for obfuscating the rise of authoritarian dystopia...

It all started with "trusted computing", where "trusted" means "not under the owner's control". Then they tried to spin it as a "security" thing with TPMs, and created the impression that those speaking out against them were either malicious actors or insane conspiracy theorists.

Now it is actually happening. They want to control exactly what hardware and software you use, and they're doing it by ostracisation, which makes this even more sinister: you're still technically allowed to use software and hardware of your choosing, but you'll be blocked from participating.

I still remember when Intel was forced to revert adding a unique serial number to its processors because of widespread outrage, so it is possible for the public to make a difference; they just need to be educated about the coming dystopia and agitated enough to care and act upon it.

Perhaps we can start by spreading instructions on how to disable TPMs and "secure" boot along with all the advantages that come with doing so (custom drivers, running whatever OS you want, hardware you actually own, etc.) Of course the corporate-owned "security" lobby is going to start screaming that it's "insecure", but we need to make it clear that this is not the "security" we want because it is inherently hostile to freedom.

"Those who give up freedom for security deserve neither."

https://www.gnu.org/philosophy/right-to-read.html

caesil, almost 2 years ago
Whether you like it or not (and I certainly don't), you've gotta sort of admire the sheer vision of a fifteen-year project to build a browser so good it comes to monopolize the industry, all because you've had the foresight to realize that monopoly will be crucial to securing your position as the adtech hegemon. An underrated masterpiece of evil genius.

dmantis, almost 2 years ago
The literal attempt to censor web usage of Linux and BSD desktops, other FOSS clients, custom Android ROMs, etc with an open reasoning "to sell you ads".

They don't even try to masquerade it.

TheAceOfHearts, almost 2 years ago
This seems like a step closer to killing the open web.

"Sorry, you can only access this website using this specific device with a browser compiled by Big Tech, it's for your own good."

Not surprising that this is all coming from Google, the world's biggest adtech company.

kibwen, almost 2 years ago
It's time to break Google up. They're the AT&T and Standard Oil of our generation. Make Ads, YouTube, Search, Cloud, Chrome, etc. all independent companies. Demand that antitrust regulators do their damn jobs for a change.

JeremyNT, almost 2 years ago
Previously:

https://news.ycombinator.com/item?id=36800789
https://news.ycombinator.com/item?id=36785516
https://news.ycombinator.com/item?id=36800744
https://news.ycombinator.com/item?id=36808231
https://news.ycombinator.com/item?id=36791711
https://news.ycombinator.com/item?id=36789691
https://news.ycombinator.com/item?id=36816208
https://news.ycombinator.com/item?id=35862886

By the HN guidelines this is a repost, but it would be a mistake IMO to delete it. This would mark the end of the open web, but for whatever reason this issue has never really bubbled to the surface here before. It feels like something is different this time.

dahwolf, almost 2 years ago
The chess pieces for the end-to-end unblockable ad machine are in place.

You'll have the cynically named "Privacy sandbox" that builds tracking directly into the browser. You curtail ad blockers by capping browser extensions. And then you allow access only to "attested" clients. Inescapable tracking and unblockable ads. And you'll get to see ever more of them over time.

If this isn't evil enough in itself, the way Google presents these initiatives in grossly misleading ways makes my blood boil.

Fuck "Be as evil as possible" Google. Absolutely pathetic company. I'm so done with them.

garganzol, almost 2 years ago
I see one more dangerous development imposed by this move: limiting access to web content for rival search engines. I'm sure that Google Robot will pass all "high security standards" and web integrity checks, while others won't be able to do so.

xg15, almost 2 years ago
I think "don't use Chrome" is really not the best way to fight this - instead, make it known. Get out to as many people as possible that this thing exists, spread awareness, explain the consequences, make a stink.

Google is absolutely in a position to implement this and I figure a good number of sites would immediately join. However, the image of "tech" is tarnished enough already and the general population is more aware of the importance of having control about their online experience.

So I'm kinda optimistic that more public awareness of this might lead to a larger backlash and might make Google think twice in continuing this, lest risking a PR disaster.

tsujp, almost 2 years ago
This is the most disgusting thing I have ever read. My blood is boiling to the point where I genuinely don't see a bright future.

Ben Wiser (Google), Borbala Benko (Google), Philipp Pfeiffenberger (Google), and Sergey Kataev (Google) have got to be the most repugnant people on the planet for pretending this is anything but a scheme to destroy all privacy and freedom on the web all so fucking Google can sell more ads.

kykeonaut, almost 2 years ago
I am not a hopeful romantic, but the EU has been investing in vendor neutral web-browsers like Nyxt [0] and the UR Browser [1] through the Horizon Europe program. I doubt that legislators (at least in the EU) will view this as a positive development, assuming EU legislators know what they are doing. On the other hand, lobbying by big tech is still very much a threat.

[0] https://nyxt.atlas.engineer/

[1] https://www.ur-browser.com/

zarzavat, almost 2 years ago
This proposal is attempted theft. The web does not belong to Google, it belongs to everybody. *Who are they* to suggest that users with “non-attestable” (read: not controlled by Google) user agents or operating systems should be excluded or punished?

If Google wants a war, let’s give them one. Tell everyone who will listen. Give Google hell.

quickthrower2, almost 2 years ago
Oh by "Web Environment" you mean "my machine" lol!

I already got caught by this kind of thing - a https://github.com/nativefier/nativefier app wrapping Youtube Music doesn't work, because Google detects somehow that you are not using a trusted browser and refuses to serve.

This is sort of moving in the "zero trust" (as in let's use ML etc. to detect if we trust something. username/password is not enough), which I fear because it will break a bunch of stuff for genuine users and make things less reliable.

atoav, almost 2 years ago
The first line

> Users often depend on websites trusting the client environment they run in.

is already a lie. Users don't depend on websites trusting the client environment. Users *expect* the client to limit the way in which they have to trust websites.

Sure website owners would love to be able to trust user input, but that has little to do with the interest of the users.

If something starts with that kind of framing already you certainly know that this is not going to benefit the user.

sergiomattei, almost 2 years ago
Proposals like this demonstrate the utter failure of our ethics education in computer science.

In a field facing increasingly harder ethical questions every day, it’s important to start empowering our engineers to say “no” to ethically bankrupt things like this.

nfriedly, almost 2 years ago
I hate to say it, but if you used Chrome to read this, then you're part of the problem.

Awful stuff like this wouldn't stand a chance if Google didn't have such a monopoly position.

For the sake of the open internet, please switch to a different browser. IMO, Firefox is best, but even something chromium based is probably fine. Just not Google Chrome.

66fm472tjy7, almost 2 years ago
I am not optimistic that the de-facto end of general computation can be prevented, or that there will even be noteworthy opposition.

There are so many powerful interests that stand to gain from preventing e.g. ad-blocking and content capture. Thanks to Windows 11 requiring TPM, it is just a matter of time until hardware support for remote attestation is ubiquitous even on desktop computers.

Meanwhile, our (including myself) attention is (perhaps justifiably to some extent) on the latest news about $EXISTENTIAL_THREAT and how $THE_OTHER_SIDE did $EVIL_THING fed to us by the algorithm. Organizations that used to effectively fight threats to freedom like this (FSF, pirate parties, CCC, EFF, etc) have lost a lot of their support/influence and clarity of purpose over the last decade.

tshaddox, almost 2 years ago
It seems like a pretty clever way to propose extremely powerful DRM functionality, phrased as if it’s about trust and security.

drbawb, almost 2 years ago
There is one thing I'm not quite clear on here:

> The attestation is a low entropy description of the device the web page is running on.
> The attester will then sign a token containing the attestation and content binding (referred to as the payload) with a private key.
> The attester then returns the token and signature to the web page.
> The attester’s public key is available to everyone to request.

I'm assuming "attester" here means "hardware authenticator." How is the attestation low entropy if it's presumably signed by a key that is unique & resident to my device? There is nothing higher entropy than a signature w/ "my" private key. That is literally saying "I [the single universal holder of the corresponding private key] signed this attestation." These days that key is realistically burned into my device at manufacturing time, and generally even *if* I can enroll keys on "my" device (big if), there is a very limited number of keyslots on hardware authenticators. Certainly not enough slots to present a random throwaway identity to each webpage.

I don't understand how you can have public/private key crypto as the basis for attestation and also have privacy? The two seem mutually exclusive. Is the private key supposed to be shared among a large cohort? (Which seems rather unwise, as it would make the blast radius of a compromised key disastrously huge.)

评论 #36819019 未加载
评论 #36818963 未加载
评论 #36833520 未加载
politelemon, almost 2 years ago
> Attesters will be required to offer their service under the same conditions to any browser who wishes to use it and meets certain baseline requirements. This leads to any browser running on the given OS platform having the same access to the technology, but we still have the risks that 1) some websites might exclude some operating systems, and 2) if the platform identity of the application that requested the attestation is included, some websites might exclude some browsers.

I feel this is the bit that's going to be hand waved away for the sake of convenience.

snowc0de, almost 2 years ago
This isn't extreme enough. If they're going to put out a very controversial proposal like this, they may as well go all in. The push back against this is going to fizzle out, and it will be shoved through regardless of anyone's opinions.

Governments will love this due to protection and security it provides among other things. I wish I could say I was surprised, but Google has continued to fail to deliver even when they try for a power-grab play like this.

Feature requests:
- Add a distributed bad-actors list similar to DNS.
- Start the process of introducing this functionality at the hardware level.
- Require photo personal identification to prove humanity.

supriyo-biswas, almost 2 years ago
This is one of those times I hoped politicians were more competent in a technical field like computer science.

I’d have a field day grilling the CEOs of Big Tech companies over stuff like this that only serves to kneecap their current and future competitors.

c0l0, almost 2 years ago
Called it, unfortunately: https://news.ycombinator.com/item?id=30104740

The only way around the dystopia this will lead to is to constantly and relentlessly shame and harass all those involved in helping create it. The scolding in the issue tracker of that wretched "project" shall flow like a river, until the spirits of those pursuing it break and it is disbanded.

And once the corporate hydra has regrown its head, repeat. Hopefully, enough practise makes those fighting the dystopia effective enough to one day topple over sponsoring and enabling organisations as a whole, instead of only their little initiatives leading down that path.

Not a pretty thing, but necessary.

rpastuszak, almost 2 years ago
Just a reminder that AdTech is not paying for our access to content, or supporting publishers -- it's keeping them hostage.

danShumway, almost 2 years ago
I commented similarly elsewhere (https://news.ycombinator.com/item?id=36815276) but shoutout to all the people during the Web Video DRM debate who said that DRM wasn't going to be proposed for HTML or Javascript.

sjatkins, almost 2 years ago
I will not use any browser that incorporates this. If some sites fail if it is not present then I will find workarounds to using those sites.

hamishwhc, almost 2 years ago
How can the “attesters” verify the integrity of the user agent? Sure the attestation is signed, but why can’t we mess with the data sent to the attester and just nullify the entire point of the proposal? The “browser acceptance criteria” in the spec, that would presumably contain this info, is just “TODO”. Thanks Google for conveniently omitting that key detail.

Also interesting that it's implied in the explainer that attesters are just HTTP endpoints dealing with “billion-qps” traffic. Again, point above, but also how can we trust any attester to not use the (completely unobfuscated) information the user agent is sending them?

I guarantee that big websites will host their own attesters, only allow use of their attester, and require attestation for every request, allowing them to fingerprint every single user.

lucideer, almost 2 years ago
The issues tab is a fun read - never seen a response like this on a web spec.

traspler, almost 2 years ago
First I wanted to say client trust is one of the two things I'd really like to see improved from a security standpoint but I think it's the wrong way around. Browsers should establish if they feel they operate in a trustworthy enough environment and decide to not work at all if they don't. Having the website initiate this check is a bit strange to me. (The other thing being more MitM and DNS Hijacking protection)

benatkin, almost 2 years ago
It's an Orwellian name, but makes a certain amount of sense. That's the most effective kind of Orwellian name.

Even still, I think that it is wrong to give something a convenient name that espouses some virtue. They should have chosen something like Web Environment Verification API.

I think it's spyware, and I don't like it. It reminds me of the Stripe API, where you have to run some JavaScript on your site that snoops on your interactions and reports stuff to Stripe that it uses to detect fraud. https://news.ycombinator.com/item?id=22937303

cwales95, almost 2 years ago
Google is really trying to distance themselves from their "don't be evil" days I see.

schroeding, almost 2 years ago
The idea behind this proposal is what I feared the moment remote attestation(-ability) started to gain traction on clients.

Google will arguably kill legacy SafetyNet (which is circumventable, as it's not rooted in hardware) soon. Microsoft pushes extremely hard for remote attestation-ability by requiring TPMs. Very soon only an insignificant number of client devices will not be able to perform remote attestation by the major vendors based on hardware trust modules.

Hard to stay optimistic for the open web. :/

pmlnr, almost 2 years ago
Soon there will be a Plaza Web, for which you'll need an approved device for, like a Chromecast with Google TV, and the Old Web of communities, enthusiasts, and the like.

mellosouls, almost 2 years ago
Related(?) to this recent blog by Google [1], discussed here [2] at the time as

"Google to explore alternatives to robots.txt".

[1] https://blog.google/technology/ai/ai-web-publisher-controls-sign-up/

[2] https://news.ycombinator.com/item?id=36641607

Zamicol, almost 2 years ago
I can't help but see this as evil.

Giving more control to corporations and less control to individuals.

MrYellowP, almost 2 years ago
This isn't just Google. The whole hardware industry is moving towards the Digital Lockdown. This idea has been around, at least, since the early 2000s, but the people who were talking about it, of course, got shouted down as conspiracy theorists.

And as far too often, the "conspiracy theorists" were right, but nobody cares about ever thinking about that, because nobody seems to be actually able to think about things anymore, unless the thoughts are breast-fed.

We're heading towards a reality, where copypasting from a website is going to cost you money if the license requires you to do so. Looking at it, considering the status quo of technology, almost everything required for a "trusted" environment is already present in consumer-hardware.

We have hypervisors, virtualization, containerization. Encryption/Decryption of data in RAM/CPU in real-time is coming eventually. Blockchain technology makes verification of digital ownership secure and easy. AI will make it stupidly easy for corporations to make sure that everyone complies and I will be *everywhere within the next few years.*

A glimpse of this reality can be seen in NovaQuark's "Dual Universe", where everything is behind DRM. A "metaverse" company for a reason, I guess.

signed_keys, almost 2 years ago
Please drink a verification can to continue.

GrinningFool, almost 2 years ago
This seems like a very believable parody. Particularly given the 'spec.bs' filename which looks like it's just markdown.

garganzol, almost 2 years ago
The empire strikes again being driven by the insatiable greed. Just wait till its minions will fill up this thread with classical astroturfing and comments in the vein of "We were waiting for this feature since forever!" and "It's for better security". I can also easily see how they massively downvote everyone who disagrees with the righteous direction of The Corporation. This is so Orwellian 1984.

dgb23, almost 2 years ago
Are they trying really hard to shoot themselves in the foot?

Google needs to stop this bullshit and start innovating again. First AMP, now this? Leave the web alone!

Where's the Google that makes great web applications with simple, great UX, like Maps, Gmail, Drive and Search (which has severely degraded)?

Or great tools like Go, Lighthouse and Devtools?

Disappointing!

It's like they're trying really hard to be the villain.

jchw, almost 2 years ago
I will be self-destructively opposing this until I'm dead. I have nothing else to add.

locriacyber, almost 2 years ago
HTTP/3, HTTP/2, many useless JS API are pushed by Google.

Is there any real alternative to the multimedia Web? Or do we need to make one now?

What we need:

- hypertext, links
- raster and vector images
- videos
- responsive layout system of said hypertext (cassowary)
- programs that can control the page content fully

joelthelion, almost 2 years ago
Will people stop using Chrome now?

keepamovin, almost 2 years ago
At DOSYAGO, we're definitely concerned about this. We see concerns of Alphabet’s Web Environment Integrity API Proposal, we see a potential threat to the very democracy of the web. The danger isn't merely about preserving the ad business model, but the potential for market monopolization by Google Chrome. Yet, the beauty of open source presents us with hope and solutions.

As creators of a competing open-source browser, we're stirred by this. We're concerned about the future integrity of browsing - whether run remotely, headlessly, or semi-automated, we see all these threatened by such attestations. But we believe in the power of the collective, and the spirit of innovation that thrives in the open-source community.

The conundrum is real for Alphabet, but leveraging control over such a global, ubiquitous means of access cannot be the answer. However, we don't advocate a future where Google cannot derive value from its creations. The economic balance may be hard to find, but technically, solutions will emerge. We're committed to standing up for the future of the web, because we believe in its open, democratic potential.

Now, more than ever, we need you to join us in safeguarding the web's future. Come, contribute, and be part of the change. Visit https://github.com/dosyago/BrowserBoxPro today. Stand up for an open, fair, and free web.

sadn1ck, almost 2 years ago
> ... This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.

No I do not? This sounds incredibly condescending as a user – I don't need to prove anything.

Their example of Play Integrity API is alarming because that essentially means either use this OS and this browser which has been verified only by us or we will not allow you to use the internet (SafetyNet vibes)

ccheney, almost 2 years ago
Seems like a path to fingerprinting users for tracking purposes and a potential vector for data leaks

RupertWiser, almost 2 years ago
Proposal author here

I’m hoping to get back to everyone as soon as possible. I hope you can all appreciate that I’m a human being and this has been a lot!

In the meantime, I wanted to repost my last comment on the GitHub issue thread [1]:

Hey all, we plan to respond to your feedback but I want to be thorough which will take time and it’s the end of a Friday for me. We wanted to give a quick TL;DR:

- This is an early proposal that is subject to change based on feedback.
- The primary goal is to combat user tracking by giving websites a way to maintain anti-abuse protections for their sites without resorting to invasive fingerprinting.
- It’s also an explicit goal to ensure that user agents can browse the web without this proposal [2]
- The proposal doesn’t involve detecting or blocking extensions, so ad-blockers and accessibility tools are out of scope.
- This is not DRM - WEI does not lock down content
- I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend

[1] https://github.com/RupertBenWiser/Web-Environment-Integrity/issues/28#issuecomment-1646083436

[2] https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#goals

eropple, almost 2 years ago
This is a level or two below where my knowledge of the browser trails off, so I'll ask generally: how would this interact with things like the WebKit Content Blocker API?

ktosobcy, almost 2 years ago
I'm highly annoyed by this prospect (I do love tinkering with the websites and cannot imagine using web without UserCSS, UserJS and ad block...)

toshaexists, almost 2 years ago
What a weird dystopian world we find ourselves in. And, sadly, the despair in the comments reflecting utter defeat is very troubling. Times like this make me really miss the 90s, when the tech culture embraced open source and always found a way to outsmart the "googles" of that day. It is certainly a different time these days, however the game being played has always been the same. I wish people would completely re-envision the internet. Because, in reality, google has only captured one protocol. The web is much bigger than you all think. If you build it they will come sounds like a good philosophical statement to end this with.

rad_gruchalski, almost 2 years ago
Okay, the proposal is what it is but it doesn’t explain how the attestation is generated. So this would look into the underlying OS and decide if my computer is a real computer? And when it has doubts it displays some pictures and asks me which ones show bicycles?

spacebanana7, almost 2 years ago
We need to start a community of people who interact with plain text files over encrypted protocols for business and pleasure.

The more bandwidth and OS features we use the more dependent we become on the cloud/ISP vendors and device/OS makers.

jwally, almost 2 years ago
So basically it works like this?

google watches everything I do because chrome, and has a good idea if I'm a bot or not.

through clever cryptography google tells each website I visit its assessment of me?

Does it also give them the same Id for me each time I visit? (But unique to them)

yonatan8070, almost 2 years ago
This already exists on Android in the form of "SafetyNet", which apps can use to detect if they are running on a device that isn't "secure", like a device with a custom ROM or a rooted device

pptr, almost 2 years ago
Can someone explain to me what's so fundamentally bad with this proposal?

My understanding is that websites can essentially confirm whether the user is likely to be a human because he/she accesses the website from a certified device.

Won't this mean there is less need for Captchas, logins and pay walls? The doc also mentions that this will remove the need for some use-cases of fingerprinting.

I imagine from a user perspective this will be an improvement.

Disclaimer: Googler, but not working on Chrome

economyballoon, almost 2 years ago
Is this Web4?

Time to free the web again. And we thought Web3 is nonsense :(

croes, almost 2 years ago
Related

https://news.ycombinator.com/item?id=36785516

renegat0x0, almost 2 years ago
https://gabrielsieben.tech/2022/07/29/remote-assertion-is-coming-back-how-much-freedom-will-it-take/

jwally, almost 2 years ago
/tinhat on

Cynical outlook because I guess it's where my mind wanders I guess...

In the last year Puppeteer became a lot harder to detect, which creates a problem.

THIS would provide a solution, no?

Probably a coincidence, but a fortuitous one if creating demand for THIS feature was your goal.

/tinhat off

muteor, almost 2 years ago
I could imagine governments getting behind this, there are a few proposed laws that require age verification, like the online safety bill in the UK. You could easily see them adding age verification on top of this proposal.

badrabbit, almost 2 years ago
Would moving control of web standards under governmental control help? The FTC and similar government orgs can take ownership and enforce standards, labeling browsers commercial utility.

landsman, almost 2 years ago
Louis strikes back! https://www.youtube.com/watch?v=0i0Ho-x7s_U

Slimemaster, almost 2 years ago
If a lot of popular JS libraries break on purpose if the browser passes the check, then any browser that passes the check is unusable.

Slimemaster, almost 2 years ago
If a lot of JS libraries intentionally break themselves if the browser passes the check then it may kill Web Environment Integrity.

charcircuit, almost 2 years ago
If this isn't added to the web you will see things like banking websites go away and require a mobile app. Features like this keep the web relevant.

vbezhenar, almost 2 years ago
So basically it's a democratization of DRM. Now everyone can easily use it. I think it's a good step forward.

rezonant, almost 2 years ago
Developer Signals: Extremely Negative

pc2g4d, almost 2 years ago
I'm glad to be a paying Protonmail and Kagi user right now.

renegat0x0, almost 2 years ago
Does that relate to web scraping? Will it be possible at all?

WaffleIronMaker, almost 2 years ago
Oof, GitHub issues are not accepting new responses

dynamorando, almost 2 years ago
Bring back AOL!

reactormonk, almost 2 years ago
tl;dr: DRM for websites

freeone3000, almost 2 years ago
Fork chromium and have it return true. Problem, websites?