73 comments
Helle (@ CCC Camp 📞 4355)

@rcombs Oh fucking hell. I mean not entirely unexpected, but uh, no Google, you cannot.

kouhai, resolver of merges

@rcombs from my earlier post:

> the problems this tries to solve are hard! unfortunately, some things simply should not be built, regardless of how much easier it makes things for Google

and consider this: Google maintains one of the world’s biggest web scrapers. because Google is dominant in search, people will allowlist the Google scraper attestation (if it exists) no matter what. guess what individual users won’t be able to do?

Ridley @ WATCH LYCORECO

@kouhai individual users, and also new competing search engines!

LisPi

@rcombs @kouhai In a world with functional #antitrust and anti-competitive practices regulation, making this would be corporate suicide.

octesian

@kouhai @rcombs Also only "well-behaved" web scrapers respect a block list. It's easy for one to program a scraper that does not.

domi

@rcombs reading the part abt webviews and the checks being more relaxed there makes me think that in 5 years time we (the scrapers) will just have an old android phone proxying the webview attestation api calls back to the spider

Merospit

@rcombs They are so idealistic and naive at the same time. If a website has the ability to cryptographically verify clients then some will inevitably be biased towards different browsers just like the bad old days of IE-only websites.

کواکوما

@merospit @rcombs
> just like the bad old days of IE-only websites.
Unlike in the olden days, though, nowadays people seem to like and celebrate monocultures, at least when it comes to computing :hehehe:

Jessica's new Main

@merospit@infosec.exchange @rcombs@social.treehouse.systems could also use it to block chromium-based browsers.
it goes both ways
​:blobcat_laughing:​

m

@merospit @rcombs "idealistic and naive"

they work for google

i can't imagine any scenario where they're not acting in bad faith with this

LisPi

@esther @rcombs I like this particular comment on it: github.com/RupertBenWiser/Web-

> their measures are insufficient and always will be, because the underlying idea is flawed

Emily S

@rcombs ah, companies always thinking they should be able to decide what code runs on my computer. They get really cranky when we return the favour, using words like remote code execution, hacking, and felony.

theo

@Emily_S @rcombs it’s so bizarre, imagine a paper company trying to control the things people are allowed to write on the paper

m

@Emily_S @rcombs "felony" is the magic word the United Slave States of Amerikkka intones to capture more free-as-in-enslaved labour

hirnsalat

@rcombs i hate how the introduction tries to frame this as something users want/need. no wonder everything starts with "users want websites to know ...". google wants to know that, and is basically trying to tell ppl they want it too. nothing new, but worth calling out.

Skrrp :bisexual_flag:

@hirnsalat @rcombs I love the way that they talk about whether or not to serve an ad - sure, you don't want to serve one to a crawler bot.

I'll bet my arse though that this thing is tuned to recognise ad blockers and script blockers as non-human and to block you from the content.

Andrew Scott

@hirnsalat @rcombs
It makes me absolutely fucking insane that DRM is always deceptively sold as beneficial for the public. *Just once* I would like for a company to be honest about their intent.

LisPi

@ascott @hirnsalat @rcombs "We want to assert complete market capture & dominance and the lack of antitrust means you can get fucked."

iced quinn

@lispi314 @ascott @hirnsalat @rcombs i gave up on that fight a long time ago. the public will never be against being controlled until it personally fucks them. and by then they are too individuated to matter.

Professor Emeritus Blake Y Rat

@rcombs Websites have had DRM for decades. That's how Netflix determines whether you're allowed to see 4k video or not.

ಚಿರಾಗ್ 🌹✊🏾Ⓥ🌱🇵🇸 (he/him)

@blakeyrat @rcombs Sure? But we sure as hell shouldn't allow it to get even worse than it already is.

Professor Emeritus Blake Y Rat

@chiraag @rcombs I skimmed the proposal and I'm not sure why I'm supposed to feel it's so horrible.

Andrew Scott

@blakeyrat @chiraag @rcombs
In plain English, it reallocates control from the many (i.e. users) to the few (Google) which is a direct threat to the open web. You're correct that it isn't DRM in the same way as widevine, it's more like the Play Store - if your device/client doesn't play by Google's rules it's not going to work right.

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs What thing I currently control would I no longer control if this were implemented?

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs Like... I'm not trying to be condescending, but that was monumentally vague. I'm an extremely practically-minded person.

Andrew Scott

@blakeyrat @chiraag @rcombs
You would cede control of your browser and the hardware that runs it. Under this scheme clients would be verified similar to how smartphones are - apps (or websites, in this case) will just refuse to work without device certification by Google. It's why banking apps, Netflix, Snapchat, and others often can't be used with 3rd party android ROMs. Google is talking about extending the authority they exert over android users to the internet more broadly.

Andrew Scott

@blakeyrat @chiraag @rcombs
And I agree it's vague, but there's no specific implementation I can point to at this time and say "look at this, this is the code they want to force us to run on our own damn machines." We can make comparisons to traditional DRM or frameworks like the Play Store which interfere with our hardware, but I can only speak to the contents of that repo which are also highly speculative about how such a scheme would be achieved.

Professor Emeritus Blake Y Rat

@ascott @chiraag @rcombs If computer security folks are really concerned about this thing, a good first step would be to figure out how the fuck to explain it to people using brief, concrete examples that don't rely on guesswork or conspiracy theories. I'll hold off on panicking over it now. I just wanted to point out it's dumb to say "Google is adding DRM to the web!" when it's had DRM for decades, that was the main thing I had to say, haha.

Andrew Scott

@blakeyrat @chiraag @rcombs
That's fair, I had typed my other reply about the reference spec before I saw this. I think it would be more accurate to say that this would massively extend existing bullshit, it's not necessarily new bullshit. And I wouldn't advise panic at this point, but I'm sure it's obvious that I'm not in favor either.

Andrew Scott

@blakeyrat @chiraag @rcombs
There is a prototype implementation for chromium (rupertbenwiser.github.io/Web-E), but it is largely incomplete with a lot of info marked as TODO. However it does at least confirm much of what I've said - client side code communicates with a centralized attester that verifies the validity of the client. If the attester (Google) doesn't like the client or its settings you must change them, thus Google now decides what you can and cannot do with your hardware.

LisPi

@ascott @blakeyrat @chiraag @rcombs It's instead a way more direct anti-competitive setup and I expect it to result in litigation for exactly those reasons.

That doesn't prevent it from causing damages in the meantime.

DELETED

@blakeyrat @rcombs Yes, but that applies to only media elements. This applies to entire websites, and, if I read the explainer correctly, also requires a rootkit on your device so the attester can be sure it's running what it says it is. (The example rootkit being Google Play Services on Android.)

Professor Emeritus Blake Y Rat

@carcosa @rcombs I'm sorry, a TPM chip is a "rootkit" now? Are you serious?

infinite love ⴳ

@rcombs it's more like Google Play SafetyNet for websites. we already have DRM on the web, sadly

Rich Felker

@rcombs I'm glad the authors kindly put their names on it so they can be shitlisted from the industry.

bob

@rcombs isn't widevine already DRM for websites? this seems more like a roundabout way to track people's device id's

🍄🌈🎮💻🚲🥓🎃💀🏴🛻🇺🇸

@rcombs I love how number one on their list of "scenarios where users depend on client trust" is "advertisers can only afford to pay for humans to see the ads".

Also love how the whole scheme is predicated on having a single "attester" that gatekeeps which *operating systems* are valid.

It's AppStores for Websites. This idea needs to be killed with fire, and everyone involved should be shamed.

#webDev #web #webEnvironmentIntegrity

LisPi

@schizanon @rcombs I'm half thinking it should be banned right now, and half thinking it should be used to dissolve the first implementer's corporate charter on the spot on antitrust grounds (I'm not sure if corporations get "being made examples of" as warnings).

jzfski 💭

@rcombs first bullet point and they already jump on the advertising topic - wow what a shocker - so they definitely must think about open web in the first place!

edd

@rcombs So it's CAs but in reverse (users certify thru the attester and the server has a list of approved attesters), and also if you mod/patch your browser it can just lie to the attester and it's all meaningless?

This seems like someone's pitch to get a promo that solves nothing and actively makes things more complex and worse.

esty

@edd @rcombs
> This seems like someone's pitch to get a promo that solves nothing and actively makes things more complex and worse.

it's funny because i remember reading on the birdsite about how this is a huge problem within Google's corporate culture - they push hard for new launches and flashy upgrades and don't reward actual regular maintenance of shit

explains so much why google is such a mess and kills off so many of their own products, whoever made it already got their promo and fucked off, with no long term plan to make anything sustainable

SofaKingHigh

@rcombs well can’t wait for mirrors to useful sites to get big again, outside of that I’m just gonna stop using any site that enables this

Sean Murthy

@rcombs This goal gives me hope:

● Continue to allow web browsers to browse the Web without attestation.

But then this example use case gives me pause:

● Detect compromised devices where user data would be at risk

github.com/RupertBenWiser/Web-

David Buchanan

@rcombs fuck fuck fuck fuck. I knew this was coming.

Mark Koek

@rcombs “Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it. This trust is the backbone of the open internet (…).”
Are they being serious? Surely not.

linear cannon

@rcombs@social.treehouse.systems nope nope nope nope, fuck that

i will abandon the web before i allow such a thing to run on any device of mine

Pierre Bourdon

@rcombs FWIW, I've worked with those people (Borbala was my tech lead, then manager for ~2.5 years), and I genuinely believe they're trying to do the right thing here.

The bot problem on the internet is not well understood by the average user/developer, mostly because that's an area where "obscurity" is still part of the best strategies the defenders have, and also because the bad actors focus their efforts on just a few targets (Google, Meta, Twitter, etc.).

Pierre Bourdon

@rcombs the proposal does talk about the DRM aspects of this, and tries to propose solutions that mitigate that issue. I don't know whether they're appropriate solutions or not, whether they go far enough or not, etc. I think that would be a healthy debate.

Saying "user agents shouldn't do that" is basically saying it's fine for millions of users every month to get their bank accounts stolen, their personal information sold on black markets, etc. -- unless you have a magic solution.

Ridley @ WATCH LYCORECO

@delroth you're equating bots with, what, bruteforce attempts on user passwords? which is an extremely mitigable problem that's entirely solved by passkey usage

Pierre Bourdon

@rcombs in general: there are 10-100s active full-time criminal groups targeting Google users at all times. Some are interested in stealing SSNs and passport photos from gmail. Some are interested in stolen credit cards (via reselling tradeable in-game items in Play Store games, for example). Some deploy cryptolockers on Google Drive.

Often they either have credentials, phish them, or have session tokens stolen by malware on device. Passkey/2FA helps, but doesn't prevent the latter.

Pierre Bourdon

@rcombs Google isn't just fighting that on one front, they've been strongly pushing for 2FA for years. They were the first to deploy Security Keys for a reason.

There's been many efforts to try and bind session tokens to devices too. Example: Channel ID. Unfortunately not successful.

The "defense front" you're seeing is trying to detect suspicious actions coming from non legitimate devices. If someone gmail-searches "SSN" and you can detect it's not a real browser, you can issue a challenge.

Pierre Bourdon

@rcombs this isn't really the appropriate format to try and summarize 3 years of learning about this in the field, working with probably some of the foremost experts in the field. I also likely will get into NDA things pretty quickly with more details.

Those experts are people I recognize in the list of authors of the proposal. They're people that have spent their whole career working on protecting users from data theft / impersonation. I personally trust that they have done their homework.

Pierre Bourdon

@rcombs another angle: do you think those people don't know how bad such a proposal looks, especially coming from Google? Look at the list of non-goals, the number of counter-measures they propose to avoid this being too abusable, etc. They clearly understand your viewpoint as well, to some extent.

And yet they still thought it would be a good move to publish this proposal. Do you think they would have done so if "this ain't gonna solve that case" (or rather: "help", you can't "solve" abuse)?

Glitch

@delroth @rcombs tbh I think the problem with this is that the road to hell starts with good intentions.

No matter how good Google will try to be about this, bad actors on both ends will find ways to loophole and abuse it. The bots will just extract the data they need to from a chrome binary/fake their JS engine to mimic a real browser anyways. Ad networks will use these techniques to further fingerprint and identify browser users.

That's without getting into the perverse incentive problem where Google is also the world's biggest (and if you believe the EU's antitrust, only meaningful) ad network, so any solution they'll come up with will not be as perfect as it should be, *specifically* so they can make a loophole for profiling users.

Rich Felker

@delroth @rcombs Spending your whole career looking at things from that angle turns you into a BOFH monster who thinks "cop in your pocket" is a legitimate concept.

Ariadne Conill 🐰

@delroth @rcombs the problem comes with how the technology will be extended in the future, e.g. "proofs of ad view" required to visit a website.

Pierre Bourdon

@ariadne @rcombs I think that's always a reasonable worry (though tbf I do personally think providers should have a choice of how they charge for their content). But note that the proposal in question explicitly states as a non-goal "Enforce or interfere with browser functionality, including plugins and extensions."

Ariadne Conill 🐰

@delroth @rcombs in general, i agree, but adblock is essential for security at this point, given all of the malvertising incidents. only reason i use it tbh

DELETED

@delroth @ariadne @rcombs That may be a "non-goal" as far as the spec is concerned, but after reading the explainer it's clear to me that none of the other goals of the spec can be achieved without also making that possible. And on the commercial internet, the incentives for both attesters and site operators point towards doing that.

Pierre Bourdon

@carcosa if that's the case (I haven't done a full technical analysis of what they propose): I think that's a fair criticism, and I don't think a spec proposal should be accepted when it's not self-consistent.

I think that's significantly more nuanced and actionable commentary than "DRM bad", and I presume that this is part of what the spec review process would go into (W3C/Whatwg/... have privacy experts reviewing these things, and they seem to already have been engaged).

DELETED

@delroth Yeah. Specifically, look at the discussions of the holdback mechanism, which is the one part that is supposed to prevent website operators from discriminating against unattestable browsers. Stakeholders in the security business are arguing that it's not acceptable to have holdbacks at all; I'm arguing that if implemented, holdbacks will erode over time until attestation can be used to discriminate on the basis of browser/plugins/etc.

m

@delroth @ariadne @rcombs one person's "explicit non-goal" is another's "slightly off-label use" is another much younger person's "time-honoured established industry standard"

Rich Felker

@delroth @rcombs If they believe they're doing something ethical, they're utterly stupid.

Pierre Bourdon

@dalias @rcombs spoken from your strong expertise and knowledge about protecting internet service users from malicious activity!

Rich Felker

@delroth @rcombs My biggest qualification here is not having my judgement clouded by "I know and respect those guys and they would never do anything unethical". Same brainworms that always let abusers get away with doing bad things.

m

@delroth @rcombs honestly, seriously, the single best solution is to get rid of the big targets

Chuck Munson

@rcombs I'm assuming that anything coming from the Google dev universe is designed to make a walled garden that benefits Google. I glanced and skimmed this page. Doesn't make a whole lot of sense, nor do I see a use case for the WWW.
