Post AXtHOIbjVOLF8jefZI by feld@bikeshed.party
(DIR) Post #AXsm6I6jWpH1nW5XCS by gsderp@packmates.org
2023-07-19T14:03:47Z
2 likes, 11 repeats
This is a credible proposal for DRM for websites in general. It would enable unbeatable adblock-blocking. It would prevent user customization for not just convenience but also accessibility. I do not say this lightly: Enabling the forfeiture of control over the browsing experience is a fundamentally evil idea that must be rejected now, as it has been in the past, and we must remain vigilant against its reemergence in the future. https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md
(DIR) Post #AXt8qQxT9Ve3YlA9Ro by Zergling_man@birds.garden
2023-07-20T14:30:19.218416Z
0 likes, 0 repeats
@gsderp Haha lynx go brrrr
(DIR) Post #AXtFVimoN8S6RzFSL2 by Natanox@chaos.social
2023-07-20T11:38:55Z
2 likes, 1 repeats
@gsderp What I read from this:
> Authority over "good" browsers. Compiled it yourself with a fix? You're screwed.
> Kick out "modified" devices, granting Google, Apple and Microsoft a de-facto monopoly on computers and smartphones
> Adblockers shall die
> They want more (reliable) ad revenue
> Prevent fingerprint anonymization
> Bind every user to a specific traceable public key. Yet another surveillance factor
Sure they use fancy excuses but in the end it's always the same bullshit with them.
(DIR) Post #AXtHOIbjVOLF8jefZI by feld@bikeshed.party
2023-07-20T16:05:46.057344Z
0 likes, 0 repeats
I haven't looked too deeply yet, but are you certain that this would break user customization?
(DIR) Post #AXtJQWHRqCBi26LyTI by gsderp@packmates.org
2023-07-20T16:23:17Z
0 likes, 0 repeats
@digifox As a framework it doesn’t and can’t do anything to mitigate against sites deciding to trust only attesters that require immoral (anti-user freedom) criteria as part of their “baseline”. The “holdback” mitigation is incapable of delivering the stated goals of making sure this isn’t usable for discrimination. The framework is prima facie immoral if the holdback percentage isn’t high enough to make this useless for every case except measuring ad fraud. However, if holdback isn’t stable, even if the holdback percentage is high, sites can still discriminate against users that never pass it. If the set of held-back destinations is stable, the set of held-back destinations becomes a useful and durable fingerprint. Furthermore there’s the relatively intractable problem of destinations colluding to share trust signals and enabling discrimination based on that. There is no open web if an attestation framework gains critical mass, so such a framework must not be allowed to exist.
(DIR) Post #AXtJQXLNt2vlKbCdFI by feld@bikeshed.party
2023-07-20T16:28:32.058678Z
0 likes, 0 repeats
I'm not currently finding this to be a plausible outcome, especially as Google knows how many people on the web have extensions etc etc. But it's good that people are being made aware of what's being proposed so we can stay vigilant. Thank you for that.
(DIR) Post #AXtxuy1tEP3owu9Ka0 by didek@101010.pl
2023-07-21T00:02:28Z
0 likes, 0 repeats
@feld @gsderp The plugin capability is built-in. You wouldn't be able to change anything beyond what the browser lets you.
(DIR) Post #AXv9FzPUaPtrxyNNTs by ginsterbusch@kosmos.social
2023-07-21T11:27:53Z
0 likes, 0 repeats
@feld @gsderp Certainly websites are already breaking my custom accessibility scripts. With an "enforce"d approach, this would mean ableism at its finest.
(DIR) Post #AXv9G0UqXzmFKrtASu by feld@bikeshed.party
2023-07-21T13:43:59.910366Z
0 likes, 0 repeats
What do your scripts do and which websites?
(DIR) Post #AXvAbJGw2EbNbQ6UMa by Moon@shitposter.club
2023-07-21T13:59:19.994332Z
1 likes, 1 repeats
@feld @gsderp there's no way they can enforce the integrity of a secure environment if they allow arbitrary plugins and extensions so they will have to be approved specific-use extensions. chrome and firefox have moved to an approved extension model so they have the mechanism in place already to do this. extensions are gatekept and subject to manpower limitations and stupidity, in approval in particular if your extension manifest includes functionality they know is a risk of compromising the environment eg anything that has network access to a remote resource. I feel like the answer is that their statement is deliberately misleading.
(DIR) Post #AXvAmh3tvRfWZRR344 by feld@bikeshed.party
2023-07-21T14:01:02.519741Z
1 likes, 0 repeats
> there's no way they can enforce the integrity of a secure environment if they allow arbitrary plugins and extensions
but their goals state they will *not* interfere with their usage. So maybe there's something going on that we do not understand yet.
(DIR) Post #AXvB9AutbgkvXBwXZ2 by noxypaws@packmates.org
2023-07-19T20:21:05Z
0 likes, 0 repeats
@gsderp Jeeez. And I was worried about DNS over HTTPS or TLS, this is a whole other level of horrific.
(DIR) Post #AXvB9BV3RFgBLKrPvM by gsderp@packmates.org
2023-07-19T21:04:03Z
0 likes, 0 repeats
@noxypaws DOH/DOT is dual-use, attestation is not. DOH/DOT is an unequivocal good when it enforces the free choice/consent of a device user-owner to control what resolver is used, and to enforce privacy in that use, (against/over the interests of a network-path interloper,) which is essential for further privacy improvements like ECH to be meaningful. In contrast, the fundamental purpose of attestation is to subvert a device owner-user’s ability to enforce their consent and exercise meaningful control over what their device does, which is indefensibly evil.
(DIR) Post #AXvB9C4rI8Jr8Nc0jQ by noxypaws@packmates.org
2023-07-19T21:23:06Z
0 likes, 0 repeats
@gsderp Yah, agreed on all points. DOH/DOT is a double edged sword but seems mostly good - I just think a lot about how my LG TV, for example, could start evading DNS based ad blocking. But yeah this attestation crap sounds just deeply awful.
(DIR) Post #AXvB9Cwk3nQ9pUp2ie by gsderp@packmates.org
2023-07-19T21:32:08Z
1 likes, 0 repeats
@noxypaws The problem with the TV falls squarely under the umbrella of eroded owner-user rights. (Well, at the edge where they just flat out don’t exist any more.) DOH/DOT being available for use by your browser doesn’t enable a shit TV to do anything it couldn’t already have done. At most, DOH/DOT being an off-the-shelf standard means a substantial reduction in the work they would need to do to implement their own secured host resolution.
(DIR) Post #AXvBDOnrv0oJlGfczA by Moon@shitposter.club
2023-07-21T14:06:17.586031Z
1 likes, 0 repeats
@feld @gsderp I don't understand how it could talk about security or integrity otherwise but I am open to the possibility I am wrong. I am highly skeptical of this. the way that extensions like userscripts work is interesting because they can modify the dom at a higher layer that is invisible to the web application while still presenting the modified content to the user (it's possible to leak existence of your script though) so you could have an extension that for example does css changes to a secured webpage that isn't any serious risk of violating the sandbox. this can be determined by the extension manifest so I could see a future where google allows arbitrary extensions that can modify any webpage in this way, but then there's other classes of extensions that won't work on a locked down page unless it's gone through an audit by google and approved as an extension in their store.
(DIR) Post #AXvBYeZwSenqlkI7GK by feld@bikeshed.party
2023-07-21T14:09:58.530276Z
0 likes, 0 repeats
I think it's a lot of overreaction and armchair analysis right now
(DIR) Post #AXvBiA6wauAvAfGHya by Moon@shitposter.club
2023-07-21T14:11:51.473881Z
0 likes, 0 repeats
@feld @gsderp I'll read the entire proposal this evening and see what I think. To me this seems like a logical progression from how they've already crippled and locked down extensions and have been trying to remove extension functions that allow effective adblocking so I don't feel like giving them benefit of the doubt. but I want to be accurate if I tell people what I think they're doing so I'll educate myself fully on it.
(DIR) Post #AXvBy8tOtNB01dXxx2 by feld@bikeshed.party
2023-07-21T14:14:30.485142Z
0 likes, 0 repeats
It just feels like nobody really read this
(DIR) Post #AXvCERj4dadP4NUUiW by i@declin.eu
2023-07-21T14:17:42.223471Z
0 likes, 0 repeats
@Moon @feld @gsderp this and https://lapcatsoftware.com/articles/2023/7/1.html is probably going to be for corporate offices and schools, where the user doesn't own the device anyways and can't do any of that without bypassing systems that this would enforce in the first place
the new generation of computing is suffering
(DIR) Post #AXvCFB4E3nIBh0jWQy by Moon@shitposter.club
2023-07-21T14:17:48.923619Z
0 likes, 0 repeats
@feld @gsderp to be fair it's listed as an open question, I read it like a fig leaf so later they can say "well we tried but it was impossible"
(DIR) Post #AXvCQHSSdhTYhPMajA by Moon@shitposter.club
2023-07-21T14:19:49.740484Z
1 likes, 1 repeats
@i @feld @gsderp I'm not 100% opposed to locked down corporate devices except that things like this are the back door and the building blocks of systems forced on everyone later. maybe it won't happen but it's undeniable that if you build it at all for one group of people it's way less difficult to repurpose it for a different group
(DIR) Post #AXvCSXx8HdCCR4n3yK by feld@bikeshed.party
2023-07-21T14:19:51.950089Z
1 likes, 0 repeats
It's also probably worth reading the GitHub issue that led to this document being published https://github.com/antifraudcg/proposals/issues/8#issuecomment-1158928350
(DIR) Post #AXvCcmZgm4kUgFho5g by Moon@shitposter.club
2023-07-21T14:21:54.385317Z
1 likes, 0 repeats
@feld @gsderp I worry that while it is possible to build a decentralized attestation system, the system we will get will be centralized on just a few big vendors. I will read this doc soon.
(DIR) Post #AXvD8De0BFGDc1iGu0 by teknomunk@apogee.polaris-1.work
2023-07-21T14:27:44Z
0 likes, 0 repeats
@feld @gsderp @Moon The stated goal of creating an environment that can't be tampered with explicitly excludes customization of any type. That is the feature: no customization allowed.
(DIR) Post #AXySTTXuKp3vnZKuGG by ginsterbusch@kosmos.social
2023-07-23T03:41:29Z
0 likes, 0 repeats
@feld @gsderp I use Bookmarklets / GreaseMonkey / TamperMonkey scripts to improve the overall accessibility and usability of sites. Eg. a semi-dark reader with bigger font sizes for selected or all sites whenever I need it. Some sites tend to eg. enforce nasty unreadable sizes, or use garbage contrasts etc. It's not that I'm near blind, but I'm both strongly sight-impaired and am light-sensitive in combination with synesthesia, so overload gets induced quickly if there is .. interference.
(DIR) Post #AXyeIaqy1agYj6pQvY by chfour@wetdry.world
2023-07-20T18:36:11Z
1 likes, 1 repeats
@gsderp i love declaring war on corporations