Post AY5XsqP8Try2m8XWts by emma@orbital.horse
(DIR) Post #AY3c1xubwpM0AOwmBc by pimterry@toot.cafe
2023-07-25T14:12:29Z
3 likes, 10 repeats
Turns out that Web Environment Integrity proposal everybody is getting angry about (imo very legitimately) was effectively already shipped by Apple in Safari last year: https://httptoolkit.com/blog/apple-private-access-tokens-attestation/ That means if Chromium ships it too, we could quickly move to 90%+ of browser traffic being attested. Not good!
(DIR) Post #AY3c1yjIuLu4hcfGCW by feld@bikeshed.party
2023-07-25T15:43:57.626058Z
1 likes, 0 repeats
but Private Access Tokens are *good* and kill captchas forever, and I'm here for that
(DIR) Post #AY3tNUlMhcpVM0TTCC by jazzilla@noagendasocial.com
2023-07-25T18:58:52Z
0 likes, 0 repeats
@feld https://noagendasocial.com/@jazzilla/110776243973785907 @pimterry
(DIR) Post #AY3tRrVo42PL4EHN4K by alcinnz@floss.social
2023-07-25T17:15:18Z
0 likes, 0 repeats
@Chronotope @pimterry In fact, I think I recall the proposal specifically calling out this difference...
(DIR) Post #AY3tRsNKr1E3kFK7VI by pimterry@toot.cafe
2023-07-25T17:23:27Z
0 likes, 0 repeats
@alcinnz @Chronotope I'm certainly not an expert, but Cloudflare's description (directly linked from Apple's announcement) clearly says the device makes a call to Apple to validate device details. Apple's settings page describes the feature as "Bypass CAPTCHAs ... by allowing iCloud to automatically and privately verify your device and account" Can you share more details on how that's not correct?
(DIR) Post #AY3tRszGZzZDdt4Pcu by jazzilla@noagendasocial.com
2023-07-25T18:59:36Z
0 likes, 0 repeats
@pimterry https://noagendasocial.com/@jazzilla/110776243973785907
(DIR) Post #AY4It9uYGKUqntxyZU by didek@101010.pl
2023-07-25T23:44:41Z
0 likes, 0 repeats
@feld @pimterry The thing is, a site can know if you completed the captcha or if it was based on checking your browser. Banking sites can use this to limit any browsers besides two most popular.
(DIR) Post #AY4Uz6eGVMAls8x15U by tenth@mstdn.social
2023-07-26T02:00:08Z
0 likes, 0 repeats
@pimterry @feld @didek Is there a real world impact of attestation now for iPhone users (I used to be on WP/Android)? What if none of the scenarios mentioned comes true? Shouldn’t we focus on attestation standards so smaller players can also participate? I certainly do not trust or want to use a little known browser unless they have been verified to be safe. Another example is that you can be fined to drive an illegally modified cars on public roads.
(DIR) Post #AY4gw9YWRCIHTEcgOu by didek@101010.pl
2023-07-26T04:14:09Z
0 likes, 0 repeats
@tenth @pimterry @feld
> Is there a real world impact of attestation now for iPhone users (I used to be on WP/Android)? What if none of the scenarios mentioned comes true?
iPhone users are not affected, because those devices already cannot run any code that Apple don't like. Where the discussion should be is on universal devices that can do any mathematically possible tasks like computers or some smartphones.
> Shouldn’t we focus on attestation standards so smaller players can also participate?
They wouldn't be able. Great example is Raspberry Pi. Even if their devices are used around the world to build smart TV boxes, radio players, jukeboxes and multimedia centers, to this day the only way to play content restricted with Google Widevine is an image semilegally scraped from ChromeOS. Google never "attestated" Raspberry Pi, as it competes with their Android TV. Like with web DRM we have today, even if the API is standardized, sites would require **Google's** attestation.
> I certainly do not trust or want to use a little known browser unless they have been verified to be safe. Another example is that you can be fined to drive an illegally modified cars on public roads.
Great for you, I also only use programs I trust, but that doesn't mean I should be locked from running programs Google don't trust or don't want. Cars can literally kill other people, when a browser choice is a matter of only your own security. The car analogy should be General Motors building gates on public roads that only allow new cars to drive through. Rejecting no matter if it's engine swap or just a different door handle.
Example: In my country we cannot use our public, government funded app on device with YouTube uninstalled. Or on phone with CalyxOS, one of the most secure Android builds ever created. Just because Google won't "attest" it.
(DIR) Post #AY5LcSxofLZJzaBXjE by whynothugo@fosstodon.org
2023-07-25T16:29:42Z
1 likes, 0 repeats
@pimterry The whole concept of “a mechanism to ensure that the user is not in control of the device” ought to be banned from any consumer product.
(DIR) Post #AY5LcXFgiqF1IAZs8m by niclas@angrytoday.com
2023-07-26T11:49:58Z
0 likes, 0 repeats
@whynothugo How about people not buying/using it? @pimterry
(DIR) Post #AY5VdMf4aAE2HFU968 by whynothugo@fosstodon.org
2023-07-26T13:42:12Z
0 likes, 0 repeats
@niclas @pimterry The average person isn't informed about how this impacts them. It's kinda like when some substance turns out to be poisonous for humans. We ban that substance in face-creams for consumer products. You'd expect people not to buy things like wallpapers with paints that kill humans in a few months, but history has proven over and over again that the average person simply doesn't/can't stay informed of everything. Hence why specialists seek bans to help everyone.
(DIR) Post #AY5XsqP8Try2m8XWts by emma@orbital.horse
2023-07-25T16:48:09Z
0 likes, 0 repeats
@pimterry because of the moral hazard problems, I think we need to block companies that depend on advertising for revenue (Google, and very much Apple) from making browsers.
(DIR) Post #AY5XsrGJIAVBR3Pzma by dmarti@federate.social
2023-07-25T17:38:32Z
1 likes, 0 repeats
@emma @pimterry yes, also any time a company has to sign a consent decree over any antitrust violation, boilerplate text stating that they will stay out of browser development should be in there
(DIR) Post #AY5hAV6PJqxDVZH2MS by niclas@angrytoday.com
2023-07-26T15:51:28Z
0 likes, 0 repeats
@whynothugo Maybe some evolutionary pressure isn't all that bad. @pimterry
(DIR) Post #AY5i6AN0YjR40JXH4S by whynothugo@fosstodon.org
2023-07-26T16:01:52Z
0 likes, 0 repeats
@niclas Isn’t regulation and legislation like the DNA of a society?
(DIR) Post #AYazhd2yo05z1Gweu0 by Jeramee@mastodon.social
2023-08-10T16:18:02Z
0 likes, 0 repeats
@feld @pimterry Are you 1,000% sure that you can trust Google now and forever? Once implemented, Google's cabal will effectively own the internet, and there's no assurance we'll ever get it back. They already data mine us constantly. How much further will they go to exploit us for money?
(DIR) Post #AYazheCEX55kaGHYxs by feld@bikeshed.party
2023-08-10T18:14:42.078870Z
0 likes, 0 repeats
This is not the same as the other attestation stuff that Google is pushing.