[HN Gopher] The Right to Lie and Google's "Web Environment Integ...
___________________________________________________________________
The Right to Lie and Google's "Web Environment Integrity"
Author : boramalper
Score : 143 points
Date : 2023-07-30 20:53 UTC (2 hours ago)
(HTM) web link (rants.org)
(TXT) w3m dump (rants.org)
| TX81Z wrote:
| At no point does he explain what the hell the rant is about.
| gochi wrote:
| Is there a link to an article that actually goes into WEI on a
| technical level that isn't the proposal itself?
|
| So many things posted to HN about it have been the grand
| overview, which is a perspective worth diving into but also has
| drowned out every other perspective to the point where it's very
| difficult to figure out what's really happening with the proposal
| here.
| tedunangst wrote:
| Not really. Every explainer assumes the proposal is lying, and
| explains how half of it means the opposite of what it says.
| therein wrote:
| I'd avoid taking that route because that would move the Overton
| window [0] on the issue to Google's side.
|
| The premise is unacceptable and discussion on the technical
| merits will only give it the fuel to make it more material.
|
| [0] - https://en.wikipedia.org/wiki/Overton_window
| haswell wrote:
| If the window even applies here, it expanded the moment
| Google initiated all of this publicly.
|
| We're in it now, and fully understanding the issue and the
| problems it purports to solve is incredibly important.
|
| Dialogue is all we have, and to even build a solid argument
| against WEI, understanding the details matters.
| the_lego wrote:
| But the details aren't the issue. It's the entire idea of
| remote attestation that is repulsive and user-hostile.
|
| Otherwise I agree that examining the details doesn't move
| the Overton window - the broad idea already did that.
| therein wrote:
| Details aren't the issue and that's exactly my point.
|
| There is no reason to discuss on average how many
| lightning rods we should place on each street and the
| necessary budget allocations and compromises that would
| need to be made and how this whole undertaking would be
| facilitated.
|
| We have been doing just fine without these lightning rods
| on every street proposal Google made. We knew we could
| have it, we don't have it because we don't want it.
| wudangmonk wrote:
| The problems it aims to solve seem like an issue for
| Google or those that care if their ad is viewed by a human
| or not. Can someone give a counter argument of how this
| might benefit the users themselves?
|
| Chrome on Android is completely unusable due to no
| adblocker, is this what WEI will do everywhere?
| JoshTriplett wrote:
| It's worth understanding the problem it purports to solve
| in order to properly dismiss it. WEI positions itself in a
| way that sounds ambiguously like it might ever serve the
| user's purposes, and a clear framing of the problem
| statement would make it more obvious that it does not serve
| the user at all.
|
| For instance, one of the framings of WEI is that it gives
| advertisers a way to verify the client so they don't "have"
| to do fingerprinting. Except WEI does _nothing_ to take
| away fingerprinting, so advertisers will then have
| fingerprinting _and_ WEI. (Even if it _did_ simultaneously
| take away fingerprinting it would _still_ not be OK, but
| the current framing is not even offering the user benefit
| it claims to offer.)
| charcircuit wrote:
| Before taking away fingerprinting there would need to be
| a sunset period to have everyone migrate over to the new
| API. Ripping it out before new APIs are available or
| doing it at the same time is irresponsible.
| ImPostingOnHN wrote:
| I'm not sure how that addresses the point you're
| responding to: regardless of the excuse, WEI with
| fingerprinting is bad, and WEI without fingerprinting is
| also bad, and fingerprinting without WEI is also bad
|
| doing bad things (for example, any of the 3 above
| options) is more irresponsible than implementing bad
| things poorly
| flangola7 wrote:
| So how do you intend to prevent fraud and abuse? You need
| signals of some kind to know whether a visitor is likely
| to be malicious or not.
| wmf wrote:
| You don't have to worry about ad fraud if advertising
| goes away.
| surajrmal wrote:
| Agreed. If WEI means browsers can more aggressively
| restrict fingerprinting, I'm all for it.
| toyg wrote:
| You can't "take away" fingerprinting, because it isn't a
| single API or even a single set of APIs. Fingerprinting
| is _a set of techniques_; you can nullify some of them,
| but there is nothing stopping companies from inventing
| new ones.
|
| Despite what Google say, fingerprinting will never go
| away - any new feature in that space will just be _in
| addition_ to existing and future fingerprinting
| techniques.
| gochi wrote:
| I'm not trying to understand its "technical merits" but what
| exactly it is. Even experts on The Registry are quoted saying
| it's "nebulous".
|
| So what exactly are we even talking about here? The idea of
| attestation or just this proposal or is it a Google thing?
| Does this compare to cloudflare private tokens or safetynet
| or are they completely different? If proposal goes through
| what does that functionally mean for browsers both ones based
| on chromium and ones not?
|
| I don't know why it's so difficult to find these details and
| I'm instead being told to just accept the idea that the
| premise is unacceptable.
| powera wrote:
| I am starting to get more than a bit concerned how many of the
| objections to WEI are very openly "this makes it harder to commit
| crimes".
| meindnoch wrote:
| >Not looking at ads is a crime.
|
| Oookay, I had enough HackerNews for today.
| [deleted]
| stoolpigeon wrote:
| Almost anything one can do, of value to their fellow humans, is
| a crime somewhere.
| Zak wrote:
| Where are you seeing that? This article discusses lying about
| one's user agent string, presumably to get better behavior out
| of a website that's making bad decisions based on it. That is
| not a crime last I checked.
| userbinator wrote:
| "crimes" according to who?
| superkuh wrote:
| His comment system is currently broken and will just 404 and
| return you to a URL at
| https://rants.org/%5Ehttp:/your.ip.addy.here/. So I guess I might
| as well post here instead,
|
| >My web browser (currently Mozilla Firefox running on Debian
| GNU/Linux, thank you very much) will never cooperate with this
| bizarre and misguided proposal.
|
| Mozilla used to be about user freedoms. Lately Mozilla has been a
| front-runner on turning off and disabling non-TLS just HTTP
| support. They will likely be one of the first browsers to remove
| support for it and eventually HTTP/1.1 as a whole. ref:
| https://blog.mozilla.org/security/2015/04/30/deprecating-non...
|
| Given that HTTP/3 as implemented by Mozilla _cannot_ connect to
| self-signed TLS cert websites this means the future of Firefox is
| as a browser that can only visit websites that third party TLS CA
| corporations periodically approve (even if those corporations are
| currently benign, like LetsEncrypt). Does this remind you of
| anything? That's not to say other browsers are better in this
| respect. Mozilla's Firefox and its forks are the least worst...
| it's just everything is getting much worse all together.
| jacquesm wrote:
| That would be pretty dumb then because there is plenty of older
| IoT stuff that you won't be able to access anymore with FF.
| Sick and tired of all these companies, foundations and other
| silos telling people what they can and can not do with their
| own hardware.
|
| If I want to visit scary non encrypted websites I should be
| able to do so.
| cj wrote:
| I agree you personally should be able to as a Hacker News
| user with 200,000+ karma.
|
| But I would prefer my grandma be blocked from all non-
| encrypted sites, sorry!
| saulrh wrote:
| Having _personally_ experienced what happens to my webpages
| when Comcast realizes that it can do whatever it wants to bare
| HTTP requests all the way up to and including inserting
| invasive advertisements loaded with arbitrary javascript, I
| think that "least worst" is exactly the right word for
| requiring HTTPS everywhere. I do agree that it would have been
| nice if there was a standard that required encryption without
| also requiring authentication, but this is the world we live in
| now.
| johncolanduoni wrote:
| If it didn't require authentication, Comcast could just MITM
| you.
| buildbuildbuild wrote:
| "Least worst" is right.
|
| A quick nod to Tor Browser, the Firefox fork which will always
| support HTTP in order to support the vast majority of Tor
| hidden services.
| yjftsjthsd-h wrote:
| Onion addresses aren't CA-based TLS, but they aren't
| unencrypted HTTP either.
| cj wrote:
| You commented on another thread a few days ago (which I also
| replied to).
|
| I still don't understand your disdain for the idea of a 100%
| encrypted web.
|
| Rather than saying "does this remind you of anything", can you
| tell us what it reminds you of?
|
| I guess the issue is, eventually, CAs can decide not to issue
| certificates to certain people classified as
| malicious/nefarious/etc?
|
| Can you clearly articulate your position on this point?
| Pannoniae wrote:
| What happens when CAs say "you can't get a certificate if
| you supported <insert ideology here>"? Or "you can't get a
| certificate if you are racist"? Or "you can't get a
| certificate if your credit score is too low"? Or "you can't
| get a certificate if your website contains
| <pornography/warez/p2p encryption/firearms/anything we don't
| like>"?
| jabbany wrote:
| My guess is that if only encryption were the goal, then
| browsers should trust self-signed certs or at least upon
| first visit, present the cert and ask whether to trust it in
| the future. *
|
| Instead the current system depends on some set of built in
| trusted root certificates that are run by opaque monopolies (at
| least pre Let's Encrypt) plus a lot of hassle to add self
| signed certs if it's even supported at all. (IIRC some
| browsers like Chrome will ignore system trusted CAs in an
| attempt to "help the user be more secure" ref:
| https://serverfault.com/questions/946756/ssl-certificate-in-...)
|
| * There is precedent for this, for things like Remote Desktop
| or SSH where only encryption is the goal, their default
| behavior is exactly this: confirm upon first access, and
| remember the approved cert for the future. You do not need to
| get your server blessed by a CA to connect over ssh :)
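
The trust-on-first-use behaviour described in the comment above (confirm on first access, remember the approved cert), as an added example that is not part of the thread or of any browser's code. The JSON pin-file layout, the function and class names, and the sample certificate bytes are assumptions constructed for illustration.

```python
"""Trust-on-first-use (TOFU) certificate pinning, in the style of SSH known_hosts.

Added illustration; the pin-file layout and every name here are assumptions.
"""
import hashlib
import json
import os
import ssl
import tempfile

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    Needs network access, so the offline demo below does not call it.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


class PinStore:
    """Maps "host:port" to the fingerprint the user approved."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Host names are case-insensitive; the port is part of the identity.
        return f"{host.lower()}:{port}"

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        """Classify a presented certificate. Never changes the store."""
        pinned = self.pins.get(self._key(host, port))
        if pinned is None:
            return FIRST_USE   # caller should show the fingerprint and ask
        if pinned == fingerprint(der_cert):
            return MATCH
        return MISMATCH        # rotation or interception: do not auto-accept

    def trust(self, host: str, port: int, der_cert: bytes) -> None:
        """Record an explicit user approval (first use or deliberate re-pin)."""
        self.pins[self._key(host, port)] = fingerprint(der_cert)
        # Write to a temp file and rename so a crash cannot truncate the pins.
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)


def demo():
    """Run the first-use / match / mismatch cases on constructed inputs."""
    # Constructed stand-ins for DER certificates; only their bytes matter here.
    cert_a = b"constructed-stand-in-for-DER-certificate-A"
    cert_b = b"constructed-stand-in-for-DER-certificate-B"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pins.json")
        store = PinStore(path)
        results = [store.check("nas.example", 8443, cert_a)]
        store.trust("nas.example", 8443, cert_a)      # user said yes
        store = PinStore(path)                         # reload from disk
        results.append(store.check("NAS.example", 8443, cert_a))
        results.append(store.check("nas.example", 8443, cert_b))
        results.append(store.check("nas.example", 443, cert_a))
    return results


if __name__ == "__main__":
    print(demo())
```

A `mismatch` is what a substituted certificate looks like on any visit after the first; the scheme gives no assurance about the first visit itself, which is the gap CA validation is meant to close.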
| throwawayadvsec wrote:
| Yeah but SSH and RDP aren't used by grandmas that get their
| wallets emptied by scammers. Forced SSL everywhere is a
| good thing.
|
| It's bad that it's run by corporations, but it's still a
| good thing overall. Maybe it should be run by different
| people (like IDK ICANN over something like the UN)
| mrd3v0 wrote:
| Not to mention the CA could potentially, intentionally or
| not, leak keys and allow governments, hackers or other
| interested entities to decrypt traffic.
|
| Centralising trust will always be a bad idea, regardless of
| context.
| johncolanduoni wrote:
| Most TLS connections these days use cipher suites with
| perfect forward secrecy so governments won't be able to
| decrypt the connections without an active MITM attack.
| Since Certificate Transparency is effectively required for
| all CAs now, that will leave a paper trail.
| nimbius wrote:
| Couldn't I just stand up a quick CA with easyrsa scripts?
| JoshTriplett wrote:
| Yes, absolutely. Nobody else will trust it, but you can
| always set up your own CA for use by computers you use.
|
| Which is fundamentally still better than insecure HTTP,
| because it's at least _possible_ to take steps to trust it
| and make sure it's the same server you expect to talk to.
| Aerroon wrote:
| This sounds like a great way to get lots of people to run old
| software. I'm sure most people wouldn't even bat an eyelid when
| they go on to install an out of date browser to make sure a
| website they want to visit works.
|
| Security people can complain as much as they want, but it's
| these kinds of anti-user practices that makes users hate
| updating.
| version_five wrote:
| I'd guess that ship has sailed for many people. I never
| update my "consumer" software because every update makes it
| worse. I can't be the only one. Nobody is getting any kind of
| positive reinforcement on updating, best case scenario it
| does nothing, mostly it makes stuff worse or takes away
| freedoms.
| nofunsir wrote:
| I'm currently at 399 apps that "neeeeeeed" to be updated.
|
| I manually only update banking apps and the likes.
|
| And if an app forces me to update (lazy API devs!) I
| usually delete it and find a new one.
| johncolanduoni wrote:
| This would likely be a great way to get lots of people to run
| old software for a while, until criminals take advantage of
| all those juicy unpatched vulnerabilities and all their
| devices start showing them ads for penis pills on every
| webpage and their credit card number gets stolen every other
| week.
| userbinator wrote:
| _Security people can complain as much as they want, but it's
| these kinds of anti-user practices that makes users hate
| updating._
|
| Indeed, I've always thought the classic saying about those
| who give up freedom for security is very relevant in the
| current times. I'm quite certain that it's possible to
| respect the user and improve security (for the user), but
| instead they've been using security as an excuse to do worse
| to the users.
| derefr wrote:
| > a browser that can only visit websites that third party TLS
| CA corporations periodically approve
|
| Er... no. It means that Firefox will only connect to websites
| that _the domain administrator of the system_ approves of. You,
| as the administrator of a computer, can install whatever X.509
| roots of trust you want. Including a root of trust _you own_,
| which can issue certificates for whatever websites _you approve
| of_.
|
| Today, where there are residential users who can't get the
| attention of big companies, you'd probably then run a local
| forward-proxy that re-wraps connections to sites you trust,
| with certificates rooted in your root-of-trust.
|
| But this is just a sociological evolution of the original
| design intent of X.509: where each corporate/institutional/etc
| domain would _directly_ manage its own trust, acting as its own
| CA and making its own trust declarations about each site on the
| internet, granting each site it trusts a cert for that site to
| use _when computers from that domain connect to it_. Just like
| how client certs work -- in reverse.
|
| (How would that work? You'd configure your web server with a
| mapping from IP range to cert+privkey files. Made sense back
| when there was a 1:1 relationship between one class-A or
| class-B IP range, one Autonomous System, and one
| company/institution large enough to think of itself as its own
| ISP with its own "Internet safety" department.)
| Macha wrote:
| > In the normal world, you show up at the store with a five
| dollar bill, pick up a newspaper, and the store sells you the
| newspaper (and maybe some change) in exchange for the bill. In
| Google's proposed world, five dollar bills aren't fungible
| anymore: the store can ask you about the provenance of that bill,
| and if they don't like the answer, they don't sell you the
| newspaper. No, they're not worried about the bill being fake or
| counterfeit or anything like that. It's a real five dollar bill,
| they agree, but you can't prove that you got it from the right
| bank. Please feel free to come back with the right sort of five
| dollar bill.
|
| Side note: This at least would occasionally happen if you tried
| to spend Scotland or NI £5 notes in England.
| HWR_14 wrote:
| That's closer to my inability to spend US dollars in England.
| Different countries have different currencies.
| adamckay wrote:
| No it's not, Scottish bank notes aren't of a different
| currency - they're still pound sterling. The reason they're
| typically not accepted in English shops (at least, those not
| on the Scottish border) is most often because they're rather
| uncommon so it's more difficult for cashiers to detect fakes.
| My understanding is also that some banks, when depositing,
| require the English and Scottish notes to be separated and
| may charge a fee to convert them to English notes, so it's
| more effort to accept and handle them.
| toyg wrote:
| Tbh, in practice that really has something to do with
| counterfeiting worries.
| throwbadubadu wrote:
| We have come a long way since "don't be evil", would be funny if
| not so sad..
| aabedraba wrote:
| For crying out loud, Google
| Pxtl wrote:
| On the one hand, I firmly do believe that we need a proper way to
| verify identity globally over the internet. The Turing Test is
| over and AI is going to destroy every user-submittable form
| online.
|
| On the other hand, it's infuriating that advertising is the first
| front in this war. I specifically don't want advertisers to have
| my identity. I'm fine with like my Mastodon server or a site like
| HN to know I'm me because I'm actively interested in interacting
| with them. I don't want to interact with advertisers, or for them
| to have my identity, but they're going to wall off half the
| internet for people who opt out.
| nickisnoble wrote:
| On the internet, no one knows you're a dog.
|
| https://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_...
| oh_sigh wrote:
| The premise of this article is fundamentally wrong.
|
| > On that Web, if you send a valid request with the right data,
| you get a valid response.
|
| Explain DoS protection then.
| skybrian wrote:
| > If your computer can't lie to other computers, then it's not
| yours.
|
| And why is that not okay?
|
| I think this sort of attitude is left over from when computers
| were expensive. Nowadays, I have multiple computers, some of
| which are fun toys I mess with, while others are appliances that
| I just use for their intended purpose. And that's fine, because
| when I screw up, maybe I don't want to have broken the computer
| that I use for video chats and to do my banking? Maybe I don't
| want my main phone to stop working?
|
| It's okay to be a hacker and buy a router that you just use as a
| router and a Chromebook that you just use for web browsing. You
| can also buy a Raspberry Pi and mess with embedded programming on
| cheap devices. The appliance computers should be as low-
| maintenance as possible so you have more time for hacking.
|
| The nice thing about really cheap devices like a Raspberry Pi
| Pico is that if you actually build something useful for real
| work, you can deploy it, stop messing with it, and buy _another_
| computer for experiments.
| JoshTriplett wrote:
| You're absolutely welcome to choose to have an appliance; for
| some purposes that may be desirable. Don't tell other people
| they _can't_ have a general-purpose computer.
| MildRant wrote:
| I don't understand the point you are trying to make and how it
| relates to the quote or the post as a whole.
| caslon wrote:
| Your bank and the company that hosts your video chatting
| software should _pay for the computer,_ if it isn't yours.
| the_lego wrote:
| > Maybe I don't want my main phone to stop working?
|
| You are conflating the alleged benefit of locking down devices
| to assure users don't break them [1], with websites and
| services getting the ability to remotely verify your
| software/hardware stack is "approved", and block you if it
| isn't.
|
| It's not about what you want - it's about taking away your
| ability to choose. The "fun toys" that can be modified to your
| liking will get increasingly useless as they'll be blocked from
| large chunks of the web, especially after Google will start
| pushing WEI if sites want ad revenue, under the logic of
| preventing click-fraud.
|
| [1] There are plenty of ways to limit unlocking to the
| technically-savvy, and making it tamper evident to the owner
| (e.g. a "bootloader unlocked" notification during boot), and
| many existing phones implement them, so any claims by phone or
| other device manufacturers that making devices impossible to
| unlock are outright lies.
| userbinator wrote:
| The underlying hostile technology is "remote attestation" and
| it's what we should all be fighting against.
|
| People justify the latter by speaking about companies wanting
| control over employees' environments, but IMHO that shouldn't be
| allowed either. This is also why "zero trust" is problematic;
| they want to replace humanity with centralised control.
| tedunangst wrote:
| Funny that this was cross posted to fediverse, a network that is
| heavily reliant on digital signatures to prevent lying.
| gumby wrote:
| The point is it's optional, right?
| tedunangst wrote:
| Good luck getting another server to accept your post without
| cryptographic attestation of its origin.
| surajrmal wrote:
| Android apps can use safety net for a similar purpose but
| most don't. You are spreading FUD.
|
| Additionally, if a place of business asks you for state id,
| you are free to choose not to share it. It's not your
| choice whether they get to ask you nor your right to
| provide a fake id and expect it works. Views on the website
| make it sound like everyone should be allowed to own a gun
| without a licence. I bet most people don't feel that way in
| reality.
| hkt wrote:
| I can't convey how disgusted I am at the thought of WEI becoming
| a reality.
|
| It will lead to three webs: the remainder of the open web, the
| new closed web, and the pirate web.
|
| Personally I'll do my bit to preserve openness, even if that
| means working socially and technically to support the new world
| of piracy. It will always be a losing battle without institutions
| fighting for openness, though.
|
| This is a moment when Sun's old line - "the network is the
| computer" - starts to look hideous and dystopian. Prophetic, but
| maybe not how we thought.
| version_five wrote:
| It's not immediately obvious to me that the closed web will
| have anything good on it. People that want other people to see
| their stuff won't lock down who can visit, it seems like it's
| mainly for ad supported crap? Optimistically, the web will
| break apart into some AOL Disneyland Cable shit experience and
| an actual good internet whose participants are not just
| pretending to have engaging content so they can get ad views. I
| know that sounds too optimistic, what's the flaw in it? Google
| will use its monopoly on a few things to push it, I'm happy to
| move away from gmail and I don't use Google search anyway. What
| other practical changes will there be?
| EGreg wrote:
| _My web browser (currently Mozilla Firefox running on Debian
| GNU/Linux, thank you very much) will never cooperate with this
| bizarre and misguided proposal. And along with the rest of the
| free software community, I will continue working to ensure we all
| live in a world where your web browser doesn't have to either._
|
| That depends on Mozilla. As long as our software comes from
| corporations, we will just be reduced to begging.
| 1vuio0pswjnm7 wrote:
| "By analogy: right now, you can tell your browser to change its
| User-Agent string to anything you want."
|
| You can also choose not to send this header. By default I do not
| send it. The RFCs do not require it^1 and very rarely do I find
| sites that do. When I do find such sites,^2 I just add them to
| the proxy config so that a UA is added on the way out. Almost
| invariably these sites will accept a made-up UA, so long as it is
| well-formed, which is interesting.^3 It suggests no one knows
| what new UA strings will appear.
|
| The origin of changing the User-Agent header dates back to one of
| the earliest browsers, written in part by a well-known Silicon
| Valley VC.^4 It was always possible for the user to control HTTP
| headers such as UA and the designers knew it. Later in the
| "browser wars" Microsoft changed its UA header to match
| Mozilla's.^5
|
| 1. https://towardsdatascience.com/the-user-agent-that-crazy-str...
|
| 2. For example, www.federalregister.com and sec.gov.
|
| 3. Many users want to "blend in" and use common strings so perhaps
| use of made-up strings remains largely untested.
|
| 4. https://raw.githubusercontent.com/alandipert/ncsa-mosaic/mas...
|
| 5. https://webaim.org/blog/user-agent-string-history/comment-pa...
| https://humanwhocodes.com/blog/2010/01/12/history-of-the-use...
|
| As for WEI, I'm inclined to think that the terms "abuse" and
| "fraud" in the spec may actually refer to ad fraud, including
| potential fraud by Google itself in marketing its ad services
| because it hides the true extent of ad fraud from its customers.
|
| People who like to access the web with uncommon TCP/HTTP clients
| may not be a significant problem. There are no details given in
| the spec about this alleged "fraud"; perhaps that's intentional.
| Although by being vague in the spec, real humans that prefer not
| to use popular browsers may jump to conclusions.^6
|
| It could be that we're on the cusp of exposing the true extent of
| ad fraud with respect to Google, and the ultimate unworkability
| of Google's core "business" (selling ad services). Perhaps Google
| believes its advertiser customers could begin to lose trust;
| maybe direct more ad spend to Apple.
|
| 6. Some pre-spec discussion:
| https://groups.google.com/a/chromium.org/g/blink-dev/c/Ux5h_...
| theteapot wrote:
| In other words, Google earnestly believes your browser belongs to
| them and you're just using _their_ tool. They're not really wrong
| either. What'd we think would happen when Google (an ad company)
| dominated browser market share ...
| Aerroon wrote:
| If it belongs to them, then they assume legal liability for
| everything my browser does, right?
| jacquesm wrote:
| Google is edging towards believing that the internet belongs to
| them.
| userbinator wrote:
| I suspect they already believe that.
| slimsag wrote:
| I suspect they're largely correct about that, sadly.
| okasaki wrote:
| That attitude should have been apparent from the fact that you
| can't even change the new tab page, and a thousand other
| things.
| greyface- wrote:
| You can change the new tab page via extension. E.g.
| https://chrome.google.com/webstore/detail/empty-new-tab-page...
| Georgelemental wrote:
| There is no right to lie. There is a right to remain silent. That
| is what "Web Environment Integrity" threatens.
| greyface- wrote:
| There is no right to remain silent in the United States. Courts
| can compel testimony.
| reaperducer wrote:
| _There is a right to remain silent. That is what "Web
| Environment Integrity" threatens._
|
| Google's WEI doesn't threaten your right to be silent.
|
| Based on Google's previous behavior, if your web site doesn't
| go along with its plan, it will be more than happy to
| silence/delist/derank it.
| belthesar wrote:
| That's the thing though. Even though Google's search quality
| has diminished, and they attempt to enforce things like WEI
| or other abjectly terrible things, they remain the market
| leader in search, and this threat still holds a lot of
| weight. The amount of inertia to go against this change feels
| Herculean, and I'm honestly not sure how we would go about
| educating the vast majority of the Internet's user base to
| care about it.
|
| Sure, as the technologists we are, we can see just how
| dangerous this can be, and why it's offensive to even
| consider. Without getting the masses on board though, we're
| pretty outmatched and outgunned.
| pravus wrote:
| You need to include the first phrase. It is the right to lie
| that is being threatened.
| throw7 wrote:
| > There is no right to lie.
|
| Tell that to the police.
| quailfarmer wrote:
| I disagree, you have the right to set your user-agent to
| anything you'd like, or nothing at all.
| rolph wrote:
| I found a page with some helpful suggestions for user-agent
| strings that could be adopted by default, ideally at
| ^scale^.
|
| Google Crawlers and User Agent Strings - 2023 List
|
| https://www.stanventures.com/blog/googlebot-user-agent-strin...
| rileymat2 wrote:
| I am not sure where you are getting this as a right, because
| things like fraud are illegal. It might be good policy but
| where is the right?
| quailfarmer wrote:
| Agreed there is no explicitly enumerated right, but in the
| context of computing, it is not illegal for a computer to
| transmit "untrue" information. Fraud is a significantly
| higher bar. I am not a cyber-lawyer.
| emacsen2 wrote:
| [dead]
| aionaiodfgnio wrote:
| [dead]
| aionaiodfgnio wrote:
| [dead]
| jtbayly wrote:
| Actually, it's not a right to remain silent that is threatened.
| It's a threat to refuse to let anybody else speak to you or you
| to anybody else unless you first give Google enough info that
| they can silence you.
| seo-speedwagon wrote:
| I figured I'd take a minute to try and find the proposal itself,
| so I could see what the proponents considered the virtues of this
| to be.
|
| https://github.com/mozilla/standards-positions/issues/852
| https://github.com/RupertBenWiser/Web-Environment-Integrity/...
|
| I stopped reading after the explainer's intro section. The first
| example is making it easier for websites to sell ads (lmao) and
| the other 3 are extremely questionable as to whether the proposed
| remedy even helps. And it's presented as a benevolent alternative
| to browser fingerprinting, as if we must choose between these two
| awful choices. It's an absolute joke of a proposal.
| liveoneggs wrote:
| I think the fundamental disconnect here is that Google's view of
| "user" is a "Chrome/Android User Who Shops from SERP Pages" --
| google makes money vs the more nebulous "user" of "the (open)
| web" which is probably only understood by a few people who were
| alive in the pre-web world (people 35 and older who were also
| online).
|
| Google does not care about the latter and only wishes to make more
| money from the former. Google has a clear and blatant monopoly
| position over ad-based web monetization so _most_ of the web will
| follow Google's will. We all need paychecks. The group of old
| farts who saw the world change are growing older and irrelevant.
|
| I am extremely pessimistic about the future of "the (open) web"
| as the vehicle of our modern low-friction economy as these
| corporate gatekeepers (Google and Microsoft) are making such big
| wins recently.
|
| Good luck out there. The World Wide Web (old school) and Old
| Fashioned HTTP+HTML are under grave threat from carpetbaggers.
| amlib wrote:
| Is there any chance of a hard fork? What about, let's say, a
| web 1.1 where we intentionally remove all the fancy new web
| APIs and mostly revert back to what we had in the late 90s?
| Sure, things like video support can remain but all the crazy
| stuff for building web apps would go away. Let the current web
| rot away under its corporate overlords and then, maybe, we can
| have the fork go back into being a fun way of publishing and
| sharing information.
| pravus wrote:
| > Is there any chance of a hard fork? What about, let's say,
| a web 1.1 where we intentionally remove all the fancy new web
| APIs and mostly revert back to what we had in the late 90s?
|
| Sure. It's really just a matter of mass appeal. We could fork
| the existing browser base and eliminate the new attestation
| API. Some projects are already doing this from what I
| understand.
|
| What will keep attestation from being used is websites will
| lose business if their customers can't access the site. We
| went through this with user-agent string checking in the
| 90's/00's when IE and Netscape/Mozilla were at war and every
| site had a very strong opinion on which browser they would
| support. Even today you occasionally see sites that will hit
| you with "unsupported browser" errors if you aren't running a
| specific version of something.
|
| The solution to this was everyone realized they were throwing
| money away by excluding a large portion of their customer
| base. At the time no single browser really dominated the
| market share so it was easy to see that an IE-only site was
| losing 33% of internet traffic. These days everything is
| basically chrome-based so this hasn't been as much of an
| issue.
|
| So in the future we'll see this same thing. Non-attestable
| browsers will be locked out of attested sites and it will be
| a numbers game to see if sites want to risk losing these
| customers/viewers.
|
| At the end of the day, you have to remember that everything
| on the web is just a TCP socket and some HTTP which is a
| flexible text protocol. We can build pretty much anything we
| want but it takes inertia to keep it going.
| airstrike wrote:
| I'm down. Sign me up.
| afandian wrote:
| Here you go.
| https://en.m.wikipedia.org/wiki/Gemini_(protocol)
| floren wrote:
| "http get but we chopped off the low order byte of the
| return code" is not sufficient or necessary to
| implementing a non-Googlized web.
| charcircuit wrote:
| Nothing is stopping you from just not using new features in
| your website.
| userbinator wrote:
| The problem is convincing everyone else to do the same,
| especially against Google's propaganda and the accompanying
| mob of rabid trendchasing web developers.
| xeonmc wrote:
| A wasm-only web perhaps?
| meindnoch wrote:
| I think you're going in the opposite direction, my friend.
| bobajeff wrote:
| >Is there any chance of a hard fork?
|
| I would like to think so but as someone who's tried to hack
| on the chromium codebase I'd say it's easier to make a new
| browser from scratch than to figure out how to make
| meaningful changes to chromium.
| derefr wrote:
| Have you tried the dark web? For the sake of anonymity,
| everyone has Javascript disabled when browsing Tor hidden
| sites -- so such sites must be designed to conform to web 1.1
| principles.
|
| It's actually a very interesting frontend platform to design
| for, because you don't get any Javascript support, but you
| get full modern CSS support.
| toyg wrote:
| That's the original vision of hypermedia: cross-linkable
| book pages that can express metadata about their content
| while maintaining flexibility in their visual output.
|
| I never thought I'd say this, but HTML4, with all its
| billions of warts, was a pinnacle of this vision. Later
| developments swung too hard towards an excessively
| content-focused vision first (XHTML, the "semantic web"), and then
| swung all the way in the opposite direction, turning web
| protocols into dumb pipes for the general-purpose VM
| runtime that modern JS/HTML engines have become.
|
| Unfortunately, the industry always, always wanted this
| runtime. Plugins, applets, ActiveX -- people just refused
| to accept basic form-based interaction. DarkWeb properties
| accept it only because doing otherwise would be too
| dangerous, in the same way people don't wear jewelry when
| going through a ghetto.
| echelon wrote:
| > Is there any chance of a hard fork?
|
| The only hope is anti-trust breakup of Google. Chrome has to
| be pried forcefully from their hands.
|
| We should launch massive campaigns not just in the US, but
| also Europe and other critical markets.
|
| We shouldn't back down even if they abandon WEI. They'll just
| keep trying as they have with AMP, Manifest v2, WHATWG [1],
| etc.
|
| Google can never be allowed to build browser tech so long as
| they control search.
|
| The web must remain open.
|
| [1] WHATWG took unilateral control over the HTML spec. They
| abandoned the Semantic Web, which had led to RSS, Atom, etc.,
| and would allow documents to expose information you could
| scrape and index without Google Search. Google wanted
| documents to remain forgiving and easy to author (but messy,
| without standard semantics, and hard to scrape info from)
| underlipton wrote:
| There are multiple platforms trying to provide this
| (neocities most prominently, mmm.page most recently, various
| others that occasionally get posted to HN). Of course, we
| don't need a platform; we need a culture, and infrastructure,
| and protocols, and some balance of organization and search.
| And have it all not sitting on Amazon's servers. And a way to
| pay for the parts people can't or won't provide for free.
|
| I want to see it; I don't know the path there.
| ranting-moth wrote:
| May I suggest something like "Enterprise Environment Integrity".
| How does the public know that the enterprise (i.e. google) it's
| dealing with is healthy?
|
| The public should have an entity that will receive detailed
| attestation data to assess that. Failing the attestation will
| revoke business permit along with an announcement.
| jacquesm wrote:
| > How does the public know that the enterprise (i.e. google)
| it's dealing with is healthy?
|
| Because they will pinky promise.
|
| I find it funny that for some reason companies get the benefit
| of the doubt when it comes to dealing with data in a
| responsible manner. Yes, it's possible that they do. But it is
| also possible that they don't and no matter what they say in
| public that's just words, it doesn't prove anything about what
| is really going on and that's before we get to honest mistakes.
|
| There is simply no way to be sure, all you know is that once
| you transmit data to any other host on the internet that it is
| quite literally out of your hands whether or not that data will
| one day show up elsewhere.
| mschuster91 wrote:
| > Because they will pinky promise.
|
| It goes a bit deeper than that. Many companies these days
| "choose" to get certified under a variety of standards (the
| most common one is ISO 27001), everyone who hasn't been
| completely ignorant is looking for or already got
| cybersecurity insurance and on top of that comes the entire
| GDPR saga. Basically, you got three levels of auditors that
| at least make sure the _basics_ are covered, and on top of
| that come industry specific requirements such as TISAX [1],
| US SOX Act compliance or whatever AWS had to go through for
| GovCloud.
|
| [1] https://en.wikipedia.org/wiki/Trusted_Information_Security_A...
| charcircuit wrote:
| It doesn't matter to the public. Each site chooses what
| attestors it trusts and the site can keep track of how useful
| that signal is. If the signal turns out to be useless the site
| doesn't have to use it for anything or can stop collecting it.
| thesuperbigfrog wrote:
| "If your computer can't lie to other computers, then it's not
| yours."
|
| This fundamentally comes down to "do you really control your
| computer, or does someone else?":
|
| https://youtu.be/Ag1AKIl_2GM?t=57
| perihelions wrote:
| And also (this one was written in 2002!)
|
| - _"Who should your computer take its orders from? Most people
| think their computers should obey them, not obey someone else.
| With a plan they call "trusted computing," large media
| corporations (including the movie companies and record
| companies), together with computer companies such as Microsoft
| and Intel, are planning to make your computer obey them instead
| of you. (Microsoft's version of this scheme is called
| Palladium.) Proprietary programs have included malicious
| features before, but this plan would make it universal."_
|
| https://www.gnu.org/philosophy/can-you-trust.en.html
___________________________________________________________________
(page generated 2023-07-30 23:00 UTC)