[HN Gopher] Web Environment Integrity has no standing at W3C; un...
___________________________________________________________________
Web Environment Integrity has no standing at W3C; understanding new
W3C work
Author : TangerineDream
Score : 135 points
Date : 2023-08-11 20:30 UTC (2 hours ago)
(HTM) web link (www.w3.org)
(TXT) w3m dump (www.w3.org)
| [deleted]
| bryanlarsen wrote:
| w3c is completely irrelevant. https://whatwg.org/ is the
| functional keeper of the standard.
| tw061023 wrote:
| My understanding is that WHATWG doesn't govern standards at all
| - it basically documents what browsers are doing at the moment.
| So when Google rolls WEI in a Chrome update, it will become a
| WHATWG "standard" automatically. Is that correct?
| Eduard wrote:
| https://news.ycombinator.com/context?id=36882166
|
| W3C is not only about HTML, JavaScript, and CSS.
|
| https://en.m.wikipedia.org/wiki/World_Wide_Web_Consortium#St...
|
| E.g., I don't see WHATWG contributing anything of relevance
| regarding web accessibility, whereas W3C takes care of
| accessibility with WAI-ARIA and WCAG.
| seabass-labrax wrote:
| The W3C is relevant in multiple critical areas of the Web. Just
| to name a few topics where W3C is the primary venue for all
| standardisation efforts:
|
| - Accessibility
|
| - Authentication
|
| - CSS
|
| - Self-Sovereign Identity
|
| - Virtual Reality
|
| - Linked Data
|
| - XML
|
| I wrote a comment about the W3C's relationship with WHATWG a
| few days ago: https://news.ycombinator.com/item?id=37052428
|
| If you do nothing else, please pass your eyes over the list of
| W3C Recommendations and other publications on standards track:
| https://www.w3.org/TR/
| anotherhue wrote:
| This matters about as much as the US defying the UN. Chrome needs
| to be spun out.
| troyvit wrote:
| Heh, yeah or the UN defying anybody who is a member of their
| own security council.
| dragonwriter wrote:
| Considers who was on the other side of the military conflict
| in which the first, only, and still active UN military
| command was involved as a direct party and...
|
| Not sure I understand your point.
| HideousKojima wrote:
| China at the time referred to the Republic of China, i.e.
| Taiwan. And the USSR's delegation to the UN was boycotting
| the UNSC entirely (and immediately began using their power
| to prevent any further UNSC resolutions regarding Korea
| being passed as soon as they stopped boycotting).
| nerdponx wrote:
| Has there ever been an anti-trust suit on the grounds that an
| actor is using their market dominance to subvert a standards
| process/body? Is there any legal precedent or standing for such
| a thing in the US or elsewhere?
| TheAceOfHearts wrote:
| I don't think web standards work that way. Often times we'll
| see things get deployed and implemented before they become
| standards anyway. And it's not as if W3C has any authority.
| But even if W3C had any authority, Google and Apple would
| just pay off every seat.
| warning26 wrote:
| I like the idea of spinning Chrome out, but how would that work
| in practice?
|
| Seems like making a browser isn't profitable at all, and so the
| hypothetical Chrome Browser Corporation would probably quickly
| turn to evil tracking schemes as well.
| jwells89 wrote:
| If Blink and Chrome were to be spun out, it should probably
| be into something like a non-profit organization funded by
| sponsors, with a model similar to that of Blender. The only
| difference is that given Blink/Chrome's dominance, it'd be
| necessary to bar Alphabet and other companies with
| overwhelming power in web tech from becoming sponsors to help
| prevent conflict of interest.
|
| This could have the effect of normalizing corporate
| investment in FOSS web engines and browsers, which could
| benefit Mozilla as well.
| wolpoli wrote:
| The hypothetical Chrome Browser Corporation will likely
| become like Firefox, trying not upset whoever gives them a
| search deal.
| anotherhue wrote:
| Just so we're on the same page, it has some precedent
| https://en.wikipedia.org/wiki/Browser_wars
| user982 wrote:
| _> This matters about as much as the US defying the UN._
|
| Are those accidentally reversed?
| bryanlarsen wrote:
| No. The US regularly defies and ignores the UN with no
| consequences. One example is that the US doesn't recognize
| the International Criminal Court.
| bawolff wrote:
| The ICC is independent of the UN. Also its treaty based so
| you have to consent to its juridsiction at least once (or
| have the UN security council give it juridsiction) so of
| course there are no consequences for countries that haven't
| signed up. Anyways this is a really bad example (you are
| probably trying to reference invade hauge act, but even
| still that doesn't fit.
|
| US does ignore UN in other ways, but the ICC isnt an
| example of that.
| user982 wrote:
| Right. So the _US defying the UN_ matters in terms of real-
| world effect, but the _UN defying the US_ doesn 't.
|
| In the analogy here, wouldn't the W3C be the UN defiantly
| making toothless proclamations that Chrome (the US) can
| simply ignore? That would be my understanding of it, since
| "mattering about as much" implies not mattering at all.
| anotherhue wrote:
| https://en.wikipedia.org/wiki/American_Service-
| Members%27_Pr...
| mkl95 wrote:
| So? Since W3C approved DRM, any self respecting user should
| struggle to take them seriously.
| yjftsjthsd-h wrote:
| Surely it's the other way: an organization that approved DRM
| pumping the brakes implies that the thing in question is
| remarkably bad
| nilshauk wrote:
| Ok so Google ignores W3C on WEI.
|
| But could someone else create a W3C proposal that could
| counteract WEI? It wouldn't have to implementation-specific but
| rather one or more principles drawing a line in the sand that
| shouldn't be crossed like what WEI is built to achieve?
| ISV_Damocles wrote:
| Not with a "White Hat" on, I think.
|
| If a user who is not you uses a browser using WEI (implicitly
| approving of this attestation tech) and connects to a website
| that uses WEI, that's entirely up to third-parties and there's
| nothing _legal_ that you can do.
|
| The most you can do is protest this with:
|
| 1. Using a browser without WEI or with WEI disabled.
|
| 2. Modifying your own site to talk the WEI protocol but for any
| browser that _can_ talk that protocol, you ban the user from
| using your site (or redirect them to a site explaining how WEI
| is DRM of the entire internet, etc)
|
| Moving beyond White Hat to Grey Hat and Black Hat, you get
| things like:
|
| 1. Modifying your own hosting company to apply this WEI-
| blacklisting mechanism to your clients' websites.
|
| 2. Convincing (or "convincing") owners of core backend
| libraries in popular programming languages to introspect
| connections and blacklist WEI-compatible browsers.
|
| 3. Take advantage of XSS vulnerabilities to interfere with WEI
| operations on other tabs within the same browser on the user's
| machine if they happen to be using your website.
|
| 4. Take advantage of vulnerabilities in the WEI protocol to
| corrupt the underlying attestation system so it fails to
| function in all future WEI requests for that physical machine.
|
| 5. Hack/Crack attestation system security and publicly release
| the keys, making any hardware using that version
| suspicious/blacklisted by users of WEI.
|
| 6. Probably some other things I haven't thought of, but as you
| can see they quickly go from dubiously legal to straight-up
| illegal. It would be best to nip WEI in the bud before such
| measures are deemed necessary.
| thatcherthorn wrote:
| WEI would be super valuable if it was targeted at corporate
| network infrastructure.
|
| In those situations, enterprises have the jurisdiction and need
| to know who is connecting to their network.
|
| Putting a technology like this into a browser seems to only
| benefit sites that monetize their content...
| InTheArena wrote:
| I'd believe this- if it were not for the fact that Google is
| ignoring the W3C across the board. This includes privacy sandbox
| (fledge) and topics (floc) as well. Google can come up with good
| reasons why something that has negative impacts on the entirety
| of the ecosystem (except them), because it always ends with
| Google in a stronger position
| madeofpalk wrote:
| It's not really that Google is ignoring the standards process.
| It's that the process involves a feature-flagged shipped
| implementation before it can be a part of the standard.
|
| The only way for FLoC to become a standard is for them to do
| exactly what they're doing now - opt in/feature-flagged
| evaluation.
|
| Of course, Google could continue to ignore the standards
| process and just make this generally available in their browser
| even if it doesn't become a standard.
| tptacek wrote:
| What's there to believe? Standards follow implementations. The
| W3C aren't the browser police; they just standardize the
| interoperable things browsers do.
|
| It's not W3C's (or WhatWG's) role to "oppose" random things
| browser vendors decide to do.
| btown wrote:
| The W3C's draft vision statement [0] clearly states:
|
| > Aim to reduce centralization in Web architecture,
| minimizing single points of failure and single points of
| control.
|
| IMO it is entirely in scope for, and part of the
| responsibility of, the W3C to introduce a specification that
| _explicitly forbids_ user agents from implementing Web
| Environment Integrity or any similar system as currently
| drafted.
|
| One might say that the members' conflicts of interest make it
| likely that they will abdicate this responsibility, but that
| doesn't make it any less their role!
|
| [0] https://www.w3.org/TR/w3c-vision/#principles
| colordrops wrote:
| Maybe it should be their role. Arguably, things like browser
| standards are as important to society as electrical or
| network standards.
| bawolff wrote:
| _shudders in xhtml_
| PaulHoule wrote:
| I wrote postal letters to the FTC, the president, my
| senators and congressman telling them to investigate WEI as
| another monopoly move on the part of Google and highlighted
| that _the FBI_ says you should use an ad blocker.
|
| You should too.
| tptacek wrote:
| The letter to the FTC might do something, in a
| statistical sense, if they're already tracking the
| correspondence they're getting because this issue is in
| their purview. The other letters are a waste of paper and
| ink.
| PaulHoule wrote:
| See
|
| https://www.ftc.gov/about-ftc/bureaus-offices/bureau-
| competi...
|
| for the FTC's contact information
| tptacek wrote:
| It can't be their role. Standard organizations enjoy no de
| jure authority at all. The most they could possibly do is
| certify all the other "complying" browsers as
| "W3C-approved", and nobody cares who doesn't already care
| about the particulars here.
| [deleted]
| Analemma_ wrote:
| Maybe, but it's a moot point, because there's no way to get
| from here to there. If the browser vendors want to add a
| standard, they will; and if they don't, they won't. On one
| or two prior occasions the W3C has proposed something that
| the browser makers didn't like, they unanimously told the
| W3C to go pound sand, and that was the end of it.
| Semaphor wrote:
| But then you'd also need a world police who enforces that.
| colordrops wrote:
| Who enforces electrical and network standards? Those
| don't require world police.
| wnevets wrote:
| > Maybe it should be their role.
|
| Who would grant them such a authority and how would it be
| enforced?
| tedunangst wrote:
| Can't wait for the FBI to bash in my door for running
| curl because it fails to meet established legal criteria
| for browser operation.
| TheAceOfHearts wrote:
| The W3C had their chance in the early 2000s and they
| hyperfixated on XML nonsense while browser and web
| evolution stagnated. I'm not saying that the status quo is
| perfect, but if we want W3C to try again then we should
| make sure we don't run into the same issues 20 years ago.
| wackget wrote:
| > It's not W3C's (or WhatWG's) role to "oppose" random things
| browser vendors decide to do.
|
| Then why are they making standards in the first place?
|
| They're already deeply involved in the operation of browsers;
| they are practically morally obliged to object to things
| which could harm the Web.
| shadowgovt wrote:
| For the same reason people write dictionaries.
| 9dev wrote:
| Im not sure whether that example supports your point. The
| Oxford dictionary is essentially an authority on
| spelling, and their editors and councils definitely have
| weight in debates on the proper spelling of things.
| [deleted]
| [deleted]
| hangonhn wrote:
| Wait. No. The OED is descriptive of English (UK only?)
| but is not prescriptive. They don't tell people what to
| spell or what they need to mean. They describe the
| spelling and meaning as it is being done. This is why
| there are new words that get added every year. It's not
| as if OED sit around and think of new words.
|
| I'm not arguing if the OP is right or not but I don't
| think the OED example is correct.
| umanwizard wrote:
| The OED is definitely not UK only.
| jonathankoren wrote:
| It's just a bad example. The Oxford Dictionary is just a
| publication of Oxford University Press. A popular one
| perhaps, but fundamentally no different than a Webster's,
| or even say a Random House. Even giving it authority as a
| speller is suspect, since as an American, I can say with
| confidence that Oxford doesn't know how to spell.
|
| A better example would be a language academy, however
| English has never had a language academy, unlike French
| or Spanish, resulting in it being a stubbornly
| descriptivist, rather than prescriptivist phenomenon.
| dragonwriter wrote:
| > Even giving it authority as a speller is suspect, since
| as an American, I can say with confidence that Oxford
| doesn't know how to spell.
|
| The OED, in my experience, covers the varieties of
| English spelling quite well, and if you want no
| distractions as an American but can deal with less
| extravagantly complete coveraged, you can always use the
| OAD.
|
| Oxford seems to know how to spell quite well.
| umanwizard wrote:
| That's not really true. The OED is a
| historical/scientific work. Its goal is to describe the
| English language, not to influence it. Things are not
| described as proper or improper in the OED, though they
| may of course be described as colloquially, nonstandard,
| regional, etc., which are not value judgments. A lot of
| words, especially the ones that have been around for a
| while, have absolutely _tons_ of variant spellings
| listed, most of which a normal literate modern person has
| never heard of.
|
| Source: I have an OED subscription and look at it
| regularly.
| seabass-labrax wrote:
| If you like what the W3C is doing for the privacy, accessibility
| and openness of the Web, you can become a W3C participant. Upon
| finding a W3C Working Group[1] to which you think you could
| contribute, you can send an email to the address of that WG's
| 'Staff Contact' explaining how you think you could help. If the
| Chairs and the Staff Contact agree, they will ask you to join as
| an 'Invited Expert' (IE). This does not confer voting rights but
| grants you access to the meetings, relevant Git repositories etc.
| You'll need to sign a licensing agreement allowing the W3C to
| freely publish your contributions.
|
| I say this because, at first glance, it seems like the only
| stakeholders with any influence are W3C Members. The reality is
| that W3C is very open to contributions from individuals, but just
| has had a constitutional framework that makes things slightly
| more complicated for individuals, a situation which they are
| deliberately improving.
|
| As for myself, I'm an IE for the W3C in the Linked Data area, so
| whilst of course I do not speak for the W3C, I would be more than
| happy to answer questions here on HN about how the W3C works.
|
| [1]: https://www.w3.org/groups/wg/
| [deleted]
| candiddevmike wrote:
| The browsers keep circumventing them, so the W3C seems more
| ceremonial than a real standards body. In an ideal world
| something like the W3C would own Chromium, but alas...
| hanniabu wrote:
| It'd be nice if there were a consortium of organizations that
| maintained a fork of Chromium, such as W3C, Brave, Edge, Opera,
| Vivaldi
| paulmd wrote:
| As long as google gets to use its monopoly to push chrome-by-
| default on its platforms while breaking open safari, none of
| that matters. The council of neckbeards representing 2% of
| browser share is as relevant as polling slashdot opinions, in
| terms of actual effected change on the world.
|
| When those neckbeards represent 50-60% of total web traffic
| their opinion might matter. Marketshare is power and in
| realpolitik power is all that matters. The tech world is
| littered with the remains of the companies that made
| principled stands, google and Microsoft are where they are
| for a reason and it's not because of their overriding morals.
|
| Right now google has >80% of traffic and now that they have
| pried safari open that number is gonna climb. Their opinion
| is literally the only one that matters - what are you gonna
| do, _not use google products?_
|
| if google wants to fight they'll win, have fun getting into
| your gmail account if they require attestation. What are you
| gonna do, _not_ use email? Change your whole internet
| identity to not run on google? Gmail is effectively email,
| and small mailservers are fundamentally broken on the modern
| web. Even for things like outlook.com they could require that
| other mailservers provide the attestation used to send it and
| lock people out of gmail _entirely_.
|
| It's game over, the apple sideloading case swept away the
| last resistance to chrome monoculture, and google already
| runs a supermajority of the other web services that matter.
| This is google flexing their muscles now that they know
| they're utterly unopposed. But unfortunately the EU is way
| more concerned with outlawing the lightning port and
| mandating 2000s-vintage removable battery phone designs than
| actually fighting a monopoly using its monopoly power to
| leverage abusive behavior in related market segments to the
| detriment of consumers.
| __MatrixMan__ wrote:
| A suite of tests might be better: point them at a candidate
| browser and they'll tell you which naughty and which nice
| features that browser supports.
|
| Then point the other half of the test suite at a candidate
| site and get a similar list of naughies and nices.
|
| Conscientious technologists of the world can then refuse to
| support browsers or sites that test naughty.
|
| This is my attempt to avoid preaching to the choir. Market
| share wise, only a tiny slice would opt into the non-evil
| browser. But it's that slice who also makes things work for
| the rest of the world, so:
|
| > it's out of my scope of support unless it passes these
| tests
|
| Might impact a wider audience.
| jefftk wrote:
| _> A suite of tests might be better: point them at a
| candidate browser and they 'll tell you which naughty and
| which nice features that browser supports._
|
| Perhaps we could have a suite of Web Platform Tests? And we
| could host them at https://wpt.fyi ?
| throw_m239339 wrote:
| That's symbolic but important. I wish the W3C had the same
| resolve with EME.
| tiffanyh wrote:
| Does the W3C have any influence anymore?
|
| I thought it lost some of it's influence, but can't recall why.
| t3rabytes wrote:
| At this point I don't think it matters -- if Google wants to do
| it, they'll do it. :/
| DaiPlusPlus wrote:
| And Google wanted WebM to happen and for people to pay full-
| retail price for rented games.
|
| Google isn't (yet) big enough to force it through: given iOS
| marketshare in the US it means web-app devs won't (can't?) do
| anything unless both Apple and Google adopt it (yes, there are
| plenty of Chrome-only websites, and Safari has been slow to
| adopt new web-standards, especially when they begin to tread on
| the toes of Apple's App Store (PWAs, WebUSB, etc).
|
| ----
|
| That said, I am sympathetic to the reasons why orgs like banks
| want things like remote-device attestation (and am less
| sympathetic to the likes of the MPAA, etc) - it is unfortunate
| that better ideas are hard to come by.
| jsnell wrote:
| Apple have already been shipping an equivalent attestation
| mechanism in Safari for a year.
| DaiPlusPlus wrote:
| Safari's support for WebAuthn does not include support for
| "direct attestation", if that's what you're referring to.
|
| EDIT: Or do you mean "Private Access Tokens"? I just found
| out about this now and wow... looks like I've got some
| reading to do, but so-far it seems far more limited in
| scope than Google's version, and doesn't seem like it can
| be used to fingerprint visitors between sessions either. (
| https://httptoolkit.com/blog/apple-private-access-tokens-
| att... )
| jsnell wrote:
| I indeed mean PATs. They are not more limited than WEI in
| any meaningful way. Both could in principle attest
| anything. Both claim they are meant to attest only
| certain kinds of properties. They would be just as useful
| (or useless) for fingerprinting.
| tw061023 wrote:
| Apple doesn't have a monopoly on the web ad market, and
| thus this is kind of irrelevant - they aren't forcing this
| down everyone's throat.
|
| Though I cannot help but wonder why exactly they did that.
| Some kind of a corporate requirement?
| jsnell wrote:
| So, first of all, the entire point of the GP was that
| Apple would be slow to implement this. Clearly that is
| not true.
|
| But also JFC, it is amazing how the moment it is pointed
| out that Apple is already doing a thing that they've been
| railing at, and the reaction shifts from outrage to
| basically "I wonder what amazing and important reason
| they have for doing this" _and_ "nobody but Apple can
| possibly be allowed to benefit from this because
| monopoly".
|
| Apple's stated reason is exactly the same as Google's. To
| make a privacy-preserving anti-abuse signal for browsers.
| Apple need it because they are piping their best
| customers' traffic into what is basically an open sewer
| of IP reputation (Apple Private Relay), and need a way to
| avoid said customers giving up in disgust due to the high
| rate of captchas. Google need it because they want to
| remove all fingerprinting vectors, and need privacy-
| preserving replacements for legit use cases.
| crazysim wrote:
| WebM happened? Safari takes WebM now and Apple SOCs decode
| VP9 that's commonly used in them in hardware.
| tw061023 wrote:
| And we still have people crying Safari being new IE all the
| time. The remaining minor incompatibilities that we have now
| are nothing compared to what we had in IE6 days, and yes,
| this is the price we pay for not giving complete control of
| the web to a single ad company.
| troupo wrote:
| > Safari has been slow to adopt new web-standards, especially
| when they begin to tread on the toes of Apple's App Store
| (PWAs, WebUSB, etc).
|
| Many of those are not "new web standards". Those are Chrome-
| only non-standards, and Firefox agrees with Safari on most of
| them.
|
| As for PWAs, there's no such thing as a single PWA standard,
| and Safari has supported the vast majority of the PWA
| standards for years (but if you point that out, the goalposts
| of what constitutes a PWA shift faster than superheated
| plasma).
| AlexErrant wrote:
| I'd just be happy with Safari having a functional IndexedDB
| - an _old_ web standard.
|
| https://gist.github.com/pesterhazy/4de96193af89a6dd5ce682ce
| 2...
| DaiPlusPlus wrote:
| IndexedDB's API design is one of the worst I've ever seen
| (next to the original JS document.cookies "API")
|
| Fortunately, Safari does support OPFS (
| https://stackoverflow.com/a/71581910/159145 ) so provided
| you don't need all of IndexedDB's features and just need
| an async blob store for large blobs/files/etc
| (potentially gigabytes and beyond) then OPFS should work
| for you.
| tw061023 wrote:
| How critical that is, compared to WEI - and more broad
| problem adopting it entails, namely a single company
| basically dictating the whole web what it can and cannot
| do?
| threeseed wrote:
| Reading through that page it looks like a combination of
| Safari (a) prioritising privacy and performance and (b)
| not implementing draft specs. With a whole bunch of bugs
| that have already been fixed.
| goalieca wrote:
| Banks shouldn't care to authenticate the browser, they should
| care to authenticate the user. WebauthN is the solution there
| and is w3c
| threeseed wrote:
| > Safari has been slow to adopt new web-standards, especially
| when they begin to tread on the toes of Apple's App Store
|
| Cautious.
|
| Many of those web-standards e.g. WebUSB have significant
| security vectors and have been used in the past to
| fingerprint devices for advertiser tracking. Also many have
| impacts on battery life and performance.
|
| Whereas Chrome seems to be getting slower and bloated over
| time, Safari has remained fast and light-weight.
| jwells89 wrote:
| Not to mention that many of the things that the WebKit team
| has been reluctant to implement the Gecko team has been
| similarly reluctant about.
| jchw wrote:
| Why include WebM in that list? WebM is good.
| meragrin_ wrote:
| It is just an example that because Google makes it
| available and wants it to be used doesn't mean it will be
| used in any appreciable manner.
| skybrian wrote:
| This is true in the sense that Google is _running an
| experiment_ (an "origin trial") and they didn't need anyone's
| permission to do that. (None of the other browser vendors need
| to get permission to run an experiment either.)
|
| That's different from making it a web standard. They will want
| cooperation from other browser vendors (not random people on
| the Internet) for that.
|
| I doubt they'll make a serious effort at convincing anyone of
| anything until they decide what they want to do, which will be
| based on the results of the experiment.
| wkat4242 wrote:
| Well, outcry does help. It did manage to nip FLoC in the bud.
| ocdtrekkie wrote:
| Not really, it just got rebranded as the Topics API and is
| still, as far as I know, being pushed into Chrome.
| wkat4242 wrote:
| I don't really agree. Topics are materially different from
| FLoC. Especially in the way of moving it from a shady
| background activity into something the user can interact
| with.
|
| Also, nobody really gives a shit about it. WEI could break
| adblockers and that would be a huge issue.
| nerdponx wrote:
| I just got a topics intro popup on my work computer the
| other day. One of many many other reasons I'm happy I use
| Firefox at home.
| krono wrote:
| Eternal vigilance is the price of liberty.
| koromak wrote:
| Take a stance at least
| ramesh31 wrote:
| > Take a stance at least
|
| A stance to irrelevance, sadly.
|
| This was always the deal with the devil that W3C had; play ball
| with the vendors or get left in the dust.
___________________________________________________________________
(page generated 2023-08-11 23:00 UTC)