Don't. #28
Comments
|
This is DRM infrastructure for websites and fundamentally counter to an open web. So yeah, don’t. |
|
100% agree. This proposal offers far too many opportunities for abuse. The authors have clearly tried to mitigate this, but their measures are insufficient and always will be, because the underlying idea is flawed. Lets leave this one in the past - it will only ever cause more harm than good. |
|
Almost every reasonable use case of this proposal is something that makes the web worse for users. It opens another front in the War On General Computation, and continues the trend of web browsers ceasing to be user-agents, and becoming the property of the website owners. It's a straight-up attack on the open web. |
|
I would add myself to the points above, this is not a good idea and opens up so much potential abuse, and shutting out of marginalised groups who may not be able to use the latest version of a program. The world is also dividing along ideological lines that could see this used to perpetrate a shutdown of information to a select few. tl;dr Don't |
|
Please just withdraw this horrible idea. |
|
Have you lost your fucking minds? DRM never was and never will be a good idea. Just stop. |
|
No. Either no one else than you can build browser engines anymore, or this won't work anyways. |
|
The entire premise of this proposal is completely flawed. To quote the authors,
If the security of your web service depends on a specific client environment, your web service is designed wrong. Period. If something is security-critical, you should not ever delegate that computation to client side and you should not ever blindly trust any client-side input, even if you can attest to any digital signature from the client. Are you sure you are going to be able to maintain an up-to-date list of all the vulnerabilities of all "trusted" clients? And how are you going to mitigate all of them in time? Even with Android, a lot of known vulnerable devices are still "trusted" under SafetyNet / Play Integrity. The only way for any service to be secure is to not trust client input blindly.
Your proposal has exactly nothing to do with whether a human user is interacting with the device. All you can ever do is attest to the fact that the client uses software with a signature trusted by the server. An automated program does not have to actually execute within this environment -- it can be a device outside of the control of the client-side operating system entirely. Are you then going to authenticate all peripherals connected to the device?
Let's make this very clear: the backbone of the open internet is the fact that any client from any vendor can access any website, as long as they implement all the open standards a given website / application depends on. By giving the ability to exclude certain vendors and users to operators of a website, you are destroying the open internet, not the other way around. |
|
^^ what they said. There is no compelling argument for any of this other than "policing the content/services I provide on the internet WITH humans, in order to maintain a productive service FOR humans, is expensive and I don't wanna; so lets add more complexity to an already complicated and impossible to understand/maintain tech stack and add even more hurdles a user has to go through rather than just sending a browser to a URL.." Plus if you add yet another thing I have to 2FA just to read the instructions on how to repair my dishwasher, I may start to get nasty. |
|
Hello! I'm hoping to help with potential workarounds, in case this issue is closed without action. In the United States it might be possible to request a workaround through the involvement of the United States Department of Justice Antitrust Citizen Complaint Center at https://www.justice.gov/atr/citizen-complaint-center — as observers have noted, if we end up with website DRM everywhere and whitelisted entries for browsers like Chrome and agents like Googlebot, the net effects will be radically anti-competitive. Please remember:
In the European Union you want the DG Competition:
|
|
"so preoccupied with whether they could, they didn't stop to think if they should" |
|
how about no TEEs in our phones to attest bootloader lock and SafetyNet (yes it's now Play Integrity) are already way too much |
|
When most ads are malware and most sites are not accessible out of the box, including Google sites, how will this API improve the browsing experience for real users? If your service trusts the client, you have failed as a developer |
|
Authors: Google, Google, Google and Google Maybe Google should play in it's sandbox rather than defining what Internet is? |
|
"what if the web sucked as hard as app stores do?" |
|
I would like to respectfully add my suggestion that Ben Wiser (Google), Borbala Benko (Google), Philipp Pfeiffenberger (Google), and Sergey Kataev (Google) all take this opportunity to engage a personal lawyer and seek legal advice, i.e. do not defer to the corporate counsel (Google), who may not have their best interests in mind. Antitrust law is real. Some violations are crimes. |
|
Oh wow, another Google attempt to lock out adblocking in the long run. Absolutely unsurprising. Knock it off. |
|
This, also quit your jobs at Google. |
This is a masterpiece of doublespeak, I have nothing but awe and congratulations for whoever pinched this one off. |
|
This proposal speaks a lot about trust, but seems not to realize that trust happens in multiple directions, often simultaneously. By locking a user out of changes - possibly even at the configuration level or installing extensions - to their browser, they can no longer trust the browser to behave with their interests in mind. It actively corrodes a user's ability to trust the browser to not spy on them, or perform other malicious behavior such as deleting data without consent. |
|
@RupertBenWiser writes about how frustrating it is to be locked out of your own hardware: http://benwiser.com/blog/I-just-spent-%C2%A3700-to-have-my-own-app-on-my-iPhone.html |
|
Don't be evil. This gets a rousing, unequivocal NOPE from me. I'm sure we all understand the challenges of servers fighting against attacks like DDoS and other issues, but in trying to mitigate against bad actors, we can't break the web in the process. |
@jaredcwhite They dropped that motto a long time ago. Google has accustomed itself to indulge in evil. |
|
This is pure, unmitigated evil. You're basically ensuring a monopoly for your platform. Each of you should be personally ashamed and likely banned from the industry. I will be the first person suing your company if you implement this, this is guaranteed to be illegal. |
|
This is very much a love letter to people who engage in phishing and as well as write malware as it makes their job a lot easier. |
I strongly agree. This is a blatant, willful violation of a bunch of antitrust laws. Remember that the VW engineers were the only ones who served prison time for the emissions scandal. |
|
I would feel deeply, personally ashamed to have my name associated with an idea as bad as this. |
|
Let's imagine this scenario: There is a search engine "A" and a search engine "B", both of which uses scrapers capable of executing javascript code. But the search engine "A" also happens to have some kind of involvement with attester entity called, for example, "Google Play". The question: what are the chances of attester entity to be more biased towards the scraper of the search engine "A", than search engine "B" when giving their verdict? |
|
Human-facing, client-side platform-state attestation won't and will never be used to secure the agency or well-being of a human. I'll put a thousand dollars down that everybody involved in drafting this spec uses an ad-blocker, without exception. And yet here you are trying to strip other people of the agency that you enjoy every day, to shelter a failing business model from inconvenient market realities like "people who don't like the product are allowed to not buy it". Is this the work you wanted to do? Was this the dream, is this the kind of engineer you wanted to be? Because you have agency too, you can still make choices about who you want to be and how you want the world to be different because you were in it, and maybe they can be better choices than this. |
|
I implore everyone involved in working on this proposal to read Phillip Rogaway's 2015 paper The Moral Character of Cryptographic Work and to think about what kind of world you want to live in. |
Everyone should also watch Cory Doctorow's speech on The Coming War on General Computing from 11 years ago that talks about this concept and it's detrimental effects to humanity as a whole. https://youtu.be/HUEvRyemKSg |
|
They're gonna do it, just like they did manifest v3, and you're not gonna do anything about it, just because they can. |
|
Apologies for my earlier snide remark w.r.t. comment deletion, at least one of those did deserve to be removed. I just have one more thing to add. Re-reading the proposal, there are multiple places where you point out several Very Bad Things that it could be used for. It appears that your entire plan for "mitigating" those possible uses is 80% "well we'll just tell people not to" and 20% "maybe we can just randomly not present the information sometimes so people can't rely on it?" and I think it's pretty obvious that neither of those will work. If it is possible for a technology to be abused for oppressive or abusive purposes, it will be. "telling people not to" (or pointing at "agreements"/"pledges" that companies have made, basically them saying "I swear I won't misuse this" despite being under massive financial pressure to take every single possible commercial advantage they can get their hands on) is laughable. Anything that involves intermittently not sending the attestation will just result in people seeing errors until they've mashed refresh enough times to trigger a fallback/failsafe, or begin an unending game of cat and mouse between the masking algorithm and enterprises seeking to bypass it. It is helpful to remember that under our current Western system of economics and government, every single publicly traded business is driven by a single goal: Provide a bigger number on the next quarterly return than the last one. Literally nothing else matters. Adding functionality with such massive potential for misuse and abuse, without any guard rails against abuse other than "we swear we won't uwu", is not even remotely close to good enough - and I fail to see any way this could be made to achieve any of the stated goals (goals I don't believe are remotely necessary or worthwhile, mind you, but that's beside the point) without it being possible to misuse. The only way to stop this technology from being misused is to not implement it in the first place. |
I found this interesting:
Source: |
|
Great so even the powerful Microsoft gave up on writing a web browser and went Chrome. Everything is Chrome, and now here comes the flex to lock us little people out. I understand that pulling up the ladder, and closing out people is a priority but wow just wow. I wonder if we will even be allowed to host web sites in this brave new world? I left blogger for a reason, namely that Google was beyond inept at running it. What happens when this standard gets pushed, and we get locked out, and this will become the IE6 of the 2030's forever locked us into some AOL land where we have zero freedom to use the open networks? If you wanted innovation, it should be leveraging AI to augment routing protocols, dns lookups, threat detection & mitagation. I'd love to see some Gibson-esque ICE. Instead all I see is the slamming wall of the 防火长城. I'd say I was sad, but I'd expect nothing more from an organisation shielding itself from the people, to protect the megacorps. Shame. |
I don't care about SJW "Codes of Conduct." They have no place in open discussions and should be abolished. Anyone in software laying out a "Code of Conduct" is contributing to the social cancer and should be exiled. Bullies like @scanlime [1] who would open project issues just to accuse people of "abuse" are precisely the reason that both "Codes of Conduct" and remote attestation are horrible ideas. Remote attestation in particular will be used to restrict and silence anyone who disagrees with the narrative of those who have access to the technology or the favor of the people controlling it. Even Google themselves admit upfront that this can and will be abused by bad actors.
|
Gonna be straightforward in this one. Don't be a coward and and dismiss your peers outrage as "spam". The level of outrage generated is a valid thing to consider, and deleting issues has never ever worked out for anyone PR wise. I'll also note that abusive comments supporting the proposal so far have stayed up. Just saying...
This is a pretty neat sleight of hand trick you've pulled off. Implicitly assuming that the constructive outcome is to improve the proposal. This is of course a bad response when the community consensus is that the proposal is fundamentally bad not in its methods, but in its stated goals.
Once again, the fundamental issue here is that nobody trusts Google. You can swear up and down that it's not a fait accompli, but it's not like we've seen Google use their market dominance to force through unpopular standards changes before. Part of the long term consequences of this loss of credibility is that any proposal like this is treated as a nine alarm fire because
These things would be obvious to you too if you stopped and listened to other people, rather than talking at us. |
|
Google has often proven untrustworthy. Thus, there's no reason to trust this proposal either. Sure you can claim all you want that "content blocking will still work!" but people clearly know what is up. Do the right thing: It's time to stop this madness just to get people to watch ads or destroy their privacy, for a quick buck. People also have right to their privacy and right to not connect their computer to addresses they do not wish to connect. Leaving a husk of "open" internet to future generations is not what anyone wants. It must be preserved as it is. You do not have to do anything. Or do you really wish your children's and their children's privacy to be invaded? That's the route we're on, once again. And why we're on that route? Because Google has a stranglehold of the internet. For other users of the internet, I hope that you will very least switch your browser from any chromium based ones. |
To a megacorp, children are slaves to be bred into good little worker bee CONSOOMERS. This entire "remote attestation" idea is peak corporatism. |
The proposal is crystal clear, anybody with the slightest experience in software development can clearly see what you are trying to do here. Have you noticed that you haven't got any defenders, under this issue?
Something that you are not willing to withdraw is not a proposal, and given your affiliation with Google it is already a fait accompli.
There is no higher quality feedback than this: show integrity and dump this. Expecting others to even assist you with your nefarious attempt does neither speak for your professionalism nor for your integrity. It just demonstrates that you have already made up your mind and will try to pull this off, at all costs. |
|
@jbruchon it undermines your attempt at taking the high road when you delete the post I was responding to and replace it to obscure the edit history. |
|
Is that whole thing a joke? If something like that gets implemented people will no longer keep dealing with it like it's nothing, a bloody revolution may be the only solution. So just don't implement this |
I don't care about "taking the high road." I care about the "open" part of "open source." You pretend to care until someone says something you don't like, then it's "rules for thee, not for me." If you don't like people seeing the shitty things you say then you're free to stop saying those things. People like you who make it impossible to agree on one thing while disagreeing with something else are the shining example of what I'm talking about in my previous comment. You want a codified method to rules lawyer anyone who disagrees with you out of anywhere you go and a big hammer to enforce it with. Remote attestation is a colossal magic banhammer that can be wielded over the Web. You pretend to be against it until someone disagrees, then it's all "this guy is why authoritarianism is needed, now hand me that banhammer for a minute." |
I'll just brow beat this a bit. If it's actually a proposal and not a fait accompli, by what mechanism would this be dropped @yoavweiss? Not modified, abandoned. Because if there is not a mechanism by which the entire proposal is scrapped then it is a fait accompli. Also, it sure looks like Google is already beginning to prototype this on Chromium. Which begins to call into question whether you're being dishonest or merely misled by your peers. |
So far all I've done is file an issue on your repo with a link to your (now deleted) comment. No bans, no censorship. You've deleted my issue and deleted your comment. I just can't figure out what angle i'm supposed to view your strawman from for it to make sense. |
@scanlime: Suggestion: Add "anti-code-of-conduct" to solidify this project's pro-abuse position (Issue #1) Also @scanlime: "All I did was file an issue and link to a comment!" I can't fix your issue. We can agree to disagree though. Have a great day. |
This is not my proposal. I'm here as chair to make sure this remains a professional working environment. I left open mostly the issues which I think the team working on this proposal should reply on. I closed the issues that were not actionable, spammy, and counter to the code of conduct, or ones that were duplicates.
Presenting unmitigated risks that outweigh the benefits of the anti-abuse use cases, and that go beyond the status-quo of device fingerprinting could be one way of convincing e.g. the Blink API owners not to approve this proposal when it reaches an Intent to Ship stage (quite a long time from now, as it's an early stage proposal).
Code for this is being prototyped in Chromium behind a flag. That means nothing regarding this feature shipping in the future. Lots of code gets prototyped in Chromium and then modified or scrapped when the feature changes course.
Let's keep this civil. |
"Diplomacy is the art of saying 'Nice doggie' until you can find a rock."
|
Well, the community sure seems to think that they've provided such unmitigated risks and they have credibly called into question the purported benefits. It'd be nice if the people supporting the proposal engaged with us. The idea that we have to wait until "Intent to ship" to weigh in seems to tilt the scales more than a tiny bit, don't you think?
Yes, it's also exactly what I'd do if I wanted to be able to ram a feature through ASAP the moment it was green lit. Again, we've seen google do this before. Google implementing features before they're standardized in order to leave other browsers at a permanent disadvantage is hardly new feedback. Repeatedly google has pulled these tricks to accomplish short term goals, at the cost of community and user trust. You were warned repeatedly that such things were costing organizational credibility, and you did not listen. And now you're surprised that you don't get the benefit of the doubt? Come on.
No definition of civility requires that someone who thinks they're being lied to just accept it without comment. |
but it can be activated with an origin trial |
|
Hey all, we plan to respond to your feedback but I want to be thorough which will take time and it’s the end of a Friday for me. We wanted to give a quick TL;DR:
|
|
Hey everyone, thank you for your patience, and thank you to everyone who engaged constructively. It is clear based on the feedback we’ve received that a bigger discussion needs to take place, and I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one. We want to continue the discussion and collaborate to address your core concerns in an improved explainer. I want to be transparent about the perceived silence from my end. In the W3C process it is common for individuals to put forth early proposals for new web standards, and host them in a team member's personal repository while pursuing adoption within a standards body. My first impulse was to jump in with more information as soon as possible - but our team wanted to take in all the feedback, and be thorough in our response. That being said, I did want to take a moment to clarify the problems our team is trying to solve that exist on the web today and point out key details of this early stage proposal that may have been missed. WEI’s goal is to make the web more private and safe Privacy features like user-agent reduction, IP reduction, preventing cross-site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:
All of these options are detrimental to a user’s web browsing experience, either by increasing browsing friction or significantly reducing privacy. We believe this is a tough problem to solve, but a very important one that we will continue to work on. We will continue to design, discuss, and debate in public. WEI is not designed to single out browsers or extensions Maintaining users' access to an open web on all platforms is a critical aspect of the proposal. It is an explicit goal that user agents can browse the web without this proposal, which means we want the user to remain free to modify their browser, install extensions, use Dev tools, and importantly, continue to use accessibility features. WEI prevents ecosystem lock-in through hold-backs This is designed to prevent WEI from becoming “DRM for the web”. Any sites that attempted to restrict browser access based on WEI signals alone would have also restricted access to a significant enough proportion of attestable devices to disincentivize this behavior. Additionally, and this could be clarified in the explainer more, WEI is an opportunity for developers to use hardware-backed attestation as alternatives to captchas and other privacy-invasive integrity checks. WEI does not disadvantage browsers that spoof their identity Let’s work together on finding the right path |
ghost
mentioned this issue
and others
Sometimes you have to ask the question whether something should be done at all, and trusted computing is certainly one of those cases where the answer is obviously a big fat NO.
So please reconsider what you believe in, leave this demon to history where it forever belongs.
The text was updated successfully, but these errors were encountered: