Hello, If you haven't heard about WEI, please take a look at [1], and the explainer/proposal document[2].
I wonder what would be google's strategy to adopt it and how it will play out. The more informed we are, the better prepared we are at defending user freedom against it. For example, if Google enforces WEI only on its services like gmail and youtube, then it is not much of a regression for us, as these services are already bad for user freedom and it is possible to go about one's life without them. OTOH, if we take the explainer at face-value, which describes the process as follows: - js on webpage request attester to attest - attester responds - js on webpage forwards the response to web server - web server verifies the response, with or without the attester, and take actions accordingly. Whether the web server decides to serve user requests with or without attestation, with successful or failed attestation, is up to the web server, not the attester (an powerful 3rd party). This is different from delegating access to a third party like cloudflare which can deny tor users by returning 406 Not Acceptable. Assuming the incentive for the website owner to serve the user does not change, a trivial way for the user to get around WEI without missing out is simply to disable javascript or adding a rule to their blocker to block all attestation calls (`navigator.getEnvironmentIntegrity()` in the explainer), or to block requests to attester IP/domains. But will website owners be more incentivised to deny access to js-blocking users after WEI? That is, will a website that previously was happy to serve js-blocking users stop doing so after WEI is rolled out? I don't see how that could be the case, as long as it is up to the website owner to decide. Conversly, if a website wants to deny js-blocking users, they can already do so, by not serving anything unless the user enables javascript. So it is the usecases where one does not completely block javascript that can be affected. Again, it is only those sites that want to deny some users (e.g. those using adblockers) but currently do not have the means to do so efficiently, that will be able to do so after WEI is rolled out. So it seems to me that for people who care about their own user freedom and already refuse to use sites that do not respect it, the negative effects are limited. That is not to say WEI is not evil or should not be opposed, of course. BTW I see people say "switch to firefox", but if WEI proves to be essential for firefox to retain users, I don't see why firefox would not just add a toggle to enable it like it currently does with the google widevine drm[3]. What do you think? [1] https://www.defectivebydesign.org/blog/web_environment_integrity_is_an_all_out_attack_on_free_internet [2] https://github.com/RupertBenWiser/Web-Environment-Integrity/raw/main/explainer.md [3] https://support.mozilla.org/en-US/kb/enable-drm Best, Yuchen -- Timezone: UTC+10 PGP Key: 47F9 D050 1E11 8879 9040 4941 2126 7E93 EF86 DFD0 <https://ypei.org/assets/ypei-pubkey.txt> _______________________________________________ libreplanet-discuss mailing list [email protected] https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
