On 7/30/23 17:35, Yuchen Pei wrote:
Hello,If you haven't heard about WEI, please take a look at [1], and the explainer/proposal document[2]. I wonder what would be google's strategy to adopt it and how it will play out. The more informed we are, the better prepared we are at defending user freedom against it. For example, if Google enforces WEI only on its services like gmail and youtube, then it is not much of a regression for us, as these services are already bad for user freedom and it is possible to go about one's life without them. OTOH, if we take the explainer at face-value, which describes the process as follows: - js on webpage request attester to attest - attester responds - js on webpage forwards the response to web server - web server verifies the response, with or without the attester, and take actions accordingly. Whether the web server decides to serve user requests with or without attestation, with successful or failed attestation, is up to the web server, not the attester (an powerful 3rd party). This is different from delegating access to a third party like cloudflare which can deny tor users by returning 406 Not Acceptable. Assuming the incentive for the website owner to serve the user does not change, a trivial way for the user to get around WEI without missing out is simply to disable javascript or adding a rule to their blocker to block all attestation calls (`navigator.getEnvironmentIntegrity()` in the explainer), or to block requests to attester IP/domains. But will website owners be more incentivised to deny access to js-blocking users after WEI? That is, will a website that previously was happy to serve js-blocking users stop doing so after WEI is rolled out? I don't see how that could be the case, as long as it is up to the website owner to decide. Conversly, if a website wants to deny js-blocking users, they can already do so, by not serving anything unless the user enables javascript. So it is the usecases where one does not completely block javascript that can be affected. Again, it is only those sites that want to deny some users (e.g. those using adblockers) but currently do not have the means to do so efficiently, that will be able to do so after WEI is rolled out. So it seems to me that for people who care about their own user freedom and already refuse to use sites that do not respect it, the negative effects are limited. That is not to say WEI is not evil or should not be opposed, of course. BTW I see people say "switch to firefox", but if WEI proves to be essential for firefox to retain users, I don't see why firefox would not just add a toggle to enable it like it currently does with the google widevine drm[3]. What do you think? [1] https://www.defectivebydesign.org/blog/web_environment_integrity_is_an_all_out_attack_on_free_internet [2] https://github.com/RupertBenWiser/Web-Environment-Integrity/raw/main/explainer.md [3] https://support.mozilla.org/en-US/kb/enable-drm
I wrote and deleted a lot. I wrote an entire article on this email and deleted it because whatever I say is useless to people at the moment. SO here's some stats:
Google has near-total power over the Web:* 90.8% of all searches on the Web is done through Google (Google: 62.6, Google Images: 22.6, Youtube: 4.3, Google Maps: 1.3).
* Google collects the most revenue from online advertisements with over $32.4 billion ad revenue (in U.S.) while all other major advertisers not being close to it combined (Microsoft: $2.9B, Yahoo: $1B, Yelp: $0.9B, IAC: $0.5B, Amazon $0.5B; combined: $5.8B).
* Google has nearly total control over the flow of information. With its power, it can boycott almost any site or service and wipe them out. With its power over Android and Play Store app directory, which are proprietary, Google controls what can get published.
I also posted something on my blog: https://alirezahayati.com/2023/07/29/google-launches-another-war-at-web/
-- Ali Reza Hayati (https://alirezahayati.com)
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ libreplanet-discuss mailing list libreplanet-discuss@libreplanet.org https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
