Apple has deployed a system called Private Access Tokens that allows web servers to verify if a device is legitimate before granting access. This works by having the browser request a signed token from Apple proving the device is approved. While this currently has limited impact due to Safari’s market share, there are concerns that attestation systems restrict competition, user control, and innovation by only approving certain devices and software. Attestation could lead to approved providers tightening rules over time, blocking modified operating systems and browsers. While proponents argue for holdbacks to limit blocking, business pressures may make that infeasible and Google’s existing attestation does not do holdbacks. Fundamentally, attestation is seen as anti-competitive by potentially blocking competition between browsers and operating systems on the web.
“Sorry, your device appears to be running Linux, please only use approved Apple or Windows devices to log in, with our required surveillance system pro installed. Thanks.”
Yeah, but so far you can just spoof your user agent. Not sure how easy cracking private access tokens will be. I assume they’ll be pretty proactive about keeping it locked down.
If a website doesn’t want me to see their shit, then I guess i won’t see their shit. I already have some sites that don’t work because of my aggressive use of lists on my pihole, in addition to the usual browser plugins. If a site doesn’t work now, I just move on. I don’t give a shit about any site enough to put up with this type of bullshit.
What if it’s your bank’s website? Or email provider? Or literally anything else you actually have to choose and can’t pick? “It’s okay because I don’t think it affects me / I can ignore it” is always a bad reason to allow a bad thing happen.
Honestly, if you’re telling people to run their own email host, you’re either trolling or a moron.
Run your own email like people should?
This hasn’t been practical for a while now. If you’re not on a major domain, Google, MS, etc will block you as likely spam.
Change your email provider? Run your own email like people should?
This isn’t a practical suggestion for the vast majority of the population.
It’s pretty shitty for a company to force someone to use a phone app or go to something as vital as a bank just because they won’t let the customer access the website. And there are plenty of reasons why someone wouldn’t be able to go to the bank in person every time they needed to, or at least it’d be extremely inconvenient to (especially for small things like checking your balance or transactions). Not everyone has a phone either.
Change your email provider? Run your own email like people should?
I’ve never deleted my email before but I’m pretty sure that means losing access to your entire inbox that you’ve likely had for years and having to update your contacts, the emails for all the accounts you have under it, etc. And being blocked from the website means you won’t be able to do any of those things through the official website. Does device atteststion prevent you from accessing your email through third party clients?
Also, it’s not exactly easy or practical to host your own email. And for many people that would mean spending money on servers. I read a blog post last year of someone who gave up hosting their own email after 23 years doing so.
And how the fuck is a phone app an alternative for avoiding attestation??? A phone app is inherently attested by being distributed through the app store.
Who the fuck goes into a bank in this day and age?
Shit most branches I see are closing down.
There’s no need to be so nasty, friend. I’m removing your comment because this isn’t the in line with our community value of ‘be(e) nice’
Use the phone app
Jokes on you. It refuses to work as my phone configuration is not approved by our corporate overlords. And yeah, obviously you can go to the bank at any moment, there are no times whatsoever when you need to do something right now, without lets say leaving the cash register at the shop
Well you can protest, inform others, switch browsers, make your family switch…
It’s not easy and might not accomplish much but at least you’re trying.
We need to fight against this and stop this from happening before it’s too late.
To see how your approach works, try using the Internet with Javascript turned off for reading text. You will realize you can’t organize your life nowadays without bowing to what websites do technically.
You can’t use websites when you disable a major piece of functionality? Shocker
Expect corporations to be lazy. Just look at how every website handles cookies now. They could do it smartly, limit their cookie exposure, or only send the messages to IPs in the EU. But they just put an “accept all cookies or get out” OK box on your screen. And that’s what they’re going to do once attestation gets popular.
Sites will just require an attestation token and likely only accept ones from Safari and Chromium browsers since those are the ones pushing it. That will effectively make Firefox, Opera and other browsers incompatible with those websites. And once it catches on or becomes law somewhere, it’ll be the entire internet. It’s an extremely anticompetitive measure and it’s internet-wide DRM. Fuck. that.
But they just put an “accept all cookies or get out” OK box on your screen.
Which doesn’t comply with GDPR
Opera is chromium based though.
You dont even need this DRM bullshit to become law. Chrome will simply put a warning before entering websites without it that goes “this website doesnt use name of a technology the user doesnt understand and therefore might be dangerous”. Thats it. Every and all websites will immediatly implement this DRM bullshit or die.
Google mentioned these in their explainer (they don’t like that they’re fully masked): https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#privacy-pass--private-access-tokens
Cloudflare explains them more too: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/
They are currently going through an IETF standardization: https://datatracker.ietf.org/wg/privacypass/about/
You can also read the architecture. In general I do trust Cloudflare more than Google. I have no doubt shitty sites won’t fall back to a captcha and will instead block access though, with either solution.
In general I do trust Cloudflare more than Google.
A large portion of the internet runs through Cloudflare’s network though, so IMO they’re just as much of a risk as Google.
However unlike Google, CloudFlare doesn’t have a history of killing off products just as users begin to adapt to them.
That’s not why Google is harmful though - they’re harmful because almost all of their revenue comes from advertising - everything else they offer is just a funnel to gain data on the worlds population in order to better target advertising.
As for cloudflare - they showed their true colours last year with kiwifarms. They’ll happily host the worst websites in the world as long as they don’t get bad press.
CF has only been public for a few years. Give it a decade and I’m sure they’ll be just as evil as Google.
The main risk with Cloudflare is that if they think your device is malicious, it gets very hard to browse the internet, as every site hosted behind Cloudflare starts showing CAPTCHAs or rate limiting you. This could get worse if new APIs that determine if you’re legit don’t like you for whatever reason.
I’m with you there, but that seems like a reason to fight
This would very likely be added to cloudflare by default (it would lower their costs), and that would put a solid chunk of the Internet behind the blackwall
