• deweydecibel
    link
    fedilink
    English
    93
    edit-2
    1 year ago

    I’m getting here too late for this to be visible, but fuck it.

    The difference is Apple doesn’t pass any information on to the website. It just tells the website whether or not it passes their integrity check. Your web environment gets the Apple stamp of approval or it doesn’t, that’s all the sites will know.

    Googles shit is going pass actual information about the browser state, add-ons, and the device to the site so they can restrict access based on any criteria they choose. That creates endless more avenues for abuse by giving the websites the ability to judge you for themselves and micromanage how you are allowed to visit their site.

    Apple’s is the equivalent of a metal detector before walking into a building. It will go off but it doesn’t violate your privacy or enable targeted screening by telling anyone what it detected.

    Google’s is the equivalent of a strip search, where it will drop your clothes and pictures of your junk onto the property managers desk so they can decide if you’re worthy to enter. Maybe they don’t like your brand of underwear, or a tattoo you have, and refuse to let you in.

    • @grue@lemmy.world
      link
      fedilink
      English
      27
      edit-2
      1 year ago

      It’s hardly OK for Apple to be doing even that either, you know. Who the fuck does Apple think it is, to be entitled to “attest” to a goddamn thing?!

      The notion that anyone can “attest” to users’ caputured-by-DRM status is fundamentally toxic to the Internet as a whole and must be resisted at all costs and by any means necessary, legal or illegal.

    • Rentlar
      link
      fedilink
      English
      151 year ago

      Your comment was on the top for me, Lemmy’s default “hot” sorting brings fresh takes to the front, so don’t worry too much about your answers always getting buried.

    • @realharo@lemm.ee
      link
      fedilink
      English
      131 year ago

      Can you post any source at all that would back your claims? Or any technical details at all?

      Neither the actual proposal https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#what-information-is-in-the-signed-attestation, nor the article itself seem to show that there would be a difference when it comes to privacy.

      The entire problem with this proposal is that it limits client choice, similar to how Google Play integrity API on Android restricts some apps from running on rooted/unlocked phones.

      That same problem obviously also exists in Apple’s implementation.

    • @Serinus@lemmy.world
      link
      fedilink
      English
      41 year ago

      Transmitting that info to Apple is still a problem. Why do you trust Apple, but not Google?

      Google’s version will likely ask you first, and you’ll know which sites are asking for it. Apple’s won’t.

  • kitonthenet
    link
    fedilink
    931 year ago

    These schemes all have the same problem that reddit and Twitter have: they need me more than I need them. If your website or app or whatever won’t work if I’m not on the right device I won’t visit it, and that’s not a bad thing

    • @Zoidberg@lemm.ee
      link
      fedilink
      English
      411 year ago

      It’s a bit more complicated than that, unfortunately.

      What happens when Microsoft adds something to their web building tools that forces all visitors to websites using these tools to use IE? Or when your bank (or even worse, utilities) start requiring Windows and IE?

      • @toddestan@lemmy.world
        link
        fedilink
        English
        26
        edit-2
        1 year ago

        It’ll probably end up worse than that. Turn off secure boot and Windows may still run, but it will no longer verify and all these sites will now refuse to work on your computer. So if you like to run Linux, even dual booting or running Windows in a VM for those things that absolutely require Windows won’t be good enough anymore.

        • deweydecibel
          link
          fedilink
          English
          91 year ago

          It’s not just that.

          Apples implementation of this doesn’t tell the website anything about the device other than “Apples approves”.

          Google’s implementation will give the website direct information about the browser and computer. Which permits them to get granular and targeted on restrictions.

          • Hello Hotel
            link
            fedilink
            English
            5
            edit-2
            1 year ago

            “Apples approves”

            This reminds me: If you want to see what happens when a company implements this system where they approve your usage and then warps it into a punishment system later by revoking their approval when youve been naughty, see minecraft chat reporting.

          • Hello Hotel
            link
            fedilink
            English
            5
            edit-2
            1 year ago

            Its a fixed identifier, it can be a replacement for amythimg to forcably identify users:

            • super cookies
            • gpu profiling
            • unwanted cookies
            • IP adress recording (increseingly unusable)
            • phone numbers
        • deweydecibel
          link
          fedilink
          English
          41 year ago

          if my utility company requires me to have a Windows PC to get gas or electricity, then they can supply me with a Windows PC just for that purpose

          They won’t. Then what’s your plan?

          What are they going to do, tell some 90 year old lady who has never touched a computer in her life that she needs to get online with an approved device to keep her light on?

          No, they’ll tell her to pay via check/mail as usual.

          But that’s a ridiculous argument anyway, because if there’s anyone that’s going to own an unmodified, store bought, “approved” device, it’s a 90 year old.

          • @grue@lemmy.world
            link
            fedilink
            English
            21 year ago

            They won’t. Then what’s your plan?

            INB4 “I’ll just switch my appliances to electric and go off-grid solar.”

            Good for you, hypothetical yet inevitable replier, you should absolutely do that. But that doesn’t solve the collective, societal problem. The real issue here is not whether it’s possible for individuals to resist or implement a workaround, but that it is fundamentally wrong for corporations to have that much or that kind of power in the first place!

            The only actual solutions to the systemic issue must be legislative – this kind of abusive corporate power-grabbing has to be outlawed!

        • @cy_narrator@discuss.tchncs.de
          link
          fedilink
          English
          31 year ago

          What are they going to do, tell some 90 year old lady who has never touched a computer in her life that she needs to get online with an approved device to keep her light on?

          Thats exactly what they will do

      • kitonthenet
        link
        fedilink
        -131 year ago

        I’d be very surprised for one thing, because IE is no longer a product Microsoft supports in any capacity. I’d also be confused as to which tools the web hosting market just shifted to that they’re using Microsoft tools, there are monopolists out there I’m worried about but Microsoft isn’t my main one right now

        • Daniel
          link
          fedilink
          English
          11 year ago

          Microsoft tools are still very much used on the web, at least here in Washington there are a few state sites featuring the ✨aspx✨ framework.

    • @Thorny_Thicket@sopuli.xyz
      link
      fedilink
      English
      191 year ago

      If I as an adult still had my mom telling me that’s enough internet for today, and taking away my laptop, I’d hate it but it would objectively be good for me. This is kind of a similar thing. I don’t like that these companies fuck up services I like but there’s no denying that me leaving reddit for example was overall quite positive thing to happen.

      • kitonthenet
        link
        fedilink
        5
        edit-2
        1 year ago

        Yep, that’s the bargain I’m making. I’m way happier now that I’m not yelling at nerds on Reddit/Twitter/etc. The nerds on the fediverse are much less time consuming

        I think it also goes back to the fact that Twitter et al are meant to be addictive, the way I don’t like giving up Twitter is the same way I wouldn’t like giving up smoking, which both alarms me and makes me ok giving those things up

        • @Fades@lemmy.world
          link
          fedilink
          English
          0
          edit-2
          1 year ago

          Can totally relate.

          I went back and visited leddit recently and it really does make me feel more angry/annoyed overall, it’s definitely changed but it’s also definitely not new either.

          No doubt the lack of mod support is partly to blame but given that rage bait is essentially the most popular tool for engagement it wouldn’t surprise me if these social media companies try to play mind games in some way

    • deweydecibel
      link
      fedilink
      English
      81 year ago

      These schemes all have the same problem that reddit and Twitter have: they need me more than I need them.

      This sentiment comes off a lot like “it won’t affect me, I don’t care”.

      Like, it doesn’t really matter whether you decide not to use these websites anymore. Nobody should have to put up with this shit. That’s why we take a stand against it.

      • kitonthenet
        link
        fedilink
        81 year ago

        This sentiment comes off a lot like “it won’t affect me, I don’t care”.

        Then you’ve severely misunderstood what I wrote

        Nobody should have to put up with this shit. That’s why we take a stand against it.

        That is exactly what I’m advocating for

      • @grue@lemmy.world
        link
        fedilink
        English
        31 year ago

        Exactly. There’s a good reason why we don’t, for example, allow people to sell themselves into slavery, even if they “consent” to it!

  • elouboub
    link
    fedilink
    431 year ago

    The danger would be important entities like governments and banks using attestation. Then you’d be limited to using only Chrome, Safari and Edge, and Firefox could kiss its ass goodbye.

    • kitonthenet
      link
      fedilink
      311 year ago

      Bank: my bank is too boomercore to ever implement something like this, we only recently got 2fa

      Government: my government still makes me file my taxes on paper and mail it to them so I’m ok for now

      • Kbin_space_program
        link
        fedilink
        141 year ago

        Banks and governments could get trapped into this because a third party vendor implements a system for them that includes this.

        Like Salesforce’s “Lightning Experience sites” only supports the latest versions of iOS and Android, as well as only supporting chromium based browsers and Firefox.

        A lot of banks and government services run on that platform, and not all of them are going to be smart enough to pay for a custom solution that increases device support.

        • kitonthenet
          link
          fedilink
          11 year ago

          It’s less about what they implement, and more about what their users who have clout expect. My regional bank is far more responsive to customer feedback than, for example, Bank of America. As for governments there’s all sorts of bureaucracy I can push on with not a lot of resources. It’s not accessible to everyone but organizations don’t need all that much prodding to respond anyway

          • Kbin_space_program
            link
            fedilink
            1
            edit-2
            1 year ago

            Salesforce dictates what they support now, not on what people want. If an entity implements it, they can use the put of the box functionality or pay to have it customized to increase accessibility, security and support.

            • kitonthenet
              link
              fedilink
              11 year ago

              That’s fine, I will continue to use websites that work for me and when they don’t I will complain

    • @MajorHavoc@lemmy.world
      link
      fedilink
      English
      121 year ago

      My bank is welcome to implement features that prevent using Firefox. It’ll cost them when I move my deposits, but they’re welcome to do it.

      • @Alexstarfire@lemmy.world
        link
        fedilink
        English
        151 year ago

        People didn’t leave Wells Fargo and BoA en masse with all the illegal shit they did, why do you think this would have any real effect on them?

      • @Zak@lemmy.world
        link
        fedilink
        English
        3
        edit-2
        1 year ago

        The EU lets them get away with requiring device attestation for their mobile apps. It’s not exactly the same thing since system requirements for native apps are traditionally narrower than websites, but it’s similar.

    • @_pete_@lemmy.world
      link
      fedilink
      English
      2
      edit-2
      1 year ago

      In the UK at least, switching banks is super easy, I’ve done in twice in the last 2 months because they offered free cash to do so, there is enough competition that the banks have to make it easy to move or else they lose customers.

      For government, generally most systems are built to be as accessible as they can be because there has been [https://www.gov.uk/guidance/accessibility-requirements-for-public-sector-websites-and-apps ](whole raft of legislation) written up to cover this.

      I’m not saying it wouldn’t be a problem (power companies etc could prove to be sticky) but there are legal requirements that entities above a certain site have to meet.

  • @SaintFlow@lemmy.world
    link
    fedilink
    English
    42
    edit-2
    1 year ago

    Somehow, I am not surprised. Both, that Apple already did it and that there was no public outcry about it.

  • El Barto
    link
    fedilink
    English
    371 year ago

    The solution would be not to visit those sites that require this, right?

    • @Earthwormjim91@lemmy.world
      link
      fedilink
      English
      241 year ago

      Well it’s already integrated into cloudfare and fastly. So good luck with that.

      Pretty much all major sites use one of those two as a CDN.

          • El Barto
            link
            fedilink
            English
            51 year ago

            If an instance enforces this, welp, I’ll use a different one.

            • @Earthwormjim91@lemmy.world
              link
              fedilink
              English
              21 year ago

              It wouldn’t be an instance. It would be their CDN. And your browser.

              And any instance of significant size is going to have a CDN to help deal with the DDoS attacks and bots. Hell I would bet that outside of very carefully curated instances, all fediverse instances will start using CDNs here soon just because of bots.

              And chances are they will use cloudfare or Fastly.

              But there’s nothing to “enforce”. It’s not a “you must be attested or you can’t access” it will be “if you’re not attested you will have a captcha shown for most things”.

              Cloudfare already does this. If your browser looks suspicious, and the website you’re visiting using cloudfare as a CDN, you’ll be redirected to cloudfare to enter a captcha before they’ll let you into the site.

              Attestation removes that captcha part using a token generated by your device and validated by the maker of the browser you’re using. So you’d never even see the redirect at all, it would just take a second or two longer to connect.

              People using heavily modified machines or browsers wouldn’t be attested and would have to enter a captcha. That’s about it.

        • @herrvogel@lemmy.world
          link
          fedilink
          English
          81 year ago

          If you’re gonna make a conscious effort to not use cloudflare and fastly you might as well quit the internet altogether. You use those things all the time, mostly without even realizing it.

          • kitonthenet
            link
            fedilink
            -41 year ago

            I realize exactly how much I use them, reread what I have written.

        • El Barto
          link
          fedilink
          English
          11 year ago

          Right. It’s sort of like a paywall site. I simply find what I need elsewhere.

      • @bobs_monkey@lemm.ee
        link
        fedilink
        English
        31 year ago

        Wouldn’t cloudflare’s client (the website you’re trying to visit) be the one to implement this, while cloudflare simply does the verification?

        • @Earthwormjim91@lemmy.world
          link
          fedilink
          English
          91 year ago

          No it would be cloudfare. That’s their whole business.

          So, for example, right now if you visit a website using cloudfare as their CDN, and your browser looks “suspicious”, cloudfare will grab you and redirect you to a verification page to put a captcha in to verify that you’re human before they will direct you back to the website you’re trying to go to. That’s why people use cloudfare in the first place instead of trying to implement some verification themselves. It’s easier and cheaper to outsource to a specialist.

          Attestation would just be a “fast pass” for users. If your browser looks “suspicious” then you would be redirected to cloudfare for verification. Instead of a captcha though, it would automatically negotiate with your browser that would present a token generated on device to cloudfare. Cloudfare would reach out to the attestor for that browser with that token to validate it. For safari it would be Apple, for edge it would be Microsoft, for other chromium browsers it would be Google. The attestor would look at the token and be able to say “yes this is a valid, unmodified version of macOS/Windows/ChromeOS/etc and likely to be a normal human” and you would be directed back to the website you want to go to instead of having to put a captcha in.

          The danger is when these companies start to control attestation. If you have a modified OS? Sorry we don’t know if they’re human. And you’ll have to enter a captcha. Potentially, if your phone/machine is not the latest version? Sorry don’t know, enter a captcha. Using lineage instead of a licensed version of Android (like Samsungs skin, etc), sorry not validated, enter a captcha.

          If attestation becomes mainstream, then it will be the default because it’s cheaper for the CDNs and everyone to do. But it puts the power in the hands of like 3 companies for attestation. And it’s very very likely they will start limiting attestation as a “feature”. Have a galaxy phone? Well if you haven’t upgraded in a few years and are no longer in recurrent supported devices list, sorry no attestation. And they only offer like 3-4 years of official support. So if you don’t want to enter a captcha every time you change webpages, better upgrade homie.

          So naturally it will push your average consumer to just upgrading a perfectly fine device instead of keeping it. And it will discourage a ton of FOSS stuff because that will all be “unvalidated modifications” or won’t implement it. If Google implements it, that will be the nail because chrome has like a 70% market share and pretty much everyone will develop for that. So they’ll all develop with Google’s attestation in mind. If you’re using Firefox which won’t implement it, you’ll be entering a captcha every time. And that will push people over to the big companies.

          Attestation is a MUCH bigger thing than people think. You don’t need to worry about every website implementing it. You only need to worry about like 3. Cloudfare and Fastly are two huge ones, which have already implemented it on an as available basis. Right now it’s just Safari but they have it available if Google and Microsoft implement it.

          Google themselves are the third one since the way operate their own CDN for themselves and clients. If they implement attestation there will be immediately a huge chunk of the web using it. Like 70%+. Cloudfare has 20%+ of the market and Fastly is like 18%. Google makes up another huge chunk but I couldn’t find any figures.

          That would be such a huge immediate usage that it would very rapidly become the default and would lock people into only the big companies.

    • Otter
      link
      fedilink
      English
      61 year ago

      Getting a list together would be step 1

      • El Barto
        link
        fedilink
        English
        11 year ago

        Would a list of “offenders” be necessary? I’d say a list of alternative sites that don’t implement this BS would be better.

  • Mwalimu
    link
    English
    351 year ago

    your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.

  • @phx@lemmy.ca
    link
    fedilink
    English
    211 year ago

    It’s not a problem until more sites start REQUIRING it, and then it’s too late. Even if some Apple already provides it, it’s more dangerous as use grows