Web Environment Integrity Explainer
github.com
The reason we can still run Linux on our desktops and laptops today is that Linux was already popular enough back when Secure Boot was specified, so that Microsoft could be convinced to allow Secure Boot to be disabled and/or user-specified keys to be enrolled (and also to sign the bootloader for Linux distributions which follow a specific set of criteria when Secure Boot is enabled). Had desktop Linux not been popular enough, Microsoft would have required all OEMs to not allow disabling Secure Boot or enrolling user-specified keys (as they later tried to do with ARM laptops).
In the present day, are alternative browsers popular enough that we can avoid the worst-case scenario? Do enough people compile these alternative browsers from source code (meaning each binary is slightly different) to make a difference?
I think Microsoft made it mandatory to allow disabling Secure Boot because they wanted their older OSs to work, didn't want devices getting bricked when a vendor poorly implemented it, and didn't want to get hit with another anti-trust suit. Not necessarily in that order.
I've read that Surface ARM hardware had a secure boot that could not be disabled. This would make a lot of sense; there was no legacy Windows for ARM to keep backwards compatibility for.
The first use case they mention is restricting ad fraud (and, presumably, ad blocking):
> Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they're human, sometimes through tasks like challenges or logins.
So if this goes forward, websites will be able to call the web environment integrity API to check you are a proper ad-watching human before serving content.
"Your contract with the network when you get the show is, you're going to watch the spots. Otherwise you couldn't get the show on an ad-supported basis. Anytime you skip a commercial or watch the button you're actually stealing programming."
Jamie Kellner's words still ring true today. When corporations make content available supported by advertisements, they are assuming a moral obligation on your part to see those advertisements. Violating that obligation is felony contempt of business model.
Jesus, I thought this was satire, but this guy is for real.
Not a lawyer, but in my understanding, the core property of a contract is that both sides are aware of it, in particular of their obligations in the contract. There must also be a defined moment the contract is concluded.
This is specifically not the case with ads: Ad-supported services are frequently advertised as "for free", not in the sense that ads are the "payment". Even if they were, they would be unlike any other business transaction as the service provider is free to change the "price" (i.e. amount of ads shown) at any time.
That's not even considering all the situations where you're subjected to ads without receiving any kind of service - or where something that you paid money for suddenly starts to show you ads too.
Felony contempt of business model indeed, as well as theft of assumed future profits!
But why should I care about the contract when the providers violate it as well? When you provide your services in the country I reside in but refuse to follow our national laws, you have violated the contract as well.
I live in Norway, and even "serious" advertisers show me alcohol and gambling advertisements. This is strictly forbidden by Norwegian law, yet I have seen multiple advertisements of this kind from Google, Facebook and Discovery. Discovery in particular has just recently agreed to follow the law for television broadcasts, to be fair.
GDPR is also violated a lot, especially by advertising corporations. I have never consented to the vast amount of tracking that I'm subjected to when browsing the internet, even though I have that right.
It's not like they are obligated to provide services to my country either. If European laws are too strict, they can always leave instead of violating our rights.
You don't have a contract with the network. The advertisers do. The network is committed to deliver audiences to the advertisers in return for money. The way they do this is by showing content that the audience wants to watch. You don't owe neither of them nowt.
This is sarcasm right? Because otherwise it sounds like going to the bathroom during a commercial would be illegal.
Kellner did add "I guess there's a certain amount of tolerance for going to the bathroom." But if your bathroom breaks become too frequent, I guess you run the risk of "actually stealing programming".
Looking forward to the debates about the precise number and length of bathroom breaks per session that the networks would be willing to grant.
(I'm very sure they'll be willing to work out reasonable solutions for edge cases - i.e. you'll be granted up to 2 extra bathroom breaks if you have a corresponding medical condition. Just connect your Netflix and Samsung accounts with your healthcare provider's and they'll figure out the rest. We're all humans after all!)
Verification can solves this.
Don't worry, Sony's already figured this out: https://www.creativebloq.com/sony-tv-patent
McDonalds!
I would love to know the personal motivations and moral feelings of those who work on features like this. Are they naive about how these features will be used? Do they not care? Do they not have a personal sense of responsibility for contributing to the end of open, free computing? It's been a while since I took a Big Tech paycheck, but I don't remember being this willing to go build nightmare tech when I was getting one.
"It is difficult to get a man to understand something, when his salary depends on his not understanding it."
All of the above. Whatever puts food on the table and gas in the car
They dropped "Don't be evil" for a reason.
This topic was posted earlier today but was seemingly killed..
> This topic was posted earlier today but was seemingly killed..
I don't like you cause you contradicted me the last time, therefore I'm going to mod you into oblivion :]
It set off the flamewar detector.
Google marketing exec: "We need to lock down web browsers so we can make more money by showing ads."
"Ad blockers need to be prevented. The new WEIE APIs will ensure that ad blockers aren't running and that no DRM is being compromised."
"We also want to prevent ad fraud. With WEIE we can ensure that ad clicks are legit and that people are watching the ads we show. If we can't control the operating system like we can on Chromebooks and Android phones, then we need to control the web browser with cryptographic certainty."
Will anybody be able to do anything about it? This is not an API for you and me. This is an API for big tech, for corporations, for banks. They will use it, they will honour it. You may not use it, but because corporations will use it, it will become a standard. There is no leeway. You have no control over big business. You will scream, they will do what they want.
So, in short: Google and other companies shamelessly polluted the web with ads and personalized ad driven content, and since regular folks use ad blockers, and ad manipulating people abuse the very system those companies fostered, there is now a supposed need to get the house in order... ...by force feeding us ads and trackers, bypassing whatever still allows people to browse sanely.
What if I tell my browser to not respond to these attestation requests?
What about all the people who have an outdated browser and don't know how to update it?
edit: One of the goals addresses this[0]:
> Continue to allow web browsers to browse the Web without attestation
Maybe you'll just have to fill a captcha on every other request, but technically you're still allowed to browse the web (:
Absolute worst spec I've ever seen. Google needs to be loaded into a cannon and fired into the sun.
> How does this affect browser modifications and extensions?
> Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality: E.g. if the browser allows extensions, the user may use extensions; if a browser is modified, the modified browser can still request Web Environment Integrity attestation.
Then what's the point? I can make a modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
I don't believe they're being honest with how this will be used. We need to legally regulate remote attestation.
> As new browsers are introduced, they would need to demonstrate to attesters (a relatively small group) that they pass the bar, but they wouldn't need to convince all the websites in the world.
It speaks for itself. Horrid.
>> I don't believe they're being honest with how this will be used.
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
This is the beginning of the further DRM-ification and enshittification of the Web.
No one can control the web unless every personal computing device on earth is closed source down to the hardware. Digital technology is a double edged sword. I agree that Google would definitely want complete control, but they just can’t do that. We’ll most likely rather see deglobalization of the web with trust shifting from FAANG to states.
>> No one can control the web unless every personal computing device on earth is closed source down to the hardware.
It happens one step at a time:
https://gabrielsieben.tech/2022/07/29/remote-assertion-is-co...
Hell. Heck. Shit. That piece is really scary. I did NOT expect that. Remote attestation really is coming. What will happen to Linux? My beloved NixOS? New OSes, Theseus OS? What is the solution? Don't nation states see that this will give American companies too much power, even more than now, too much to really significantly matter?
I see no solution beyond the deglobalization of the entire tech stack (down to the very OSes) and multiple sources of trust in the form of multiple nation states. Maybe my government will make an official Linux distro and make it mandatory, so we can escape this coming shit.
Trusted computing is all about ensuring that your machine is trusted to run payloads and you can't observe or interact with them. Sad! I see why the free software people call it treacherous computing
Shameless plug for the article I wrote 1 year ago now, "Remote Attestation Is Coming Back," which warned that this was coming to the web and had quite a discussion about that idea:
Thank you for writing this. Remote attestation for consumer software is such a disturbing idea.
In the past the main adversarial pressure has been exploiting security vulnerabilities ("jailbreaking"), but the software industry is getting its act together re that.
I remember this article! And of course, nothing has improved. It's ironic that in 1992, software publishers proclaimed that piracy would be the end of the computer age in the classic "Don't Copy That Floppy!" campaign. To me, it seems like nearly the opposite thing is going to end the computer age: integrity checking. Most computers are toys that we lease from companies that are bigger and more influential than governments, and using it in ways they don't like is against the law.
Exactly. Trusted Computing means that the FAANGs and the MAFIAA can trust that your computer will put their interests ahead of your interests. There is zero benefit to you.
TC is value neutral so the FSF slurs don't make sense. Consider what happens when the machine in question is a cloud VM. Then you can run workloads on a rented machine without the risk of the cloud vendor spying on or tampering with your server. Likewise if the machine gets hacked. These are highly desirable properties for many people. For example Signal uses TC so the mobile apps can verify the servers before doing contact list intersection, keeping the contacts private from the Signal operators.
Another use case is multiparty computation. Three people wish to compare some values without a risk that anyone will see the combined data. TC can do this with tractable compute overhead, unlike purely cryptographic techniques.
Observe what this means for P2P applications. A major difficulty in building them is that peers can't trust each other, so you have to rely on complex and unintuitive algorithms (e.g. block chains) or duplication of work (e.g. SETI@Home) or benign dictators (e.g. Tor) to try and stop cheating. With TC peers can attest to each other and form a network with known behavior, meaning devs can add features rather than spend all their time designing around complicated attacks.
These uses require you have a computer that you do trust which can audit the remote server before uploading data to it. But you can compile and/or run that program on your laptop or smartphone, the verification process is easy.
But exactly because TC is general it doesn't distinguish based on who owns the machine. It doesn't see your PC as morally superior to a remote server, they're all just computers. So yes, in theory a remote server could demand you run something locally and then do a HW remote attestation for it. In practice though this never happens anymore outside of games consoles (as far as I'm aware), because most consumer devices don't have the right hardware for it, and even if they did you can't do much hardware interaction inside attested code.
Why should anyone trust a remote server providing a signed statement of authenticity when Intel[1], MSI[2], Lenovo[3], NVIDIA[4], Microsoft and others keep losing their keys? Even if they haven't lost their keys recently, technology companies don't have a great track record of producing foolproof hardware designs (e.g. recent case of [5]), if foolproof was ever a reasonable expectation. For starters, it's assuming technology such as ptychographic X-ray computed tomography and focused ion beam machining won't become more commonplace and commercially viable to readily break TPM attestation schemes. Or that with wider use of TPM attestation, more effort will be expended into breaking it whereas for the current state with minimal adoption, few people care.
The issue client-side is that if a single vendor or TPM design is compromised, threat actors have ample motive, resources and ability to exploit this compromised hardware, whilst everyone else has few choices, such as dumping at great expense some more e-waste. And critically, you as a user are blocked by your acceptance of TPM attestation technology from discovering attacks and auditing your own system security, as you ceded control of your own systems. Instead, your systems are controlled by a few technology companies that have a proven terrible track record of fulfilling their alleged intent of keeping your systems and data secure. And why should they care if it doesn't lead to a higher profit at the end of the year?
[1] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...
[2] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...
[3] https://github.com/binarly-io/SupplyChainAttacks/blob/main/L...
> TC is value neutral so the FSF slurs don't make sense
Trusted computing is often used such that one might think, it implies the user can trust something (his computer). But it is the other way around. A service provider can trust a machine - that a user bought -- to not do what the user wants. That is misleading at best.
There are really only two ways TC is used in practice in today's economy:
1. Clients verifying cloud VMs. The "user" in this case is not the same person as "his" in "his computer".
2. Games consoles being verified by PS/Xbox online services. In this case the users are in effect verifying each other, because part of why they need such tough security is to stop online gaming being wrecked by cheaters.
At a stretch you could talk about credit card chips and the ATM network as (3) but that's far enough away from general computing that it doesn't really count.
In both cases these are firmly pro-consumer use cases. Unless you want to pirate or cheat in gaming of course, but there's plenty of users who don't want to subsidize your fun with their own suffering, so they're happy to rely on TC to stop that. It's a big part of why console gaming dominates PC gaming. It's wrong for the FSF to imply all those people are brainwashed dupes because they have a different value system to Richard Stallman.
> There are really only two ways TC is used in practice in today's economy:
Isn't that exactly the case, because the idea of using TC in every PC produced a huge backlash?
No, 'fraid not. There was no backlash except amongst a tiny subset of ideologically motivated developers who aren't making the decisions in these companies anyway. See how the big cloud providers all have TC efforts without fuss. Smartphones implement a much less open form of TC too again, devs don't care or welcome it (less piracy), users don't care or welcome it (see how HN threads fill up with praise for Apple's walled garden when it gets discussed). Linux supports all this tech just fine as well.
The reasons it hasn't taken off in desktop PCs are rather complicated and mostly due to patchy hardware support for the use cases that most matter there. It's much harder to implement in a diverse hardware ecosystem because for devs to rely on a new hardware feature that isn't just performance requires a very wide installed base. Intel and AMD never agreed on the right way to do it, and getting device vendors on board was too difficult outside vertically integrated ecosystems like consoles.
> I can make modified bot browser that commits ad fraud as long as I don't use a rooted Android phone?
Yeah, this just incentivizes spammers to copy the parts of Chromium that do the attestation (or whatever browser has source available), and use that to pretend they're Chromium. There will always be workarounds. This seems to kill innovation and allow spammers to flourish.
I suppose I can understand an argument that they want to prevent scraping, but this is absolutely not going to stop that.
> We need to legally regulate remote attestation.
I'd go a step further. We need to ban it. It should be illegal to sell devices to consumers that already contain private keys, unless all of said keys are provided to the consumer at the time of purchase.
I would do it differently: I would ban remote attestation on all general-purpose electronic devices and for all devices that are meant to be part of the home and run third party software.
So computers, phones, and game consoles cannot have remote attestation but home security systems, ATMs, e-Readers, medical devices, water/electricity usage meters can do remote attestation.
what kind of bs is this?