Oops Google Did It Again

dombytes.com

73 points by bezout 3 years ago · 13 comments

smoldesu 3 years ago

> Computer scientists always consider the worst case scenario because it allows us to hedge against the risk—or, well, certainty—that something will go wrong.

> Why are people complaining about WEI and not PATs then?

> Well, Google is simultaneously the owner of the most popular web browser (Chrome) and the most popular mobile operating system (Android) on top of which Chrome runs. WEI is guaranteed to be a recipe for anti-competitive practices.

I don't follow. How is any of this exclusively harmful when WEI does it? Is Apple not also in a position to use PATs for anti-competitive purposes?

  • clhodapp 3 years ago

    It's transformative (in a bad way) for the vast majority of users to be using systems that are capable of attestation, however we get there. Once that happens, it's a slippery slope into a world where you can't use open source browsers for commercial activity and the ladder is largely pulled up on a new browser ever becoming popular again.

    At that point, it'll be left as an exercise for the remaining browser makers to slowly enshittify.

    What's funny is that this trend could lead to the downfall of Chrome outside of Android and ChromeOS because at the end of the day, attestation is in the control of the OS maker.

  • helen___keller 3 years ago

    Attestation is an issue in incentives, particularly on the part of website owners who lose incentive to offer a decent UX to non-attested users when most users are attested.

    Apple PATs in isolation cannot achieve this, while Google is making a new web standard that will almost certainly achieve this if it is successfully pushed.

    That is, Apple-only PATs are compatible with an open web. WEI as a standard is incompatible with an open web.

    That said, PATs become dangerous in a world where WEI is being pushed - to that end I’ve recently disabled PATs on my iDevice.

  • bezoutOP 3 years ago

    It’s not right now but it will be when combined with WEI or if Safari gains more market share. Overall, I agree with the sentiment expressed in this blog post: https://httptoolkit.com/blog/apple-private-access-tokens-att...

drpixie 3 years ago

This would be, de facto, DRM for whole browsers. It would have all the advantages (to incumbents) of DRM. And for users, all the disadvantages of DRM.

If you think the John Deere tractor maintenance thing is terrible and disgusting ...

helen___keller 3 years ago

The scary part isn’t what happens with attestation on today’s web, it’s what kind of web gets built tomorrow when the vast majority of users support attestation.

The author of WEI acknowledges this risk but the only mitigation is a suggestion that maybe browsers can occasionally hold off on attesting - basically, letting market share of attestation hold just shy of 100% in hopes that it doesn’t dominate the web.

I’m sure the future Google engineer who removes this restriction and saves 10% of Chrome sessions from captchas will also get a promotion.

  • ShowalkKama 3 years ago

    until sites "find a way" to ask multiple times for attestation (if it has a 10% chance of failing on each request and 10 of them in a row fail, what's the chance of the client supporting WEI and randomly holding off on all of them?)

    "find a way" because it won't be hard.

ksec 3 years ago

> is an example of what happens when you don’t consider the worst case scenario.

This sentence pretty much summarises everything that is wrong with Tech or Silicon Valley in the past 15+ years.

  • TheNewsIsHere 3 years ago

    You are spot on.

    Part of the problem is that “worst case” is “ideal outcome” to some, and those “some” have a disproportionate level of influence.

sixothree 3 years ago

I wonder if web crawlers that aren’t Google will be able to produce valid tokens.