- cross-posted to:
- programming@programming.dev
I’m happy to see this being noticed more and more. Google wants to destroy the open web, so there’s a lot at stake.
Google basically says “Trust us”. What a joke.
WEI can potentially be used to impose restrictions on unlawful activities on the internet, such as downloading YouTube videos and other content, ad blocking, web scraping, etc.
Not one of those things is illegal.
Some are against a site’s TOS and some are outright fine.
This is the most disturbing “boring dystopia” thing yet.
Well, AI scraping is against copyright.
Scraping itself is not illegal. It’s not until an AI generates a copyrighted IP that it becomes an issue.
It’s like if I were trying to start an art business. You come to me and ask me to draw a princess. I’ve never seen a princess before, so I go online and look up images of princesses to get an idea what to draw. I go back to the studio and draw you a picture of Snow White.
Me looking up princess images is fine. It’s only when I sell a Disney® IP without their permission that it becomes illegal. And, even then, it’s a civil matter, not criminal.
Yeah that’s bullsh*t by the author of the article.
So, how the hell is this supposed to prevent bots? Unless Google are planning to completely lock the browser down to prevent user scripting and all extensions then surely you can still automate the browser?
Unless Google are planning to completely lock the browser down to prevent user scripting and all extensions
Ding ding ding!
Then how are Web Devs supposed to run automated tests?
Through the soon to be “Google WebTest, the WEI compliant test suite, powered by AI!”
Or something like that. Selling the antidote for the poison you created.
Or they just don’t enable it in their test env.
It doesn’t actually prevent anything because you can just use a different browser.
Remember those “Please use a supported browser” messages websites had?
With Web Environment Integrity they’ll be back, and worse.
I came to say the same.
“checks with a trusted party (such as Google)”
Google is not a trusted party.
Google does not have a trusted position.
From the point of web infrastructure and standards, they certainly do.
They used to have a motto like “Do no evil”, which was kinda sus to begin with (they were a search engine in a time when many didn’t even consider the evil possibilities of the internet). But if you start out with a motto like that, it’s even more sus if you suddenly drop it, which they did.
Usually when a company loudly proclaims that “we have this quality” they’re compensating for not in fact having it.
You get the same in people: “I’m so smart”, “I’m so beautiful”, “I’m so confident” and so on are usually said to others by people who don’t actually believe they have such (otherwise self-evident) qualities.
In that logic “Do no Evil” was a red flag.
They didn’t “drop it”. It’s still there. Scroll all the way to the bottom.
They simply removed it from higher profile places and don’t mention it until the very end. Sort of a jab at the old policy.
Ah, so it is. Still hard to tell if it’s genuine or PR.
I think we need to start being very realistic here.
Google has ad buying customers who want their ads served, and it’s those customers that would probably opt into the SDK and API in the first place. Scope matters.
Next there’s a plethora of freeloaders on the Internet who consume mountains of content but who scoff at paying for or contributing to the Internet.
Lastly I’m not seeing anything here that says it will block a site like Lemmy for example. The one thing I do find problematic is this potentially limiting competing browsers.
Don’t mistake me for excusing their behavior. It’s the contrary. But I do think a grounded conversation starts with understanding what people’s motivations are.
I actually posted an article about their opening of a data center being detrimental to another country’s water supply. Link should be in my profile’s recent posts, worth a read.
I think there is a fair lot of people who think it’s absurd to pay for what they consume. And if you asked them what the alternative is to them paying they’d say nothing, it should be free.
Each service they run is binned and probably billed and generates revenue separate ways, but enough of that, I’m not trying to argue for pro Google. The DRM they’re trying to push is bullshit.
I guess you missed the part about being able to “validate” plugins, entire operating systems, dns resolving etc.
I don’t care about Google’s financial problems. I don’t use their services. They can close down YouTube if they don’t have enough paying customers. Same with Google search. Bye Google. And the internet is suddenly a much better place.
I’m going to guess half of the proposal is to waste time and distract from the minimum requirement they’re hoping to actually pass. We saw this a lot in general politics in the US: you make a bold overshooting statement while passing legislature on the side.
We do not decide what is right and what is wrong.
But you don’t accept our DRM so you’re wrong.
From this github comment:
If you oppose this, don’t just comment and complain, contact your antitrust authority today:
- UK:
Dense US citizen here. ELI5 how I should explain “just trust us not to abuse collection of all your data or else get locked out of the world wide web” applies to antitrust laws for the FTC?
I’m genuinely wanting to submit an email complaint/report. I understand that WEI protects nothing, but risks your data with all the sites you visit, all in an effort just to block possibly unprofitable users – but I’m not sure how to tie in and word the Breaks Antitrust Laws part.
Thanks for your time to post these links.
Another dense citizen here. I would say that you put it quite eloquently in your comment.
But direct the question towards them.
“Would Google’s new changes on their ad and user policy be affected by FTC data protection laws and GDPR or would they be in compliance”
Or something along those lines.
Nothing dense in this, I don’t quite know what to write either. In my opinion what you wrote in your comment is just perfect, you’re a citizen simply expressing an honest concern, without lying – not all people are tech-savvy. It also makes it clear that it’s a letter from a real person.
But that’s only my point of view, and maybe I haven’t thought enough steps ahead. Let’s see what other people suggest and why.
Dear madam/sir
I dont trust googel. take me seriously.
yours, Willer
There’s no way there’s a legitimate argument why this is good for us/the internet
They claim it’s to prevent bots, but we all know it’ll soon become standard in every WAF out there (Cloudflare, Akamai, etc) to just blanket block browsers failing attestation.
All you need to know what will happen is to root an Android phone. You’d expect Netflix and bank apps and other highly sensitive apps to stop working. Okay, I can accept that, it kind of makes sense. But the more you use the phone the more you realize a ton of apps also refuse to work. Zoom complains and marks your session as insecure, the Speedtest app refuses to test your speed, even the fucking weather app won’t give you weather anymore. Jira/Confluence/Outlook/Teams also complain about it. It’s ridiculous.
Even if I’d trust Google to not misuse the feature and genuinely use it to reduce ad fraud, the problem is the rest of the developers and companies. Those, they absolutely cannot be trusted to not abuse the feature to block everyone. Security “consultants” will start mandating its use to pass security audits, government websites will absolutely use it, and before you know it, half the web refuses to work unless you use Chrome, Edge or Safari.
I have a rooted LineageOS running Android and besides Kustom widgets everything is working fine. Yea I had to fiddle around with the banking app, but other than some popups and in-game stores not working everything is fine.
I use e os and no problems here
I heard spoofing SafetyNet is possible with Magisk so banking apps should work with it
Unfortunately some apps don’t check only for SafetyNet
What other ways are there? At least my banking app worked with spoofed SafetyNet
Checking whether the bootloader is locked or not, checking for abnormal system properties like whether the ROM is using release keys or test keys, and other methods that idk of. You can test Momo, which is an app that checks the environment and tells you if there is anything abnormal about it; some use it to check if they were successful at hiding root and anything abnormal.
Yup I noticed this also. I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Google’s API in the background which means Google finds out about literally everything we do on our phones. They already own the entire operating system but we can’t even run apps without them being in the middle.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
But I’m a long term Linux user and I’m used to the OS not calling home and not reporting what apps I use. And this is how it should be. I’m so over big tech it’s not even funny anymore.
It’s even worse without Google apps, but I was talking about SafetyNet/Play Integrity specifically.
The mere act of unlocking the bootloader, without even modifying anything, will cause all the problems I outlined, and it’s the same API that Google is proposing to use by browsers to check for device integrity.
Stuff depending on Google libraries, eh, that’s annoying but people can and will reimplement those, be it microG or Wine/Proton. Not being able to see the weather I literally could get just looking out the window because my bootloader is unlocked? That’s insane.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
Not so much used to it, but just kinda sigh and accept it because I like my apps to work. I’m a long time Linux user as well, and I still have to keep a Windows box around for random shit that just refuses to work on Linux for various bogus reasons.
I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Google’s API in the background
This has nothing to do with being rooted but with Google encouraging people to build apps using its proprietary libraries to make Google Android more valuable than Android Open Source Project. There may be a connection to the EU’s attempts to stop Google from forcibly bundling several of its other apps with the Play Store.
For most use cases, good alternatives are available and it’s just a matter of developers being lazy, but I’m not sure there’s another good option for chat apps to get timely notifications without high battery consumption. MicroG provides an open source alternative to Google’s libraries and works for most apps, including chat notifications.
It’s a bit worse than just Google libraries, apps can use Play Integrity which uses hardware attestation to validate its bootloader lock status and that it’s running a vendor signed and Google approved ROM.
Current bypasses emulate older devices without the necessary hardware, but those will eventually stop working and there won’t be bypasses unless someone leaks some master keys or finds TPM exploits to trick it into signing the integrity request. It’s very bad.
Yes, but they’re two separate issues. Many apps that don’t care whether you have root or a third-party Android build use Google’s libraries.
Patching apps is another workaround. It won’t beat server-side checks, but I think those are still fairly rare. ReVanced makes it easy to do, though I’m not sure there are patches related to SafetyNet yet.
If you are not using Firefox now is a good time to start.
I have to use Edge at work. Is Edge also implementing this shit?
I’m so sorry you should use it…
I’ve been using Firefox mobile for a few years now too, and the one thing I’ll point out is that the addon store is a lot more limited than on PC – unless you’re using Firefox nightly or beta, which lets you use any. But for the average user that only needs ublock or noscript, etc. it’s a perfect choice :)
It’s kind of silly. I use nightly with custom add-ons and most of the add-ons work without issue. The UI might not be the best for the phone but they’re functional. I’m not sure why the mobile add-ons are so restricted, even enabling them in nightly is bizarre. You need to go in and tap on the FF icon in the version info page or something like that…
Tampermonkey expands the functionality you can use to take control, I use the twitter control panel to transform the mobile experience of X. No need for the app with all the forced Elmo bollocks.
Just switched yesterday, was way easier than I thought it would be. I’m converted on all my devices, all my stuff has been synced from Chrome in a few clicks. Just do it people.
I love Firefox so much. Specially the built in sync. I can browse something on my phone and open it on my computer later and continue where I left off.
If you haven’t already, check out Firefox Sync.
You can sync your stuff across Firefox instances (PC, mobile, different PC profiles etc.) You can choose to sync logins, open tabs, bookmarks, add-ons etc.
Each place you use Firefox can choose to sync different stuff, so for example you can sync logins everywhere but only sync open tabs on the PC.
In case you replace the phone or your PC HDD crashes etc. all you have to do is login back to Firefox Sync and you get all that stuff back.
Firefox in the meanwhile but long term we need to move away from the unfathomably bloated web ~~protocol~~ standard/browsers.
What’s the “web protocol”? Are you talking about HTTP?
Seems from their response to me asking the same thing, they mean browser engines, not anything to do with any of the protocols involved.
I wish I’d said “web standards” instead.
You mean HTML, CSS, JavaScript, etc?
Including those but also all specifications defined by the W3C. I would post other examples here but I’m out of my depth.
Ok well, the modern web technology ecosystem is incredibly featureful and flexible, it allows a huge array of options for building rich interactive applications, all delivered to your browser on-demand in a few seconds.
Sure some of the technologies involved aren’t perfect (and I challenge you to find any system that feature-rich that doesn’t have a few dark corners), but there’s really no alternative option that comes close in terms of flexibility and maturity.
Adding features endlessly, heedless of danger of the innate security issue from the complexity, makes for an uncompetitive and ultimately unsustainable ecosystem.
The alternative I believe in is to use separate apps for each segmented feature (the dedicated video player plays the video, the browser merely fetches it).
Web protocol? Which one?
I wouldn’t consider http or dns bloated, for instance. And tcp/ip isn’t web-specific enough for me to think that’s what you mean by “the web protocol”.
Are you just trying to say you don’t like websites in a way that sounds techy?
I’m referring to the totality of what is required to make a complete and secure web browser from scratch.
That’s a rant about the complexity of modern browser engines, not the protocols. The web worked just fine before CSS and JS. The protocols aren’t the problem. Lynx is still being maintained if you want the web without the bloat of features like js and inline images.
I believe the rant demonstrates there cannot be more competition for browsers and therefore justifies the idea that browsers will stagnate and come to an end. I think the solution will be to move away from one application doing many things to using separate software dedicated to narrow purposes.
Ah yes, I do the same in my kitchen. One machine that does one job and then sits around unused for the rest of the year.
No, obviously that is not the way. I don’t want to deal with 20 separate programs to do the job Firefox does.
When you want to use the scanner but can’t because the printer is broken.
I recently switched and all’s good so far. Correct me if I’m wrong, WEI would also be able to block certain browsers, including Firefox, right? I wish just switching browsers would be enough to avoid WEI though :/
If Google gets their way websites will be able to block OS’s and browsers. But if enough people switch to Firefox they won’t be able to push this change as easily. Google Chrome has about an 80% market share in the browser market and most of the alternatives are forks of Chromium which Google controls. If this doesn’t change Google will be able to do anything they want.
The word “intend” comes up quite a bit around this topic.
Fuck Google 2023
It’s time to use web integrity against them, by blocking access to your site if they “pass” integrity checks, and telling them to use a freedom respecting browser instead.
Absolutely. And build web sites where all browsers and operating systems are welcome.
Not that I find the idea bad but doesn’t this statement contradict the one you’re commenting on?
Yes you are right actually. :P
Can’t get that past a programmer can I… :)
This is actually already implemented, see here.
I would support this
Lmao this would be hilarious
*waiting patiently for EU to catch on to this.
Google may not like the outcome…
While you are at it, convince Apple to allow Firefox on iOS, and decline to use WEI in Safari. Otherwise there’s no way to avoid WEI on iPhone, and only one mainstream rendering engine free of this insidious malware. Many companies will shy away from it if it breaks mobile apps on the Apple platform.
On mobile web in iOS browsers, they’ll just do the old “install our app to continue” move.
Probably, which gives more ways to collect data and still uses WebKit underneath.
Vote with your wallet. Corporations only understand money. If users leave because they are not getting what they want, they’ll get what they want.
I think with the possibility of sideloading apps, Apple in the EU will have Firefox
Here’s hoping that happens, but it still won’t fix two things: Firefox is kinda weird and clumsy on mobile, and it’ll still need attestation if that’s implemented on key websites as a hard-barrier to usage. I’m now on Android (I alternate between the two, so next cycle will be Apple), and even as a highly technical type I don’t sideload on there anyway, so I think few will sideload on iOS either.