Apple already shipped attestation on the web, and we barely noticed ( httptoolkit.com )

Apple has deployed a system called Private Access Tokens that allows web servers to verify if a device is legitimate before granting access. This works by having the browser request a signed token from Apple proving the device is approved. While this currently has limited impact due to Safari’s market share, there are concerns that attestation systems restrict competition, user control, and innovation by only approving certain devices and software. Attestation could lead to approved providers tightening rules over time, blocking modified operating systems and browsers. While proponents argue for holdbacks to limit blocking, business pressures may make that infeasible and Google’s existing attestation does not do holdbacks. Fundamentally, attestation is seen as anti-competitive by potentially blocking competition between browsers and operating systems on the web.

vacuumflower ,

Actually I like this.

All those people who’ve been trying to keep corporate technologies “open” were, in fact, working for the corporations to make people come to them. Most unknowingly, maybe. It’s just, well, litany of Gendlin case. You rely on corporate power, even if you are trying to hide it and talk about “open Web”.

The most important thing is that we take ideologically corporate technology where it’s not needed (there’s been plenty of hypertext systems in history, some kinda successful, and all that JS and AJAX stuff and various frameworks on top are so complex not because of any usefulness, but because of the corporate goal of backward compatibility, lumping everything together and even intentional complexity to cut off competition, and a single space).

We’d be just fine with a bunch of incompatible between themselves Hypercard-like things working over network. That’s what I think.

I really dislike Apple for what they’ve been in my somehow conscious years (born 1996), but things like Hypercard and Hotline (or KDX) from their older time seem to be just the right way to use personal computers.

Any single space with propaganda of “fragmentation being bad” is either not immune to what has happened to the Web, or already compromised.

theneverfox ,
@theneverfox@pawb.social avatar

I’m with you there, but that seems like a reason to fight

This would very likely be added to cloudflare by default (it would lower their costs), and that would put a solid chunk of the Internet behind the blackwall

nan , (edited )
@nan@lemmy.blahaj.zone avatar

Google mentioned these in their explainer (they don’t like that they’re fully masked): github.com/RupertBenWiser/…/explainer.md#privacy-…

Cloudflare explains them more too: blog.cloudflare.com/eliminating-captchas-on-iphon…

They are currently going through an IETF standardization: datatracker.ietf.org/wg/privacypass/about/

You can also read the architecture. In general I do trust Cloudflare more than Google. I have no doubt shitty sites won’t fall back to a captcha and will instead block access though, with either solution.

dan ,
@dan@upvote.au avatar

In general I do trust Cloudflare more than Google.

A large portion of the internet runs through Cloudflare’s network though, so IMO they’re just as much of a risk as Google.

fonix232 ,

However unlike Google, CloudFlare doesn't have a history of killing off products just as users begin to adapt to them.

itsAllDigital ,

That still however doesn’t relieve them. Whether they’ve killed of less products, IMHO still leaves them at the position that they route MASSIVE amounts of the entire internet.

One point of failure or control is still a big risk, no matter how you turn it

pemmykins ,

That’s not why Google is harmful though - they’re harmful because almost all of their revenue comes from advertising - everything else they offer is just a funnel to gain data on the worlds population in order to better target advertising.

As for cloudflare - they showed their true colours last year with kiwifarms. They’ll happily host the worst websites in the world as long as they don’t get bad press.

andrew ,
@andrew@radiation.party avatar

Slight correction, generally cloudflare doesn’t host any sites (this is untrue in specific circumstances, but in your example they certainly didn’t host the site) - they just sit in front of existing sites and store some static assets, otherwise acting like a transparent reverse proxy.

Atemu ,
@Atemu@lemmy.ml avatar

CF has only been public for a few years. Give it a decade and I’m sure they’ll be just as evil as Google.

peter ,
@peter@feddit.uk avatar

Public companies will always screw you in the end. It’s part of their fundemental design

dan ,
@dan@upvote.au avatar

The main risk with Cloudflare is that if they think your device is malicious, it gets very hard to browse the internet, as every site hosted behind Cloudflare starts showing CAPTCHAs or rate limiting you. This could get worse if new APIs that determine if you’re legit don’t like you for whatever reason.

azalty ,
@azalty@jlai.lu avatar

Damn, didn’t know that, thanks for sharing!

qwertyqwertyqwerty ,

Back to the days of using a different web browser for each website. I remember the acid test, IE 5.5, etc. Not fun as a user or web developer.

astra ,
@astra@lemmy.deepspace.gay avatar

if you use Safari or Firefox as your main browser it’s already been this way for a while. websites are only tested against Chrome and often times when something doesn’t work switching browsers temporarily alleviates the issue. it’s a sad state of affairs in browser land.

Neato ,
@Neato@kbin.social avatar

Expect corporations to be lazy. Just look at how every website handles cookies now. They could do it smartly, limit their cookie exposure, or only send the messages to IPs in the EU. But they just put an "accept all cookies or get out" OK box on your screen. And that's what they're going to do once attestation gets popular.

Sites will just require an attestation token and likely only accept ones from Safari and Chromium browsers since those are the ones pushing it. That will effectively make Firefox, Opera and other browsers incompatible with those websites. And once it catches on or becomes law somewhere, it'll be the entire internet. It's an extremely anticompetitive measure and it's internet-wide DRM. Fuck. that.

HeartyBeast ,
@HeartyBeast@kbin.social avatar

But they just put an "accept all cookies or get out" OK box on your screen.

Which doesn’t comply with GDPR

blindsight ,

Which only affects companies doing business in the EU. Granted, that’s most of the big players.

Very grateful for the EU to unfuck most of the world from a lot of American regulatory capture.

BubblyMango ,

Opera is chromium based though.

You dont even need this DRM bullshit to become law. Chrome will simply put a warning before entering websites without it that goes “this website doesnt use name of a technology the user doesnt understand and therefore might be dangerous”. Thats it. Every and all websites will immediatly implement this DRM bullshit or die.

sin_free_for_00_days ,

If a website doesn’t want me to see their shit, then I guess i won’t see their shit. I already have some sites that don’t work because of my aggressive use of lists on my pihole, in addition to the usual browser plugins. If a site doesn’t work now, I just move on. I don’t give a shit about any site enough to put up with this type of bullshit.

pineapplelover ,

We need to fight against this and stop this from happening before it’s too late.

shootwhatsmyname ,
@shootwhatsmyname@lemm.ee avatar

Seriously—the consequences are going to be very extreme very quickly if we don’t actively fight against this

argv_minus_one ,

Fight how?

amju_wolf ,
@amju_wolf@pawb.social avatar

What if it’s your bank’s website? Or email provider? Or literally anything else you actually have to choose and can’t pick? “It’s okay because I don’t think it affects me / I can ignore it” is always a bad reason to allow a bad thing happen.

sin_free_for_00_days , (edited )

What if it’s your bank’s website?

Use the phone app or, oh I don’t know, fucking go in?

Or email provider?

Change your email provider? Run your own email like people should?

Or literally anything else you actually have to choose and can’t pick? “It’s okay because I don’t think it affects me / I can ignore it” is always a bad reason to allow a bad thing happen.

When the fuck did I say that? I said I’m not going to deal with it. I won’t. I’ll work around it, or change the company I’m using. That is what you need to do to stop this type of shit.

EDIT: Holy crap some people are stupid. Register a domain <whatever>.com. You don’t even need to host a website. Now configure the register to point to your mail server. I’ve done this for decades, across different carriers. And I haven’t lost my email.

Or don’t do any of that and happily bend over and take whatever Apple or Google force on you. You do you.

Nyla_Smokeyface ,

It’s pretty shitty for a company to force someone to use a phone app or go to something as vital as a bank just because they won’t let the customer access the website. And there are plenty of reasons why someone wouldn’t be able to go to the bank in person every time they needed to, or at least it’d be extremely inconvenient to (especially for small things like checking your balance or transactions). Not everyone has a phone either.

Change your email provider? Run your own email like people should?

I’ve never deleted my email before but I’m pretty sure that means losing access to your entire inbox that you’ve likely had for years and having to update your contacts, the emails for all the accounts you have under it, etc. And being blocked from the website means you won’t be able to do any of those things through the official website. Does device atteststion prevent you from accessing your email through third party clients?

Also, it’s not exactly easy or practical to host your own email. And for many people that would mean spending money on servers. I read a blog post last year of someone who gave up hosting their own email after 23 years doing so.

thepianistfroggollum ,

I’m moving over to a more professional email now, and it’s a huge pain. A password manager helps a lot.

Marsupial ,
@Marsupial@quokk.au avatar

Who the fuck goes into a bank in this day and age?

Shit most branches I see are closing down.

dust_accelerator ,

This is true. However, I don’t see this happening as the website/browser isn’t really the problem with online banking, it’s more often the user.

On another note, how about no access at all, because this is a freaking huge attack surface for (D)DOS. Imagine you just invalidate signatures of all traffic to and from an attestation service. You could almost stop countries from functioning. That’s a serious vulnerability which we can easily do without.

TehPers ,

I rarely do, but when I do it’s for something a bit specific, like ordering/depositing foreign currency (for travel) or depositing large checks that exceed the online deposit limit (which again is extremely rare). For everything else, it’s online only, especially since every time I go in, there’s only one teller working and the line is super long.

some_guy ,

Run your own email like people should?

This hasn’t been practical for a while now. If you’re not on a major domain, Google, MS, etc will block you as likely spam.

neshura ,
@neshura@bookwormstory.social avatar

Cannot confirm, somewhat. Setting it up so you don’t get blocked is rather easy, figuring out how to do that correctly is a bit of a pain though (I only managed to correctly set things up once I started using Mailcow and their built in DNS check tool)

The domain still lands on some blacklists but that is down to one ISP blanket banning any mail servers in the IP block my ISP rotates my IP through.

Deemo ,

Unfortunately google is aggressive at spam filtering. For example when I signed up for bookwormstory.social the confirmation mail was sent straight to spam automatically (I had to fish it out and mark it not as spam) 😔

hascat ,

Change your email provider? Run your own email like people should?

This isn’t a practical suggestion for the vast majority of the population.

dust_accelerator ,

I have both my own email server and an additional paid email provider. not expensive and has very nice functionality in terms of sync, aliases, etc.

If they now said I needed some 3rd party bullshit to access their site, I would quit paying them. There are tons of these smaller businesses.

I doubt they will just be like “oh well, guess i’ll die, Daddy Google said so”

What i’m saying is, it doesn’t have to be google OR become a tech wizard. There is a middle path that just costs a dollar.

masterspace ,

Honestly, if you’re telling people to run their own email host, you’re either trolling or a moron.

JackbyDev ,

Yeah, because not only is it viable, they absolutely never get blocked! lol

masterspace ,

Every time I’ve ever looked into it or read anything on the topic it’s been like “do not do this. I lost my father, my children, two wives, and all my Pokemon cards in this endeavour, but in case you don’t want to listen, here’s how I partially successfully hosted my own email server for three months…”

optimal ,
@optimal@lemmy.blahaj.zone avatar

Most of that is about Exchange. Because Microsoft software is always garbage.

Nalivai ,

Not exactly. Having a running software is one thing, not having your emails be blocked by everyone because you’re not a trusted host is another. That another is a deal breaker and a huge pain in the ass, even though it helps fighting spam

optimal ,
@optimal@lemmy.blahaj.zone avatar

These days you can spin up a docker container with all the email trust stuff preconfigured

Nalivai ,

And the emails from your custom server will be rejected and/or marked as spam by every major corporation, and you will spend countless days writing appeals and appeal rejects

amju_wolf ,
@amju_wolf@pawb.social avatar

It’s not that bad but definitely not a solution for everyone. And you probably still don’t want to do it for your primary mail unless you’re otherwise extremely well versed in doing so, up to and including running multiple servers for redundancy.

sin_free_for_00_days ,

It’s so fucking easy to do so. Even run it off a rented host.

neardeaf ,

You do realize the vast majority of people would need you to explain what a “rented host” is, then they still wouldn’t comprehend it.

masterspace ,

And how the fuck is a phone app an alternative for avoiding attestation??? A phone app is inherently attested by being distributed through the app store.

blindsight ,

On a rooted phone, they can still fail attestation, apparently. That’s why Magisk Hide (or whatever it’s called) became a thing, to hide that the device is rooted. Google Pay also apparently needs Magisk Hide to function.

I don’t trust my phone to store my payment details, so I don’t care about Google Pay, and my bank’s app works fine while rooted, so I don’t have any personal experience with it, just what I’ve seen in every single root guide I’ve used in at least the last 4 years (if not longer; I don’t remember how I rooted my previous phone.)

amju_wolf ,
@amju_wolf@pawb.social avatar

Yeah, joke’s on the commenter; Google had had device attestation for phones for ages now and it’s also terrible. Many apps will outright refuse to work if you have a non-typical phone (rooted, some obscure hardware or custom OS).

President_Pyrus ,
@President_Pyrus@feddit.dk avatar

or, oh I don’t know, fucking go in?

Good luck with that in Denmark.

sin_free_for_00_days ,

www.google.com/maps/search/…/data=!4m2!2m1!6e2?en…

President_Pyrus ,
@President_Pyrus@feddit.dk avatar

For most services you will be referred to the web or app. Also you pretty much can’t insert cash to your account anymore

tuhriel ,

Also, most banks (and other service provider) add additional fees for counter service, since you can do it online…

Not talking about the “opening hours”…

rambaroo ,

How do you “fucking go in” to an online bank? And why are you being so aggressive about a simple question? Getting tired of people still acting like redditors here.

ReversalHatchery ,

Use the phone app

Jokes on you. It refuses to work as my phone configuration is not approved by our corporate overlords. And yeah, obviously you can go to the bank at any moment, there are no times whatsoever when you need to do something right now, without lets say leaving the cash register at the shop

Paradoxvoid ,
@Paradoxvoid@aussie.zone avatar

And that’s not even getting into how banks worldwide have been cutting down on staff numbers for years, and directing people to just their apps instead.

SemioticStandard Mod ,
@SemioticStandard@beehaw.org avatar

There’s no need to be so nasty, friend. I’m removing your comment because this isn’t the in line with our community value of ‘be(e) nice’

Zoop ,

Thank you. I was just thinking about that!

argv_minus_one ,

We’re not allowing it. We don’t have a choice.

amju_wolf ,
@amju_wolf@pawb.social avatar

Well you can protest, inform others, switch browsers, make your family switch…

It’s not easy and might not accomplish much but at least you’re trying.

argv_minus_one ,

We won’t be allowed to switch browsers any more. That’s the whole problem.

ReallyKinda ,

I had to stop using my car insurance app because it started requiring location information to open.

esaru ,

To see how your approach works, try using the Internet with Javascript turned off for reading text. You will realize you can’t organize your life nowadays without bowing to what websites do technically.

peter ,
@peter@feddit.uk avatar

You can’t use websites when you disable a major piece of functionality? Shocker

esaru , (edited )

Why would Javascript be a major piece of functionality for a website that is based on text articles?

kent_eh ,

If a website doesn’t want me to see their shit, then I guess i won’t see their shit

That’s how I react to Twitter and Facebook requiring login to even view most things.

Whatever you’re showing isn’t important enough to be worth me making an account.

scrubbles ,
@scrubbles@poptalk.scrubbles.tech avatar

“Sorry, your device appears to be running Linux, please only use approved Apple or Windows devices to log in, with our required surveillance system pro installed. Thanks.”

floofloof ,

Unfair. Google, Amazon and Facebook devices will also be allowed.

aperson ,

Should you chose not to continue, you agree to kick yourself in the balls.

peter ,
@peter@feddit.uk avatar

Companies can already do that

teawrecks ,

Yeah, but so far you can just spoof your user agent. Not sure how easy cracking private access tokens will be. I assume they’ll be pretty proactive about keeping it locked down.

Fed ,

Just use a vm

DzikiMarian ,

That’s easily detectable. Try beating Google Safety Net that way.

TheOakTree ,

…do you really think the devs of these systems don’t understand how to distinguish VMs from authentic devices in their device authenticating platform?

teawrecks ,

Again, not an expert on Private Access Tokens, but I assumed the entire point is that it’s a proprietary black box piece of hardware that’s authenticating your device. If it’s just passing a token generated in software, it would be trivial to bypass even without a VM.

Could you explain to me better what the VM would accomplish in this situation?

DzikiMarian ,

“Can” and “have a reason” are different things. With attestation they actually have a reason.

gigachad ,

Google already does that with Android and SafetyNet

  • All
  • Subscribed
  • Moderated
  • Favorites
  • technology@beehaw.org
  • random
  • All magazines
    •