• Sonotsugipaa@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    13
    ·
    1 year ago

    You’ve already got some answers, but the recent drama is specifically about a Chromium-centered API, called Web Environment Integrity.

    It has been found on a Google engineer’s Github account, and iirc it’s being tested on Chrome.

    It’s basically web DRM.

    The idea is that the API allows websites to require browsers to guarantee they are unmodified through a “third-party” attester, like Google SafetyNet (or whatever the fuck it got rebranded as) does.

    Imagine if you were trying to access a mobile-only website on your PC, by changing your HTTP user agent string;
    the website would refuse to serve you the page, and tell you “I don’t trust you, are you really a Google Pixel?”.
    A real Pixel’s browser would ask Google Play to vouch for it, and the website would trust Google Play (due to cryptographic shenanigans and whatnot); your browser, however, would not have an attester that:

    • is (claiming to be) universally accepted as trustworthy;
    • answers “yes, I’m a Google Pixel” on a PC;
    • has the necessary cryptographic secrets to work.

    That doesn’t sound too bad.
    But, what if the attester can check your browser’s extensions, and tell the website that you’re running an adblocker (which is WEI’s explicit goal)?
    What if it also checks your system’s running processes or applications?
    What if you ran a debloater script for Windows, and the attester decided that a lack of ads in the start menu was sus?

    What if it detected VPN usage? I know some governments that wouldn’t like that, I bet they would like it if VPN users would be denied access to half the web…

    • Blerenes@lemm.ee
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      If the comment about VPNs is true, I will lose touch of half of my friends and families that live in Iran. This is truly evil…

      • Sonotsugipaa@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        It’s “true” in the sense that it could happen in theory, Google is (allegedly?) planning to use WEI for forcing people to see ads rather than China-firewalling the web; also, WEI was still under development last time I checked.

        Whether the attesters that end up being universally trusted will poke around to check for VPNs is up for speculation, for now.

        Even then, this is just an API for websites. If you use other means of communication, you’ll be fine.