This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2023-07-27
Anyone still using chromium based Browsers? https://vivaldi.com/blog/googles-new-dangerous-web-environment-integrity-spec/
> The spec hints heavily that one aim is to ensure that real people are interacting with the website. It does not clarify in any way how it aims to do that, so we are left with some big questions about how it will achieve this. Of course it's the presence of your google account
I'll come up with a hot take that nobody likes - I don't think attestation is bad in and of itself. You want a privacy preserving method of maybe running your own attestation service.
It's always in the policy. It depends what we're attesting here because it's not you who wants to check the integrity but google. You didn't request this. Your own attestation service could produce a result which you would sign with your private key... but if google would request signature with their own key then you'll have to run their service. So attestation is not bad in itself but this kind of attestation is bad. Request for this kind of attestation means that your browser no longer trusts HTTPS and the webpage's content AND the browser itself. Wait, what? All that this means for me is that the new attestation idea is about removing something that happens after rendering of the webpage: adblockers and other CSS extensions. Because IMO HTTPS was not compromised and browser is what you wanted it to be. So extensions is the only thing... except that browser vendor also controls the extensions too and can scan them for threats.
i expect running your own attestation service will be as useless as running your own CA -- possible in theory, but nobody will trust you
> Anyone still using chromium based Browsers?
Btw I think it's a good idea to mention that Firefox mobile allows to have uBlock and other extensions (although only small subset). Something that Chrome forgot to include on phones.
> or a similar org
What is the goal of this kind of solution?
I know! Let's allow every website to audit the user's extensions so they would send user tokens to know if there was adblocker present in the system and whether anybody was tampering with DOM.
Then I'd make my main endpoint to expect a bunch of parameters like this:
So now from a basic GET request we moved on to a very fat request that will respond with 403 if the hash doesn't match.
And then the attester service could be deployed for each webpage separately like this:
So hey. You don't need to host anything centrally on EFF level. It will be running on your laptop and it will just collect data about whether you run harmful extensions or processes. It's like an anticheat, but this time it's not Valve anti-cheat but Google anti-cheat 😄
And you'll simply be sending what this anticheat produces. Only the signed payloads.
Another name for a web browser is a “user agent” - the “user agent” belongs to the user and fetches content from the web and renders it as the user sees fit on the user’s device (hardware that the user owns). It's possible that in future many of us will be using AI assistants to fetch information for us from the web and I’d rather not have those AI assistants hampered in their tasks for “not being human” or not rendering the content exactly as the website provider chooses to.
Firefox mobile will have all extensions: https://blog.mozilla.org/addons/2023/08/10/prepare-your-firefox-desktop-extension-for-the-upcoming-android-release/
@ingy In another time, I ever so slightly contributed to https://metacpan.org/release/GAAS/perl-lisp-0.06/source
Crazy! I used to sit next to gaas when we both worked at ActiveState in 2001! (The year YAML was born).
Never saw his perl-lisp before...
I was very much into Perl at the time. Then Java and Perl6 coincided for me (well not really, since Perl6 never really coincided with anything I guess)
In .no?
I might be in Oslo end of Nov. 🙂
Some small tech conf some perl friends are doing.
Please join #C05GUFQQLSK if you have any interest. Would be awesome to have your opinions.