#off-topic
2023-07-27
Martynas Maciulevičius 05:07:05

> The spec hints heavily that one aim is to ensure that real people are interacting with the website. It does not clarify in any way how it aims to do that, so we are left with some big questions about how it will achieve this.

Of course it's the presence of your google account :crying-laughing-joy-blood:

Ben Sless 06:07:20

I'll come up with a hot take that nobody likes - I don't think attestation is bad in and of itself. You want a privacy preserving method of maybe running your own attestation service.

Martynas Maciulevičius 06:07:16

It's always in the policy. It depends on what we're attesting here, because it's not you who wants to check the integrity but Google. You didn't request this. Your own attestation service could produce a result which you would sign with your private key... but if Google would request a signature with their own key then you'll have to run their service. So attestation is not bad in itself but this kind of attestation is bad. A request for this kind of attestation means that your browser no longer trusts HTTPS and the webpage's content AND the browser itself. Wait, what? All that this means for me is that the new attestation idea is about removing something that happens after rendering of the webpage: adblockers and other CSS extensions. Because IMO HTTPS was not compromised and the browser is what you wanted it to be. So extensions are the only thing... except that the browser vendor also controls the extensions and can scan them for threats.

hifumi123 06:07:20

i expect running your own attestation service will be as useless as running your own CA -- possible in theory, but nobody will trust you

🙌 2
Martynas Maciulevičius 06:07:10

> Anyone still using chromium based Browsers?

Btw I think it's a good idea to mention that Firefox mobile allows you to have uBlock and other extensions (although only a small subset). Something that Chrome forgot to include on phones.

❤️ 12
Martynas Maciulevičius 21:07:25

> or a similar org

What is the goal of this kind of solution? I know! Let's allow every website to audit the user's extensions so they would send user tokens to know if there was an adblocker present in the system and whether anybody was tampering with the DOM. Then I'd make my main endpoint expect a bunch of parameters like this:

So now from a basic GET request we moved on to a very fat request that will respond with 403 if the hash doesn't match. And then the attester service could be deployed for each webpage separately like this: .....

So hey. You don't need to host anything centrally on EFF level. It will be running on your laptop and it will just collect data about whether you run harmful extensions or processes. It's like an anticheat, but this time it's not Valve anti-cheat but Google anti-cheat 😄 And you'll simply be sending what this anticheat produces. Only the signed payloads.

Rupert (All Street) 12:07:18

Another name for a web browser is a “user agent” - the “user agent” belongs to the user and fetches content from the web and renders it as the user sees fit on the user’s device (hardware that the user owns). It is possible that in the future many of us will be using AI assistants to fetch information for us from the web and I’d rather not have those AI assistants hampered in their tasks for “not being human” or not rendering the content exactly as the website provider chooses to.

slipset 14:07:58

@ingy In another time, I ever so slightly contributed to https://metacpan.org/release/GAAS/perl-lisp-0.06/source

Ingy döt Net 15:07:14

Crazy! I used to sit next to gaas when we both worked at ActiveState in 2001! (The year YAML was born). Never saw his perl-lisp before...

slipset 16:07:31

Cool! I used to work in the same company as gaas back in 95 or so.

slipset 16:07:27

I was very much into Perl at the time. Then Java and Perl6 coincided for me (well not really, since Perl6 never really coincided with anything I guess)

Ingy döt Net 16:07:09

I might be in Oslo end of Nov. 🙂

slipset 16:07:45

Oh, cool! We’ll organize an Honorary Clojure Lunch 🙂

❤️ 2
slipset 16:07:53

(not a very big deal, but still nice 🙂

Ingy döt Net 16:07:03

Some small tech conf some perl friends are doing.

Ingy döt Net 16:07:16

Please join #C05GUFQQLSK if you have any interest. Would be awesome to have your opinions.