
Google's Nightmare 'Web Integrity API' Wants a DRM Gatekeeper For the Web 163

Google's newest proposed web standard is... DRM? Over the weekend the Internet got wind of this proposal for a "Web Environment Integrity API." From a report: The explainer is authored by four Googlers, including at least one person on Chrome's "Privacy Sandbox" team, which is responding to the death of tracking cookies by building a user-tracking ad platform right into the browser. The intro to the Web Integrity API starts out: "Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it."

The goal of the project is to learn more about the person on the other side of the web browser, ensuring they aren't a robot and that the browser hasn't been modified or tampered with in any unapproved ways. The intro says this data would be useful to advertisers to better count ad impressions, stop social network bots, enforce intellectual property rights, stop cheating in web games, and help financial transactions be more secure. Perhaps the most telling line of the explainer is that it "takes inspiration from existing native attestation signals such as [Apple's] App Attest and the [Android] Play Integrity API." Play Integrity (formerly called "SafetyNet") is an Android API that lets apps find out if your device has been rooted.

Root access allows you full control over the device that you purchased, and a lot of app developers don't like that. So if you root an Android phone and get flagged by the Android Integrity API, several types of apps will just refuse to run. You'll generally be locked out of banking apps, Google Wallet, online games, Snapchat, and some media apps like Netflix. [...] Google wants the same thing for the web. Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data. At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. If you passed, you would get a signed "IntegrityToken" that verifies your environment is unmodified and points to the content you wanted unlocked. You bring this back to the web server, and if the server trusts the attestation company, you get the content unlocked and finally get a response with the data you wanted.
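
The attestation round trip described in the summary above, sketched from the web server's side as an added example (not code from the report, the explainer or Google). The token layout, the field names, `attester.example` and the 60-second freshness window are assumptions made for illustration; the page specifies none of them.

```javascript
// Added illustration of the flow in the summary: attester signs, web server verifies.
// Token layout, field names and identifiers are assumptions, not taken from the
// Web Environment Integrity explainer.
const crypto = require('node:crypto');

// ---- Attester side (the "third-party" attestation server) ----
// Constructed key pair; the web server only ever sees the public half.
const attester = crypto.generateKeyPairSync('ed25519');

function issueToken(privateKey, attesterId, verdict, contentBinding, nowMs) {
  const payload = Buffer.from(JSON.stringify(
    { attester: attesterId, verdict, contentBinding, issuedAt: nowMs }));
  const signature = crypto.sign(null, payload, privateKey); // Ed25519: no digest name
  return `${payload.toString('base64url')}.${signature.toString('base64url')}`;
}

// ---- Web server side ----
// The server decides which attesters it trusts; everything else is rejected.
const TRUSTED_ATTESTERS = new Map([['attester.example', attester.publicKey]]);
const MAX_AGE_MS = 60_000; // assumed freshness window

// Ties a token to one specific request so it cannot be reused for other content.
function bindingFor(method, url, nonce) {
  return crypto.createHash('sha256')
    .update(`${method}\n${url}\n${nonce}`).digest('hex');
}

function reject(reason) { return { ok: false, reason }; }

function verifyToken(token, expectedBinding, nowMs) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return reject('malformed');
  const payload = Buffer.from(parts[0], 'base64url');
  const signature = Buffer.from(parts[1], 'base64url');

  let claims;
  try { claims = JSON.parse(payload.toString('utf8')); } catch { return reject('malformed'); }
  if (claims === null || typeof claims !== 'object') return reject('malformed');

  // The attester name is read before verification only to select a key;
  // no other claim is acted on until the signature has been checked.
  const publicKey = TRUSTED_ATTESTERS.get(claims.attester);
  if (!publicKey) return reject('untrusted-attester');

  let signed = false;
  try { signed = crypto.verify(null, payload, publicKey, signature); } catch { signed = false; }
  if (!signed) return reject('bad-signature');

  if (claims.contentBinding !== expectedBinding) return reject('wrong-binding');
  const age = nowMs - claims.issuedAt;
  if (typeof claims.issuedAt !== 'number' || age < 0 || age > MAX_AGE_MS) return reject('stale');
  if (claims.verdict !== 'unmodified') return reject('verdict-rejected');
  return { ok: true, reason: 'accepted' };
}

// ---- Constructed walk-through ----
function demo() {
  const now = 1_700_000_000_000; // fixed clock so the run is repeatable
  const binding = bindingFor('GET', 'https://site.example/article/42', 'nonce-1');
  const other = bindingFor('GET', 'https://site.example/article/43', 'nonce-2');
  const rogue = crypto.generateKeyPairSync('ed25519'); // key the server does not trust

  const good = issueToken(attester.privateKey, 'attester.example', 'unmodified', binding, now);
  const flagged = issueToken(attester.privateKey, 'attester.example', 'modified', binding, now);
  const forged = issueToken(rogue.privateKey, 'attester.example', 'unmodified', binding, now);
  const unknown = issueToken(rogue.privateKey, 'rogue.example', 'unmodified', binding, now);

  return {
    genuine: verifyToken(good, binding, now + 1_000).reason,
    replayedElsewhere: verifyToken(good, other, now + 1_000).reason,
    replayedLater: verifyToken(good, binding, now + 120_000).reason,
    flaggedEnvironment: verifyToken(flagged, binding, now + 1_000).reason,
    forgedSignature: verifyToken(forged, binding, now + 1_000).reason,
    unknownAttester: verifyToken(unknown, binding, now + 1_000).reason,
  };
}

console.log(demo());
```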
  • by Baron_Yam ( 643147 ) on Tuesday July 25, 2023 @09:49AM (#63713402)

    How dare poor people try to own things that mega corps want to control for profit?

    • by AmiMoJo ( 196126 ) on Tuesday July 25, 2023 @10:03AM (#63713434) Homepage Journal

      I read the proposal yesterday. It specifically says that the goal is to not enable any additional tracking or locking down of the browser, and indeed it would have to do that if they want Apple and Mozilla to adopt it.

      It might be useful for getting rid of captchas, by offering a better way to authenticate that the browser is genuine and not a bot.

      But mostly it will be used for stuff like banking, which I think is a problem. If banks start mandating it, people who don't want or have access to a "secure" OS might not be able to access their services. It's bad enough with banking apps that won't work on rooted devices.

      • Banking (Score:4, Informative)

        by PPH ( 736903 ) on Tuesday July 25, 2023 @10:07AM (#63713446)

        My checkbook still works.

      • It's bad enough with banking apps that won't work on rooted devices.

        This irritates the heck out of me - one particular bank I deal with has an app that does this.

        • So...you chose to irritate yourself?

      • by ArmoredDragon ( 3450605 ) on Tuesday July 25, 2023 @10:16AM (#63713470)

        IMO sounds like a sneaky way to force people off of ad blockers. Apple really wouldn't give a shit about that. Mozilla would, but their numbers have fallen enough that a lot of websites have begun to ignore them anyways. Slashdot, as of a few weeks ago, no longer seems to work with Firefox for Android unless you request the desktop version of the site, otherwise you just get an empty page.

        • Re: (Score:2, Informative)

          by AmiMoJo ( 196126 )

          One of the stated goals is not to interfere with extensions like ad blockers. The proposal specifically mentions that the extensions the user has installed should not be considered for the security determination.

          • by mysidia ( 191772 ) on Tuesday July 25, 2023 @11:04AM (#63713626)

            The proposal specifically mentions that the extensions the user has installed should not be considered for the security determination.

            This is Not logical.. IMO someone has either Not considered this fully, or it must be a statement designed to quell concerns which can be quietly removed later with a minor amendment.

            If Extensions the user installed are Not to be considered, then why have the spec? The system/browser modifications can equally be User-installed, whereas Evil people who want to run bots will then wrap their functionality or mods that break integrity into an extension..

            • by AmiMoJo ( 196126 )

              The idea is that extensions are limited to what the browser API allows, so either you trust the browser or you don't.

          • That's gone well for manifest v3 hasn't it?

            • by AmiMoJo ( 196126 )

              Indeed it has. It's been delayed because it doesn't work well enough with uBlock and the like. V2 was supposed to be dead by now.

          • Among other things, Firefox has a much better extension API, which allows extension developers to do things that Google considers evil. Things like ad blocking. So what happens when whatever governing body decides these things can't be permitted, so Firefox has to remove them or else suffer even worse market share as punishment?

            I personally don't give one ounce of a fuck if people cheat in web games, they're mostly just freemium shit anyways. If the developers don't like that, they picked the wrong platform

          • For now that is. Once this mechanism is in place, it doesn't take much tweaking to kill ad blockers under the name of, "protecting the integrity of the Web experience" or "guarding copyrighted Web content as per the DMCA".

            Because there are so relatively few web browsers, pushing a "you will have this in your browser, or else nobody can access banks" is something that companies would do, if only to go after the pesky people who block the full page video takeover garbage.

        • Firefox on iOS doesn't give me any issues browsing Slashdot. Maybe something is screwed up in your cache?

          I switched back to Firefox from Chrome because of the shit that Google has been more openly pulling lately, and I assume it's just a matter of time before they start blocking out ad blockers and other extensions that they don't like. So far Firefox has been great. The extensions are great, and the developer tools are every bit as good as what Chrome offers. The Firefox Developer Edition comes standard wi

        • by slack_justyb ( 862874 ) on Tuesday July 25, 2023 @11:49AM (#63713738)

          IMO sounds like a sneaky way to force people off of ad blockers

          Absolutely. Considering the history here. Manifest-v3, FloC, and now this WEI there's a pretty clear pattern and those pointing at the words on that github as otherwise are completely ignoring THE VERY DEMONSTRABLE PATTERN that Google has become known for.

          Like yes, they say they "promise with sugar on top" that they won't do that. I have every expectation based on Google's history that they are absolutely GOING TO BLOCK AD-BLOCKERS. So when they say on their little github page:

          NON-GOAL: Enforce or interfere with browser functionality, including plugins and extensions

          All I can say is BULLSHIT. Google has burned every single ounce of goodwill and trust that the community gave them. They burned all of that in the name of profits. They can go fuck themselves at this point, literally NO ONE is taking that "non-goal" at face value. Everyone who works for Google, like it or not, is suspect by association with a company that will take every single "good idea" and turn it into something that drives their profit. Like this guy who owns this github page, sure he may have every single good intention on this planet. His idea might be salvation. BUT HE WORKS FOR GOOGLE. So all the trust anyone could give, we cannot give to him. Because his employer will take his idea and use it to destroy the last shreds of things we enjoy in our browsers. It's not him, it's his company he works for. They cannot be trusted. Dude's probably an outstanding guy, he's just working for absolute shitheads that look to drive nothing but profit at the destruction of everything else. So the only thing we can do is look at this idea and know that it basically boils down to how his employer will steal it from him and use it to lock the browser down even further. Anyone arguing otherwise, is totally ignoring how Google has been running for the last ten to fifteen years.

          So yeah. It absolutely is a sneaky way to force people off ad-blockers and even if the CEO of Google swore a blood oath saying otherwise, I wouldn't believe it. There is literally no goodwill left for that shithole of a company. They have fucking trashed every single ounce of respect for pennies. You are damn straight this is to lock the browser down even more, there are zero ways anyone can convince me otherwise. Fuck Google and every idea that spews from that company.

          • NON-GOAL: Enforce or interfere with browser functionality, including plugins and extensions

            REVISION ONE: Remove the word "non-goal" and everything that follows it.

            REVISION TWO: Move the previous "non-goal" to the "goals" list.

          • ...what goodwill?

            Anyway, the only way to fight this is to make web sites incompatible with the new standard. In other words implement Web Environment Integrity to display an anti-Web Environment Integrity banner that disables the web site.

        • by Sloppy ( 14984 )

          Slashdot, as of a few weeks ago, no longer seems to work with Firefox for Android unless you request the desktop version of the site, otherwise you just get an empty page.

          After reading this, I tried loading Slashdot in Firefox 115.2.1 on Android 12 and it worked just fine.

          Are there any other particular conditions that you know of, for recreating the failure?

      • by I've Got Three Cats ( 4794043 ) on Tuesday July 25, 2023 @10:24AM (#63713512)

        Yes, it has lots of good constructive uses. But like any technology it also has potential for significant abuse.

        Creating a secure way for people to access important services like banking is great. However, it's also a great way to create a system to utterly dis-empower and control people. Since the latter has a much greater positive correlation with corporate profit motive, which one do you think is more likely to be preferred by corporations?

        • Yes, it has lots of good constructive uses. But like any technology it also has potential for significant abuse.

          Creating a secure way for people to access important services like banking is great. However, it's also a great way to create a system to utterly dis-empower and control people. Since the latter has a much greater positive correlation with corporate profit motive, which one do you think is more likely to be preferred by corporations?

          Yup. No matter what the stated goal is, if this proposal takes off in any significant way, it's guaranteed to make some corporate fat-cat's mouth start watering when they think of the control it could give them over the end-users. And it absolutely *WILL* be used that way once it's up and running, no matter how pure the original developer's ideals may have been. Though it's hard to see a proposal like this as anything other than a control mechanism with some flowery promises laid over the top that will som

          • Remember how we were promised that animated ads would just take up a bar on the screen back in the 00s? You can see those fat-cat people using this and go for ad blockers or require even more privacy invasive measures, perhaps having the web browser pull up unique machine IDs and BIOS serial numbers as a further technique to fingerprint. Give them the possibility, they will run with it.

            • Remember how we were promised that animated ads would just take up a bar on the screen back in the 00s? You can see those fat-cat people using this and go for ad blockers or require even more privacy invasive measures, perhaps having the web browser pull up unique machine IDs and BIOS serial numbers as a further technique to fingerprint. Give them the possibility, they will run with it.

              Absolutely. Given the big push the giant tech conglomerates have been making into every aspect of our lives, and the fact they were dumb enough to slip up and speak openly about how they wanted to get tied up with your bank too, they'll probably devise some way to force bank account numbers to be stored locally so they can "verify every time" or some such nonsense, when really all they'll be doing is using the info to track every transaction for better ad serving.

      • by DarkOx ( 621550 ) on Tuesday July 25, 2023 @10:52AM (#63713600) Journal

        If banks start mandating it, people who don't want or have access to a "secure" OS might not be able to access their services.

        You act as if Google is 100% aware and counting on this exact thing to happen. Firstly a few institutions, banks, higher ed, k-12s, whatever WILL require it. That will twist the arms of a few people still outside the Chromium or in the "ungoogled" branches to spend at least part of their time on Google's full platform. Which we all know means they will likely get some telemetry that enables them to make more observations about those people when they are not on Google's branded platform at least in most cases.

        Once a few big orgs do it becomes somewhat normalized to require x.y.z, others will do the same, because 'security' or whatever excuse.

        Apple not wanting to sacrifice market share will fall into line and work with Google on it, same with Microsoft, and likely Meta.

        Sites not using Google's latest scheme will start adopting it increasingly because the consultants and developers available out there will be most familiar with it and doing it any other way and not shooting yourself in the foot will increasingly become a lost art.

        Mozilla to the degree they are not already irrelevant and already in Google's pocket will be faced with near total exclusion or will have to just get on board reluctantly or otherwise.

        That is how these stories play out on the web or at least how they have since the middle 2010s. It's the same story over and over. On the other hand though Google's increasingly iron grip on the client end of Internet technology has probably been the only thing that has deterred Amazon from trying to insert themselves into that space and levering their influence of so much of the hosting resources to close the net.

        • So far as I can see, there is only one way to fight this: have web sites implement Web Environment Integrity in order to disable browsers which support Web Environment Integrity. If Web Environment Integrity browsers can't access 10% of the web sites then we will have bifurcated the free web from the Google web. Anything else is pissing in the wind.

      • You've never used Selenium, have you?

      • I do think that even though the proposal may not have locking down explicitly stated, it will be present. Be it a "browser integrity check", a "trusted root", or other stuff which means a hardware based DRM stack.

        It is understandable why Google and a lot of well-heeled interests would want it. A DRM-encumbered browser would ensure those pesky adblock utilities would not be an issue, and that they could do their information gathering unfettered by people wanting to know what telemetry data is being slurped

        • by AmiMoJo ( 196126 )

          I can't see Apple going for no ad blocking, after they added ad blocking plugins to Safari.

          • If the banking industry rallies behind this DRM tier, I can expect Apple to knuckle under, especially presented with the choice of DRM or banks not allowing Apple users to use their products. Hopefully not, as Apple has generally done the right thing for privacy.

          • I can't see Apple going for no ad blocking, after they added ad blocking plugins to Safari.

            Depending on how this proposal unfolds, sites might be able to tell browsers what categories of addons are forbidden for the environment to be considered secure, and the browser might elect to fulfill the request or not. While Chrome might accept all "please no ad-blocking, kthnks!?" because of course they would, Apple might be more selective and only fulfill it for select sites, so they'd bow to banks but not to, say, social media ones.

      • It's bad enough with banking apps that won't work on rooted devices.

        I gave up trying to deal with banking apps root-checking and purchased a second, cheap Android phone I leave at home and use exclusively for banking (no chip either, just Wi-Fi). This works for me because I don't need to access my banks that frequently. Once a day, after I'm back home or early in the morning, is more than enough, and generally not even that. But for people who need to access their bank accounts all the time, yeah.

        • That's what I do as well. I have a phone that stays locked up at home, that I use for those banking tasks that I can't do on a proper laptop. For me that is mostly cashing checks. That's still 100 times more handy than banking has been for me in my entire life.

          In fact, I can't imagine why any sane person would put their banking information on something that they carried around in their pocket (the fact that it is controlled by Apple or Google is another problem as well). My credit card allows me to sa

      • I read the proposal yesterday. It specifically says that the goal is to not enable any additional tracking or locking down of the browser, and indeed it would have to do that if they want Apple and Mozilla to adopt it.

        Are people really this naive? Don't listen to what they say, look at what the technology enables.
      • I read the proposal yesterday. It specifically says that the goal is to not enable any additional tracking or locking down of the browser, and indeed it would have to do that if they want Apple and Mozilla to adopt it.

        And the goal of the 18th Amendment wasn't to empower and legitimize organized crime, and indeed it would have to not do those things if they wanted the states to adopt it.

        Didn't really matter.

      • by allo ( 1728082 ) on Tuesday July 25, 2023 @03:47PM (#63714408)

        Trusted computing is about companies not trusting the user. The steps will be that websites can verify official browser builds. Then a website can demand a certain browser, e.g., official Chrome or official Firefox, but no Chromium, no Firefox builds by Linux distributions or yourself. Next the browsers offer APIs like "detect if adblock is installed" (Chrome much more likely than Firefox) and you cannot modify the browser to lie to websites.

        Also trusted computing needs a whole chain of "We don't trust you" technology. Have a look at widevine at the highest trust level. You need secure boot, a recent CPU with an integrated TPM and at least Windows 10. No chance with Linux. Android only works if it is not rooted because when safetynet fails, apps like netflix will not show you videos.

        Trusted Computing is the way to close down computer ecosystems and let vendors dictate what you can do and prevent you from tampering with (parts of) the system. It takes away our freedom.

      • Re: (Score:3, Insightful)

        by fafalone ( 633739 )
        Remember when Microsoft and others claimed the TPM wasn't for and wouldn't be used for DRM? LOL.
      • What idiot upvoted a post which repeats the stated goals of a proposal? Next we're supposed to believe the USA PATRIOT Act is patriotic.

      • There is a reason both Android and iOS only do this for native apps with hardened runtimes, and only if there is a secure element available to facilitate the checks. If this is not done, it is easy to bypass. Connections to/from the third-party attestation service can be left as-is, with connections to the rest of the web manipulated as usual. The browser itself is unmodified and will pass the checks, all the while you have your SSL MiTM provide all your userscripts/extensions in a browser-agnostic way.
    • How dare poor people try to own things that mega corps want to control for profit?

      Is that a computer in your pocket or are you just happy to be tracked?

  • by Roogna ( 9643 ) on Tuesday July 25, 2023 @09:57AM (#63713422)

    I could happily switch back to it.

    • by Pieroxy ( 222434 )

      The real problem will start once banks and other services start mandating a "trust". Then gopher will fall flat on its face.

    • by alexgieg ( 948359 ) <alexgieg@gmail.com> on Tuesday July 25, 2023 @01:47PM (#63714108) Homepage

      I could happily switch back to [Gopher].

      There's an upgraded Gopher-like protocol called Gemini [wikipedia.org].

      It removes some odd early choices Gopher did that didn't really work well, adds TLS 1.2 and 1.3, and is made such the protocol itself is tightly locked and cannot be extended without breaking things, to force implementations to always be exactly this. For example, the header is fixed size and binary, so any attempt at extending it breaks clients, and there's no information on the requested file size, the spin keeps spinning until the file arrives with an EOF signal, which makes it cumbersome to use for downloading large files.

      The default hypertext format is a stripped-down version of Markdown because even full Markdown has too many unneeded features, with full Markdown as an optional second place (that downgrades cleanly into the stripped version if the client doesn't support it), and other formats, such as HTML, at a distant, emphatically discouraged third place.

      As things are moving Gemini's pure-text focus well might start attracting IT users tired of all the nonsense, or at least nostalgic for the 1990s experience.

  • Open source (Score:5, Insightful)

    by Mononymous ( 6156676 ) on Tuesday July 25, 2023 @10:01AM (#63713428)

    ensuring...that the browser hasn't been modified or tampered with in any unapproved ways

    Wikipedia tells me Chromium is released under a BSD license. No one has to give approval for any modifications.

    • Re:Open source (Score:5, Insightful)

      by GameboyRMH ( 1153867 ) <gameboyrmh@@@gmail...com> on Tuesday July 25, 2023 @10:18AM (#63713482) Journal

      Except the DRM components won't engage (or probably even be included in the browser) if you're running anything but an official Chrome build, which can contain closed-source components a Chromium build would not. Presumably this would also detect such "unapproved browser tampering" as ad-blocking extensions.

      Google will roll this out and then require it for web-based YouTube playback to close the side-doors into the YouTube ecosystem that allowed watching videos with less ads than cable TV and the use of downloader scripts. Mark my words. They've been sitting on the worst browser monopoly the world has ever known for years now, how long did you expect them to not do something incredibly evil with such terrible power?

    • But to render a google-approved web-page, you will need a certificate from google that confirms you haven't blocked ads.

      The start of this was googles DRM^h^h^h, let's encrypted every where. This was to stop users from caching content-- so users be forced to download "fresh" ads for each page refresh.

    • >"Wikipedia tells me Chromium is released under a BSD license. No one has to give approval for any modifications."

      And worse, nobody can actually fork the Chromium base because it would be impossible to maintain. Plus Google will fight it- they have complete control over what goes in it now. Anything not "official" would drift and then lose all the de-facto compatibility. That is why we can't base standards on what a single company like Google wants. We must have open, community-driven standards, and m

  • by thegarbz ( 1787294 ) on Tuesday July 25, 2023 @10:02AM (#63713430)

    It would be a dream to be on an Internet where toxic websites automatically reject my computer rather than me having to go through and micromanage a process of identifying and rejecting the toxic websites instead.

    Imagine a world where Facebook refuses to send you a tracking cookie because your device can't be trusted!

    Yeah I know I'm dreaming.

  • by byronivs ( 1626319 ) on Tuesday July 25, 2023 @10:03AM (#63713436) Journal
    Just yuck. Can we go back to dialing in numbers, and no one else listens? Here's my new thing, I dial in your IP and I reach your "thing." If you, the other party want 50 other people to listen in, well you're a douchebag, but at least I know what I'm dealing with. Also, my browser doesn't say, "do ya really really want?" I'm not grandma and I don't want a browser that caters only to grandma, or worse, because even grandmas need help, consumers. This is the most disgustingly you-are-the-product approach I've seen yet. Seems like google is washing the consumers now and serving them up like agriculture. Also, I'm sure this will and could be gamed or bought. Time to shower.
  • Anyone who cares about their privacy isn't using Google's web browser in the first place; so maybe there's some general benefit to the people who've already decided to bend over for Google.

    • by Pieroxy ( 222434 ) on Tuesday July 25, 2023 @10:26AM (#63713520) Homepage

      The danger is all the same. The problem being that Google is dominating the browser space, and once and if banks are convinced this is more secure, they will start mandating it. Then you will be out of luck with your open source browser that cannot issue a trust token to your banking server. No more online banking for you unless you can produce a "trustworthy" chrome. Probably won't happen on Linux either if M$ check is big enough.

    • The real problem is that you will be forced to use Chrome (or similar binary releases) to access certain sites, and all of the baggage that comes with it. It's like how Chrome was required to watch video services like Netflix in the past due to the DRM tech on those sites not being supported by Firefox. You likely won't be able to use a browser you compiled yourself, you won't be able to use browser versions too old or new, etc., simply because the fingerprinting won't match. If the fingerprinting extends t
      • Even better, we'll end up needing to have a specific version of Chrome (or other supported browser).
        And probably different one for different websites.

        Anyone that relies on Selenium for their web testing harness has already gotten a taste of this sort of mess.
      • by jonadab ( 583620 )
        > The real problem is that you will be forced to use Chrome (or similar
        > binary releases) to access certain sites

        The thing is, there are more websites in the world than there are people, so if I can't or don't want to use a particular one, it's not a big problem. I can just go find a different site, with less ridiculous requirements.

        There have always been and will always be websites that I don't want to use or can't use, for whatever reason. Way back in early 1994, I ran into a "sorry, this site is
        • there are more websites in the world than there are people, so if I can't or don't want to use a particular one, it's not a big problem. I can just go find a different site, with less ridiculous requirements.

          "I want to use the web application of a bank that has ATMs in my city." In this case, switching sites means switching banks. And if all banks and credit unions in your city require this crap, then good luck getting cash in and out of an account.

          "I want to pay my balance due at the public utilities in my city." In this case, switching sites means switching public utilities. And because of the natural monopoly associated with public utilities' rights of way, this typically involves moving to another city.

          Javascript, notably, enables things that would really not be possible to do in pure HTML.

          Scri

  • Thank goodness there is more than one.

    • If you read the standard, you will notice that this is about checking if you rooted your phone. This is not about choosing another standard compliant browser, this is about checking if the browser deviates enough from the standards and allows enough intrusions into your OS.
      • Re:"The web browser" (Score:4, Interesting)

        by PPH ( 736903 ) on Tuesday July 25, 2023 @12:06PM (#63713784)

        checking if you rooted your phone

        Phone? Who uses a phone to access critical secure services?

        On a PC, I can sandbox your integrity API along with a browser in a VM. You may think you are running on a "clean" OS*, but you can never tell if you are one layer below the system running the 'bots that are scraping the screen and generating keyboard/mouse inputs.

        I'm not sure where phones are compared to laptops or beige boxes. But I suspect that they are becoming powerful enough to virtualize systems just like real computers.

        *So your API tries to talk directly to hardware to make sure you are hosted on bare metal? Congratulations. You just broke all the security that OSes are responsible for providing. Just so you can run a few ads on my system.

        • checking if you rooted your phone

          Phone? Who uses a phone to access critical secure services?

          People in TV commercials/shows and movies, I guess.

          Pro Tip: If you're in a store and have to use your phone to check your bank balance to see if you can afford a new TV, you can't.

          • by PPH ( 736903 )

            Phone? Who uses a phone to access critical secure services?

            People in TV commercials/shows and movies, I guess.

            I remember back when Big Tobacco paid people to smoke on TV shows and in ads.

        • by sinij ( 911942 )
          Sure, but spinning a VM is a solution that only some techies would use and almost nobody in a general population. So you will still stand out unless you also generate plausible chaff usage, which is hard.
        • Phone? Who uses a phone to access critical secure services?

          In my country banks require you to install a rootkit if you want to access your account from a desktop PC. And some have moved away from the desktop entirely, only allowing unrooted iOS and Android phones. It got so bad I got a second, cheap phone I keep at home for my banking applications.

  • Remember folks (Score:4, Interesting)

    by DarkOx ( 621550 ) on Tuesday July 25, 2023 @10:18AM (#63713484) Journal

    The internet was fun while it lasted but what everyone needs to understand is the ad boys have never wanted anything other than to turn it into cable-tv.

    EVERYTHING Alphabet/Google has EVER done has been with that ultimate aim in mind.

    Adwords being the oldest thing - harder to separate text from a page than filter image tags that are ad shaped etc.

    Gmail - get the mail off your PC and onto their server

    HTTPSeverywhere - made it 1000x harder for joe public to use things like junk buster etc.

    reCAPTCHA/google account sso - set themselves up as the global gatekeepers for everything - know what you are doing where and when even when it's not one of their properties.

    android - get access to all sort of mobile telemetry for ad targeting, oh sure you can un-google it - but your banking app won't work... oh and gain all sorts of eyeballs to sell more ads to because we all know free-as-in-beer always chases out pay for the product models ultimately.

    Chrome - malware or PUP only real way to describe it if you are honest -

    Not that Google/Alphabet is the only actor out there doing this, but they are the most successful.

    https://www.gnu.org/proprietar... [gnu.org]

    • by caseih ( 160668 )

      I'm waiting with bated breath for Google to end IMAPS service for Gmail. I've been using IMAP with Gmail for decades and it's worked pretty and is ad free. So far Google hasn't screwed up IMAP too much, since it's pretty firmly defined in the RFC. So that can't last too many more years.

      It's really sad how companies are doing everything they can to abandon well-defined standards and take us back to the bad old days of proprietary, siloed mainframe services. It's gotten quite bad in the last few years. An

    • by MobyDisk ( 75490 )

      And now every site except Slashdot displays the "Sign in with Google" pop-up. We need a boycott on any site that displays that thing.

  • by mustafap ( 452510 ) on Tuesday July 25, 2023 @10:20AM (#63713490) Homepage

    "Don't be evil" just left the room. Again.

    • by Kazymyr ( 190114 )

      I seriously doubt that the "don't be evil" bit was ever more than a tongue-in-cheek slogan to appeal to suckers.

  • This seems like a cat and mouse game, where the only loser is the end user. Even if you only allow "approved" browsers, you can still play with web sites programmatically via browser addons, user scripts, or something Selenium-like. It seems this would only work against wget or raw HTTP libraries that don't involve a real browser. Plus I'm not sure how you're supposed to be able to do this while keeping things FOSS.
  • You'll generally be locked out of banking apps, Google Wallet, online games, Snapchat, and some media apps like Netflix. [...] Google wants the same thing for the web.

    I've decided I'm not going to give in to that on the phone. Every company that won't let me run their advertising app on my phone (which isn't even rooted, just a third party firmware) gets pestered about that, repeatedly. I demand the same benefits that app users get and leave the merchandise at the checkout if not. I hold up the line. Because your app refuses service to me. If this comes to the web, I'm off the web. I've built web sites before most people knew what a web site was. I'll dedicate time to te

  • by Gilmoure ( 18428 ) on Tuesday July 25, 2023 @10:21AM (#63713500) Journal

    Guess it's time to spin up a 'corp-o-rat' secure container for their mandated BS.

  • by Luckyo ( 1726890 ) on Tuesday July 25, 2023 @10:27AM (#63713526)

    I'll start by reciting my post from the thread from a couple of days ago on topic of google introducing in browser lockdown to prevent people from visiting parts of the web under the guise of "safety, security".

    >It's going to get much worse. Google's long term project has for quite a while been the sort of "official, validated, advertiser-friendly web" which became very visible with google's search engine shift from actual search to being a pitch engine. Pitching you on things that google thinks you should get from your query that is maximally monetized and controlled by google.

    One third of google's current big projects taking web in this direction is DRM in browser for chromium. Basically make it so that browser asks for validation from OS that it is indeed the user that is controlling the machine. This is being sold as "bot protection for websites". This is also likely in part riding on the coat tails of microsoft pushing for mandatory TPM in windows 11, which means that all major consumer operating systems now have a form of hardware DRM built in. The idea is that every device will allow full hardware DRM mechanism for every website to validate that:

    "This is the intended user".
    "User is using only allowed and validated software packages".

    All via the mainline web browser family that is used by almost everyone.

    Other third is the slow strangling of ad blocking with things like manifest v3. This ensures that add-ons are less and less useful, especially on ad blocking front, while validated premade "you don't need anything but this" browser being basically the only available option to overwhelming majority of users.

    And last third is what is described in the OP. Just strangle the rest with lack of financing due to being inaccessible by most with the mechanism described in OP, "this is a malicious, not validated site because it doesn't require DRM validation from you, so you should not use it".

    The obvious end goal is to go to fully closed web that every major corporation uses, which means that overwhelming majority of users will have to join it. A web that is controlled by the corporations, and where users have to validate themselves to it that they are who they are and that they are not running any unsanctioned software connecting to said websites.

    It's going to be IE6 on steroids, where not only will websites be allowed to basically require that you only use validated software, but you won't be able to spoof this due to hardware DRM built into your computer subverting your attempts to do so.

    ---

    Beyond this, you'll see a lot of political far leftists defending this in this thread with their usual obfuscation tactics. This is because politically google is currently fully captured by the neo maoist movement (aka woke), and they see this as a chance of locking in the political power for decades from position of extreme dominance at the time when dissenters have begun to organize without getting sniped by organised mass harassment campaigns aiming to render dissenters and their supporters destitute. It may be neo-maoism, but tactics of forced struggle sessions against dissenters remain the same, just moved to digital age.

  • by nightflameauto ( 6607976 ) on Tuesday July 25, 2023 @10:27AM (#63713530)

    Does anybody remember when the Internet seemed an exciting opportunity to exchange information with people you'd never meet in real life? Now it's morphing into a corporate controlled nightmare. And this proposal sounds like it could be the nail in the coffin.

    Ah well. It was fun for a little bit there. And we can't have that. Can we?

  • by HnT ( 306652 ) on Tuesday July 25, 2023 @10:50AM (#63713594)

    Between this and the crypto-scam-bros idea of Web 3.0, I really do miss the late 90s / early 00s web when we all proudly posted Strict XHTML 1.0 banners and a webpage was just a web page, and not a new form of centralized mainframe with watering hole distributed binaries.

  • block screen readers and end up with ADA lawsuits

  • You can easily hazard a guess as to which government agencies will be gleefully clapping their hands at the prospect of this kind of intel in their hands--not to mention advertisers. Can everyone stand up and JUST SAY NO!
  • by MobyDisk ( 75490 ) on Tuesday July 25, 2023 @12:30PM (#63713880) Homepage

    This is worse than it appears on the surface.

    This looks to me like a back-door way to make Google the unofficial authentication provider for the entire world wide web. Google runs an "attestation server" which provides tokens to the browser. Browsers send those tokens and servers verify them. That's basically OpenID! Notice how almost every public web site now displays a "Sign in with Google" pop-up? Notice how when you login to Google using Chrome, Chrome knows about the login and now you are magically logged-in to other sites? That's because, from Google's standpoint, you aren't logged-in to a web site via a cookie -- you are logged-in *to the web itself* and Chrome isn't a standards-compliant HTML renderer, it is your "gateway to the web."

    Google wants to replace the words "browser" and "web" with "Chrome" so that people think in terms like "I'm using my chrome to access my bank." And they want people to forget that they are logging-in to their bank's web site, and make people think they are logging-in "to the web." This is basically Google: Endgame. The entire point of making a browser was so that they could do this. It's better than running a social media web site, because they don't just own one piece of social media - they control it all.

    Ironically, the protectors we have against this are Apple and Microsoft. And sorry to sound totally tinfoil-hat here, but every geek who uses Chrome instead of Firefox contributes to this nightmare scenario.

    Once Google has this level of control, they don't need HTTPS or HTML: the web is theirs. Those old protocols will be used by hackers and Linux geeks. This is what Microsoft wanted to do in 1996 by integrating IE + ActiveX + Windows and they failed. Google has found a brilliant way to achieve it from a totally different direction.
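
The token flow the comment above describes (an attestation server issues a signed token, the browser forwards it, the web server verifies it), sketched as an added example that is not part of the original post or of the Web Environment Integrity proposal. The JSON token layout, the field names and `attester.example` are assumptions made for illustration; the point is how much the relying server's decision rests on its list of trusted attesters.

```javascript
// Added illustration: token layout and names are assumptions, not the WEI wire format.
const crypto = require('node:crypto');

// Constructed attester key pair; a real relying site would hold only the public key.
const attester = crypto.generateKeyPairSync('ed25519');
const TRUSTED_ATTESTERS = new Map([['attester.example', attester.publicKey]]);
const MAX_AGE_MS = 60_000;

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Attester side: sign a verdict bound to the content the browser asked for.
function issueToken(privateKey, issuer, contentBinding, verdict, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify(
    { issuer, verdict, binding: sha256(contentBinding), iat: now }));
  const sig = crypto.sign(null, payload, privateKey); // Ed25519 takes no digest name
  return payload.toString('base64') + '.' + sig.toString('base64');
}

// Web server side: every check must pass before the content is released.
function verifyToken(token, expectedBinding, now = Date.now()) {
  const [p64, s64] = String(token).split('.');
  if (!p64 || !s64) return { ok: false, reason: 'malformed' };
  const payload = Buffer.from(p64, 'base64');
  let claims;
  try { claims = JSON.parse(payload.toString('utf8')); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (claims === null || typeof claims !== 'object')
    return { ok: false, reason: 'malformed' };
  // The issuer claim only selects a key; trust comes from the server's own list.
  const key = TRUSTED_ATTESTERS.get(claims.issuer);
  if (!key) return { ok: false, reason: 'untrusted attester' };
  if (!crypto.verify(null, payload, key, Buffer.from(s64, 'base64')))
    return { ok: false, reason: 'bad signature' };
  // Binding stops a token issued for one request being replayed for another.
  if (claims.binding !== sha256(expectedBinding))
    return { ok: false, reason: 'wrong content binding' };
  if (claims.iat > now || now - claims.iat > MAX_AGE_MS)
    return { ok: false, reason: 'stale' };
  if (claims.verdict !== 'pass') return { ok: false, reason: 'environment rejected' };
  return { ok: true, reason: 'accepted' };
}
```
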

    • I don't know what era you come from, but Chrome already won the browser wars.

    • ... it is your "gateway to the web."

      A gateway they can close because you uploaded a dis-allowed image, or criticized Google's all-seeing eye, or didn't use a woke pronoun: This is worse than a Social Credit rating. The entire internet becomes a company town that you can never leave, because there is nowhere to go.

  • " At this point your browser would contact a "third-party" attestation server, and you would need to pass some kind of test. "

    Like being on a whitelist or have a positive social credit score. It's *way* worse than DRM.

  • >"Google's Nightmare 'Web Integrity API' Wants a DRM Gatekeeper For the Web" "Google's newest proposed web standard is... DRM?"

    Yep. I keep saying this over and over again. All multiplatform browsers that are not Firefox are now "Chrom*". The masses keep piling on more and more and more power on Google by using Chromium-based browsers. And with that power, Google will wield control over the web like we have never seen before, and it won't be good. We need to use browsers that are in no way under Goo
