I’m happy to see this being noticed more and more. Google wants to destroy the open web, so it’s a lot at stake.
Google basically says “Trust us”. What a joke.
I’m glad the reaction all around seems to be “That’s sus as fuck”
Me too, there is hope!
I think we need to start being very realistic here.
Google has ad buying customers who want their ads served, and it’s those customers that would probably opt into the SDK and API in the first place. Scope matters.
Next there’s a plethora of freeloaders on the Internet who consume mountains of content but who scoff at paying for or contributing to the Internet.
Lastly I’m not seeing anything here that says it will block a site like Lemmy for example.the one thing I do find problematic is this potentially limiting competing browsers
deleted by creator
Don’t mistake me for excusing their behavior. It’s the contrary. But I do think a grounded conversation starts with understanding what people’s motivations are.
deleted by creator
I actually posted an article about their opening of a data center being detrimental to another countries water supply. Link should be in my profiles recent posts, worth a read.
I think there is a fair lot of people who think it’s absurd to pay for what they consume. And if you asked them what the alternative is to them paying they’d say nothing, it should be free.
Each service they run is binned and probably billed and generates revenue separate ways, but enough of that Im not trying to argue for pro google. The DRM they’re trying to push is bullshit.
deleted by creator
deleted by creator
I guess you missed the part about being able to “validate” plugins, entire operating systems, dns resolving etc.
I don’t care about Googles financial problems. I don’t use their services. They can close down YouTube if they don’t have enough paying customers. Same with Google search. Bye Google. And the internet is suddenly a much better place.
I’m going to guess half of the proposal is to waste time and distract from the minimum requirement they’re hoping to actually pass. We saw this a lot in general politics in the US: you make a bold overshooting statement while passing legislature on the side.
We do not decide what is right and what is wrong.
But you don’t accept our drm do you’re wrong.
Would WEI stop Adblock by DNS? Like pihole or similar ?
No that should still work. The server will send a page to your browser, and when the browser renders it, it will request the ad. And your pihole will block the request.
Unless WEI somehow changes how page rendering works but I don’t think so.
Not really. The environment could easily include resolution of an ad server. If a site uses two ad servers and neither resolves, the attestor could decide to fail the environment. The problem is the attestation is left open for the attestor to create. It could check web browser, extensions, operating system, etc. I fail to see how this is at all privacy protecting to begin with.
That’s absolutely horrible.
Stop WEI.
All of that can be easily checked via JavaScript, but now if you world use extensions to disable those checks you would not pass the attestation.
So yeah, essentially you no longer have control over your computer, and need to bend over and accept everything the site owner wishes to do.
bend over and accept everything the site owner wishes to do.
Including a malicious site owner’s wishes.
Yes and no. They can freely enforce a specific DNS server and reject any browser with a custom one as “tampered with”. Just like they can freely enforce any part of your system being like they want it to be “or else”.
Does blocking ads by DNS still work? Current ads are AFAIK more sophisticated
Yes, it works well. There are some ads, like those built in to apps and pages for self-promotion (Microsoft having an ad for office on their own website, for example), that cant be blocked without disabling the service itself because the ad dns is the same as the content dns, but otherwise it works well.
No, but that only works if the ads are being served by known ad hosts, so you should expect that adtech will get hip to that and proxy their traffic through the same hosts as the content.
That being said, it’s pretty easy to check if a user has network blackholing going on in clientside JavaScript, you just do a test request to a popular ad network and see if it resolves, no special browser support needed.
From my very basic understanding of it yes. It in effect checks what’s loaded against what was served and if there’s a discrepancy it does its thing.
Note. If I have misunderstood please someone correct me.
Is there anything that would prevent some kind of proxy stripper? I’m thinking something that loads the page with a clean agent, strips out the shit and serves a nice clean page?
Definitely beyond pihole as it stands, but doable.
It would need something that would trick the checker into reporting an all good when local extensions fiddle with the rendered page. Not impossible IMHO but I’m wayyy to dumb for that shit. I was a sre not a developer.
Basically it’s a way for a “third party” that’s chosen by the web server to verify the environment where the front end code is running meets its standards. Those standards would be up to the third party. So I’d imagine if an assessor said “hey, we can verify ads load properly” or even “we verify this extension isn’t running” then many sites would possibly choose those assessors. It also is blatantly deceitful because of all the issues it suggests it can fix, it doesn’t actually fix any of them. And many of them aren’t even that big of a problem.
Google: Do
noALL evil.It won’t block browsers that spoof their identity? Yeah, sure.
Trust me, I’m Google.
Hey kid, I’m a computer. Stop all the downloading.
Help computer.
Who wants a body massage?
You’re not cooking…
Pork chop sammiches!
G I Joooee.
it says something about “spoofing identity” which raises a good question. If this does happen, how difficult would it be to just lie about your client environment with a spoofer of some sort?
That’s exactly what it is trying to prevent. Basically you, as an user is not to be trusted, so the website and your own computer work together to prevent you from doing anything the site deems inappropriate, like spoofing things, blocking ads etc.
It would be difficult. Your operating system, the browser, and the website’s code would have to be compliant to pass the WEI check
Let’s say you use a non-compliant OS (linux), or a non-chromium browser, or use userscripts, in all three cases you are locked out of the website.
There is no defense of the move. It’s bad for the internet. Pure and simple!
“But it’ll make us lots of money…”
Well… in that case…
this reads like a script of a Pitch meeting.
and is it going to be hard for people to accept this WEI?
No, it’s gonna be super easy, barely an inconvenience .
Oh, really?
yea, you see, majority of people don’t give a fuck and have no idea what it is about.
Oh wow, wow wow wow
I stopped trusting google when they decided to remove the “Do not be evil” clause
guess money and having a (near to) monopoly changes any company
They claim it’s to prevent bots, but we all know it’ll soon become standard in every WAF out there (Cloudflare, Akamai, etc) to just blanket block browsers failing attestation.
All you need to know what will happen is to root an Android phone. You’d expect Netflix and bank apps and other highly sensitive apps to stop working. Okay, I can accept that, it kind of make sense. But the more you use the phone the more you realize a ton of apps also refuse to work. Zoom complains and marks your session as insecure, the Speedtest app refuses to test your speed, even the fucking weather app won’t give you weather anymore. Jira/Confluence/Outlook/Teams also complain about it. It’s ridiculous.
Even if it’d trust Google to not misuse the feature and genuinely use it to reduce ad fraud, the problem is the rest of the developers and companies. Those, they absolutely cannot be trusted to not abuse the feature to block everyone. Security “consultants” will start mandating its use to pass security audits, government websites will absolute use it, and before you know it, half the web refuses to work unless you use Chrome, Edge or Safari.
Yup I noticed this also. I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background which means Google finds out about literally everything we do on our phones. They already own the entire operating system but we can’t even run apps without them being in the middle.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
But I’m a long term Linux user and I’m used to the OS not calling home and not reporting what apps I use. And this is how it should be. I’m so over big tech it’s not even funny anymore.
It’s even worse without Google apps, but I was talking about SatetyNet/PlayIntegrity specifically.
The mere act of unlocking the bootloader, without even modifying anything, will cause all the problems I outlined, and it’s the same API that Google is proposing to use by browsers to check for device integrity.
Stuff depending on Google libraries, eh, that annoying but people can and will reimplement those, be it microG or Wine/Proton. Not being able to see the weather I literally could get just looking out the window because my bootloader is unlocked? That’s insane.
I used a rooted phone without Google apps on it and so many apps simply refused to work. They use Googles api in the background
This has nothing to do with being rooted but with Google encouraging people to build apps using its proprietary libraries to make Google Android more valuable than Android Open Source Project. There may be a connection to the EU’s attempts to stop Google from forcibly bundling several of its other apps with the Play Store.
For most use cases, good alternatives are available and it’s just a matter of developers being lazy, but I’m not sure there’s another good option for chat apps to get timely notifications without high battery consumption. MicroG provides an open source alternative to Google’s libraries and works for most apps, including chat notifications.
It’s a bit worse than just Google libraries, apps can use Play Integrity which uses hardware attestation to validate it’s bootloader lock status and that it’s running a vendor signed and Google approved ROM.
Current bypasses emulate older devices without the necessary hardware, but those will eventually stop working and there won’t be bypasses unless someone leaks some master keys or finds TPM exploits to trick it into signing the integrity request. It’s very bad.
Yes, but they’re two separate issues. Many apps that don’t care whether you have root or a third-party Android build use Google’s libraries.
Patching apps is another workaround. It won’t beat server-side checks, but I think those are still fairly rare. ReVanced makes it easy to do, though I’m not sure there are patches related to SafetyNet yet.
This is all similar to using Microsoft Windows or Mac OS so I guess people are so used to this behavior that it’s somehow ok.
Not so much used to it, but just kinda sigh and accept it because I like my apps to work. I’m a long time Linux user as well, and I still have to keep a Windows box around for random shit that just refuses to work on Linux for various bogus reasons.
I have a rooted LineageOS running Android and besides Kostum widgest everything is working fine. Yea I had to fiddle around with the banking app, but other than some popups and ingame stores not working everything is fine.
I use e os and no problems here
I heard spoofing safety net is possible with magisk so banking apps should work with it
Unfortunately some apps don’t check only for SafetyNet
What other ways are there? At least my banking app worked with spoofed safetynet
Checking whether the bootloader is locked or not, checking for abnormal system properties like whether the ROM is using release keys or test keys, and other methods that idk of, you can test momo which is an app that checks the environment and tells you if there is anything abnormal about it, some use it to check if they were successful at hiding root and anything abnormal
I ain’t trusting nobody
WEI can potentially be used to impose restrictions on unlawful activities on the internet, such as downloading YouTube videos and other content, ad blocking, web scraping, etc.
Not one of those things is illegal.
Some are against a site’s TOS and some are outright fine.
This is the most disturbing “boring dystopia” thing yet.
deleted by creator
Yeah that’s bullsh*t by the author of the article.
Well ai scrapping is against copyright.
Scraping itself is not illegal. It’s not until an AI generates a copyrighted IP that it becomes an issue.
It’s like if I were trying to start an art business. You come to me and ask me to draw a princess. I’ve never seen a princess before, so I go online and look up images of princesses to get an idea what to draw. I go back to the studio and draw you a picture of Snow White.
Me looking up princess images is fine. It’s only when I sell a Disney® IP without their permission that it becomes illegal. And, even then, it’s a civil matter, not criminal.
It’s time to use web integrity against them, by blocking access to your site if they “pass” integrity checks, and telling them to use a freedom respecting browser instead.
I would support this
This is actually already implemented, see here.
Redoing several sites I have ,this will be included
Lmao this would be hilarious
Absolutely. And build web sites where all browsers and operating systems are welcome.
Not that I find idea bad but doesn’t this statement contradict the one you’re commenting?
Yes you are right actually. :P
Can’t get that past a programmer can I… :)
Well passed time to do some monopoly busting.
Monopoly busting. Ecosystem lock-in. Right to repair. Software patent reform. Privacy and AI regulation.
What do lawmakers even do these days anyway?
Screw the proletariat, mostly
What do lawmakers even do these days anyway?
Accept bribes. Insider trading. Forment outrage.
The fraud-fighting project has fired up quite a controversy
fraud-fighting? Even Google’s initial pitch was explicitly describing it as a way to sell more ads.
I wish they’d have grown a pair and outright said “we’re forbidding ad blockers in Chrome, come at us”. I bet there’d be less controversy. This WEI thing just makes them look like sniveling weasels.
