this post was submitted on 03 Sep 2023
284 points (95.5% liked)

Technology

58157 readers
3575 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world
284
Apple already shipped attestation on the web, and we barely noticed (httptoolkit.com)
submitted 1 year ago by lautan@lemmy.ca to c/technology@lemmy.world
42 comments fedilink hide all child comments
all 43 comments
sorted by: hot top controversial new old
[–] deweydecibel@lemmy.world 108 points 1 year ago* (last edited 1 year ago) (5 children)

I'm getting here too late for this to be visible, but fuck it.

The difference is Apple doesn't pass any information on to the website. It just tells the website whether or not it passes their integrity check. Your web environment gets the Apple stamp of approval or it doesn't, that's all the sites will know.

Googles shit is going pass actual information about the browser state, add-ons, and the device to the site so they can restrict access based on any criteria they choose. That creates endless more avenues for abuse by giving the websites the ability to judge you for themselves and micromanage how you are allowed to visit their site.

Apple's is the equivalent of a metal detector before walking into a building. It will go off but it doesn't violate your privacy or enable targeted screening by telling anyone what it detected.

Google's is the equivalent of a strip search, where it will drop your clothes and pictures of your junk onto the property managers desk so they can decide if you're worthy to enter. Maybe they don't like your brand of underwear, or a tattoo you have, and refuse to let you in.

[–] realharo@lemm.ee 18 points 1 year ago

Can you post any source at all that would back your claims? Or any technical details at all?

Neither the actual proposal https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#what-information-is-in-the-signed-attestation, nor the article itself seem to show that there would be a difference when it comes to privacy.

The entire problem with this proposal is that it limits client choice, similar to how Google Play integrity API on Android restricts some apps from running on rooted/unlocked phones.

That same problem obviously also exists in Apple's implementation.

[–] Rentlar@lemmy.world 18 points 1 year ago

Your comment was on the top for me, Lemmy's default "hot" sorting brings fresh takes to the front, so don't worry too much about your answers always getting buried.

[–] _number8_@lemmy.world 7 points 1 year ago

i love seeing comments like this at the top for some reason on here

[–] Serinus@lemmy.world 5 points 1 year ago

Transmitting that info to Apple is still a problem. Why do you trust Apple, but not Google?

Google's version will likely ask you first, and you'll know which sites are asking for it. Apple's won't.

[–] 1984@lemmy.today 3 points 1 year ago* (last edited 1 year ago) (1 children)

Big tech tries hard to act like the Internet Government, don't they... Who elected them?

[–] sekhethsis@lemmy.world 0 points 1 year ago

We did by giving them billions and billions of consumer dollars.

[–] SaintFlow@lemmy.world 49 points 1 year ago* (last edited 1 year ago)

Somehow, I am not surprised. Both, that Apple already did it and that there was no public outcry about it.

[–] elbarto777@lemmy.world 44 points 1 year ago (3 children)

The solution would be not to visit those sites that require this, right?

[–] Earthwormjim91@lemmy.world 29 points 1 year ago (1 children)

Well it’s already integrated into cloudfare and fastly. So good luck with that.

Pretty much all major sites use one of those two as a CDN.

[–] bobs_monkey@lemm.ee 6 points 1 year ago (1 children)

Wouldn't cloudflare's client (the website you're trying to visit) be the one to implement this, while cloudflare simply does the verification?

[–] Earthwormjim91@lemmy.world 9 points 1 year ago

No it would be cloudfare. That’s their whole business.

So, for example, right now if you visit a website using cloudfare as their CDN, and your browser looks “suspicious”, cloudfare will grab you and redirect you to a verification page to put a captcha in to verify that you’re human before they will direct you back to the website you’re trying to go to. That’s why people use cloudfare in the first place instead of trying to implement some verification themselves. It’s easier and cheaper to outsource to a specialist.

Attestation would just be a “fast pass” for users. If your browser looks “suspicious” then you would be redirected to cloudfare for verification. Instead of a captcha though, it would automatically negotiate with your browser that would present a token generated on device to cloudfare. Cloudfare would reach out to the attestor for that browser with that token to validate it. For safari it would be Apple, for edge it would be Microsoft, for other chromium browsers it would be Google. The attestor would look at the token and be able to say “yes this is a valid, unmodified version of macOS/Windows/ChromeOS/etc and likely to be a normal human” and you would be directed back to the website you want to go to instead of having to put a captcha in.

The danger is when these companies start to control attestation. If you have a modified OS? Sorry we don’t know if they’re human. And you’ll have to enter a captcha. Potentially, if your phone/machine is not the latest version? Sorry don’t know, enter a captcha. Using lineage instead of a licensed version of Android (like Samsungs skin, etc), sorry not validated, enter a captcha.

If attestation becomes mainstream, then it will be the default because it’s cheaper for the CDNs and everyone to do. But it puts the power in the hands of like 3 companies for attestation. And it’s very very likely they will start limiting attestation as a “feature”. Have a galaxy phone? Well if you haven’t upgraded in a few years and are no longer in recurrent supported devices list, sorry no attestation. And they only offer like 3-4 years of official support. So if you don’t want to enter a captcha every time you change webpages, better upgrade homie.

So naturally it will push your average consumer to just upgrading a perfectly fine device instead of keeping it. And it will discourage a ton of FOSS stuff because that will all be “unvalidated modifications” or won’t implement it. If Google implements it, that will be the nail because chrome has like a 70% market share and pretty much everyone will develop for that. So they’ll all develop with Google’s attestation in mind. If you’re using Firefox which won’t implement it, you’ll be entering a captcha every time. And that will push people over to the big companies.

Attestation is a MUCH bigger thing than people think. You don’t need to worry about every website implementing it. You only need to worry about like 3. Cloudfare and Fastly are two huge ones, which have already implemented it on an as available basis. Right now it’s just Safari but they have it available if Google and Microsoft implement it.

Google themselves are the third one since the way operate their own CDN for themselves and clients. If they implement attestation there will be immediately a huge chunk of the web using it. Like 70%+. Cloudfare has 20%+ of the market and Fastly is like 18%. Google makes up another huge chunk but I couldn’t find any figures.

That would be such a huge immediate usage that it would very rapidly become the default and would lock people into only the big companies.

[–] spokenlollipop@lemmynsfw.com 24 points 1 year ago (1 children)

Hard when those sites are things like your bank, your government official stuff pages, etc.

This attestation stuff is a "not such a bad idea in its basic principle" thing that will actually absolutely get abused everywhere in every way including being used to kill off browser competitors, enhance monopoly positions, etc.

It needs to be stopped now.

[–] _number8_@lemmy.world 2 points 1 year ago

what good does it do? why should the server see or care about anything on this side? spit out the damn content

what worries me is that 'web environment integrity' is the perfect bullshit smarmy business school name for it

[–] otter@lemmy.ca 11 points 1 year ago (1 children)

Getting a list together would be step 1

[–] elbarto777@lemmy.world 1 points 1 year ago

Would a list of "offenders" be necessary? I'd say a list of alternative sites that don't implement this BS would be better.

[–] mwalimu@baraza.africa 41 points 1 year ago (1 children)

your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.

[–] elbarto777@lemmy.world 19 points 1 year ago

Well, fuck that.

[–] phx@lemmy.ca 26 points 1 year ago (2 children)

It's not a problem until more sites start REQUIRING it, and then it's too late. Even if some Apple already provides it, it's more dangerous as use grows

[–] Petter1@lemm.ee 9 points 1 year ago

It makes it even more easy to adjust online prices for apple users, lol

[–] _number8_@lemmy.world 3 points 1 year ago (2 children)

is there any positive use case for it for the user at all?

[–] HelloHotel@lemmy.world 11 points 1 year ago

No, its an alternate evil scheme to uniquely identify users and not bots. Replacing the phone number.

[–] Serinus@lemmy.world 3 points 1 year ago (1 children)

For sites that support it, you don't have to fill out a captcha.

Instead it transmits a list of running processes (or other, formerly private info).

[–] SirQuackTheDuck@lemmy.world 1 points 1 year ago (1 children)

^Instead it transmits a list of running processes (or other, formerly private info).

No it doesn't. Attestation is simply a cryptographicly signed "we trust this user is human" message.

[–] Serinus@lemmy.world 1 points 1 year ago (1 children)

Based on what?

[–] SirQuackTheDuck@lemmy.world 1 points 1 year ago

Based on the spec. The token is simply a signature that can be checked at the issuing party (Apple for this news item).

[–] redditReallySucks@lemmy.dbzer0.com 7 points 1 year ago (1 children)

What I don't understand is how does the attester check the device is not modified? Anything client side is just a matter of time until its get bypassed.

[–] Natanael@slrpnk.net 8 points 1 year ago

It needs integration with the TPM/secure element chip in the CPU and a device key issued by the manufacturer to sign an attestation that nothing in the software chain from kernel to browser has been modified .

These schemes tends to get regularly broken, just look at SGX

[–] yoz@aussie.zone 6 points 1 year ago (1 children)

What does this mean? Do they now own the internet ? Can someone please TLDR it?

[–] SirQuackTheDuck@lemmy.world 16 points 1 year ago (1 children)

A very short TLDR would be:

Apple (in this case) decides if your device should be trusted as a human, or if it's suspicious / a robot, which could break parts of the Internet for those not joining this "attestation", or using software that doesn't support it.

A more ELI5 version would be that Apple has implemented a controversial API (The Web Environment Integrity API) that indicates if a combination of OS + Browser + User behaviour is to be trusted as being human.

Attestation before used to mean "is this device who it says it is", and one can check that in some ways as part of WebAuthN (aka "Passwordless login"), where it would be useful to know if an Android device a site knows you have (as you've logged in before) is that same device. It's a system to trust devices. The WEI-API expands this to look at your OS, your browser and your environment, like installed applications.

Problem with this, is that the requirements don't have to be public. Apple can decide what makes a "trustworthy device" and what can be considered "suspicious".

Bad examples like these are to "fail" attestation if you have torrent clients installed, of if you're connected via a VPN, or if you're not using Bing + Edge on Windows.

Browsers and OS'es refusing to support attestation are likely to become a minority (most users use Chrome, and Google seems to be in favour). Should sites start blindly trusting this "attestation" - in replacement of captcha's -, we could start seeing more privacy-prone combinations being locked out of these kind of sites.

[–] yoz@aussie.zone -2 points 1 year ago (1 children)

Thanks mate. I'll tell everyone to stop buying apple products but people are really ignorant and would not careless. Their $2000 phone is more imp. to showoff than fucking Internet.

[–] SirQuackTheDuck@lemmy.world 0 points 1 year ago

Ehh, way to miss the point. This article is about Apple, but Google is doing the same with Android and Chrome.

Parties that have issues with this are Linux distros and browsers like Firefox, that leave control and "humanness indicators" more in the hands of the users, instead of in the hands of big, influential companies.

[–] Lemmylaugh@lemmy.ml 4 points 1 year ago (1 children)

Didn’t notice yet

[–] SmashingSquid@notyour.rodeo 1 points 1 year ago (1 children)

The only thing I've seen it used for is skipping captchas on cloudflare.

[–] LifeInMultipleChoice@lemmy.world 1 points 1 year ago (1 children)

How would I notice it, for example I noticed cloudflare was listed, and lemmy.world is currently using it until they can move off it I believe. Does that mean I could see it somewhere while accessing that instance?

[–] SmashingSquid@notyour.rodeo 1 points 1 year ago

If you go to a cloudflare hosted site and it thinks you might be a bot if your browser supports it it'll skip the captcha. The point of it is that you don't notice it. Here's a blog article on it from them: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/

[–] kitonthenet@kbin.social 1 points 1 year ago (2 children)

These schemes all have the same problem that reddit and Twitter have: they need me more than I need them. If your website or app or whatever won’t work if I’m not on the right device I won’t visit it, and that’s not a bad thing

[–] Zoidberg@lemm.ee 3 points 1 year ago (1 children)

It's a bit more complicated than that, unfortunately.

What happens when Microsoft adds something to their web building tools that forces all visitors to websites using these tools to use IE? Or when your bank (or even worse, utilities) start requiring Windows and IE?

[–] kitonthenet@kbin.social 0 points 1 year ago

I'd be very surprised for one thing, because IE is no longer a product Microsoft supports in any capacity. I'd also be confused as to which tools the web hosting market just shifted to that they're using Microsoft tools, there are monopolists out there I'm worried about but Microsoft isn't my main one right now

[–] cy_narrator@discuss.tchncs.de 1 points 1 year ago

Till one day your government will require it.

[–] elouboub@kbin.social 1 points 1 year ago (1 children)

The danger would be important entities like governments and banks using attestation. Then you'd be limited to using only Chrome, Safari and Edge, and Firefox could kiss its ass goodbye.

[–] kitonthenet@kbin.social 0 points 1 year ago

Bank: my bank is too boomercore to ever implement something like this, we only recently got 2fa

Government: my government still makes me file my taxes on paper and mail it to them so I’m ok for now