I’m happy to see this being noticed more and more. Google wants to destroy the open web, so it’s a lot at stake.

Google basically says “Trust us”. What a joke.

  • lobster_teapot@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    As other have pointed out, it goes way beyond ad-blocking. It’s a complete reversal of the trust model, and is basically DRM for your OS:
    Right now, websites assume rightfully that clients can’t be trusted. Any security measure happens on the server side, with the rationale that the user has control over the client and you as a dev control the server. If your security is worth two cents, you secure server side. This change propose to extend vendor power, by defining a set of rule about what they deem acceptable as a client app, and enforcing it through a token system. It gives way too much power to the vendor, who gets to dictate what you can do on your machine.
    We actually have a live experience of how that could go down with safetynet on android. Instead of doubling down on the biggest security issue there (OEM that refuses to support their software for more than 1 or 2 year after release which, quite frankly, should be universally considered as unacceptable), google decided that OEMs should be allowed way more trust than the user. Therefore modifying your own OS in any way, even if it’s ripe with security flaws to begin with and you’re just trying to fix that, breaks safetynet. If you break safetynet, “critical apps” like banking apps stop working altogether.
    The worst part is that there are ways to circonvent safetynet breakage, because in the end, if DRM taught us anything, it is that if you control the client and know your way around, with enough work you can do pretty much anything you want with it. So bad actors are certainly not kept at bay, you just unjustly annoy people with legitmate usecases or even just experimenting with their hardware because in the end, you consider that your user are at best dumb security flaws, at worst huge cash machine, often both at the same time.

      • lobster_teapot@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        10
        ·
        1 year ago

        Yeah, moreover you give server admins the illusion that they CAN control what happens client side, which is bonkers.
        Honestly the most infuriating thing in this whole controversy is that the proposed approach fix almost none of the issues that the authors say their proposal should fix.
        What it does however is break the open web principles in major ways.

    • vvvvv@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      We actually have a live experience of how that could go down

      Another example: latest iteration of Google Captcha. Released with promises to end manually inputting text captchas, the main thing it turned out to check for is whatever you are logged into your google account. If so, you get through automatically, or, at worst have to press a checkbox. If you are not logged in, enjoy selecting fire hydrants and crosswalks.