this post was submitted on 25 Jul 2023
275 points (100.0% liked)

Technology

37712 readers
154 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

Apple has deployed a system called Private Access Tokens that allows web servers to verify if a device is legitimate before granting access. This works by having the browser request a signed token from Apple proving the device is approved. While this currently has limited impact due to Safari's market share, there are concerns that attestation systems restrict competition, user control, and innovation by only approving certain devices and software. Attestation could lead to approved providers tightening rules over time, blocking modified operating systems and browsers. While proponents argue for holdbacks to limit blocking, business pressures may make that infeasible and Google's existing attestation does not do holdbacks. Fundamentally, attestation is seen as anti-competitive by potentially blocking competition between browsers and operating systems on the web.

top 37 comments
sorted by: hot top controversial new old
[–] scrubbles@poptalk.scrubbles.tech 195 points 1 year ago (3 children)

"Sorry, your device appears to be running Linux, please only use approved Apple or Windows devices to log in, with our required surveillance system pro installed. Thanks."

[–] floofloof@lemmy.ca 43 points 1 year ago

Unfair. Google, Amazon and Facebook devices will also be allowed.

[–] aperson@beehaw.org 19 points 1 year ago

Should you chose not to continue, you agree to kick yourself in the balls.

[–] peter@feddit.uk 14 points 1 year ago (3 children)

Companies can already do that

[–] teawrecks@sopuli.xyz 8 points 1 year ago (1 children)

Yeah, but so far you can just spoof your user agent. Not sure how easy cracking private access tokens will be. I assume they'll be pretty proactive about keeping it locked down.

[–] Fed@lemdro.id 4 points 1 year ago (3 children)
[–] DzikiMarian@lemmy.sdf.org 4 points 1 year ago

That's easily detectable. Try beating Google Safety Net that way.

[–] TheOakTree@beehaw.org 2 points 1 year ago

...do you really think the devs of these systems don't understand how to distinguish VMs from authentic devices in their device authenticating platform?

[–] teawrecks@sopuli.xyz 2 points 1 year ago

Again, not an expert on Private Access Tokens, but I assumed the entire point is that it's a proprietary black box piece of hardware that's authenticating your device. If it's just passing a token generated in software, it would be trivial to bypass even without a VM.

Could you explain to me better what the VM would accomplish in this situation?

[–] DzikiMarian@lemmy.sdf.org 4 points 1 year ago

"Can" and "have a reason" are different things. With attestation they actually have a reason.

[–] gigachad@feddit.de 3 points 1 year ago

Google already does that with Android and SafetyNet

[–] sin_free_for_00_days@lemmy.one 86 points 1 year ago (4 children)

If a website doesn't want me to see their shit, then I guess i won't see their shit. I already have some sites that don't work because of my aggressive use of lists on my pihole, in addition to the usual browser plugins. If a site doesn't work now, I just move on. I don't give a shit about any site enough to put up with this type of bullshit.

[–] pineapplelover@lemm.ee 22 points 1 year ago (2 children)

We need to fight against this and stop this from happening before it's too late.

[–] shootwhatsmyname@lemm.ee 10 points 1 year ago

Seriously—the consequences are going to be very extreme very quickly if we don’t actively fight against this

[–] argv_minus_one@beehaw.org 6 points 1 year ago
[–] kent_eh@lemmy.ca 19 points 1 year ago

If a website doesn't want me to see their shit, then I guess i won't see their shit

That's how I react to Twitter and Facebook requiring login to even view most things.

Whatever you're showing isn't important enough to be worth me making an account.

[–] esaru@beehaw.org 12 points 1 year ago* (last edited 1 year ago) (1 children)

To see how your approach works, try using the Internet with Javascript turned off for reading text. You will realize you can't organize your life nowadays without bowing to what websites do technically.

[–] peter@feddit.uk 7 points 1 year ago (1 children)

You can't use websites when you disable a major piece of functionality? Shocker

[–] esaru@beehaw.org 7 points 1 year ago* (last edited 1 year ago)

Why would Javascript be a major piece of functionality for a website that is based on text articles?

[–] ReallyKinda@kbin.social 11 points 1 year ago

I had to stop using my car insurance app because it started requiring location information to open.

[–] Neato@kbin.social 60 points 1 year ago (2 children)

Expect corporations to be lazy. Just look at how every website handles cookies now. They could do it smartly, limit their cookie exposure, or only send the messages to IPs in the EU. But they just put an "accept all cookies or get out" OK box on your screen. And that's what they're going to do once attestation gets popular.

Sites will just require an attestation token and likely only accept ones from Safari and Chromium browsers since those are the ones pushing it. That will effectively make Firefox, Opera and other browsers incompatible with those websites. And once it catches on or becomes law somewhere, it'll be the entire internet. It's an extremely anticompetitive measure and it's internet-wide DRM. Fuck. that.

[–] HeartyBeast@kbin.social 24 points 1 year ago (1 children)

But they just put an "accept all cookies or get out" OK box on your screen.

Which doesn’t comply with GDPR

[–] blindsight@beehaw.org 18 points 1 year ago

Which only affects companies doing business in the EU. Granted, that's most of the big players.

Very grateful for the EU to unfuck most of the world from a lot of American regulatory capture.

[–] BubblyMango@lemmy.wtf 7 points 1 year ago

Opera is chromium based though.

You dont even need this DRM bullshit to become law. Chrome will simply put a warning before entering websites without it that goes "this website doesnt use name of a technology the user doesnt understand and therefore might be dangerous". Thats it. Every and all websites will immediatly implement this DRM bullshit or die.

[–] nan@lemmy.blahaj.zone 34 points 1 year ago* (last edited 1 year ago) (1 children)

Google mentioned these in their explainer (they don’t like that they’re fully masked): https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#privacy-pass--private-access-tokens

Cloudflare explains them more too: https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/

They are currently going through an IETF standardization: https://datatracker.ietf.org/wg/privacypass/about/

You can also read the architecture. In general I do trust Cloudflare more than Google. I have no doubt shitty sites won’t fall back to a captcha and will instead block access though, with either solution.

[–] dan@upvote.au 30 points 1 year ago (1 children)

In general I do trust Cloudflare more than Google.

A large portion of the internet runs through Cloudflare's network though, so IMO they're just as much of a risk as Google.

[–] fonix232@kbin.social 13 points 1 year ago (4 children)

However unlike Google, CloudFlare doesn't have a history of killing off products just as users begin to adapt to them.

[–] Atemu@lemmy.ml 19 points 1 year ago (1 children)

CF has only been public for a few years. Give it a decade and I'm sure they'll be just as evil as Google.

[–] peter@feddit.uk 16 points 1 year ago

Public companies will always screw you in the end. It's part of their fundemental design

[–] pemmykins@beehaw.org 18 points 1 year ago (1 children)

That’s not why Google is harmful though - they’re harmful because almost all of their revenue comes from advertising - everything else they offer is just a funnel to gain data on the worlds population in order to better target advertising.

As for cloudflare - they showed their true colours last year with kiwifarms. They’ll happily host the worst websites in the world as long as they don’t get bad press.

[–] andrew@radiation.party 19 points 1 year ago

Slight correction, generally cloudflare doesn’t host any sites (this is untrue in specific circumstances, but in your example they certainly didn’t host the site) - they just sit in front of existing sites and store some static assets, otherwise acting like a transparent reverse proxy.

[–] dan@upvote.au 12 points 1 year ago* (last edited 1 year ago)

The main risk with Cloudflare is that if they think your device is malicious, it gets very hard to browse the internet, as every site hosted behind Cloudflare starts showing CAPTCHAs or rate limiting you. This could get worse if new APIs that determine if you're legit don't like you for whatever reason.

[–] itsAllDigital@feddit.de 8 points 1 year ago

That still however doesn't relieve them. Whether they've killed of less products, IMHO still leaves them at the position that they route MASSIVE amounts of the entire internet.

One point of failure or control is still a big risk, no matter how you turn it

[–] qwertyqwertyqwerty@lemmy.one 20 points 1 year ago (1 children)

Back to the days of using a different web browser for each website. I remember the acid test, IE 5.5, etc. Not fun as a user or web developer.

[–] astra@lemmy.deepspace.gay 4 points 1 year ago

if you use Safari or Firefox as your main browser it's already been this way for a while. websites are only tested against Chrome and often times when something doesn't work switching browsers temporarily alleviates the issue. it's a sad state of affairs in browser land.

[–] vacuumflower@lemmy.sdf.org 6 points 1 year ago

Actually I like this.

All those people who've been trying to keep corporate technologies "open" were, in fact, working for the corporations to make people come to them. Most unknowingly, maybe. It's just, well, litany of Gendlin case. You rely on corporate power, even if you are trying to hide it and talk about "open Web".

The most important thing is that we take ideologically corporate technology where it's not needed (there's been plenty of hypertext systems in history, some kinda successful, and all that JS and AJAX stuff and various frameworks on top are so complex not because of any usefulness, but because of the corporate goal of backward compatibility, lumping everything together and even intentional complexity to cut off competition, and a single space).

We'd be just fine with a bunch of incompatible between themselves Hypercard-like things working over network. That's what I think.

I really dislike Apple for what they've been in my somehow conscious years (born 1996), but things like Hypercard and Hotline (or KDX) from their older time seem to be just the right way to use personal computers.

Any single space with propaganda of "fragmentation being bad" is either not immune to what has happened to the Web, or already compromised.

[–] azalty@jlai.lu 5 points 1 year ago

Damn, didn’t know that, thanks for sharing!

load more comments
view more: next ›