- cross-posted to:
- technology@beehaw.org
Wow they moved incredibly fast, even considering the repository was first committed to in April 2023. I wonder why the outrage only started a few days ago? There was also a discussion, started in May.
It’s a shame that no matter the amount of outrage, no matter what the pitfalls of this change may be, it’s going to happen no matter what because money.
Well, I don’t know about now, but this Microsoft employee says some time ago an outrage worked.
From what I read in the related links they only claim to have applied pressure, they didn’t cave because of that pressure though. Again it seemed to be about money.
“The only saving grace was Vista’s very painful and long development period where Palladium was eventually killed so Vista could actually ship.”
We also cannot say it wasn’t a factor in their decision.
but we also have no reason to either
Right, so outrage that they couldn’t get enough money.
Luckily we have choices. From WebKit browsers to Mozilla browsers. This will make me quit chrome. (Way overdue anyways)
If you switch to a browser that cannot be remotely attested, eventually commercial websites will just stop serving you. So switch now and tell everyone you know to switch to something that is not Chrome or Safari.
Safari already does this in the form of Personal Access Tokens, and the reason the web hasn’t taken it and run with it yet is because their market share is ~20%. Chrome is 70%. This is about to be a systemic problem that you cannot fix by switching to software that respects your freedom.
i’ve been using a samsung chromebook plus since it launched until now… and it’s end-of-support next month. being a typical human with low funds for new gear, i WAS considering a new chromebook of some kind. The chrome drm bullshit doesn’t affect me too much as I use this mostly within the linux container, or firefox android version… however, I realize i need to take a stand and not financially support these tyrants.
so, what are my options? a pinebook running debian? are there any good netbooks out there? I don’t use this thing for games or streaming media at all - mostly ssh, some browsing, etc. it’s about time I take the final steps to de-goog my life.
Install Linux on your current chromebook. If the hardware is still good that’s a no-brainer in my book.
i’m in the middle of this process now, and just frustrating myself. i’ve forgotten too much of the inner workings of the kernel - that is, my old knowledge doesn’t apply anymore. I’ve got a dualboot working, but can’t for the life of me get the wifi module to load. not relevant to this thread, so i won’t dirty it up. but, thank you for getting my head in the right space!
i will, somehow, get some flavor working
Used thinkpads (like the T480) are a great choice.
I use Manjaro Cinnamon on mine.
Get a used Thinkpad. They run Debian well!
If you’re thinking about Linux and low on funds maybe your chromebook is supported by https://mrchromebox.tech/#home
I’ve been using it on a 2017 pixelbook with Fedora. No ragrets even after this thing turned me into a kernel contributor over audio regressions. I replaced ChromeOS on my partner’s as well. We decided to do it now since updates are ending relatively soon so she could go back while we look for a replacement, though she’s been relatively happy and I think what’s done is done now.
And this is the consequence of browser vendors relying on Chromium.
To be honest - easy to pull a Microsoft and fork a branch without the crap.
this is a userbase killer right here
If manifest 3 didn’t change Google Chrome share I doubt this will.
Manifest 3 didn’t create noticeable changes for the average user. Not yet anyway.
The idea is these changes are never a full at first. The internet will not break tomorrow because of integrity checking.
But it will in a few years. And people will be upset then. When it’s far too late.
Why is this bad? On first read, it seems like it could replace personally identifiable advertiser cookies with a trusted assertion that I am a human. Feels like a win
So…I don’t use chrome anymore, but I use Vivaldi. Guess this’ll fuck that up too or will they remove it?
Edit: looks like they’re concerned about it but also are worried stripping it out will f up their browser being accepted
Hey, fellow Vivaldi user👋 . Yep, one of the Vivaldi devs already said if it was added upstream, they’d strip it out of the Chromium code, but they acknowledge that this would cause problems if WEI became standard. Websites would start to expect it, and not having that functionality would be a death-sentence for any browser (Chromium or otherwise).
That’s great to hear. I like it and would like to continue
As an aside, I know we’re not supposed to care about Reddit, but the lack of this news getting any attention over there is just depressing. Hell the Firefox sub hasn’t had any posts in days apparently.
That’s because the firefox sub moved to Lemmy…
People that care about this stuff have probably already jumped ship.
I wonder how many people will be ok with this, considering that there’s a large portion of folks who do not know what AdBlock is
Yup. The vast majority of internet users NEVER:
- Customizes their web experience
- Uses apps almost exclusively
- Navigates beyond the first page/screen
How will they react to this?
“Shut the hell up, fucking nerd and your fucking idiotic, stupid ass ‘privacy’ bullshit. God WHO THE FUCK CARES!? I was literally - LITERALLY - never inconvenienced by any of that stuff, so SHUT UP!”
That’s how.
We’re doomed. We were always doomed.
Would be kinda cool to go back to irc or usenet, because the average internet user does not and will not give a shit about privacy, and definitely won’t get a complicated chat thing setup.
We’re doomed. We were always doomed.
I’m afraid that’s always been the case because the mass majority just don’t give a shit. They’ll happily conform to whatever the monopolies tell them to.
NOOOOOOO
I guess I won that bet. :/
Fuck this is trash. DRM for the web. I wish people would understand websites like kbin are not free and that if you use a website you need to pay to keep it alive. But no one wants to pay for anything on the internet, and so we have ads. Ads will for sure kill the internet.
The fact that people feel entitled to free content online really activates my almonds. They’ll whine and moan about enshittification and how eg. news is just clickbait now, and then promptly shit their pants when someone suggests they actually pay for things since they clearly don’t want ads either
Surely you can reverse that and point out corporations whining and moaning about people expecting free content when they’re barely paying their employees enough to afford to pay their bills.
The problem starts with corporate greed, hoarding revenue by keeping employee’s salaries to the minimum acceptable, providing as little functionality as possible to reduce overheads, double dipping by selling a product/subscription and then selling their customer’s data, and then complaining they aren’t getting more money for what little they are doing.
Then inevitably a little guy like Kbin comes along and suffers because the internet is filled with soulless, ultra-capitalist corpo scumbags.
Surely you can reverse that and point out corporations whining and moaning about people expecting free content when they’re barely paying their employees enough to afford to pay their bills.
Those are separate issues
They are absolutely not separate issues. How can I be expected to shell out $15 per month for 10 different content subscriptions if I can only just afford to put food on my table?
Doesn’t mean that content producers and the people running services don’t need to eat too. Sure, many if not all big corporations are terrible, but not all online content is provided by them.
But a massive amount of them are. Small and solo creators on Youtube or Twitch need to conform to the rules of Google and Amazon, and even medium size creators are influenced and coerced by the precedents and market trends set by the much larger corporations.
And it doesn’t matter if not all content is provided by large corporations, those large corporations employ the most people, and dictate in a lot of ways, the rules of the employment market. It’s due to their habits and practices that wages are artificially low and expenses are inflated for record profits.
Until corporate greed is managed properly, consumers will always struggle to have enough expendable income to pay content creators, and therefore will always be searching for free content.
Oh yeah, no disagreement there; the source of all these problems is ultimately an economic system designed by and for sociopaths. But, be that as it may, the fact that even the people who could afford to pay for services simply don’t, and many run adblockers too and rarely turn them off for eg. news sites even if the ads they run aren’t extremely distracting. For example when ABP introduced a whitelist for “non-annoying” ads, it didn’t exactly go down well and people said they had “sold out.”
Big corporations can get fucked for all I care, but as I said, the ones not working for them and running services or news media or whatever also need to eat, and peoples’ reticence to pay for things in one way or another has directly led to those big companies taking over more and more of the field and WEI is an outgrowth of that.
Can someone ELI5 how this could prevent a fork of Chromium from just not playing nice and telling the website “yeah yeah, it’s all untampered *wink wink*” and then still remove/alter stuff as it pleases?
Edit: ok I think I got it … it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on 🙄
it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on
This is partially correct. The server will check that you have a valid token issued by a trusted third party, who will almost certainly be Google, Microsoft, or Apple. When you connect to the web page, your browser will give this token to the server and say “hey look I’m legit.” The token will have enough information on it to identify that it is relevant (being provided by a client that matches the hardware it is meant to verify) as well as a cryptographic signature that verifies it is in fact from the trusted third party. So it’s less the server trusting the judgement of the client than it is the server trusting the judgement of whatever third party is attesting to your system.
Yeah, I can imagine a fork of chromium existing that takes all the data and does the rendering pipeline “”“normally”“”, but then on the side does something completely different and shows THAT to the user, while giving the server an idea that nothing is wrong and what it is doing is just normal chromium stuff.
But such an idea will be done entirely by enthusiasts, slowly, on an obscure basis. For the majority of users, that will never even be a conceivable notion of something they can do with the internet. It’ll never be something you see on a top, mainstream browser.
In other words, Google wins.
I don’t understand. Isn’t someone just going to fork Chromium, take out this stuff, put in something that spoofs the DRM to the sites so that adblocking still works?
Part of the point is that you may not be able to spoof it.
On code I write on hardware I run locally, how is it ever possible to not be able to remove an element from the UI?
If you don’t use a client with certain signature, the web request will end in a different response, i.e. an empty response, as if your client had a certain signature. Please correct me if I am wrong, though.
Why can’t my modded client just give it that signature?
Because you don’t have Google’s private key. Same reason you can’t watch Netflix episodes without Widevine.
Bro I’m watching a Netflix show right now and don’t have a subscription
Widevine has been hacked multiple times, it’s the usual arms race.
I watch Netflix shows in high definition without widevine every day.
🏴☠️🚢
Drink up, me hearties, yo ho!
A private key to do what?
I only have the most cursory understanding of what Widevine is, but a quick Google reveals github projects claiming to spoof it.
Where I fail to understand is this. Whatever authentication the open source browser I modify needs to do, I can let it keep doing, because at some point it has to provide my browser C++ code with a clear text DOM before it renders it to an image to be displayed by my window manager. I can write that browser to simply remove DOM elements it deems to be ads - just like ublock does - before it renders it graphically.
The only way around this would be to turn browsers into a completely dumb terminal that accepts an octet stream of pixel data so it can display bitmaps, which is completely unfeasible (every webserver would become a graphics card for each of its users), and even if it did that, a simple neural net would identify the ads and remove them.
What am I missing?
The attester will then sign a token containing the attestation and content binding (referred to as the payload) with a private key. The attester then returns the token and signature to the web page. The attester’s public key is available to everyone to request.
— The explainer, section How it works.
Websites will ultimately decide if they trust the verdict returned from the attester. It is expected that the attesters will typically come from the operating system (platform) as a matter of practicality, however this explainer does not prescribe that. For example, multiple operating systems may choose to use the same attester. This explainer takes inspiration from existing native attestation signals such as App Attest and the Play Integrity API.
— The explainer, section Web environment integrity.
Now Julien Picalausa of Vivaldi browser theorizes as follows:
To make matters worse, the primary example given of an attester is Google Play on Android. This means Google decides which browser is trustworthy on its own platform. I do not see how they can be expected to be impartial.
On Windows, they would probably defer to Microsoft via the Windows Store, and on Mac, they would defer to Apple. So, we can expect that at least Edge and Safari are going to be trusted. Any other browser will be left to the good graces of those three companies.
Of course, you can note one glaring omission in the previous paragraph. What of Linux? Well, that is the big question. Will Linux be completely excluded from browsing the web? Or will Canonical become the decider by virtue of controlling the snaps package repositories? Who knows. But it’s not looking good for Linux.
So, AFAIU, if worst comes to worst you won’t be able to run an unsigned browser and browse the web.
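The signing step quoted from the explainer, and the "you don't have the private key" answer given earlier in the thread, as an added example that is not code from the explainer, from any browser, or from anyone in this thread. The Ed25519 key type, the `trusted`/`untrusted` verdict strings and the challenge strings are assumptions chosen for illustration; the explainer does not specify them.

```javascript
// Added illustration of "attester signs payload, site verifies with public key".
const crypto = require('node:crypto');

// Hypothetical attester: keeps the private key, publishes the public key.
const attester = crypto.generateKeyPairSync('ed25519');

// Attester side: sign a payload made of the verdict and the content binding.
function issueToken(privateKey, verdict, contentBinding) {
  const payload = JSON.stringify({ verdict, contentBinding });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, signature: signature.toString('base64') };
}

// Website side: needs only the attester's public key and the binding it expects.
function checkToken(publicKey, token, expectedBinding) {
  let valid = false;
  try {
    valid = crypto.verify(null, Buffer.from(token.payload), publicKey,
                          Buffer.from(token.signature, 'base64'));
  } catch {
    valid = false; // malformed signature or key
  }
  if (!valid) return 'rejected: bad signature';
  const { verdict, contentBinding } = JSON.parse(token.payload);
  if (contentBinding !== expectedBinding) return 'rejected: wrong content binding';
  return verdict === 'trusted' ? 'accepted' : 'rejected: verdict ' + verdict;
}

function demo() {
  const binding = 'constructed-challenge-1'; // constructed sample value
  const check = (t, b = binding) => checkToken(attester.publicKey, t, b);

  // Token passed along unmodified.
  const genuine = issueToken(attester.privateKey, 'trusted', binding);
  // Attester reported "untrusted"; client rewrites the verdict, keeps the signature.
  const honest = issueToken(attester.privateKey, 'untrusted', binding);
  const edited = { payload: honest.payload.replace('untrusted', 'trusted'),
                   signature: honest.signature };
  // Client signs its own payload with a key the site does not trust.
  const ownKey = crypto.generateKeyPairSync('ed25519');
  const selfSigned = issueToken(ownKey.privateKey, 'trusted', binding);

  return {
    genuine: check(genuine),
    untrusted: check(honest),
    edited: check(edited),
    selfSigned: check(selfSigned),
    replayed: check(genuine, 'constructed-challenge-2'), // reused for another request
  };
}

console.log(demo());
```

In this sketch the signature covers only what the attester stated and the request it was bound to; the check says nothing about what the client does with the page after the server responds.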
Isn’t someone just going to fork Chromium, take out this stuff,
Yes, upstream Chromium forks will likely try to remove this functionality, but
put in something that spoofs the DRM to the sites so that adblocking still works?
This is the part that is not possible. The browser is not doing the attestation; it’s a third party who serves as Attestor. All the browser does is make the request to the attestor, and passes the attestor’s results to the server you’re talking to. There is no way a change in the browser could thwart this if the server you’re talking to expects attestation.
This violates just about every single open web principle that allowed Google to gain so much power. When they changed their motto from Don’t Be Evil, to Do No Harm, they obviously chose deception. Their new motto should be Do Whatever is Profitable, or more succinctly Be Evil.
I don’t really understand how that’s possible. The browser gets a token from the third party, and passes that token to the server to “prove” it’s running the DRM. The server then passes code back to the browser. At that point, why can’t the browser just cut out the DOM elements which are ads?
I don’t understand how code I write on hardware I run locally can ever have its hands tied like this.
I see what you’re saying. I read it as implying the browser would fake the attestation token. I don’t know the answer, but if their (stated) goal is to stop bots and scrapers, I have to assume it wouldn’t be so simple. After all, a lot of bots and scrapers are literally running an instance of Chrome.
It won’t be your hardware in a few years if this goes through. The code will run in a secure enclave and you won’t be able to access your bank or log in to government websites if you control the hardware.
Android phones are starting to do this, and it’s a nightmare for people like me who actually want to own the device they purchased.
Needing root access on Android to regain basic functionality (such as the ability to backup installed apps) is a sad indicator of where we’re headed ☹️… As much as I dislike iOS’s walled garden, they make backups dirt easy for the end user - and they do complete backups too - app data, homescreen layout and all.
Feels so good to see Google getting called out for this in the GitHub comments
Does it? It’s making me depressed.
Because every last single thing said in those comments will be ignored. I sincerely doubt they’re even reading them.
They know what they’re doing. They know what people will say. They’re going to do it anyway.