Google's next big idea for browser security looks like another freedom grab to some

Googlers have proposed a way to determine whether browsers can be trusted, as a defense against criminal fraud and other bad behavior. Some in the internet community fear this is the end of the web as we know it. The proposal, dubbed Web Environment Integrity (WEI), showed up as code in April and was announced in May. It …

  1. Steve Davies 3 Silver badge

    Naturally...

    WEI will require a fully validated Google account. Anyone who does not have (or want) one will be excluded from Google's internet of the future.

    F'k Google. Suck on this NOW!

    1. Paul Hovnanian Silver badge

      Re: Naturally...

      "WEI will require a fully validated Google account."

      This.

      In the meantime, I'm waiting patiently in line for my Google Certificate of Authenticity. Right behind all the Nigerian princes.

      1. Anonymous Coward

        Re: Naturally...

        We will start to see .... "Your Google account verification has been approved, please confirm via this link user.img to verify your portrait" ...

        ... Certainly security is good but security confirmation can be risky.

        1. Anonymous Coward

          Re: Naturally...

          A server deciding that someone is using a filthy peasant browser isn't security.

          Get ready for the Browser-caust.

    2. Jim Birch

      Re: Naturally...

      Does it have to be Google? My limited reading is that anyone can validate accounts, but the site would have to decide which validators to trust. This would end up being the big boys because it would involve a level of infrastructure and maintenance but I don't think that they would want to force their customers to get/use Google accounts.

      1. Strahd Ivarius Silver badge

        Re: Naturally...

        Commercial sites already using Google Ads to make your browsing experience awful will go to Google in a blink

        Other sites will inform any Google based browser users that they are going to get a piss-poor experience until they go to a proper command-line tool

    3. teknopaul

      Re: Naturally...

      They already flag any app that does not use Google Play for notifications as "using too much battery".

      EU should step up on this; it's clear monopoly abuse.

    4. Anonymous Coward

      Naturally... It's designed to make you prove they should trust you; it is Bass Ackwards

      This should be built the other way around, or not at all.

      Go to any of the commercial sites supposedly whining for this garbage. You will see a toilet bowl full of trackers, third party scripts, crypto-miners and other garbage, all from untrustworthy domains.

      You want trust in browsers? You effing first mate.

  2. lglethal Silver badge

    Best way to kill this...

    The firm attesting that the "Environment" is safe and untampered with is legally and financially responsible for any failure in the system.

    Add in a clear penalty on top (say $50k) per failure.

    I'm sure Google would be more than happy to take on the burden...

    1. b0llchit Silver badge

      Re: Best way to kill this...

      You must make the authenticator liable for all direct and indirect costs and losses associated with any failure in process, validity and accessibility of the authentication with a minimum penalty of 1% of global turnover of the authenticator per incident.

      1. Stuart Castle Silver badge

        Re: Best way to kill this...

        I agree. Fixed value fines don't seem to me much of a deterrent. Google could take a lot of $50k fines before they even notice. Even if they did, it may well be worth their while to pay the fines rather than pay whatever is required to solve the problem that caused the fines. Yes, companies do this calculation, even for things that *might* be dangerous. If the solution to a problem will cost more than they are likely to pay out in punishments, they may opt for the punishments.

        A set percentage of their gross turnover, even one percent, is a *lot* more likely to get them to solve any problems.

        1. RegGuy1

          Re: Best way to kill this...

          Quite. When GDPR came in the US tech company I used to work for shit themselves, and MANDATED everybody to take a training course (online, obviously) and to commit to complete it before the GDPR deadline. I had to get a certificate from them to say I'd done the training and understood my responsibilities. It was very clear if the shit hit the fan they would stand me in front of them.

          The EU's influence is global, and 'a percentage of your global earnings' is very powerful. I wonder what the EU's take on this will be? And I wonder what 'lil ol' England's response will be.

  3. b0llchit Silver badge

    Control

    It is all about control. Control the system and you control everything. Google wants to control everything. This proposal makes it abundantly clear if it wasn't clear from past behaviour.

    Monopolists will always propose to improve their hold on the monopoly. It will always be proposed as your benefit, but only serves the monopolist's benefit. See history...

  4. jake Silver badge

    ODFO, alphagoo.

    Here's the deal: You worry about the code running on your systems, and I'll worry about the code running on mine.

    That's how the Internet works. You worry about your end and link, and I worry about my end and link, and ElReg worries about their end (and pays somebody else to worry about their link). What ElReg and I choose to do with our ends and links are none of your fucking business, period.

    So again, I invite you to fuck off. Nobody wants your vision of a nanny state, especially not where you are the nanny. Have I mentioned you should fuck off? Now would be a good time. Just do it. Put yourself out of our misery. We don't want you. At all. Go away.

    1. FrankAlphaXII

      Re: ODFO, alphagoo.

      Probably the most upset and irritated I've ever seen your writing here Jake. And you've been around here about as long as I have so that says quite a bit.

      Regardless, I agree that trying to rewrite the rules to enforce a monopoly and browser monoculture is foolish. I don't think it's going to work, as soon as Google gets distracted you'll never hear another word about it. What worries me is a more focused company that doesn't kill its projects like it's going out of style doubling down on this.

      1. Marcelo Rodrigues

        Re: ODFO, alphagoo.

        "Regardless, I agree that trying to rewrite the rules to enforce a monopoly and browser monoculture is foolish. I don't think it's going to work,..."

        Sadly, I think it might ($DEITY protect us all).

        You see, the potential reward is much too great for Google to just drop it. I would love for you to be right, but I have my worries.... If the Chrome engine wasn't so popular, it would be easy. As it stands, this atrocity has a real chance to go forward.

        Have I already said "$DEITY protect us all"?

    2. Spamfast

      Re: ODFO, alphagoo.

      That's how the Internet works.

      Hallelujah. That's how any comms channel should work.

      Anything coming from a source or through a comms channel that isn't completely under your control needs to be treated as potentially hostile and validated and sanitised to death. You can never assume otherwise or you end up with the Morris Worm, SQL injection, JSON-as-JavaScript injection, buffer overflow exploitation (worm again) or whatever.

      As a bonus, your systems will be more reliable and robust.

      If you can't design your end to detect when the other is 'cheating' then you've done it wrong.

    3. DoctorNine

      Re: ODFO, alphagoo.

      My father taught me this important principle before there even WAS an internet. In order to assure harmonious social functioning, everybody needs to be responsible for their own end (that wasn't the word he used) and keep their nose out of other peoples' ends. Those individuals or organizations who choose not to follow this golden rule, must occasionally forcibly be reminded that there is a cost to this behavior. In his world, if people wouldn't listen to reason, violence was not out of the question. And a poke in the nose could reasonably be expected.

  5. Kevin McMurtrie Silver badge

    This is good news

    I look forward to Google mandating this and abruptly losing all control over tech standards. It's about time.

    Let me know which bar Pichai and Musk hang out at to bitch about customers and reminisce upon 'X' projects.

  6. nematoad Silver badge

    Too late!

    "This therefore starts to slide the web toward a time in which only authorized, officially released browsers will be accepted by websites."

    Tell that to the bloody BBC.

    Just lately every time I go to iPlayer the BBC demands that I "...update your browser" or come the end of the month nasty things will start happening.

    I use Pale Moon, and when I contacted the BBC complaining about them taking away my choice of browser, I was told that because the BBC has only limited resources they can only certify a restricted number of browsers such as Chrome based ones, Safari or Firefox.

    How much effort does it take to check that a certain browser meets all applicable modern standards, and what about the open nature of the internet anyway? It's not as if I am using Lynx, now is it?

    I'm old enough to remember the warning that came up saying "This site is best viewed in IE 6." No, enough of that nonsense.

    Oh, in the end I just edited my user agent string to Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0

    Bollocks to the lot of them.

    Have we got to the stage when the governance of the internet is by the advertisers, for the advertisers? If so, how long will it be before these advertisers declare that choice and control of your computer are no longer allowed and lobby for penalties against anyone foolish enough to defy them?

    1. Dan 55 Silver badge

      Re: Too late!

      Just use this.

    2. F. Frederick Skitty Silver badge

      Re: Too late!

      The Barclays Bank website also whines about an "outdated browser version". It at least lets you continue to sign in though. In my case it displays this warning despite me using the current extended support version of Firefox on Debian 12, and "helpfully" offers links to download Chrome for Windows...

      1. Tron Silver badge

        Re: Too late!

        Governments are probably behind this, taking control via Google.

        1. a pressbutton

          Re: Too late!

          Google is behind this, taking control via Governments.

          There FTFY

      2. Anonymous Coward

        Re: Barclays recommending Chrome for Windows?

        to a Linux User? That would be more than enough for me to use a switching service and move to a more friendly bank.

        Going to Radbook Hall was always an experience. Two mainframe teams sitting 10ft from each other who have never been in the same meeting! Shakes head in amazement.

      3. Anonymous Coward

        Re: Too late!

        And for Barclays, they are already testing that your phone is "acceptable" to run their banking app. None of the other banks do.

        Here's a fun thing to try if you use the Barclays app on an Android: Create an empty file called "Magisk-v19.1.zip" in your Downloads folder. I am sure many of you know what the real file is used for. You don't need to have installed it - the file just has to be there. Now try to open the Barclays banking app. Won't work, with a vague error message. If you contact Barclays, you will get nowhere - I didn't. So Barclays scans your phone for files it believes would compromise their app - which seems very much like this Google concept. I wish I could switch to another bank, but sadly, it isn't possible for me right now.

      4. Grogan Silver badge

        Re: Too late!

        My bank here (Canada) doesn't bother me about browsers. I wouldn't exactly try to go there with some minimalist thing (e.g. something silly that can't actually handle the site) but there's no problem with Firefox, Safari, Chrome, Edge, other Chrom(ium) based browsers like Vivaldi, etc. They don't dictate, they just tell you to make sure your browser is up to date.

        However, they do fingerprint and I resent that. Same browser (same local BUILD) on two Linux OSes on the same computer. (my Arch gaming setup and my custom from-scratch setup) yet if I log in from the other it will flag my login attempt and make me verify by phone (not email like they used to). They shouldn't be knowing anything about my browser or environment outside of the cookies that they place. (I sign out of the bank site and clear them after use)

    3. Anonymous Coward

      Re: Too late!

      Short answers to your questions :

      1 - Yes.

      2 - Very soon.

      Satisfied ?

    4. Doctor Syntax Silver badge

      Re: Too late!

      "the BBC has only limited resources they can only certify a restricted number of browsers such as Chrome based ones, Safari or Firefox"

      In that case they should have stuck with the earlier version that worked on all browsers instead of employing kiddies who want to fix what wasn't broken. Breaking it cost them salaries. Unfortunately BBC management has never been known to be wrong. You can take their word for that.

    5. Fred Daggy Silver badge

      Re: Too late!

      Why not this? "Lynx/2.8.3rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.5a"

  7. msknight

    The pooch is there to be screwed

    "If you make your customer your enemy, you have profoundly screwed the pooch." ... but that's exactly what they want to do. The pooch is there to be screwed out of as much money as possible. That's why they see nothing wrong with what they're doing.

    The problem is those who offer up what they do, who don't want money in return, will be impacted because those who want the pooch to bend over and take it are in the vast majority; and let's face it, nothing comes for free these days. Every web renewal I have to weigh up the cost of my personal web domains and wonder if I can afford to keep them running in these cash strapped times.

    1. Anonymous Coward

      Re: The pooch screw

      Don't worry, this is only another way for the industry to cut its own throat.

      As the article says, making your users your enemies is a losing prospect. They say customers, but for most of these sites that relationship is pointing the other way. The "customer" is an ad network, or an ad agency. That's where most of the money flow they are protecting is from.

      Sure in the case of subscription content like games or streaming the user and the customer may be the same person, but both of those have alternatives to browser based deployments that are less of a contentious mess.

      So, this (as it always is with Google) is about ad revenue. The problem is customers access a site, and the site monetizes that traffic with ads. Most of those sites aren't providing irreplaceable content, and their customers will vote with their feet. The scammers will just bypass the protected environment, by any of a thousand means. It is literally impossible to accomplish using existing web standards and home computer hardware. So you are expecting your customers to ignore you screwing them over publicly, and insult piled on insult, you also expect them to roll over for a one way trust relationship where any shady ad slinger places restrictions on and monitoring of their machine, while providing no control or transparency to the users the system depends on.

      This is against the law in large parts of the world, so it should automatically be rejected as a global web standard. Even if it isn't it will fail, like every other hostile piece of DRM based on open computing hardware. And convincing the whole world to buy a whole new set of devices just so ad networks can screw them over? Nope, don't think so.

      Do you want mass piracy? Cause that's how you get mass piracy.

  8. mark l 2 Silver badge

    For all of the BS passed around by the Google Devs on this 'trusted browser' tech, it's clear that Alphabet have one goal for it, to make themselves more ad revenue by blocking bots, stopping ad blockers and to eliminate alternative browsers and force people to use Chrome.

    The question will be whether Apple implements this in Safari or not if Google does push it through on Chrome? Hopefully they won't and that will allow a way around it. As devs will not want to lock out Apple users from their websites as they are a large customer base, so will have to have some way of displaying it without this 'trusted browser' BS.

    But the best solution is if people just stop using Chrome, as the only reason Google are able to pull this sort of BS is because they have such a large share of the browser market. Chrome has become the IE of the modern age in which devs just assume you're either using Chrome or you're an Apple user.

    FYI Linux and Firefox on my devices, that's why I am worried about this getting implemented.

    1. Ace2 Silver badge

      Apple has not hesitated to tell Google to FOAD lately. This doesn’t sound like something they would touch with a ten-foot Musk.

    2. Claptrap314 Silver badge

      Chrome is not IE 6. It is Flash--a constant source of security problems due to the addiction of the parent company to a data feed.

      Kill it with fire.

    3. Roland6 Silver badge

      My thoughts also; the first use of this will be to detect ad blockers.

      However, I do question the real need for this given today without it:

      Websites can block access from browsers running ad blocker etc. or running in a sandbox.

      With movies and tv advertisers are able to inhibit the playing of content due to use of Airplay, HDMI etc.

      So it would seem to be just a standard API that will make such detections even easier:

      The malware writers will use it to enhance their detection of target PCs and enhance their social engineering to get users to turn off protections.

      MS will use this to block access to MS because you aren’t running the last version of Windows and the updates released under an hour ago…

    4. Doctor Syntax Silver badge

      "make themselves more ad revenue by blocking bots"

      If they can get paid for "showing" an ad to a bot why would they care? They're selling advertising, not the goods being advertised.

  9. Zippy´s Sausage Factory

    The moment this starts governments will want to take over that certification. And believe me, they will. Google won't know what hit them.

    /edit: thinking about the laws currently getting passed in the UK, for a start...

    1. Brewster's Angle Grinder Silver badge

      But once government take over certification, there will be plenty of holes for us to exploit.

      1. Zippy´s Sausage Factory

        There will be plenty of holes to exploit anyway, this sort of scheme is ripe for abuse, especially given the false sense of security it provides.

  10. Dev.Magpie

    Why this isn't needed. (A micro essay)

    Since the actual GitHub issue tracker is (as mentioned in the article) locked, I figured I would post a comment on the top article on why this API is not needed; this is taken from my tweet thread on the same topic.

    Many of the use-cases are bad use cases, that is to say there are already ways to solve for them. Points here are counterpoints to many of the explainer points.

    RE: Checking for humans vs bots: 1. there's already this thing called Captchas; also you could probably implement something like this using WebAuthn already.

    Re: Only human interactions, Same verse same as the first, but to add, you could also require a WebAuthn sign-in. Depending on the platform you can even weed out most multi-account users since every account would require another TPM / Authenticator Key.

    RE: Trusted Game Environments: 1. it's already known not to trust the client in games. 2. VERIFICATION SHOULD BE DONE ON THE SERVER!

    And, again, bans would be done vs the hardware ID, so if you want to avoid a ban, you would need a new device.

    RE: Malware: 1. People already don't check for SSL, how would this help? 2. Malware already gets into kernel & firmware, how would this prevent it? 3. this only helps the bank to know the user's browser is fine, not the user to know they are actually viewing the bank.

    RE: Improving privacy: You are implementing a way to fingerprint / verify users. None of this prevents the fingerprinting already possible. It just adds a new factor to it.

    RE: Goals and non-goals: It's admitted that "client javascript may be modified to alter the validation result" so it wouldn't fix games.

    Not in the tweet thread but, how can you not impact browser extensions and prevent ad-blockers?

    RE: Use-Cases A: Detection of webview phishing? Does anyone do this? Also, it would be easier & faster to just add a header to webviews (and everything else) stating the app sending the request.

    RE: Use-Cases B: Mass Acct. Creation & Hijacking? WebAuthn. Cheating? See previous. Compromised devices? This won't fix. Password guessing? **WebAuthn Physical Authenticator Exists.**

    RE: Google Play Verification: See https://iana.org/assignments/webauthn/webauthn.xhtml#webauthn-attestation-statement-format-ids

    (WebAuthn can already ask for it with `android-safetynet`)

    Tl;Dr: Much of this can already be accomplished with WebAuthn; that which can't, almost certainly won't be fixed with this API. Which brings to mind the question of why it exists.

    I wouldn't mind seeing a certification chain for browsers and whatnot added to the webauthn spec, but that would be a function added to the pre-existing authentication providers. Not a brand new verification API.

    1. Anonymous Coward

      @Dev.Magpie - Re: Why this isn't needed. (A micro essay)

      These are not valid reasons, they are weak excuses.

      Google knows very well what they're doing. They're looking for sure ways to increase ad revenue.

    2. Sora2566 Silver badge

      Re: Why this isn't needed. (A micro essay)

      I agree with you in principle, but WebAuthn just means that the client has a public/private key pair. Chrome has an emulator for this built in for testing, someone making a fake browser can make fake WebAuthn accounts no problem. "Guaranteeing that the user is real" isn't WebAuthn's purpose - it's making sure it was the same user as last time.

  11. NerryTutkins

    What about Selenium?

    The claim that somehow verifying the browser is legit would stop bots or other automation from cheating on games or doing other nefarious deeds on an automated basis doesn't really stack up.

    Selenium makes it relatively easy to build automation that can control chrome and firefox via an API, those would surely show up as legit, unmodded browsers. Although Selenium is oriented towards automated testing of web systems, I've worked on projects where clients needed to scrape data from various sites (with permission) that did not have APIs and tried to frustrate scraping by having javascript and fingerprints etc. and so needed real browsers to get at the data, rather than just calling the form targets and parsing the response. Selenium has been around for a long time too, and the browser makers specifically put support for it in, so they certainly know this too.

    The proposal looks more like trying to crack down on all the webkit/blink clones to keep control of the market and stop smaller start-ups getting a slice. It solves a problem that I am not sure exists, with a solution that doesn't actually solve the problem.

    1. I could be a dog really Silver badge

      Re: What about Selenium?

      It solves a problem that I am not sure exists, with a solution that doesn't actually solve the problem.

      The problem certainly exists, and this is almost certainly a way to solve it. It's just that the problem isn't a problem for the end user. The problem is that Google doesn't yet have enough control over "everything" (including people using ad-blockers), and this is indeed a way to solve that problem.

    2. claimed

      Re: What about Selenium?

      See also, UIPath, will use an unmodified browser quite happily thanks, I’ve used this where selenium didn’t work as it doesn’t require (though supports) using the DOM. You can just record the layout of the website and click in exact locations with conditions etc :: is this my bullshit ad? Yes, click

  12. This post has been deleted by its author

    1. nematoad Silver badge

      Re: Bye-Bye WWW: Time For A New Internet Protocol

      I'm not pointing this out as a pendant,

      Oh are you just hanging around then?

      I think the word you are looking for is pedant.

      1. This post has been deleted by its author

    2. Anonymous Coward

      The sad thing is...

      ...that there are far too many people who cannot be persuaded into voting with their feet because this issue is simply too technical and esoteric for them to give a toss about. They just want to go home from their shitty job and watch Netflix until they pass out on the couch.

      If it's just another hoop for them to jump through in order for them to consume content, they'll jump through it.

      1. This post has been deleted by its author

      2. Jim Birch

        Re: The sad thing is...

        The 'hoop' would be ticking a box.

      3. Anonymous Coward

        Feel free to live and die as a defeatist

        but in reality, most people follow content, and if you float a reasonably robust replacement to HTML and browser shite, if you can deliver a regular stream of good content you can grow it organically pretty easily. You don't need to kill the garbage that exists, just give people an alternate path and they will start taking it.

        The problem is developers either fall into the "field of dreams pit" where they build the protocol and expect a horde of content creators to show up at their doorstep and start churning out high quality content for free, or they shoot themselves in the foot by trying to build off HTML's worst mistakes, the lie that everything can or should be run through a browser.

        Burn HTML to the ground. It's neither good nor clever, and nothing compatible with it will ever be good. That ship sailed, and web monkeys screwed it up. As to what to replace it with? We already did with tools like BitTorrent and popcorn time. With lightweight web deployed apps. Apps which no one uses anymore because Google and Apple want to lock you into their app stores, and 90% of what is left is on Steam.

        Just build something like WebStart (you know, like Java?) for Rust and you're 75% of the way there. Put a user controlled permissions framework on it, like the one that was under the hood in earlier android builds until Google found out users discovered it and started disabling auto-start on Google's spyware.

        (yes Google, we remember, and the AlphaGooglebet name change didn't trick us either.)

    3. Doctor Syntax Silver badge

      Re: Bye-Bye WWW: Time For A New Internet Protocol

      "Vote With Our Feet"

      Yes, indeed. Home page has long been DDG. Because Google email login suddenly decided my preferred client wasn't good enough for them, I switched the use (which was simply to receive the Contact us messages from a web site elsewhere). In fact almost the only email I see from gmail addresses is spam.

    4. Anonymous Coward

      Re: Bye-Bye WWW: Time For A New Internet Protocol

      Gemini is the protocol you're looking for. It's too basic for the advertisers, it's like the Web was in the early days and it's going to stay there. Only thing it's missing is lots of content: so far just a few hobbyist bloggers are posting on it, and it's like the internet equivalent of amateur radio (if you say "why bother with amateur radio when you can just listen to the BBC" you're missing the point). But if we can get organizations that are not interested in directly monetizing their content, such as (some parts of) the BBC and academics and governments and public services and charities (and maybe even companies who just want to talk about themselves) to cross-post things to Gemini, it could be made a much more useful environment. I tried to do my bit by creating a Gemini version of my home page although it's more or less an exact mirror of the web version....

  13. Anonymous Coward

    Alex Russell, partner product manager on Microsoft Edge " API design requires a journey through a problem space, and ... extrapolate to worst-case scenarios"

    And now you know why Microsoft products are so bad - they just keep the worst-case scenario APIs!

    ==> I'll get my coat as it was an intentional misquote for fun

  14. Howard Sway Silver badge

    The Google devs response : limit comments, post a Code of Conduct document as a reminder to be civil

    The absolute cheek of it - if anyone ever needed a Code of Conduct document and a reminder to be civil, it's these control freak super snoopers, wanting to destroy anything on the web that doesn't earn them an ad payment.

    Here's a code of conduct for Googlers :

    1. Stop trying to monopolise the web using your browser market share

    2. Stop trying to snoop on everything everyone ever does on the web

    3. Stop ruining the free and open web because of your obsessive desire to make money by forcing adverts on people

    4. Stop monopolising the web ad market

    5. Don't ever try and limit criticism of your terrible proposals as part of a strategy to try and force them through

    6. "Civil" doesn't just mean use of language. It also has to do with how you behave

    7. Just stop. Go away and leave the web to W3C and users

    1. the Jim bloke

      Re: The Google devs response

      Google already have a code of conduct, and everyone is aware of it.

      They have seen your comments, and all the thousands like them, and they stand firmly by their original credo.

      Dont.

      ..

      Be Evil..

      1. jake Silver badge

        Re: The Google devs response

        go ogle dropped their "don't be evil" motto as of October of 2015, when Alphabet decided "Do the right thing" was more appropriate. Following that, "don't be evil" was vestigial, at best, a footnote in the CoC, before eventually being quietly removed entirely.

        They don't mention what 'the right thing' is (making a profit?). Nor to whom they are supposed to do it (the shareholders?).

        But at least they admit that being evil is OK in pursuit of "the right thing". Nice to know where they stand.

        Some of us have been shunning go ogle since the year dot ... not paranoid, pragmatic.

    2. Anonymous Coward

      This is ultimately the problem - and ultimately the point - of all these codes of conduct. They aren't there to promote civility, but to prevent criticism and dissent.

  15. Will Godfrey Silver badge

    Arrogance without limit

    This is the monster that said W3C (you know the web standards organisation) didn't have the right to decide the minimum that browsers should support.

    Go away and die Google - as quickly as possible.

  16. Anonymous Coward
    Anonymous Coward

    "API design requires a journey through a problem space, and the best way to redirect this sort of thing isn't to extrapolate to worst-case scenarios, it's to ask that folks show their work and demonstrate value."

    Clearly a middle manager rather than an engineer; engineers don't spew such gibberish. "Journey", "problem space", "show their work", and "demonstrate value" definitely give it away.

    1. MrAptronym

      The saddest thing is when you see an engineer or scientist turn into this.

      It's like in a zombie film when your buddy gets bitten...

    2. joyful

      I thought we have had enough of MS and Google "showing their work" along these lines over the past few decades.

  17. aerogems Silver badge
    Holmes

    Part of me thinks this is just the usual overreaction by some. I remember when TPM was brand new and everyone in the Linux world was doing their chicken little routine about how this would allow Microsoft to block any third-party OS from computers. Yet, here we are all these years later, and far from being relegated only to systems lacking TPM chips, Linux is thriving probably more than ever before.

    Not to say that they aren't right to be worried, but I think the MS engineer has the correct approach here. This is just an early draft, so offer up constructive criticism and concerns by all means, but let's see how it fleshes out a little before predicting the end times are nigh.

    1. This post has been deleted by its author

      1. aerogems Silver badge

        You seem to have conflated an example the Reg Hack used in the article for what was actually in the proposal given by Google.

        The idea isn't necessarily a bad one, it could help cut down on a lot of spam and other shit we all collectively hate, but there are a number of potential use cases where if it's not very carefully thought out, it could end up being very bad. Which is why I say give them enough rope to hang themselves with if that's what they intend to do.

        Of course at the end of the day, it's their program. They control the code and can do whatever they want with it and there's fuck all we can do about it. If they want to try to force this idea on everyone, our options are either to drop trou and take it or switch to Firefox or Safari. Someone might be able to fork Chromium from before these changes were merged in, or just disable them at compile time, but who knows how long that'll last before the number of people with the right combination of skills, free time, and willingness to contribute burn out. The number of people who meet all the criteria is quite few after all.

        1. This post has been deleted by its author

    2. I could be a dog really Silver badge

      Yet, here we are all these years later, and far from being relegated only to systems lacking TPM chips, Linux is thriving probably more than ever before.

      I would say "thriving" is a bit of an overstatement. Yes, it's popular in the server market; and it's popular in a niche consumer market (the likes of you and I); but it's definitely not "the year of the Linux desktop" (still).

      We already have a situation where some computers (MS's tablets) cannot run a non-approved OS. With most common desktops/laptops/servers you now have an extra hoop to jump through to run anything not MS. By default you can't just toss an installer image in and run Linux, you need to do one of a number of options:

      - Turn off secure-boot, after which Windows won't run which is a problem for those who do need to run it and would like a dual-boot system.

      - Run a bootloader that's signed by MS, which puts you at the mercy of MS as to what their bootloader will do when they decide to tighten the controls a bit.

      - Sign your own bootloader and install a new licence key in the system, which is technically beyond the abilities of the majority of users, and also relies on the ability to install a new key remaining.

      But secure boot means that for a normal user, "Linux is broken because the system says so" and it's not possible for them to "just run it".

      The thin end of the wedge is now irretrievably inserted, time will tell how long it takes, but sooner or later I can see that "for our own protection" one or more of the routes to running Linux must be removed.

      1. aerogems Silver badge

        Compared to pre-TPM, Linux has only increased in overall popularity. But the point is, everyone was doing their chicken little dance when TPM was proposed by Microsoft claiming it would be the death of Linux and it was an attempt by Microsoft to lock in Windows as the only OS on x86 and all these other draconian DRM ideas. Yet, you can still boot Linux, Microsoft hasn't used TPM to implement a bunch of DRM into Windows. It's a little bit more annoying, sure, but it's offset in large part by the improvements in Linux hardware support. Damn kids these days don't know the "joys" of manually entering modeline values into their XF86Config file to get their LCD monitor to work back in the day, fighting to get your soundcard to work, being brought to tears if you could get your cheap inkjet printer to just print basic text, or having to scour forum posts or FAQs trying to find answers to questions. For the most part, Linux just works out of the box these days. The major concerns now are how FOSS developers love to tear everything down and rebuild it from scratch just when they get tantalizingly close to functional parity with the leading commercial competitor.

        For better or worse, Linux is used by a lot of Libertarian types. The group that straddles the edge of the mainstream and the fringe on the political right. They always think that everything is some kind of threat to their freedom. Usually they make things out to be a lot worse than they are in their head, and, especially these days, they're prone to inhabit echo chambers where they only hear voices from other people who agree with them. Strange ideas start to develop in those kinds of scenarios as we've seen with the Qanon bullshit.

        Simple fact is, right now all we have is an early draft proposal from Google that they couldn't even really be arsed to flesh out very much. Maybe it'll get better, maybe it'll get worse, maybe they'll get bored with the idea in a week and abandon it. If it gets worse then you can get out the pitchforks and torches and storm the Chocolate Factory gates.

        1. Roland6 Silver badge

          > "But the point is, everyone was doing their chicken little dance when TPM was proposed by Microsoft claiming it would be the death of Linux and it was an attempt by Microsoft to lock in Windows as the only OS on x86 and all these other draconian DRM ideas."

          Linux thrives because everyone did make a song and dance and so forced MS to adapt their x86 platform locks so that OSes other than those approved by MS could be installed.

        2. joyful

          Strange that you are connecting Linux users with Libertarianism. Not long ago Linux was "communist". If you haven't noticed, some libertarians would argue for unrestricted freedom for Big Tech and other corps, without government getting in their way, to violate labour rights and the environment and to establish monopolies and lock-ins, while most Linux users are likely just concerned about the freedom to run the software they wish on their devices and do not want to feel that they are being watched and tracked every second. Meanwhile the qanon types are the ones who spout baseless crap that is a distraction from real issues like what Google is proposing now, which the qanon types are probably blissfully unaware of. A lot of bad conflating, associating and generalizing in your comment.

        3. I could be a dog really Silver badge

          Yet, you can still boot Linux, Microsoft hasn't used TPM to implement a bunch of DRM into Windows.

          YET

          The wedge is in, over time it will be given the occasional tap ...

      2. The Central Scrutinizer Silver badge

        Errr.... what?

        I bought a new box about 12 months ago. It came without an OS because I specified it without one. I plugged in my bootable USB stick and 8 minutes later I had a fully functioning Linux system.

    3. Anonymous Coward
      Anonymous Coward

      I think a part of the Linux community finds TPM to be a good thing, in that it allows secure storage of cryptographic keys and secure boot, assuming TPM can be implemented with 'open source' hardware. The problem begins when a remote party is able to attest the boot process, and especially if this remote party is a big tech corporation. It looks very likely that the Web Integrity API will need to use TPM to do browser attestation and make the attestation meaningful.

      I believe the earlier panic was about Palladium/TCPA, which has reincarnated itself as Microsoft Pluton nowadays, but TPM I believe was a small subset of that. To the extent there was a panic about TPM, it does look like that was justified given what Google is proposing now. True, it won't kill Linux as such, but it would reduce the merit of Linux as 'your own OS that you can modify and use in your own way'.

    4. Anonymous Coward
      Anonymous Coward

      Given the fact that they have squeezed the possibilities of open standards to implement tracking and fingerprinting for serving ads, it's reasonable to think that something that has a lot more muscle and expressly stated supporting advertising as one of its intentions will be squeezed to the maximum. Why wait until that happens and the frog is boiled? Banks already don't work on non-stock Android OSes, even verifiably secure ones like GrapheneOS. Vivaldi has to disguise its user agent string to pass some sites. It's bad enough as it is already. So what should make me optimistic that Google (and eventually Microsoft) won't have us all browse their way, and are not trying to weed out competition from smaller vendors?

  18. seven of five Silver badge

    Handily eliminates adblockers as well

    Of course, any form of ad-blocking would alter the "user experience" and therefore can not be tolerated.

  19. Anonymous Coward
    Anonymous Coward

    Browser "Security" Is Only A Part Of The Hypocrisy!!!

    Quote: "Google's next big idea for browser security"

    ....and Google provided a "a reminder to be civil"....

    Try reading this, and tell me how this behaviour by Google/Deepmind can EVEN REMOTELY be called "civil"?

    - Link: https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    Yup......Google wants EVERYONE ELSE to be "civil"......while slurping 1.6 million medical records IN SECRET!!

    More hypocrisy........I need to be "civil".....but Google is fine with slurping 1.6 million private medical records!!

    Pass the sick bag, Alice!!

  20. Tron Silver badge

    Google being evil.

    We no more need be civil towards Google stealing turf online than we need be civil towards Putin stealing turf offline.

    This gives Google (and those who can pull the strings of Google) too much power. We need alternatives, or we get an online dictatorship.

    Health and safety is the new way to leverage dictatorial control, offline and online. Users should have rights and if we want to do something with the data we receive, and how we receive it, we should not have to be licensed by Google to do that.

    TL;DR: Google's online fascism needs to be opposed.

  21. JavaJester
    Stop

    Another Elephant in the Room - Accessibility

    Accessibility by its very nature alters the workings of the browser. Will adopting this proposal hobble accessibility by only allowing "official" accessibility functionality? Will the web become less useful to those who have accessibility issues such as poor vision? What incentive will third parties have to innovate when their work will be disallowed by the Ministry of Truth's new browser validator?

  22. Anonymous Coward
    Anonymous Coward

    Just mentioning this "solution"

    and the harm has already been done.

    It's like Apple's client-side scanning (really bad) idea. Now Apple would like to take it back but the Western governments have already adopted it in their legislative attempts to regulate the Internet.

  23. Anonymous Coward
    Anonymous Coward

    That has monopoly written all over it, I'm afraid.

    Though MS are in cahoots, with Edge being a derivative of Chromium, so I fully expect such an initiative to have at least been inferred from that side of the fence.

    Says me posting this from Chrome as the only browsers we have in our package manager are Chrome and Edge.

    1. Doctor Syntax Silver badge

      You need a better package manager.

      1. FrankAlphaXII

        He's likely talking about the SCCM clientside software manager. My employer only has Chrome and Edge listed in it as well, but Firefox and one of the un-trademarked Firefox rebrands is permitted and they get used fairly frequently, not least by me.

  24. StrangerHereMyself Silver badge

    Attestation

    "This therefore starts to slide the web toward a time in which only authorized, officially released browsers will be accepted by websites."

    I don't believe this to be correct. In the end it's in the websites' self-interest to have as many people visit as possible. Throwing up artificial barriers would quickly undermine their business model. I've seen this happen already where websites block users with ad-blockers. This often leads to an exodus of users and eventually the shutting of the website.

    In addition, the web browsers used are open-source and could easily be forged to give out a valid token whilst not playing by the rules.

    1. Jamie Jones Silver badge

      Re: Attestation

      But when the advertising companies (Google!) refuse to serve ads on a website unless they sign up to this scheme, then they'll have no choice.

      1. This post has been deleted by its author

        1. I could be a dog really Silver badge

          Re: Attestation

          And not serving ads means no income from serving ads - which is all that sustains many sites.

          Ah, but serve ads from someone else ? No way, Google is working very hard to block that route.

          1. This post has been deleted by its author

        2. Jamie Jones Silver badge

          Re: Attestation

          No sarcasm intended. Any site that wants to make money without subscriptions or other paid services, and doesn't care about Google ethically or morally will use Google Ads.

          They don't really have much choice if they want to maximise their revenue.

      2. Doctor Syntax Silver badge

        Re: Attestation

        The rest of the advertising industry are for ever complaining about Google having a monopoly. When they see Google shooting themselves in the foot they'll be quick to remind sites there are alternatives.

        1. StrangerHereMyself Silver badge

          Re: Attestation

          Mind you that websites already have the capability to block users with ad-blockers. Very few have done so so far.

          It will be an interesting experiment to see what happens when Google starts blocking users with ad-blockers on YouTube.

  25. cdegroot

    I totally agree that there is no real need to be civil with Google. It has shown time and time again that it is willing to breach ethical boundaries to get its way and it's long overdue for a split-up.

    However, as long as everybody votes with their feet and uses Gmail and Chrome and Android and their search engine, nothing will change.

    I hope that at least everybody here uses Firefox, has their mail with Proton, searches on DDG (just naming some potential alternatives), and so on. Because market share speaks and so far, they can get away with murder because the market rewards them for it.

    1. Throatwarbler Mangrove Silver badge
      Devil

      But people can't run Firefox because Mozilla made some trivial and insignificant UI changes many years ago and also broke a few extensions, so there's no choice but to throw our toys out of the pram and use the browser made by a company we profess to hate!

      1. Claverhouse

        Just use Pale Moon, or another knock-off of Fx.

        Firefox has been far too ugly to use since Australis came in.

        And I used to literally love Firefox.

  26. Paul Hovnanian Silver badge

    This is clearly...

    ... Google's attempt to become the broker between web sites and the users. Want to reach your bank? Where's your (paid up) Google official certificate of identity?

    This is where I think the federal trust busters need to step in. If electronic credentials are so critical for the operation of a modern economy, then our government needs to step in and provide them (the Aadhaar card in India comes to mind). And that organization should also be responsible for ensuring that the path over which this identity info travels is incorruptible. So, break up Google and place Chrome and supporting web development kits under this new department's control.

    Yeah. Like that is ever going to happen. But the threat may be enough to scare off Google and show them their place in the world.

    1. Steve Davies 3 Silver badge
      Pirate

      Re: This is clearly...

      Elon Musk's latest brainfart with Twitter (sorry, X) is a threat to Google. He wants 'X' to become the world version of WeChat and THE ONLY place where payments are made.

      If you think that Google has oodles of data on you, that would soon be dwarfed by SKUM's (Anagram of Musk) cunning plan for world domination.

      You will have a certified 'X' account. Only £25.00/month. You know it makes sense. (not)

      1. Paul Hovnanian Silver badge

        Re: This is clearly...

        "He wants 'X' to become the world version of We-Chat"

        He can't even keep his current users from jumping ship to Threads.

        1. Evil Scot Bronze badge

          Re: This is clearly...

          The elephant in the room is that there are other messaging platforms besides X and Threads.

      2. Jamie Jones Silver badge

        Re: This is clearly...

        He may want that. I want to marry a hot model. Reality says neither will ever happen...

  27. fromxyzzy

    So if/when they implement this, what publishers are going to

    1. trust Google enough to actually use their verification and believe that they have no overlapping competitive interests that would make that a bad idea and

    2. think that customers are going to put in actual effort to comply, instead of immediately moving on to any available alternative that doesn't make them do extra steps for the same thing?

    And given issue 1, how many competing verification providers are going to be necessary for any of this to work? There's no way MS is going to use Google's internal verification, much less Apple.

    It sounds like phone-home DRM for web pages, and in the smaller markets where publishers have moved to phone-home DRM verification for computer applications (music software is a very good example, which went hard for subscription-based virtual instruments about 10 years ago) it has frustrated users to such a degree that companies are losing long-term customers due to the background overhead of running a dozen different DRM verification schemes. A similar situation would probably happen to anyone who tries to do online gambling on multiple platforms, with their location verification background apps.

  28. Ian Johnston Silver badge

    How do they avoid a browser presenting itself as vanilla to get the attestation and then doing ad-blocky things when actually used?

    1. This post has been deleted by its author

  29. Doctor Syntax Silver badge

    Alex Russell ... took to Mastodon to urge people to withhold their judgment until WEI is more fully developed.

    "Particularly in the early design phase, lots of ideas are bad!" Russell said.

    That seems to be just the time to not withhold judgement. If bad ideas aren't stamped on PDQ they tend to stick around.

  30. MachDiamond Silver badge

    So,

    Google is coming up with a methodology to protect people browsing the web from whom? Google themselves are one of the biggest threats. Foxes and hen houses, am I right?

  31. Bebu
    Windows

    a framework for profoundly screwing the pooch.

    I get it but "profoundly?"

    I think I first heard the phrase in "The Right Stuff" (I vaguely recall the movie was a consequence of former astronaut John Glenn trying to get elected to the US House (or Senate?)) but I am guessing it's Top Gun speak from long before.

    Does profoundly mean the bitches have an even bigger smile afterwards or that you respect them in the morning?

    Accusing Google of conceptual bestiality rather amuses me.

  32. mistersaxon

    This is about Ad Nauseam isn’t it?

    The plug-in that randomly clicks ad elements everywhere you go, making targeting and ad history effectively useless. It looks like they are just talking about it and then tried to claim their proposal would actually stop cheating in games etc etc.

    Moral of story, it’s just about making sure you can’t block ads or “misuse” them. Get Ad Nauseam now and let’s see if we can make Google go bust before Christmas.

  33. Anonymous Coward
    Anonymous Coward

    WEI - too late!

    Because LLMs will be, or already are, able to read a screen, guess passwords or make an account, upvote, comment, etc., all from 100% honest Chrome or Microsoft Edge browsers.

    They can operate in normal human reaction time, but there could be hundreds of processes each with an LLM+browser running from a single machine.

  34. Stuart Castle Silver badge

    This seems like a massive grab of rights for little or no gain (at least from the consumer side). At the moment, I use Vivaldi or Safari, but I like the fact I can use whatever browser I want. I could even write one from scratch (assuming I had the time and inclination), or I've no doubt there is source code for a number of browsers on Github I could compile and use. I like the fact I am free to do that. Websites requiring a specific browser is a step back, IMO.

    OK, so this could stop bots. Fair enough, that is a laudable goal. The bot writers could bypass it by changing tactics though. All they need is to write the bot in such a way that it reads the browser window, and sends keypresses/mouse movements to it. There are a number of legitimate applications that can do this. They can even attempt to bypass the robot checks built into some systems by moving the mouse randomly, or not taking the direct route to a link, like a human may do if browsing. In this case, other checks may catch the bot, but WEI wouldn't because it would be communicating with an unaltered browser.

    Hackers will also probably find a way to bypass it. All they need do is find out how Google are generating whatever signature is sent to Google, and fake it. That way the pile of scripts your bot is using to access a website could appear to be a legit copy of Chrome.

    While I don't game online, so am not affected by online cheating, I can understand it is frustrating for players to be dealing with someone who cheats.

    But, this thing requires we sign in to Google. I'll come clean, and admit, I do surf the web signed in to Google. Google provide services I use (such as Youtube) and it's more convenient for me. I am aware of the tracking they do, and, TBH, it doesn't bother me that much. But, I like the idea I am free to browse the web while not signed in to any company. Sometimes, I do this. I know that a lot of the web is behind paywalls (even if they are free, some websites require registration to use), but I don't like the idea that potentially a *lot* of websites could be inaccessible if I don't sign in to Google (or any web ID provider).

  35. Anonymous Coward
    Anonymous Coward

    Blind people won't be able to use the web anymore

    It's hard enough already with CAPTCHAs, and CloudFlare blocking out any browser that doesn't fully support JavaScript (which to be fair they are doing as protection against DDoSes, but it does have the side effect of stopping us from using blind-friendly tools like edbrowse; I don't know if the DDoS guys realise they are basically making more and more sites get CloudFlare protection and consequently become less accessible to the blind). Authenticated browsers are going to make it worse. If somebody brings up the subject with Google, they will probably say "oh, we'll make sure you'll still be able to use our authenticated browser with the top selling commercial screen reader for the blind", only the top selling one, not any other one mind. The top selling one is called Jaws, which I believe stands for "just about works"; it is often sold to companies because of accessibility legislation and such but it's not the one I actually want to use.

  36. Captain Hogwash Silver badge

    I think we could get them to brush their tongues

    It's about driving everyone to Chrome and forcing them to log in with a Google account.

    1. Ace2 Silver badge

      Re: I think we could get them to brush their tongues

      Have you noticed how many websites are putting up giant “Log in with Google” banners all of a sudden? The banner fills half the (phone) screen.

      No, I’m not logging in to you, sod off!

      1. MachDiamond Silver badge

        Re: I think we could get them to brush their tongues

        "Have you noticed how many websites are putting up giant “Log in with Google” banners all of a sudden?"

        Google has obviously put a lot of money into that program to incentivize everybody. I'm seeing it everywhere as well and I don't have a Google account and there isn't a chance I'll sign up for one. I can't think of a more stupid way to put one's self at risk than to use an online service with one password for everything.

        Inconvenience = Security. If somebody is hawking something to make your life easier, chances are high that it's going to erode security and privacy. I save money by NOT having auto-pay. If just one time charges hit your account before the bank clears a check or your pay, you will know how fast those fees and penalties add up when they send everything bouncing back. To add some insult to the injury, the vendors you have set up on auto-pay will put the charges back through again right away triggering another round of fees, this time at a higher rate.

  37. captain veg Silver badge

    what about proxies?

    Do proxies have to be attested too? If not then the proxy can filter out or otherwise manipulate the content in just the same way.

    What about wget and curl and the like? If they're in the clear then nothing stops me implementing a proxy which curls the document, does its sanitising thing, then serves the cleaned up version to my browser of choice.

    Here's hoping.

    -A.

  38. Grogan Silver badge

    I don't use other people's binaries... I always do custom builds. If I can't compile it, I'm not using it, and if I can't access a site with my browser, I'll hit the contact form and tell them to blow it out their asses.

    There's nothing I really need from anybody. I'll cancel a subscription on the spot if they introduce something that so much as irks me. I don't even care about commitments, one phone call to Visa and payments stop. They've never denied me (Canada, here). As far as I'm concerned (I don't care what your TOS or EULA says), if you change something out from under foot, my previous agreement with you is void.

    If someone like Amazon won't let me buy from their store with my browser, then I guess I don't need to shop there, for example.

    This is about Google controlling the Web. They know they can't force other browsers to disallow altering streams, so they come up with this. It'll be used for anti-adblocking too.

    Fat chance with a complacent, mostly stupid populace, but if you could get enough people to loudly say no, this would stop. When it causes traffic and commerce to go down. It's the only language they understand.
