• grallo@feddit.de · 3 upvotes · edited · 1 year ago

        If you don’t use a client with a certain signature, the web request will end in a different response, i.e. an empty response, as if your client had a certain signature. Please correct me if I am wrong, though.

          • jmcs@discuss.tchncs.de · 4 upvotes, 1 downvote · 1 year ago

            Because you don’t have Google’s private key. Same reason you can’t watch Netflix episodes without Widevine.

            • FreeloadingSponger@lemmy.world · 2 upvotes · 1 year ago

              A private key to do what?

              I only have the most cursory understanding of what Widevine is, but a quick Google reveals GitHub projects claiming to spoof it.

              Where I fail to understand is this. Whatever authentication the open source browser I modify needs to do, I can let it keep doing, because at some point it has to provide my browser C++ code with a clear text DOM before it renders it to an image to be displayed by my window manager. I can write that browser to simply remove DOM elements it deems to be ads - just like ublock does - before it renders it graphically.

              The only way around this would be to turn browsers into a completely dumb terminal that accepts an octet stream of pixel data so it can display bitmaps, which is completely unfeasible (every webserver would become a graphics card for each of its users), and even if it did that, a simple neural net would identify the ads and remove them.

              What am I missing?

              • salient_one@lemmy.villa-straylight.social · 1 upvote · edited · 1 year ago

                The attester will then sign a token containing the attestation and content binding (referred to as the payload) with a private key. The attester then returns the token and signature to the web page. The attester’s public key is available to everyone to request.

                — The explainer, section How it works.

                Websites will ultimately decide if they trust the verdict returned from the attester. It is expected that the attesters will typically come from the operating system (platform) as a matter of practicality, however this explainer does not prescribe that. For example, multiple operating systems may choose to use the same attester. This explainer takes inspiration from existing native attestation signals such as App Attest and the Play Integrity API.

                — The explainer, section Web environment integrity.

                Now Julien Picalausa of Vivaldi browser theorizes as follows:

                To make matters worse, the primary example given of an attester is Google Play on Android. This means Google decides which browser is trustworthy on its own platform. I do not see how they can be expected to be impartial.

                On Windows, they would probably defer to Microsoft via the Windows Store, and on Mac, they would defer to Apple. So, we can expect that at least Edge and Safari are going to be trusted. Any other browser will be left to the good graces of those three companies.

                Of course, you can note one glaring omission in the previous paragraph. What of Linux? Well, that is the big question. Will Linux be completely excluded from browsing the web? Or will Canonical become the decider by virtue of controlling the snaps package repositories? Who knows. But it’s not looking good for Linux.

                So, AFAIU, if worst comes to worst you won’t be able to run an unsigned browser and browse the web.

                • FreeloadingSponger@lemmy.world · 1 upvote · 1 year ago

                  I still don’t see why my open source browser can’t just lie when it’s sending a description of itself to the third party. The only way I could see it working is if that description needs to be encrypted by a key that’s compiled into a closed source browser, and then websites only accept requests from a few closed source browsers.

                  Is that what you’re saying? That unless I have one of a couple accepted clients which are proprietary and closed source, websites just won’t work?

                  • salient_one@lemmy.villa-straylight.social · 1 upvote · edited · 1 year ago

                    It seems logical to assume that there would be no point to the whole thing if it was so easily avoided just by modifying your browser. Someone who’s, for example, selling fake engagement (e.g., fake reviews), which is listed as one of the things Ben Wiser et al. want to prevent, will probably have enough technical expertise to use a modified browser that will circumvent WEI, so why would Google even bother?
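
An added illustration, not part of the thread or of the explainer: a minimal sign-and-verify exchange for the attestation token quoted above, showing how a website's check treats a token whose verdict was edited by the client, a token signed with the client's own key, and a token bound to different content. The token layout, the field names, the verdict strings and the use of Ed25519 are assumptions made for the example.

```javascript
// Added example. Token layout and field names are assumptions, not the
// format defined by the Web Environment Integrity explainer.
const crypto = require('node:crypto');

// Attester side (e.g. the platform): the only holder of the private key.
const attester = crypto.generateKeyPairSync('ed25519');

function attest(verdict, contentBinding, privateKey = attester.privateKey) {
  const payload = Buffer.from(JSON.stringify({ verdict, contentBinding }));
  const signature = crypto.sign(null, payload, privateKey);
  return { payload: payload.toString('base64'),
           signature: signature.toString('base64') };
}

// Website side: knows only the attester's public key.
function verifyToken(token, expectedBinding, publicKey = attester.publicKey) {
  const payload = Buffer.from(token.payload, 'base64');
  const signature = Buffer.from(token.signature, 'base64');
  if (!crypto.verify(null, payload, publicKey, signature)) return 'bad-signature';
  const claims = JSON.parse(payload.toString());
  if (claims.contentBinding !== expectedBinding) return 'wrong-binding';
  return claims.verdict;
}

// A client that rewrites the verdict but has to reuse the old signature.
function editVerdict(token, newVerdict) {
  const claims = JSON.parse(Buffer.from(token.payload, 'base64').toString());
  claims.verdict = newVerdict;
  return { ...token,
           payload: Buffer.from(JSON.stringify(claims)).toString('base64') };
}

function demo() {
  const binding = 'request-nonce-1234';            // constructed sample value
  const honest = attest('untrusted-browser', binding);
  const ownKey = crypto.generateKeyPairSync('ed25519').privateKey;
  return {
    honest: verifyToken(honest, binding),
    edited: verifyToken(editVerdict(honest, 'trusted-browser'), binding),
    selfSigned: verifyToken(attest('trusted-browser', binding, ownKey), binding),
    otherBinding: verifyToken(attest('trusted-browser', 'other-nonce'), binding),
  };
}

console.log(demo());
```

The verdict a site accepts is whatever the key holder signed, so the outcome depends on where the attester's private key lives and what it is willing to sign, not on what the browser says about itself.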