this post was submitted on 26 Jul 2023
934 points (98.8% liked)

Technology

34987 readers
413 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 8 points 1 year ago (2 children)

I don't understand. Isn't someone just going to fork Chromium, take out this stuff, put in something that spoofs the DRM to the sites so that adblocking still works?

[–] [email protected] 17 points 1 year ago (1 children)

Part of the point is that you may not be able to spoof it.

[–] [email protected] 3 points 1 year ago (1 children)

On code I write on hardware I run locally, how is it ever possible to not be able to remove an element from the UI?

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

If you don't use a client with certain signature, the web request will end in different response, i. E. an empty response,, as if your client had a certain signature. Please correct me if I am wrong, though.

[–] [email protected] 3 points 1 year ago (1 children)

Why can't my modded client just give it that signature?

[–] [email protected] 3 points 1 year ago (4 children)

Because you don't have Google's private key. Same reason you can't watch Netflix episodes without Widevine.

[–] [email protected] 6 points 1 year ago (1 children)

I watch Netflix shows in high definition without widevine every day.

[–] [email protected] 1 points 1 year ago

🏴‍☠️🚢

[–] [email protected] 2 points 1 year ago (1 children)

A private key to do what?

I only have the most cursory understanding of what Widevine is, but a quick Google reveals github projects claiming to spoof it.

Where I fail to understand is this. Whatever authentication the open source browser I modify needs to do, I can let it keep doing, because at some point it has to provide my browser C++ code with a clear text DOM before it renders it to an image to be displayed by my window manager. I can write that browser to simply remove DOM elements it deems to be ads - just like ublock does - before it renders it graphically.

The only way around this would be to turn browsers in to a completely dumb terminal that accepts an octet stream of pixel data so it can display bitmaps, which is completely unfeasible (every webserver would become a graphics card for each of it's users), and even if it did that, a simple neural net would identify the ads and remove them.

What am I missing?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

The attester will then sign a token containing the attestation and content binding (referred to as the payload) with a private key. The attester then returns the token and signature to the web page. The attester’s public key is available to everyone to request.

— The explainer, section How it works.

Websites will ultimately decide if they trust the verdict returned from the attester. It is expected that the attesters will typically come from the operating system (platform) as a matter of practicality, however this explainer does not prescribe that. For example, multiple operating systems may choose to use the same attester. This explainer takes inspiration from existing native attestation signals such as App Attest and the Play Integrity API.

— The explainer, section Web environment integrity.

Now Julien Picalausa of Vivaldi browser theorizes as follows:

To make matters worse, the primary example given of an attester is Google Play on Android. This means Google decides which browser is trustworthy on its own platform. I do not see how they can be expected to be impartial.

On Windows, they would probably defer to Microsoft via the Windows Store, and on Mac, they would defer to Apple. So, we can expect that at least Edge and Safari are going to be trusted. Any other browser will be left to the good graces of those three companies.

​Of course, you can note one glaring omission in the previous paragraph. What of Linux? Well, that is the big question. Will Linux be completely excluded from browsing the web? Or will Canonical become the decider by virtue of controlling the snaps package repositories? Who knows. But it’s not looking good for Linux.

So, AFAIU, if worst comes to worst you won't be able to run an unsigned browser and browse the web.

[–] [email protected] 1 points 1 year ago (1 children)

I still don't see why my open source browser can't just lie when it's sending a description of itself to the third party. The only way I could see it working is if that description needs to be encrypted by a key that's compiled in to a closed source browser, and then websites only accept requests from a few closed source browsers.

Is that what you're saying? That unless I have one of a couple accepted clients which are proprietary and closed source, websites just won't work?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

It seems logical to assume that there would be no point to the whole thing if it was so easily avoided just by modifying your browser. Someone who's, for example, selling fake engagement (e.g., fake reviews), which is listed as one of the things Ben Wiser at al. want to prevent, will probably have enough technical expertise to use a modified browser that will circumvent WEI, so why would Google even bother?

[–] [email protected] 1 points 1 year ago (1 children)

To make it harder, even if not impossible, for the average user to ad block them.

Are you asking because you're not sure of the answer, or because you are, and you know that web integrity will require a pre-compiled closed source binary to browse the web?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

No, I'm not sure. It's possible that this is a benign technology, but many believe it's not, including people at Mozilla, people at Vivaldi, Cory Doctorow, Jay Freeman (aka "Saurik"), the developer of Cydia (via The Register), so I'm concerned.

This recent blog post also mentions the intent of disallowing unsigned software to browse the web. Perhaps you'll find it interesting.

[–] [email protected] 1 points 1 year ago
[–] [email protected] 1 points 1 year ago (1 children)

Bro I’m watching a Netflix show right now and don’t have a subscription

[–] [email protected] 1 points 1 year ago

Widevine has been hacked multiple times, it's the usual arms race.

[–] [email protected] 1 points 1 year ago

Drink up, me hearties, yo ho!

[–] [email protected] 9 points 1 year ago (2 children)

Isn’t someone just going to fork Chromium, take out this stuff,

Yes, upstream Chromium forks will likely try to remove this functionality, but

put in something that spoofs the DRM to the sites so that adblocking still works?

This is the part that is not possible. The browser is not doing the attestation; it's a third party who serves as Attestor. All the browser does is makes the request to the attestor, and passes the attestor's results to the server you're talking to. There is no way a change in the browser could thwart this if the server you're talking to expects attestation.

[–] [email protected] 14 points 1 year ago

This violates just about every single open web principal that allowed Google to gain so much power. When they changed their motto from Don't Be Evil, to Do No Harm, they obviously chose deception. Their new motto should be Do Whatever is Profitable, or more succinctly Be Evil.

[–] [email protected] 6 points 1 year ago (2 children)

I don't really understand how that's possible. The browser gets a token from the third party, and passes that token to the server to "prove" it's running the DRM. The server then passes code back to the browser. At that point, why can't the browser just cut out the DOM elements which are ads?

I don't understand how code I write on hardware I run locally can ever have it's hands tied like this.

[–] [email protected] 5 points 1 year ago (1 children)

It won't be your hardware in a few years if this goes through. The code will run in a secure enclave and you won't be able to access your bank or log in to government websites if you control the hardware.

[–] [email protected] 2 points 1 year ago

Android phones are starting to do this, and it's a nightmare for people like me who actually want to own the device they purchased.

Needing root access on Android to regain basic functionality (such as the ability to backup installed apps) is a sad indicator of where we're headed ☹️... As much as I dislike iOS's walled garden, they make backups dirt easy for the end user - and they do complete backups too - app data, homescreen layout and all.

[–] [email protected] 0 points 1 year ago

I see what you're saying. I read it as implying the browser would fake the attestation token. I don't know the answer, but if their (stated) goal is to stop bots and scrapers, I have to assume it wouldn't be so simple. After all, a lot of bots and scrapers are literally running an instance of Chrome.