[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Speculations about WEI

From: Yuchen Pei
Subject: Speculations about WEI
Date: Mon, 31 Jul 2023 00:05:19 +1000
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)


If you haven't heard about WEI, please take a look at [1], and the
explainer/proposal document[2].

I wonder what would be google's strategy to adopt it and how it will
play out. The more informed we are, the better prepared we are at
defending user freedom against it.

For example, if Google enforces WEI only on its services like gmail
and youtube, then it is not much of a regression for us, as these
services are already bad for user freedom and it is possible to go
about one's life without them.

OTOH, if we take the explainer at face-value, which describes the
process as follows:
- js on webpage request attester to attest
- attester responds
- js on webpage forwards the response to web server
- web server verifies the response, with or without the attester, and
  take actions accordingly.

Whether the web server decides to serve user requests with or without
attestation, with successful or failed attestation, is up to the web
server, not the attester (an powerful 3rd party). This is different from
delegating access to a third party like cloudflare which can deny tor
users by returning 406 Not Acceptable.

Assuming the incentive for the website owner to serve the user does
not change, a trivial way for the user to get around WEI without
missing out is simply to disable javascript or adding a rule to their
blocker to block all attestation calls
(`navigator.getEnvironmentIntegrity()` in the explainer), or to block
requests to attester IP/domains.

But will website owners be more incentivised to deny access to
js-blocking users after WEI? That is, will a website that previously
was happy to serve js-blocking users stop doing so after WEI is rolled
out? I don't see how that could be the case, as long as it is up to
the website owner to decide. Conversly, if a website wants to deny
js-blocking users, they can already do so, by not serving anything
unless the user enables javascript.

So it is the usecases where one does not completely block javascript
that can be affected. Again, it is only those sites that want to deny
some users (e.g. those using adblockers) but currently do not have
the means to do so efficiently, that will be able to do so after WEI
is rolled out.

So it seems to me that for people who care about their own user freedom
and already refuse to use sites that do not respect it, the negative
effects are limited. That is not to say WEI is not evil or should not be
opposed, of course.

BTW I see people say "switch to firefox", but if WEI proves to be
essential for firefox to retain users, I don't see why firefox would
not just add a toggle to enable it like it currently does with the
google widevine drm[3].

What do you think?



Timezone: UTC+10
PGP Key: 47F9 D050 1E11 8879 9040  4941 2126 7E93 EF86 DFD0

reply via email to

[Prev in Thread] Current Thread [Next in Thread]