[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Speculations about WEI

From: Ali Reza Hayati
Subject: Re: Speculations about WEI
Date: Sun, 30 Jul 2023 19:19:48 +0330
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0

On 7/30/23 17:35, Yuchen Pei wrote:

If you haven't heard about WEI, please take a look at [1], and the
explainer/proposal document[2].

I wonder what would be google's strategy to adopt it and how it will
play out. The more informed we are, the better prepared we are at
defending user freedom against it.

For example, if Google enforces WEI only on its services like gmail
and youtube, then it is not much of a regression for us, as these
services are already bad for user freedom and it is possible to go
about one's life without them.

OTOH, if we take the explainer at face-value, which describes the
process as follows:
- js on webpage request attester to attest
- attester responds
- js on webpage forwards the response to web server
- web server verifies the response, with or without the attester, and
   take actions accordingly.

Whether the web server decides to serve user requests with or without
attestation, with successful or failed attestation, is up to the web
server, not the attester (an powerful 3rd party). This is different from
delegating access to a third party like cloudflare which can deny tor
users by returning 406 Not Acceptable.

Assuming the incentive for the website owner to serve the user does
not change, a trivial way for the user to get around WEI without
missing out is simply to disable javascript or adding a rule to their
blocker to block all attestation calls
(`navigator.getEnvironmentIntegrity()` in the explainer), or to block
requests to attester IP/domains.

But will website owners be more incentivised to deny access to
js-blocking users after WEI? That is, will a website that previously
was happy to serve js-blocking users stop doing so after WEI is rolled
out? I don't see how that could be the case, as long as it is up to
the website owner to decide. Conversly, if a website wants to deny
js-blocking users, they can already do so, by not serving anything
unless the user enables javascript.

So it is the usecases where one does not completely block javascript
that can be affected. Again, it is only those sites that want to deny
some users (e.g. those using adblockers) but currently do not have
the means to do so efficiently, that will be able to do so after WEI
is rolled out.

So it seems to me that for people who care about their own user freedom
and already refuse to use sites that do not respect it, the negative
effects are limited. That is not to say WEI is not evil or should not be
opposed, of course.

BTW I see people say "switch to firefox", but if WEI proves to be
essential for firefox to retain users, I don't see why firefox would
not just add a toggle to enable it like it currently does with the
google widevine drm[3].

What do you think?


I wrote and deleted a lot. I wrote an entire article on this email and deleted it because whatever I say is useless to people at the moment. SO here's some stats:

Google has near-total power over the Web:

* 90.8% of all searches on the Web is done through Google (Google: 62.6, Google Images: 22.6, Youtube: 4.3, Google Maps: 1.3).

* Google collects the most revenue from online advertisements with over $32.4 billion ad revenue (in U.S.) while all other major advertisers not being close to it combined (Microsoft: $2.9B, Yahoo: $1B, Yelp: $0.9B, IAC: $0.5B, Amazon $0.5B; combined: $5.8B).

* Google has nearly total control over the flow of information. With its power, it can boycott almost any site or service and wipe them out. With its power over Android and Play Store app directory, which are proprietary, Google controls what can get published.

I also posted something on my blog:

Ali Reza Hayati (

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]