this post was submitted on 13 Oct 2023
1175 points (98.8% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
54698 readers
433 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
Ko-fi | Liberapay |
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Unless people mass-migrate away from Chrome-based browsers (basically everything expect Firefox) Google will at one point enable their Web Environment Integrity thing, force all other browsers to enable it too because otherwise a lot of websites will stop working in them, and no alternative frontend will have access to the video streams anymore.
Web environment integrity is a non-starter because it offers avenues for bad actors to enforce "integrity" that forces malware to be loaded as well as legitimate page elements. However, that doesn't mean Google won't keep trying to stop ad blockers, alternative interfaces etc in the future.
Perhaps, but eventually there will probably ba a certificate authority alternative to Google. But I agree, we need regulation to determine to ensure that programs calling themselves web browsers will have to adhere to standards, and not be based on features that make certain websites work only on their browser. I think the backlash reaction to implementing "integrity" as a standard was really healthy. But there is still a lot of action to take on the regulatory front.
Which won't matter (for access from third-party apps), because to be accepted by websites they need to prove their trustworthiness, so you can't just use a different one to circumvent it.
It can be very similar to the TLS scheme we use today, where certificates are signed by regulated CA's. The only difference is that currently there is no regulation to ensure that Google will build chrimium to trust other authorities for browser integrity other than itself. That is definitely a major concern. Fortunately, I don't think that it is long term viable. First, Microsoft, Mozilla and Apple would be extremely unhappy with this scheme. That's right off the bat. So there will definitely be resistance on that front because eventually it would do something like break youtube compatibility with Firefox.
Now, I do think that it is plausible that these organizations could come to a agreement that is still ultimately bad for web browsers. There fore, this should be considered by government regulators as something to pay attention to. I'm not too pessimistic about them doing this. There us political will to preserve the open internet, especially in the EU. It looks like the US is also set to re-adopt net neutrality rules. So, im just not as pessimistic about it.
The only issue is that in the short-term, alot of these services that are free are going to degrade. This is what we are seeing with youtube. That is too bad, but I am hopeful and optimistic that it will lead to a more open internet. The fact that we are having this conversation on a decentralized social network is a positive sign.
It still doesn't matter. A website can choose which attestors to trust (if they had to trust all of them the whole thing would be useless), so Youtube can just deny access to the video streams to anything that isn't a trusted browser environment, and anything third party like Invidious, Piped, Newpipe, Freetube... won't be able to work anymore.
Well yeah. But those clients could ultimately just say they are firefox if Mozilla is open enough, which they tend to be. It ends when Google decides that stuff like YouTube should only work on chrome. That would be bad, and I think regulators would treat it as bad, especially the EU.
Just to be clear, I don't think forcing this standard down everyone's throats for naked commercial reasons is a good idea either.
IIRC the proposal includes some crypto-handshake verification to make sure the attestor is who it claims to be, so no, apps can't just fake it. Or, if some of those secret keys leak and apps use it, sites won't accept it anymore.
It's a question of trust. Google will select the certificates they trust for the services they provide, and the entities that own those certificates will decide what do to with them. If they trust a certificate from Mozilla, and Mozilla agrees to make that certificate open to everyone for instance, than Google's only choice is to stop trusting it. But if Mozilla decides that is the certificate Firefox will use, than Google has to choose kicking off Firefox as well as other third party apps. Same with Microsoft and Apple, but I think Mozilla is more likely to oppose this kind of standard rather than try to reach some kind of agreement with Google.
The other way that this could play out every browser dev makes some kind of arrangement. Very unstable when we are talking about competitors.
At the end of the day, it requires a level of co-operation with the browser developers and internet service providers that I don't think a lot of people will go for, for various reasons. Especially not regulators. I guess I am just more optimistic about the open internet.