this post was submitted on 03 Sep 2023
233 points (95.3% liked)

Technology

59346 readers
7625 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] kitonthenet@kbin.social 98 points 1 year ago (8 children)

These schemes all have the same problem that reddit and Twitter have: they need me more than I need them. If your website or app or whatever won’t work if I’m not on the right device I won’t visit it, and that’s not a bad thing

[–] Zoidberg@lemm.ee 36 points 1 year ago (11 children)

It's a bit more complicated than that, unfortunately.

What happens when Microsoft adds something to their web building tools that forces all visitors to websites using these tools to use IE? Or when your bank (or even worse, utilities) start requiring Windows and IE?

[–] toddestan@lemmy.world 26 points 1 year ago* (last edited 1 year ago) (1 children)

It'll probably end up worse than that. Turn off secure boot and Windows may still run, but it will no longer verify and all these sites will now refuse to work on your computer. So if you like to run Linux, even dual booting or running Windows in a VM for those things that absolutely require Windows won't be good enough anymore.

[–] deweydecibel@lemmy.world 11 points 1 year ago (2 children)

It's not just that.

Apples implementation of this doesn't tell the website anything about the device other than "Apples approves".

Google's implementation will give the website direct information about the browser and computer. Which permits them to get granular and targeted on restrictions.

[–] HelloHotel@lemmy.world 6 points 1 year ago* (last edited 1 year ago)

Its a fixed identifier, it can be a replacement for amythimg to forcably identify users:

  • super cookies
  • gpu profiling
  • unwanted cookies
  • IP adress recording (increseingly unusable)
  • phone numbers
  • ...
[–] HelloHotel@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

"Apples approves"

This reminds me: If you want to see what happens when a company implements this system where they approve your usage and then warps it into a punishment system later by revoking their approval when youve been naughty, see minecraft chat reporting.

load more comments (10 replies)
[–] Thorny_Thicket@sopuli.xyz 21 points 1 year ago (1 children)

If I as an adult still had my mom telling me that's enough internet for today, and taking away my laptop, I'd hate it but it would objectively be good for me. This is kind of a similar thing. I don't like that these companies fuck up services I like but there's no denying that me leaving reddit for example was overall quite positive thing to happen.

[–] kitonthenet@kbin.social 3 points 1 year ago (2 children)

Yep, that’s the bargain I’m making. I’m way happier now that I’m not yelling at nerds on Reddit/Twitter/etc. The nerds on the fediverse are much less time consuming

I think it also goes back to the fact that Twitter et al are meant to be addictive, the way I don’t like giving up Twitter is the same way I wouldn’t like giving up smoking, which both alarms me and makes me ok giving those things up

[–] Fades@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

Can totally relate.

I went back and visited leddit recently and it really does make me feel more angry/annoyed overall, it’s definitely changed but it’s also definitely not new either.

No doubt the lack of mod support is partly to blame but given that rage bait is essentially the most popular tool for engagement it wouldn’t surprise me if these social media companies try to play mind games in some way

The nerds on the fediverse are much less time consuming

That's because our Fight Club requires that the glasses stay ON.

[–] deweydecibel@lemmy.world 15 points 1 year ago (2 children)

These schemes all have the same problem that reddit and Twitter have: they need me more than I need them.

This sentiment comes off a lot like "it won't affect me, I don't care".

Like, it doesn't really matter whether you decide not to use these websites anymore. Nobody should have to put up with this shit. That's why we take a stand against it.

[–] kitonthenet@kbin.social 8 points 1 year ago

This sentiment comes off a lot like “it won’t affect me, I don’t care”.

Then you’ve severely misunderstood what I wrote

Nobody should have to put up with this shit. That’s why we take a stand against it.

That is exactly what I’m advocating for

[–] grue@lemmy.world 4 points 1 year ago

Exactly. There's a good reason why we don't, for example, allow people to sell themselves into slavery, even if they "consent" to it!

[–] cy_narrator@discuss.tchncs.de 11 points 1 year ago (1 children)

Till one day your government will require it.

[–] kionite231@lemmy.ca 3 points 1 year ago (1 children)
load more comments (1 replies)
load more comments (4 replies)
[–] deweydecibel@lemmy.world 93 points 1 year ago* (last edited 1 year ago) (5 children)

I'm getting here too late for this to be visible, but fuck it.

The difference is Apple doesn't pass any information on to the website. It just tells the website whether or not it passes their integrity check. Your web environment gets the Apple stamp of approval or it doesn't, that's all the sites will know.

Googles shit is going pass actual information about the browser state, add-ons, and the device to the site so they can restrict access based on any criteria they choose. That creates endless more avenues for abuse by giving the websites the ability to judge you for themselves and micromanage how you are allowed to visit their site.

Apple's is the equivalent of a metal detector before walking into a building. It will go off but it doesn't violate your privacy or enable targeted screening by telling anyone what it detected.

Google's is the equivalent of a strip search, where it will drop your clothes and pictures of your junk onto the property managers desk so they can decide if you're worthy to enter. Maybe they don't like your brand of underwear, or a tattoo you have, and refuse to let you in.

[–] grue@lemmy.world 32 points 1 year ago* (last edited 1 year ago)

It's hardly OK for Apple to be doing even that either, you know. Who the fuck does Apple think it is, to be entitled to "attest" to a goddamn thing?!

The notion that anyone can "attest" to users' caputured-by-DRM status is fundamentally toxic to the Internet as a whole and must be resisted at all costs and by any means necessary, legal or illegal.

[–] Rentlar@lemmy.world 14 points 1 year ago

Your comment was on the top for me, Lemmy's default "hot" sorting brings fresh takes to the front, so don't worry too much about your answers always getting buried.

[–] realharo@lemm.ee 13 points 1 year ago

Can you post any source at all that would back your claims? Or any technical details at all?

Neither the actual proposal https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#what-information-is-in-the-signed-attestation, nor the article itself seem to show that there would be a difference when it comes to privacy.

The entire problem with this proposal is that it limits client choice, similar to how Google Play integrity API on Android restricts some apps from running on rooted/unlocked phones.

That same problem obviously also exists in Apple's implementation.

[–] Serinus@lemmy.world 5 points 1 year ago

Transmitting that info to Apple is still a problem. Why do you trust Apple, but not Google?

Google's version will likely ask you first, and you'll know which sites are asking for it. Apple's won't.

[–] 1984@lemmy.today 3 points 1 year ago* (last edited 1 year ago) (1 children)

Big tech tries hard to act like the Internet Government, don't they... Who elected them?

load more comments (1 replies)
[–] elouboub@kbin.social 40 points 1 year ago (3 children)

The danger would be important entities like governments and banks using attestation. Then you'd be limited to using only Chrome, Safari and Edge, and Firefox could kiss its ass goodbye.

[–] kitonthenet@kbin.social 26 points 1 year ago (1 children)

Bank: my bank is too boomercore to ever implement something like this, we only recently got 2fa

Government: my government still makes me file my taxes on paper and mail it to them so I’m ok for now

[–] Kbin_space_program@kbin.social 18 points 1 year ago (1 children)

Banks and governments could get trapped into this because a third party vendor implements a system for them that includes this.

Like Salesforce's "Lightning Experience sites" only supports the latest versions of iOS and Android, as well as only supporting chromium based browsers and Firefox.

A lot of banks and government services run on that platform, and not all of them are going to be smart enough to pay for a custom solution that increases device support.

[–] kitonthenet@kbin.social 2 points 1 year ago (1 children)

It’s less about what they implement, and more about what their users who have clout expect. My regional bank is far more responsive to customer feedback than, for example, Bank of America. As for governments there’s all sorts of bureaucracy I can push on with not a lot of resources. It’s not accessible to everyone but organizations don’t need all that much prodding to respond anyway

[–] Kbin_space_program@kbin.social 2 points 1 year ago* (last edited 1 year ago)

Salesforce dictates what they support now, not on what people want. If an entity implements it, they can use the put of the box functionality or pay to have it customized to increase accessibility, security and support.

[–] Edgelord_Of_Tomorrow@lemmy.world 5 points 1 year ago (2 children)

The EU wouldn't really stand for that.

[–] Zak@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

The EU lets them get away with requiring device attestation for their mobile apps. It's not exactly the same thing since system requirements for native apps are traditionally narrower than websites, but it's similar.

load more comments (1 replies)
[–] _pete_@lemmy.world 2 points 1 year ago* (last edited 1 year ago)

In the UK at least, switching banks is super easy, I’ve done in twice in the last 2 months because they offered free cash to do so, there is enough competition that the banks have to make it easy to move or else they lose customers.

For government, generally most systems are built to be as accessible as they can be because there has been [https://www.gov.uk/guidance/accessibility-requirements-for-public-sector-websites-and-apps ](whole raft of legislation) written up to cover this.

I’m not saying it wouldn’t be a problem (power companies etc could prove to be sticky) but there are legal requirements that entities above a certain site have to meet.

[–] phx@lemmy.ca 28 points 1 year ago (2 children)

It's not a problem until more sites start REQUIRING it, and then it's too late. Even if some Apple already provides it, it's more dangerous as use grows

[–] Petter1@lemm.ee 9 points 1 year ago

It makes it even more easy to adjust online prices for apple users, lol

[–] _number8_@lemmy.world 4 points 1 year ago (2 children)

is there any positive use case for it for the user at all?

[–] HelloHotel@lemmy.world 11 points 1 year ago

No, its an alternate evil scheme to uniquely identify users and not bots. Replacing the phone number.

[–] Serinus@lemmy.world 3 points 1 year ago (3 children)

For sites that support it, you don't have to fill out a captcha.

Instead it transmits a list of running processes (or other, formerly private info).

load more comments (3 replies)
[–] mwalimu@baraza.africa 22 points 1 year ago (1 children)

your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.

[–] elbarto777@lemmy.world 16 points 1 year ago

Well, fuck that.

[–] redditReallySucks@lemmy.dbzer0.com 6 points 1 year ago (1 children)

What I don't understand is how does the attester check the device is not modified? Anything client side is just a matter of time until its get bypassed.

[–] Natanael@slrpnk.net 6 points 1 year ago

It needs integration with the TPM/secure element chip in the CPU and a device key issued by the manufacturer to sign an attestation that nothing in the software chain from kernel to browser has been modified .

These schemes tends to get regularly broken, just look at SGX

[–] yoz@aussie.zone 5 points 1 year ago (1 children)

What does this mean? Do they now own the internet ? Can someone please TLDR it?

[–] SirQuackTheDuck@lemmy.world 16 points 1 year ago (2 children)

A very short TLDR would be:

Apple (in this case) decides if your device should be trusted as a human, or if it's suspicious / a robot, which could break parts of the Internet for those not joining this "attestation", or using software that doesn't support it.

A more ELI5 version would be that Apple has implemented a controversial API (The Web Environment Integrity API) that indicates if a combination of OS + Browser + User behaviour is to be trusted as being human.

Attestation before used to mean "is this device who it says it is", and one can check that in some ways as part of WebAuthN (aka "Passwordless login"), where it would be useful to know if an Android device a site knows you have (as you've logged in before) is that same device. It's a system to trust devices. The WEI-API expands this to look at your OS, your browser and your environment, like installed applications.

Problem with this, is that the requirements don't have to be public. Apple can decide what makes a "trustworthy device" and what can be considered "suspicious".

Bad examples like these are to "fail" attestation if you have torrent clients installed, of if you're connected via a VPN, or if you're not using Bing + Edge on Windows.

Browsers and OS'es refusing to support attestation are likely to become a minority (most users use Chrome, and Google seems to be in favour). Should sites start blindly trusting this "attestation" - in replacement of captcha's -, we could start seeing more privacy-prone combinations being locked out of these kind of sites.

load more comments (2 replies)
[–] Lemmylaugh@lemmy.ml 3 points 1 year ago (3 children)
load more comments (3 replies)
load more comments
view more: next ›