And since you won’t be able to modify web pages, it will also mean the end of customization, either for looks (ie. DarkReader, Stylus), conveniance (ie. Tampermonkey) or accessibility.

The community feedback is… interesting to say the least.

  • @vvvvv
    link
    English
    32
    edit-2
    1 year ago

    Basically, it would allow websites to only serve users who comply with website requirements (i.e., no extensions, no ad blockers, only Chrome-based, whatever) whatever these requirements are.

    You (your browser) go to a website, example.com, which requires attestation. So you must go to an attestation server and attest your device/browser combo (by telling the attestation server whatever information it requires). If the attestation server thinks you are trustworthy, it gives you an integrity token that you pass to example.com, and then you can see example.com. The website knows which attestation server issued your integrity token, so you can’t create your own.

    So no extra software means no attestation server would attest you; means you can’t see example.com. End of story. It’s the same as the current “your browser is not supported” window, only you can’t get around it by changing the user agent.

    As usual with these initiatives, bullshit is spread across different specs - this spec by itself implies that any number of attestation servers can exist, and they can check whatever they want, and no browser should be excluded, etc., etc., but practical implementation would probably check installed extensions, etc.

    • @Araozu
      link
      English
      91 year ago

      Wouldn’t spoofing work? Like, if the browser just sends “yes, no extensions, adblock, blah blah” then how would the attestation server know if that’s true? Or does it require signed binaries, or some special hardware?

      • @vvvvv
        link
        English
        141 year ago

        That is conveniently left out of the speck. Attestation server may require signed binary on a client system, it may require whatever it wants really, because why not? It’s a website who decides to trust attestation server or not.

      • @[email protected]
        link
        fedilink
        English
        71 year ago

        Depends on if they used cryptographic signatures. Those would be impossible to spoof because any change in the client would change the hash completely.

        • @Araozu
          link
          English
          161 year ago

          Google silently shipping signed chrome executables soon…

          And then people wonder why non chromium browsers are important