KoinuJul 19, 2023

This is a credible proposal for DRM for websites in general. It would enable unbeatable adblock-blocking. It would prevent user customization for not just convenience but also accessibility.

I do not say this lightly: Enabling the forfeiture of control over the browsing experience is a fundamentally evil idea that must be rejected now, as it has been in the past, and we must remain vigilant against its reemergence in the future.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity

Contribute to RupertBenWiser/Web-Environment-Integrity development by creating an account on GitHub.

GitHub
Show threadNoxy 🐾🏳️‍🌈Jul 19, 2023
@gsderp Jeeez. And I was worried about DNS over HTTPS or TLS, this is a whole other level of horrific.
Show threadKoinuJul 19, 2023
@noxypaws DOH/DOT is dual-use, attestation is not. DOH/DOT is an unequivocal good when it enforces the free choice/consent of a device user-owner to control what resolver is used, and to enforce privacy in that use, (against/over the interests of a network-path interloper,) which is essential for further privacy improvements like ECH to be meaningful. In contrast, the fundamental purpose of attestation is to subvert a device owner-user’s ability to enforce their consent and exercise meaningful control over the what their device does, which is indefensibly evil.
Show threadlj·rk

@gsderp @noxypaws Only if device owner is the same person as holding the device physically. Which in many case is true, but it's not if my device is (temporarily) in somebody else's control. I see that attestation has a big potential to do evil, but attestation as done in e.g., GrapheneOS or on your own Linux laptop is quite a security benefit *if* (temproary) physical access by a non-owner is a realistic scenario.

You can say that physical access means automatically having lost of course, but that's just unrealistic.

The key is being able to control the attestation device and enroll your own keys. Or, as @mjg59 described it:

> _An aside: when I say "trustworthy", it is very easy to interpret this in a cynical manner and assume that "trust" means "trusted by someone I do not necessarily trust to act in my best interest". I want to be absolutely clear that when I say "trustworthy" I mean "trusted by the owner of the computer", and that as far as I'm concerned selling devices that do not allow the owner to define what's trusted is an extremely bad thing in the general case._

Jul 20, 2023 at 1:32pmWeb