This is a credible proposal for DRM for websites in general. It would enable unbeatable adblock-blocking. It would prevent user customization for not just convenience but also accessibility.

I do not say this lightly: Enabling the forfeiture of control over the browsing experience is a fundamentally evil idea that must be rejected now, as it has been in the past, and we must remain vigilant against its reemergence in the future.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

@gsderp What I read from this:

> Authority over "good" browsers. Compiled it yourself with a fix? You're screwed.
> Kick out "modified" devices, granting Google, Apple and Microsoft a de-facto monopoly on computers and smartphones
> Adblockers shall die
> They want more (reliable) ad revenue
> Prevent fingerprint anonymization
> Bind every user to a specific traceable public key. Yet another surveillance factor

Sure they use fancy excuses but in the end it's always the same bullshit with them.

"For example, this API will show that a user is operating a web client on a secure Android device."

This whole approach cannot work in an open source infrastructure (custom ROM, Linux desktop, ...). Instead, the approach requires the device to act against the interest of its owners. Any open source device can always be reprogrammed to stop doing that.

@Natanox @gsderp

@dj3ei @Natanox @gsderp the stupid games/stupid prizes part is the web scraping and astroturfing people have their whole livelihood on the line reverse engineering and defeating it, whereas individual users are in the middle with less capability.

there's no doubt in my mind that if google rolls something like this out, the "trust" model will wind up relaxed for interactions that score high in attestation, meaning that someone who defeats attestation will have an easier time carrying out sim-swap and phishing attacks on the web. meanwhile the astroturfers, once compromised attestation keys and "verified" installs on server VMs exist, will wind up with the same or greater capability as they have today.

The worst, and a potential outcome, is that attackers have a better understanding of the nuances of how this game is played than either the "users" (really website operators and ad networks in their paper) or us, and wind up selling our access to the web back to us -- ironically selling us the tricks they use to bypass attestation roadblocks so we can "prove we're human".

@prozacchiwawa @dj3ei @Natanox @gsderp Those folks they claim it's supposed to stop already have it solved, the same way they do for farming mobile game currency: paying someone to sit in front of 100+ phones and babysit them. This can easily be automated further if needed. The *only* people it impedes significantly at all are normal good faith users who don't want a cop in their pocket.

@dalias @prozacchiwawa @dj3ei @Natanox @gsderp locks only keep out honest people.