This is scary. It's (strong) SafetyNet for websites.

Every now and then I run into another Android app I can no longer run because someone decided my phone, running an official build of my choice of OS, that isn't even rooted, is "not trustable".

Now they want to start doing that for websites.

This kills open Linux on the desktop (including Asahi Linux). It kills alternative browsers. It is a backdoor to kill ad blockers.

No. Just no. Please.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md


@lina Attestation and DRM is one of the biggest roadblocks to implementing Apple server protocols (e.g. iCloud) in free software clients. Some have DRM-grade obfuscated code (literally the same code obfuscation as FairPlay!), but there are already some services using strong cryptographic attestation instead, and those feel frustratingly "game over" to me.

...now Google wants that kind of crap on the *web*?!

@nicolas17 @lina Now imagine if Apple made it silicon-backed

@saagar @lina For some services they already did. AFAIK DeviceCheck / App Attest / BAA is silicon-backed, and AFAIK connections to iCloud Private Relay are authenticated with that. I don't personally care about Private Relay, but I do worry about that being expanded to other new services.

Third-party iOS apps can also use DCAppAttestService. Google wants that shit to be accessible to web apps.

@nicolas17 @lina Right, it’s just not used for Apple services yet