An experimental Android WebView Media Integrity API early next year

Okay, thanks. So then this truly doesn't affect websites at all, it's for apps which work like websites behind the scenes, but whose content no one is ever supposed to access from within a web browser anyway.

I can live with that!

what's a "status game"?

> If you think this is bad, then I regret to inform you that your war is probably lost.

There's an awful lot of gust in that sail, and yet no wind... Got anything to back it up or are we just being a corporate sycophant?

> Multiple companies (Apple included) have also built their own remote attestation services, and nobody cried bloody murder then.

HN, at the time, crying bloody murder about Apple's attestation system: https://news.ycombinator.com/item?id=31751203

This argument keeps getting brought out about Google, but in reality people are critical of iOS and Apple all the time. Yes, it is harder to get widespread reactions from people who are disengaged from web standards because Apple doesn't have Google's reputation. Yes, people tend to be more worried about Chrome than Safari in part because Safari is sitting at 20% market share.

But people do (and did) criticize Safari. It's not separate standards; if you pay attention to the people who are most engaged on these issues, Apple's DRM systems get criticism.

I am literally typing this on a LineageOS device; I don't see how that helps, if anything it just highlights the problem. The problem is that WEI, in any form, is most likely to be used in a way that results in websites blocking my device because I'm running my own operating system. And I'm pretty sure people did in fact cry bloody murder when Apple started doing it, but at least Apple was small enough percentage of the overall web browser share that nobody was going to try and mandate a feature that only they supported, unlike Chrome.

Edit: In short, the open web relies on being able to run any client you want; having KHTML doesn't do any good if sites block it.

People did complain about Apple; fewer because it's harder to get press attention about Apple on privacy issues, but it's pure revisionism to say that Apple's attestation systems weren't criticized.

This is how HN reacted to Apple's announcement: https://news.ycombinator.com/item?id=31751203

I have my own set of negative comments in that very thread where I literally call Apple's system DRM. So do I pass this ridiculous "hypocrisy" check well enough now that I'm allowed to complain about Google killing the Open web?

Crafting a fake login page in your app is a totally different problem than transparently proxying the web interface. First, if you copy the login page those assets are in the apk. This is easily detectable by bouncer and allows those apps to be denied (this happens today). Second, stealing the assets opens the app up to dmca takedown, which also happens today. Third, and most importantly, if you reverse proxy the page then the app will appear to users to actually work. This is crucial for the bad actor as it keeps the app from having a low rating in the App Store for not working. When they just steal the login page, the app gets downvoted quickly for being “broken”.

All of this adds up to making the bad actors have to work much harder, which is the goal.

My impression is that it's not people paying for Youtube Premium who are complaining about Google targeting people with ad blockers. I suppose Netflix used to offer only paid, ad free video streaming, so it isn't really out of the question for somebody to wish that were youtube's model; however, I can't help but imagine that if YouTube said they were switching to that most people on this site would be even more upset.

What is the basis for assuming that something like this was created in bad faith?

This is incorrect. If Chase uses attestation then only the Chase app can access their login site. It prevents DefinitelyChaseAndNotMalware from masquerading as Chase.

And if it drains people’s bank accounts because they aren’t savvy enough to know that their bank’s app is realbank not realbankofficial? Deal with it?

The stance that other people should have their savings stolen, when we could have easily stopped it, because of nebulous freedom reasons is pretty ghoulish.

Yeah an edge swipe could work. It would be difficult to introduce but Google doesn't seem to shy away from forcing app developers to make big changes so who knows.

Of course a malicious app could still just show a webview and make you type the password in. The above solution would only work if everyone uses a password manager and showing a webview becomes way more suspicious than it is now.

You have two types of webviews... "Webviews to the appmakers server", and "Webviews for the wider web".

Webviews to the appmakers server need to be authorized by some manifest file on the server whitelisting the app identifier.

Webviews for the wider web don't allow the app to know what's going on inside the webview, nor interact with it. So these are safe to type passwords into etc.

I'm sorry, I wrote embedded logins but was thinking embedded webviews in general. The only legitimate use of that in my mind is "a web browser app that's a usability skin over Chrome". Everything else is just a way of keeping you in a walled garden, and would be better if it just sent you to your default browser.

Those governments are mostly coming around as to why that’s a bad idea.

Back when EFI consortium wanted to make Secure Boot always on, it wasn't even clear if ARM is going to win in mobile market, let alone PC/server one.

Nowadays all non-mobile aarch64 devices I used, and even many mobile ones, let you boot your own unsigned kernel. Arm's SBBR only states that IF you implement Secure Boot and TPM support in your EFI firmware (you don't have to), it has to comply with certain rules. Nothing about preventing users from disabling it. (https://documentation-service.arm.com/static/5fb7e66fd77dd80...)

I’ve complained about this before, but I’ve been hearing “Microsoft is going to block you from installing Linux!” since like 2004, when it was a reliable way to get an easy “+5 Insightful” on Slashdot. It hasn’t happened, even on Microsoft’s own first-party computers.

At this point I think it’s firmly FUD and the people who say it’s coming any second now need to put up the evidence. Microsoft doesn’t seem to care, especially now that Windows is an afterthought to Azure, O365, etc.

This is a weird way to describe an open, transparent standard.

https://wiki.debian.org/SecureBoot#What_is_UEFI_Secure_Boot_...

What do you mean specifically?

You can:

  - set passwords on the key hierarchies
  - roll the seeds for the key hierarchies,
    thus invalidating *all* keys on the TPM

Also, once you change the seed for the Endorsement Key hierarchy you'll lose the ability to prove that the TPM is a legit TPM made by whatever legit TPM vendor.

So sure, this is only something you do if you know what you're doing, especially if the TPM is soldered onto the motherboard.

> One which you, as the owner, don't have the keys to.

One which nobody, not even the owner, can extract keys from. I don't understand why people don't like the fact that they can't pull keys out of the TPM. If you, the owner, can pull them so can anybody else. I know TPMs aren't invulnerable but you have to admit they significantly raise the bar of compromise.

If you use a mobile device maybe. My desktop machine has a TPM and AFAIK I do have access to load my own keys / replace the root keys. Of course, nothing says there isn't a backdoor within the TPM, but it's not this secret locked down thing.

For those that would appreciate context: Stallman did say this but the incident that he cites as justification happened _four decades ago_ and he wrote about it in 2002 [1]:

> Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

> However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

> I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

He was talking about a time-sharing system in an academic context. We have no idea what his thoughts are now, and it's logically fallacious to discount his feelings on what multinational corporations bake into their silicon on the basis of an experience that he had back when Van Halen was still topping the charts. It isn't exactly a secret that RMS is a bit "out there" - lots of historically-significant people are. Contextualizing their work and speech in a constructive way is preferable to writing them off wholesale.

[1] https://ftp.gnu.org/old-gnu/Manuals/coreutils-4.5.4/html_nod...

Given that RMS has a pretty good track record or predicting the kinds of abuses that we're seeing today, it seems like a good idea to at least pay attention to his ideas and not dismiss them out of hand.

Also, you know, GNU.

They can store that data, but they cannot retrieve that data. That's because the data it stores are cryptographic secrets (private keys). If they store a private key there and then delegate encryption/decryption to the TPM, you can also ask the TPM to perform said encryption/decryption using that key as the system owner.

The entire point of a TPM is ensuring that private keys intended for a specific device are never leakable off of that device.

Now that being said, there is an additional function of TPMs that is more controversial, and that's how it can be used by the CPU and firmware to refuse to execute code when a chain of attestation coming from a root key stored in the TPM is not satisfied. That controversy is very valid for TPMs or other "enclave" devices which do not allow the system owner to change those root keys. And of course there is the extended ability to leverage this attestation over a network, to allow a _server_ to be able to refuse service if the attestation is not valid.

When the user can change the root attestation keys, I think local attestation is a net positive for the security of the user. When they cannot, it means that only the "blessed" builds from the hardware manufacturer can run. This second case should be made illegal in my opinion.

Though there's nuance here, remote attestation however is a net negative for the user. Taken to it's logical conclusion where unattested access is 100% refused without exceptions, it means that the user effectively cannot run their own software on devices that they own, and that is not acceptable. It also ensures that the user can only use hardware devices that the service provider deems as allowed, which is the more practical and likely outcome at scale.

Remote attestation is what's at issue with WEI (and indeed things like Google Play Integrity and the equivalent feature of Apple's iOS stack), not the ability to ensure that private keys cannot be leaked.

The problem isn't the cryptography, who's using it and for what. There's nothing wrong with it if we're using it to empower and secure ourselves. There's everything wrong with it if it's some corporation using it to protect themselves from us, the owners of the machines. The former is just normal user activity. The latter means our computers are not really ours, they come pwned straight off the factory.

I'm not storing my fingerprint anywhere else.

I don't trust applications enough to have things like the encryption key for my hard drive outside a TPM.

Look, it's either "y'all", "vous", or bringing back "thou" for the singular, okay?

Uhhh, what?

I use y'all 'cus that's how all the kids in my school talked growing up.

I ditched a lot of the lexicon because after my family moved to the suburbs, I got made fun of by my new friends, literally calling me "less white". So no more finna', for example.

I will die on the hill of having a good second person plural pronoun though.

I certainly think that a lot but I sure as hell wouldn’t say it. It doesn’t help, that discussion never goes well.

Meh, it spreads a lot more broadly than the corporate snake people. And honestly I’ve never heard the corporate snakes use it myself (at least not before the example which you quoted), but I’m sure there are corporate snakes who do.

I don't think you know what clickbait is, because "accurate description of the main content" is not clickbait.

We just want the headlines to somehow reflect what we will see if we click on them.

In case this is all new to you: effectively WEI aimed to bring hardware-based remote attestation to the web for the purposes of allowing servers to refuse service when the device and its software was not approved by the authors of the server.

Now they just want to do it in WebViews, which is ineffectual at best, and still harmful at worst.