Comment on Apple already shipped attestation on the web, and we barely noticed

<- View Parent
SirQuackTheDuck@lemmy.world ⁨1⁩ ⁨year⁩ ago

A very short TLDR would be:

Apple (in this case) decides if your device should be trusted as a human, or if it’s suspicious / a robot, which could break parts of the Internet for those not joining this “attestation”, or using software that doesn’t support it.

A more ELI5 version would be that Apple has implemented a controversial API (The Web Environment Integrity API) that indicates if a combination of OS + Browser + User behaviour is to be trusted as being human.

Attestation before used to mean “is this device who it says it is”, and one can check that in some ways as part of WebAuthN (aka “Passwordless login”), where it would be useful to know if an Android device a site knows you have (as you’ve logged in before) is that same device. It’s a system to trust devices. The WEI-API expands this to look at your OS, your browser and your environment, like installed applications.

Problem with this, is that the requirements don’t have to be public. Apple can decide what makes a “trustworthy device” and what can be considered “suspicious”.

Bad examples like these are to “fail” attestation if you have torrent clients installed, of if you’re connected via a VPN, or if you’re not using Bing + Edge on Windows.

Browsers and OS’es refusing to support attestation are likely to become a minority (most users use Chrome, and Google seems to be in favour). Should sites start blindly trusting this “attestation” - in replacement of captcha’s -, we could start seeing more privacy-prone combinations being locked out of these kind of sites.

source
Sort:hotnewtop