VICTORY: Google WEI ‘Stealth DRM’ Plan is Dead (or is it?)
2023-11-3 23:17:46 Author: securityboulevard.com (view original) Views: 5 Favorites

Google backs down on Web Environment Integrity API, but its replacement is also problematic.

Under pressure from the “freedom to tinker” brigade, Chrome’s DRM-like WEI project has been canceled. You might remember when this all blew up in la GOOG’s face, back in July.

However, there’s a tiny asterisk in the announcement. In today’s SB Blogwatch, we scour the fine print.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Cats and dominoes.

WEI is Dead — Long Live WMI

What’s the craic? Abner Li breaks the story—“Chrome not proceeding with Web Integrity API”:

It can be abused
The Web Integrity API would let websites “request a token that attests key facts about the environment their client code is running in.” … People took issue with how [it] would bring DRM to the open web. Google “heard your feedback.”

However, it is piloting a new Android WebView Media Integrity API that’s “narrowly scoped, and only targets WebViews embedded in apps.” … WebViews can be used to embed streaming video and audio in Android apps with advanced configuration options and UI customization. However, it can be abused.

It’s piloting a whatnow? Thomas Claburn goes deeper, saying WEI “looked more than a bit like horrible DRM for websites”:

Early access program
Amid rising community concern, Google says it … plans to work on a more limited version of the tech for Android WebViews, a version of its Chrome browser that can be embedded within Android apps. … Following the publication of a working draft specification in July, a flood of critical feedback … put Google on the defensive. The Googlers involved then limited who could post comments to the project repo.

The ability to have Android apps embed web pages that embed media files has advantages when developing mobile apps, but also affords an avenue for fraud. Unscrupulous devs can meddle with embedded content.

The Android WebView Media Integrity API aims to ensure that those embedding media in WebViews can have some assurance that their assets – such as streaming media – are being displayed in the app where they were embedded and not some unknown party’s untrusted app. Media providers interested in testing this process can sign up to … an early access program.

So what? Cory Doctorow and Jacob Hoffman-Andrews explain—“You are the boss of your computer”:

Completely foreseeable risk
We live in a wildly imperfect world. Laws that prevent you from reverse-engineering and reconfiguring your computer are bad enough, but when you combine that with a monopolized internet … things can get really bad. A handful of companies have established chokepoints. … When those companies refuse to deal with you, your digital life grinds to a halt.

These tools might have a place within distributed systems – for example, voting machine vendors might use [them]. Or at-risk human rights workers might … to help determine whether their devices have been compromised. … But these tools should not be added to the web.

Computer scientists don’t get to decide how a technology gets used. Adding attestation to the web carries the completely foreseeable risk that companies will use it to attack users’ right to configure their devices to suit their needs.

What’s Google up to? u/Goodie__ assumes a safe assumption:

Given Google’s pivot to ad blocking on YouTube, I think we can pretty safely assume what WEI was actually about: Getting more ad views—and being able to ensure that people actually watch them—and [that] our adblocks don’t mess with the web page.

Would you monopolists please give it a rest? zlg_codes sounds exasperated:

The world needs to stop looking to a global data broker who feeds data to advertisers as a legitimate and good faith steward of Web technologies. It violates the separation of concerns between server and client.

Clients are user agents—i.e., they do what the user wants, not what the server wants. … If we want HTTP(S) and friends to remain a free and open protocol for all, we have to cut Google out of the decision-making process. They’ve been behind Encrypted Media Extensions, they’ve been behind Manifest v3, and now WEI. The Web doesn’t belong to Google.

Just wait for WEI 2.0? Luckyo thinks it’s coming:

[WEI] is very much wanted by Google, as it allows them to lock down their dominant market position in the field of online advertising. This puts Google in jeopardy of anti-trust people, and they already have several problems with them that are ongoing, so advancing this now would cause more problems on that front.

They’ll likely do the sensible thing: Wait for that moment to pass and try again.

Such redpillage. doublelayer is even deeper down the rabbit hole:

Ad fraud was their way of trying to find an excuse for having this feature. … People wouldn’t want it … if they told the truth: “We want to add a feature which explicitly breaks anybody who isn’t using Chrome, then get a lot of people to mindlessly activate it, then take the integrity information and leak it through Google Analytics or something for extra fingerprinting.”

Cue: The usual empty threats of switching to Firefox. Except toyg thinks they’re not so empty now:

Since FF fixed their main performance problems, switching is not particularly burdensome anymore. And now the assumption that Google is “evil” has reached the same level of popularity that Microsoft used to have.

We’re in a similar position as early-00s open source: Commercially fledgling, but establishing a solid mindstream in geek circles that will shape the future in unpredictable ways that are not favourable to Google.

Meanwhile, u/-jp- expects better:

I feel like the bar could be set a little higher than, “**** your privacy, and **** you.”

And Finally:

Rube Meowberg

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Hiki (via Unsplash; leveled and cropped)

Article source: https://securityboulevard.com/2023/11/google-wei-is-dead-richixbw/