Web Environment Integrity

Google is up to things again: an attestation API for a website to cryptographically verify the authenticity of a client’s software stack, from the OS up.

Web Environment Integrity https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

Some examples of scenarios where users depend on client trust include:

  • Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots. This creates a need for human users to prove to websites that they’re human, sometimes through tasks like challenges or logins.
  • Users want to know they are interacting with real people on social websites but bad actors often want to promote posts with fake engagement (for example, to promote products, or make a news story seem more important). Websites can only show users what content is popular with real people if websites are able to know the difference between a trusted and untrusted environment.

With the web environment integrity API, websites will be able to request a token that attests key facts about the environment their client code is running in. For example, this API will show that a user is operating a web client on a secure Android device. Tampering with the attestation will be prevented by signing the tokens cryptographically.

Many commenters think this will be the end of the open web as websites start demanding you use specific proprietary software in order to log in, or ensure their ads/tracking will be passed without tampering. What think you?

I saw this doing the rounds last week and only skimmed part of the spec. I couldn’t really be bothered reading the whole thing… so feel free to ignore my uninformed opinion :smiley:

My take as a user is that is pretty much a terrible idea in every respect. Even from the short bits you quoted is seems like they are grasping at straws trying to find reasons why this would be something users would want.

I’m also curious about the privacy implications. What sort of extra information gets leaked via the attestation process? Seems like a good way to provide more accurate IDing of users now browsers like Firefox are implementing mitigations of cross-site tracking via 3rd party cookies.

I don’t think “trusted computing” is necessarily a bad thing, but it should be users in control of trusting their computers and what runs on them, not companies like Google trying to dictate that their need to trust your device is more important and any user considerations.

So the intent is now someone/thing can say which browsers are ok and which are not?

not sure i like that idea :slight_smile:

WEI got a mention at the end of this piece by Cory Doctrow. It is a reasonably long read, but gives a pretty good idea of where ideas like this are coming from and where things are headed.

1 Like

Luckily that never went wrong with Shockwave/Flash, Java, Silverlight, uefi, DVD CSS,…

I wouldn’t be surprised if it ends up like the video game space where people are creating real-world robots that is almost impossible for anti-cheat software to detect. Pushing the security in video-games is a game of cat and mouse and makes the experience more buggy and difficult to use for legitimate users.

Looks like WEI is dead. They are going to roll-out the Android WebView Media Integrity API instead.