You must log in or register to comment.
Would someone kindly eli5? The dictionary definition was not helpful.
Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like
- root/admin
- unlocked bootloader
- extensions (either bad extensions or something like an Adblock)
- VPN (potentially “if you have nothing to hide you have nothing to fear”)
- installed apps (Adblock via DNS like blokada,
- device emulation
- TPM (generate secure key to make sure device is “real”)
- OS state (heavily modified?, untrusted OS?)
etc. Basically making sure the “environment” is clean and not tampered with (trusted).
The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).
Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).
It’s also important to note that Google is doing this already as well. It’s almost impossible to use Google with my VPN provider as I’m slammed with 5 captchas every Google.
There are a lot of websites for me that straight up refuse to load if I have a VPN. Even non-important sites.
I don’t think sites can request attestation yet, for vpn ips it’s usually that the ip/ip block has shown “suspicious” behavior & got reported either manually or picked up by bot sensors.
(Now of course it’s also bad to let Google and friends be the arbitrator of good and bad IPs, famous for the destruction of truly self-hosted email (among other things))
Basically, a website can block you or treat you suspiciously based on whether or not this “feature” says that your computer or browser is approved and unmodified.
This can become a problem as more sites adopt this. You can be using a 2 year old device and suddenly your bank stops working because your device no longer shows up as approved. It can be used to artificially enforce obsolescence. The fix would be to buy a new device.
You could be using Linux or a 3rd party browser and many websites will become unavailable to you because they can never show up as approved and unmodified. It basically breaks the open web.
The author does a pretty good job of explaining the potential problems this technology could cause. Scroll down to Why Attestation Is Bad.
Thank you. I did see that, but was left wondering more exactly. Is it the same as cars locking features behind a subscription?
I think a better comparison re: cars would be if inspections could only be performed by Ford or GM and the inspection rules were made by them instead of the government. They could say: we’re no longer passing inspections on models older than 5 years old, or if you used non-approved oil or filters the toll roads are gonna block you. They could put ads on your infotainment system and say you won’t get an inspection pass if you block them or replace the infotainment system with something else. Did you bypass the subscription lock on your heated seat? No more highway driving for you.
Imagine the web as a playground where some big companies like Apple and Google act as gatekeepers, deciding who gets access to certain features or sites. They use something called “Private Access Tokens” to check if your device is allowed. It’s like showing a special ticket to play with the cool toys.
The problem is, this system could limit our choices and freedom. Only devices approved by these companies would get full access, while others might be treated suspiciously or blocked. It could stifle competition and innovation because only approved browsers and operating systems would be allowed.
Moreover, attestation means they control what we do with our own devices. Customization might not be allowed, and they could tighten the rules later on. This could change the web for the worse and hurt competition and user choices, making it less open and free.
Is there a real life issue that people faced or this is all theories? I haven’t seen any sites blocking me yet with ads blocker used?