My favorite part is when they ask you to give them the benefit of the doubt, but also anyone who disagrees with them in a way that doesn’t fit their expectations is “noise.”

Wow, that blog post is truly nauseating and infuriating to read, knowing the context.

Fuck Google. They’re the Nestlé of tech.

[Don’t assume consensus nor finished state]

Often a proposal is just that - someone trying to solve a problem by proposing technical means to address it. Having a proposal sent out to public forums doesn’t necessarily imply that the sender’s employer is determined on pushing that proposal as is.

It also doesn’t mean that the proposal is “done” and the proposal authors won’t appreciate constructive suggestions for improvement.

[Be the signal, not the noise]

In cases where controversial browser proposals (or lack of adoption for features folks want, which is a related, but different, subject), it’s not uncommon to see issues with dozens or even hundreds of comments from presumably well-intentioned folks, trying to influence the team working on the feature to change their minds.

In the many years I’ve been working on the web platform, I’ve yet to see this work. Not even once.

…?
What is this, “Good vibes only?”

We developers should stop just looking at the technical side of our work only. There’s social, economic and values to be taken into account when we put our minds to solve a problem. We tend to go blindly into it, without thinking what it can cause when it is released into the world.

It’s like if we put a bunch of developers into a secret project to develop an Internet World Wide Nuclear Bomb a là Project Manhattan… the leaders shouldn’t really have to hide what they were about to do, just throw the developers and engineers troubles to solve and they wouldn’t mind what it will be used for. It’s just tech, right?

At least this guy seems to fit the type: I want to do this technology I’ve been tasked for, I’m trying to solve a technological problem. The rest of the world is telling him «Man, this is a bad idea to implement.» and he whines saying «I want solutions to this technology, not what is wrong with it!»

(And if you aren’t one of those developers, congratulations, we need more of you!)

@TheYang Exactly! Came here to say this. Everybody actively using chromium based browsers is a part of the problem.

Firefox depends on google for funding though. Google could probably deal a killing blow quite easily.

Firefox will most likely support this, if it doesn’t want to get cut off from most of the web.

However, it would be nice to have a Firefox or Chromium fork with a switch to disable the “feature”, an option to remove any links to websites requiring this stuff, and some search engine free of links to websites requiring it.

Please drink verification can

Or they just ban you without recourse and poof all your data and accounts are dead.

Edit: consider using Google Takeout to download your data periodically as a hedge against trouble with your account. This will help prevent data loss in the event your account suddenly goes poof. It won’t help you with the apps you bought though.

Thanks for this. I skimmed the proposal doc itself and didn’t quite understand the concern people have with it – most of the concerns that came to my own mind are already listed as non-goals. The first few lines of this comment express a realistic danger that’s innate to what’s actually being proposed.

Glory to Arstotzka … I mean Alphabet.

Please write for black mirror!

I’m sorta sitting here in that same scenario. My iphone screen was severely broken last week, I don’t use any other apple services. When I tried to get into it, my phone went into security lock mode. Coincidentally all of my 2FAs for my other accounts did their monthly checkin. No phone, no checkin so now I’m locked out of nearly all of my work accounts. Apple ID will renew in a few days, but I didn’t think to take my broken phone with me on a trip, so my SIM with my phone number is now 1000s of miles away. So now I’m boned til I get home. 2FA works well until it works too well.

Thank you for choosing Google!

you need a Microsoft signed stub to boot anything other than Windows on a PC

Not necessarily, most motherboards and laptops (at least every single one I’ve ever owned) allow users to enroll their own Secure Boot keys and maintain an entirely non-Microsoft chain of trust. You can also disable secure boot entirely.

Major distros like Ubuntu and Fedora started shipping with Microsoft-signed boot shims as a matter of convenience, not necessity.

Secure Boot itself is not some nefarious mechanism, it is a component of the open UEFI standard. Where Microsoft comes in to play is the fact that most PC vendors are going to pre-enroll Microsoft keys because they are all shipping computers with Windows, and Microsoft wants Secure Boot enabled by default on machines shipping with with their operating system.

I started looking at Mac’s for my next computer. Due to this amazing project. https://asahilinux.org/

you need a Microsoft signed stub to boot anything other than Windows on a PC

False. Every PC I’ve had has allowed Secure Boot to be turned off, and some of them allow me to add another trusted certificate as well.

you need Apple’s blessing to boot anything on a Mac

False. The Mac boot process is completely unlocked, at least on Intel Macs.

your smartphone manufacturer decides whether you can unlock it and lose attestation

My Pixel 6 allows me to unlock the boot loader at any time.

Attestation exists, unfortunately, but it’s not nearly as pervasive as you seem to think.

This is the next logical step, to add “web app” attestation, since the previous ones had barely any pushback

Uh, there was huge pushback. That’s why even a Microsoft Surface won’t stop you from installing Linux.

you need a Microsoft signed stub to boot anything other than Windows on a PC

Can you expand on this? Maybe I’m just misunderstanding you, but a “pc” is not a Windows made machine. It is a collection of disparate computer parts made by different companies with no requirement to run Windows as the exclusive OS once put together.

Even on a Windows OS, I can run any program I want (that’s made to operate with Windows). I may get a warning if it’s not a “known” developer, but I can still run it. Did I miss a big update to how 11 works with unknown software or something?

That is the only solution to all this!

To everyone: Please remove at least as much Google products/services as you can from your life. Start with the easiest ones. Have a plan and gradually find alternatives for all other products/services of them. Remove them from your life. It will help even if you do this partly. This is for the benefit of us all.

Also, let’s do the same to Microsoft, Apple, Meta, Reddit etc. Let’s not let our lives depend on them. They are corporations. They are programmed to maximize profit.

I know there’s currently not a lot of good alternatives out there, but if enough of us ditch these ass-companies, more and more open-source, decentralized, not-for-benefit services will pop up, and the existing ones will improve greatly. These are not for-profit projects that can be bought by corporations later and used to their benefit. They will only benefit their users.

Let’s do this!

Fuck megacorporations!

Not a bad idea. Just also avoid Microsoft, Apple, and any non-open hardware or software… they all do the same stuff or worse.

Spoiler for a later stage of your journey: Your phone gets wayv faster. That part is pretty nice.

Or have some letters removed all together.

Pretty much the entire US needs a healthy dose of monopoly busting.

Hell, just look at the Ma Bell breakup and the path all of those companies took to where they are now. We’re basically back to step 1.

Yeah, as if github aka Microsoft is going to do anything about it … but hey, anything to keep the pressure up and not letting this go through.

So, a lot of the replies are highlighting how this is “nightmare fuel”.
I’ll try to provide insight into the “not nightmare” parts.

The proposal is for how to share this information between parties, and they call out that they’re specifically envisioning it being between the operating system and the website. This makes it browser agnostic in principle.

Most security exploits happen either because the users computer is compromised, or a sensitive resource, like a bank, can’t tell if they’re actually talking to the user.
This provides a mechanism where the website can tell that the computer it’s talking to is actually the one running the website, and not just some intermediate, and it can also tell if the end computer is compromised without having access to the computer directly.

The people who are claiming that this provides a mechanism for user tracking or leaks your browsing history to arrestors are perhaps overreacting a bit.

I work in the software security sector, specifically with device management systems that are intended to ensure that websites are only accessed by machines managed by the company, and that they meet the configuration guidelines of the company for a computer accessing their secure resources.

This is basically a generalization of already existing functionality built into Mac, windows, Android and iPhones.

Could this be used for no good? Sure. Probably will be.
But that doesn’t mean that there aren’t legitimate uses for something like this and the authors are openly evil.
This is a draft of a proposal, under discussion before preliminary conversations happen with the browser community.

Here you go

There is no technical solution to trust.

Google knows this. Trust isn’t really the problem they’re trying to solve.