WEI turns non-compliant browsers into second-class citizens. You’re perfectly free to use whatever compliant browser engine and OS combo you like today – but in a world with WEI, you’ll have to use Approved Chrome on an Approved OS on Approved Hardware with Approved Signing Keys, or you won’t be able to sign into your bank.
No, Google has plenty of skilled engineers that can make spoofing an attestation extremely difficult. It will probably rely on hardware that you cannot modify. See details of a plausible implementation here: https://news.ycombinator.com/item?id=36859465
Approved Signing Keys -> Will this require for the end user to do it? If so, then this might be a short lived change, cause for a lot of people having a username and password is already super complicated.
Like many others in this thread you stack so many assumptions on top of each other. Why? I don't think that helps.
Will this person's bank implement WEI in such a way that none of this person's devices (computer, phone) are supported and will this person not be willing or able to switch banks, only then buying a new computer comes into view. Without knowing anything about this person, assuming average, the chances for this must be low or the bank will have no happy customers left.
I fully agree with the underlying worries you and others in this thread have, but to extrapolate that without any nuance into a world where we all become privacy-less, ad consuming, eye tracked zombies on newly bought computers is not helping the case (in my view).
> Will this person's bank implement WEI in such a way that none of this person's devices (computer, phone) are supported and will this person not be willing or able to switch banks, only then buying a new computer comes into view.
Yes, they will, because it has already happened.
On Android many many banking apps block rooted phones and custom OSes by using Play Integrity and Safetynet. And then games started doing it too, you can't play Pokemon GO unless your phone's OS passes Safetynet. And then restaurants joined in. Sorry, you can't order from McDonald's unless you pass Safetynet.
I have talked to government officials responsible for my country's digital security policy and they have explicitly told me that they want remote attestation to lock out devices not running big corporate systems and they do not care about freedom. The same ministry is responsible for police. If they could, they would forbid you doing anything that is not explicitly legal just to be safe.
It's called looking ahead to the straightforward results of the obvious power dynamic, to know what it will lead to when that dynamic gets entrenched enough to be taken for granted.
It's like how all these "free" websites coasted along for years being quite user friendly, but have recently switched to extraction mode. Anybody who thought about the incentives knew what was coming down the line eventually.
I already today have a phone dedicated to "important stuff" like accessing banks. I think it's actually a decent solution, and a low-end phone doesnt cost that much either.
Despite what some on the political spectrum try to say, the Internet has become a basic human right. It is required in schools in America. In many cases, it is required to even interact with certain government entities. Allowing governments and corporations to force users to a specific browser on a specific operating system just to interact with their site goes against everything the web is supposed to be -- an open platform for the free exchange of ideas.
This proposal is a slap in the face to all of that and basically allows governments and corporations to force users to use what those governments and corporations choose.
This is net neutrality all over again, just in a different vein.
I, for one, will continue supporting Mozilla and Firefox and will never again use Chromium-based browsers, or any browser which supports this. I just hope I can keep browsing the sites I need to.
In what way does this increase the security of my bank account? A criminal can use credentials it obtained via a hack, etc. using an approved platform to access my account. My own approved platform can be compromised by malware and used to access my account. This class of problems is addressed by physical ID tokens, not attestation.
Corporate world currently sells attestation as a way to create secure token out of everyone's phone to the public sector worldwide. They obviously want it for the walled gardens and to fight ad-blocking, but public sector really wants to "deal with the cyber criminality" and they are clueless.
That would be difficult to do, if say all banks decide to only support Windows/MacOs. My bank that I use is a bit wonky on Firefox but works fine on Chrome.
Some banks even refuse to run on Firefox.
Also, switching banks might be more difficult than switching an OS.
And you would lose the reward points if any if you switch a bank, not to mention, if you use autopay that is configured to withdraw from a certain card, you would need to go and reconfigure that everywhere.
It is not technically impossible, it's just going to arduous.
There are already countries where all banks in the country (and often it is a mere handful; not everywhere is like the USA with a big choice of banks) already require e.g. using their app on an Android version that passes SafetyNet, in order to log in to online banking.
Does that seem easier for people to do than buying a Windows or MacOS device? If your oldest credit cards are through your bank it could wreck your FICO for quite a while.
The problem is that this feature can and will be used to restrict the users, it doesn't offer any real benefit to you.
This will not increase security for the user either, it's just a new barrier at the risk of higher fingerprinting. Why should you care how your bank handles security? It's their responsibility, not yours to handle.
one example of a non-compliant browser would be something crawling the web and building up some sort of search index of things because I don't think we want anyone to be allowed to do that.
This is good as a user story if you are using a blessed OS/browser/device in that you can avoid CAPTCHA or whatever
This is bad as a user story if you are not blessed and get likely locked out because the web operator doesn’t recognize you as valid
This is worse in the second order effects in that it can be leveraged to fight against ad blockers, paywall bypassers, YouTube video downloaders, and so on, by forcing all those user-friendly software under the umbrella of being unblessed. Hence the moniker of “web DRM”
