I'm still not entirely sure why everyone is getting angry about Web Environment Integrity? It seems like a lot of sabre rattling from folks who don't actually grasp what it seeks to accomplish?

Like, any given website isn't obligated to utilize it.

You are not obligated to use websites that do utilize it.

There are very good reasons for app providers to want a secure environment that is tamper-resistant and can have the execution integrity validated.

"We won't let you connect to our application's services from an insecure device/stack" is nothing new in software. Why is WEI any different?

@neatchee One of the big issues for me is how this will hamper community projects like Librewolf and will instead put more power in the hands of corporations. Look no further than Android and Google Play to see how this would play out.

GrapheneOS is the most secure Android ROM out there, even beating out the ones by the OEMs. And yet, Google refuses to provide attestation to GrapheneOS, so it still has to do some spoofing to make apps that depend on Google Play work.

As a result, you either stick with the OEM ROM with whatever issues it has, or you go for custom ROMs and risk a lot of your apps not working.

1/4

@rgbunny I'm heading to bed but I want to discuss this in particular later. I used to work for the incorporated version of CyanogenMod (Cyngn) so I am especially well equipped to discuss this topic in particular. Graphene is great but Google Play Services attestation is a beast unto itself that is strongly linked to brand management and platform certification, independent of "yes, we are actually Graphene" types of attestation.

@neatchee I fully expect WEI to do the same with browsers. It's going to make it harder to daily drive community-made browsers like Librewolf.

And on this note, how "pure" must a browser be in order to be verified by WEI? Will modifying about:config be allowed? Will extensions be allowed? This could further limit what the user can do to protect themselves on the web.

Yes, this is assuming that WEI can prevent users from doing stuff on these unverified browsers. But I don't see why it won't. While Google may want more visitors for ad revenue, the same can't be said for other organisations.

2/4

@rgbunny the answers to those questions will entirely depend on the attester. The WEI standard is not intended to have Google as the only attester, like with Play Services.

Which is an interesting comparison: nobody is stopping Graphene from building their own storefront, their own Play Services equivalent, using things like OpenMaps, and so on. There are tons of Android devices on the market that don't use Play Services, you just wouldn't recognize them because they're typically not phones.

Hell, my workout bike from NordicTrack runs Android with their own services stack.

Play Services and Android are not synonymous.

@neatchee Take, for example, government websites. These are some of the ones which are most likely to implement WEI. They will have no qualms in forcing you to use Google Chrome and only Google Chrome to use their websites.

Even for Google, they can still abuse WEI while getting more visits. They can, for example, restrict YouTube access to verified browsers. After all, YouTube has very little competition and it's used ubiquitously.

And if you have to use a verified browser for your regular daily tasks, eventually, people will just migrate to it, consolidating the userbase to the browsers which are verified.

3/4

@neatchee And when WEI is pushed as being a security best practice, then more websites will implement WEI. This creates a larger incentive for people to move to verified browsers, as the web becomes increasingly inaccessible to unverified browsers.

Yes, this is all speculative on my part, but it has happened before with Android. There's just too much room for abuse.

Sure, WEI could be useful, but Google should've gathered feedback first instead of trying to strong-arm it through like they did.

4/4