Apple has deployed a system called Private Access Tokens that allows web servers to verify if a device is legitimate before granting access. This works by having the browser request a signed token from Apple proving the device is approved. While this currently has limited impact due to Safari’s market share, there are concerns that attestation systems restrict competition, user control, and innovation by only approving certain devices and software. Attestation could lead to approved providers tightening rules over time, blocking modified operating systems and browsers. While proponents argue for holdbacks to limit blocking, business pressures may make that infeasible and Google’s existing attestation does not do holdbacks. Fundamentally, attestation is seen as anti-competitive by potentially blocking competition between browsers and operating systems on the web.

  • sin_free_for_00_days@lemmy.one
    link
    fedilink
    arrow-up
    86
    ·
    1 year ago

    If a website doesn’t want me to see their shit, then I guess i won’t see their shit. I already have some sites that don’t work because of my aggressive use of lists on my pihole, in addition to the usual browser plugins. If a site doesn’t work now, I just move on. I don’t give a shit about any site enough to put up with this type of bullshit.

    • Amju Wolf@pawb.social
      link
      fedilink
      arrow-up
      56
      ·
      1 year ago

      What if it’s your bank’s website? Or email provider? Or literally anything else you actually have to choose and can’t pick? “It’s okay because I don’t think it affects me / I can ignore it” is always a bad reason to allow a bad thing happen.

        • masterspace@lemmy.ca
          link
          fedilink
          arrow-up
          37
          ·
          1 year ago

          Honestly, if you’re telling people to run their own email host, you’re either trolling or a moron.

            • masterspace@lemmy.ca
              link
              fedilink
              arrow-up
              23
              ·
              edit-2
              1 year ago

              Every time I’ve ever looked into it or read anything on the topic it’s been like “do not do this. I lost my father, my children, two wives, and all my Pokemon cards in this endeavour, but in case you don’t want to listen, here’s how I partially successfully hosted my own email server for three months…”

              • Amju Wolf@pawb.social
                link
                fedilink
                arrow-up
                3
                ·
                1 year ago

                It’s not that bad but definitely not a solution for everyone. And you probably still don’t want to do it for your primary mail unless you’re otherwise extremely well versed in doing so, up to and including running multiple servers for redundancy.

                • Nalivai@discuss.tchncs.de
                  link
                  fedilink
                  arrow-up
                  9
                  ·
                  1 year ago

                  Not exactly. Having a running software is one thing, not having your emails be blocked by everyone because you’re not a trusted host is another. That another is a deal breaker and a huge pain in the ass, even though it helps fighting spam

            • neardeaf@lemm.ee
              link
              fedilink
              arrow-up
              15
              ·
              1 year ago

              You do realize the vast majority of people would need you to explain what a “rented host” is, then they still wouldn’t comprehend it.

        • some_guy@lemmy.sdf.org
          link
          fedilink
          arrow-up
          32
          ·
          1 year ago

          Run your own email like people should?

          This hasn’t been practical for a while now. If you’re not on a major domain, Google, MS, etc will block you as likely spam.

          • Neshura@bookwormstory.social
            link
            fedilink
            arrow-up
            5
            ·
            edit-2
            1 year ago

            Cannot confirm, somewhat. Setting it up so you don’t get blocked is rather easy, figuring out how to do that correctly is a bit of a pain though (I only managed to correctly set things up once I started using Mailcow and their built in DNS check tool)

            The domain still lands on some blacklists but that is down to one ISP blanket banning any mail servers in the IP block my ISP rotates my IP through.

            • Deemo@bookwormstory.social
              link
              fedilink
              arrow-up
              2
              ·
              1 year ago

              Unfortunately google is aggressive at spam filtering. For example when I signed up for bookwormstory.social the confirmation mail was sent straight to spam automatically (I had to fish it out and mark it not as spam) 😔

        • hascat@programming.dev
          link
          fedilink
          arrow-up
          29
          ·
          1 year ago

          Change your email provider? Run your own email like people should?

          This isn’t a practical suggestion for the vast majority of the population.

          • dust_accelerator@discuss.tchncs.de
            link
            fedilink
            arrow-up
            4
            ·
            edit-2
            1 year ago

            I have both my own email server and an additional paid email provider. not expensive and has very nice functionality in terms of sync, aliases, etc.

            If they now said I needed some 3rd party bullshit to access their site, I would quit paying them. There are tons of these smaller businesses.

            I doubt they will just be like “oh well, guess i’ll die, Daddy Google said so”

            What i’m saying is, it doesn’t have to be google OR become a tech wizard. There is a middle path that just costs a dollar.

        • Nyla Smokeyface@beehaw.org
          link
          fedilink
          English
          arrow-up
          23
          ·
          1 year ago

          It’s pretty shitty for a company to force someone to use a phone app or go to something as vital as a bank just because they won’t let the customer access the website. And there are plenty of reasons why someone wouldn’t be able to go to the bank in person every time they needed to, or at least it’d be extremely inconvenient to (especially for small things like checking your balance or transactions). Not everyone has a phone either.

          Change your email provider? Run your own email like people should?

          I’ve never deleted my email before but I’m pretty sure that means losing access to your entire inbox that you’ve likely had for years and having to update your contacts, the emails for all the accounts you have under it, etc. And being blocked from the website means you won’t be able to do any of those things through the official website. Does device atteststion prevent you from accessing your email through third party clients?

          Also, it’s not exactly easy or practical to host your own email. And for many people that would mean spending money on servers. I read a blog post last year of someone who gave up hosting their own email after 23 years doing so.

        • rambaroo@beehaw.org
          link
          fedilink
          arrow-up
          21
          ·
          edit-2
          1 year ago

          How do you “fucking go in” to an online bank? And why are you being so aggressive about a simple question? Getting tired of people still acting like redditors here.

        • masterspace@lemmy.ca
          link
          fedilink
          arrow-up
          14
          ·
          1 year ago

          And how the fuck is a phone app an alternative for avoiding attestation??? A phone app is inherently attested by being distributed through the app store.

          • blindsight@beehaw.org
            link
            fedilink
            arrow-up
            7
            ·
            1 year ago

            On a rooted phone, they can still fail attestation, apparently. That’s why Magisk Hide (or whatever it’s called) became a thing, to hide that the device is rooted. Google Pay also apparently needs Magisk Hide to function.

            I don’t trust my phone to store my payment details, so I don’t care about Google Pay, and my bank’s app works fine while rooted, so I don’t have any personal experience with it, just what I’ve seen in every single root guide I’ve used in at least the last 4 years (if not longer; I don’t remember how I rooted my previous phone.)

          • Amju Wolf@pawb.social
            link
            fedilink
            arrow-up
            4
            ·
            1 year ago

            Yeah, joke’s on the commenter; Google had had device attestation for phones for ages now and it’s also terrible. Many apps will outright refuse to work if you have a non-typical phone (rooted, some obscure hardware or custom OS).

        • Quokka@quokk.au
          link
          fedilink
          arrow-up
          12
          ·
          1 year ago

          Who the fuck goes into a bank in this day and age?

          Shit most branches I see are closing down.

          • TehPers@beehaw.org
            link
            fedilink
            English
            arrow-up
            3
            ·
            1 year ago

            I rarely do, but when I do it’s for something a bit specific, like ordering/depositing foreign currency (for travel) or depositing large checks that exceed the online deposit limit (which again is extremely rare). For everything else, it’s online only, especially since every time I go in, there’s only one teller working and the line is super long.

          • dust_accelerator@discuss.tchncs.de
            link
            fedilink
            arrow-up
            3
            ·
            1 year ago

            This is true. However, I don’t see this happening as the website/browser isn’t really the problem with online banking, it’s more often the user.

            On another note, how about no access at all, because this is a freaking huge attack surface for (D)DOS. Imagine you just invalidate signatures of all traffic to and from an attestation service. You could almost stop countries from functioning. That’s a serious vulnerability which we can easily do without.

        • Leigh@beehaw.orgM
          link
          fedilink
          arrow-up
          10
          ·
          1 year ago

          There’s no need to be so nasty, friend. I’m removing your comment because this isn’t the in line with our community value of ‘be(e) nice’

        • ReversalHatchery@beehaw.org
          link
          fedilink
          arrow-up
          9
          ·
          1 year ago

          Use the phone app

          Jokes on you. It refuses to work as my phone configuration is not approved by our corporate overlords. And yeah, obviously you can go to the bank at any moment, there are no times whatsoever when you need to do something right now, without lets say leaving the cash register at the shop

          • Paradoxvoid
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            1 year ago

            And that’s not even getting into how banks worldwide have been cutting down on staff numbers for years, and directing people to just their apps instead.

        • Amju Wolf@pawb.social
          link
          fedilink
          arrow-up
          5
          ·
          1 year ago

          Well you can protest, inform others, switch browsers, make your family switch…

          It’s not easy and might not accomplish much but at least you’re trying.

    • kent_eh@lemmy.ca
      link
      fedilink
      arrow-up
      18
      ·
      1 year ago

      If a website doesn’t want me to see their shit, then I guess i won’t see their shit

      That’s how I react to Twitter and Facebook requiring login to even view most things.

      Whatever you’re showing isn’t important enough to be worth me making an account.

    • esaru@beehaw.org
      link
      fedilink
      arrow-up
      12
      ·
      edit-2
      1 year ago

      To see how your approach works, try using the Internet with Javascript turned off for reading text. You will realize you can’t organize your life nowadays without bowing to what websites do technically.

      • Big P@feddit.uk
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        You can’t use websites when you disable a major piece of functionality? Shocker

        • esaru@beehaw.org
          link
          fedilink
          arrow-up
          7
          ·
          edit-2
          1 year ago

          Why would Javascript be a major piece of functionality for a website that is based on text articles?