Manifest V3 and Web Enviroment Integrity

[starbrite]

Is Pale moon doing anything to prepare for/get around WEI? As far as I understand it, it basically locks out any web browser/OS combination other than chromium-based-something on windows/android/apple, and Manifest v3 would stop adblockers from working... but tell me if I'm misunderstanding?
I only recently found PM and am in love, I'd hate to see it be rendered useless by google and WEI

[nicolaasjan]

Google seems to have paused the WEI program.
https://www.techradar.com/pro/new-google-chrome-browser-security-plan-slammed-by-experts

We also asked Google whether it had anything further to add beyond last week’s comment, when a company spokesperson told us that the program had been paused, and directed us in the face of early backlash to a response by the explainer article’s author, which concluded: “We welcome collaboration on a solution for scaled anti-abuse that respects user privacy, while maintaining the open nature of the web.

[moonbat]

For a change, Mozilla grew a pair and has refused to support this as well. Of course it remains to be seen what would've happened if it had got implemented.

[Kerebron]

This try has failed, we're waiting for another one. And another, and another... Until the slime sticks to the hull.

[Moonchild]

This try has failed, we're waiting for another one. And another, and another... Until the slime sticks to the hull.

So, stay vigilant and keep track of these kinds of proposals to slam them down when they come back like the bad pimple they are.

Is Pale moon doing anything to prepare for/get around WEI?

We won't be implementing this. Period.

Also, the problem is you cannot "get around" it because "attestation" is based on cryptographic signing. Basically WEI will tell the browser to go and get permission from one on a very short list of entities, which will cryptographically sign the attestation so it can't be faked (which immediately shows you where the weight of this spec lies!) to be presented to the website. So a simple "give back an answer to satisfy the website's request" can't be done as the website end will be checking the signature.

WEI is a spec that should be optional for high-sec/protected environments in the corporate sphere. If applied to the web as a whole it will simply kill any freedom internet users have -- of course ultimately, this can be distilled down to Google wanting to control the web clients in use so they can make sure their ads and tracking are being delivered (especially when combined with locking down extensions with manifest v3). Any other claimed need for this or similar specs will be veils to try and obscure that fact, IMHO.

[Moonchild]

Maybe people should push for support of this stance: https://github.com/RupertBenWiser/Web-E ... issues/137

[noellarkin]

If this becomes a thing, how is it likely to affect Pale Moon development? Sorry, I'm not too conversant with the 'under-the-hood' aspect of this...OP mentioned that it could be used to whitelist Chromium and nothing else, but wouldn't a spoofed Username solve that? Or are deeper checks involved?

[RealityRipple]

If this becomes a thing, how is it likely to affect Pale Moon development? Sorry, I'm not too conversant with the 'under-the-hood' aspect of this...OP mentioned that it could be used to whitelist Chromium and nothing else, but wouldn't a spoofed Username solve that? Or are deeper checks involved?

That was my point in the other WEI topic. Anything sent from a client can be spoofed. The best they could possibly do would be to introduce a client-side encryption key, which, the moment it's leaked, becomes useless.

[suzyne]

I would be very surprised if Web Environment Integrity ever got into a mainstream browser, but I an no expert on the politics and process of internet standards.

But if it did, I could imagine a "black market" of free and premium internet proxies that can make any browser look legit. if that would be at all technically possible?

[RealityRipple]

I would be very surprised if Web Environment Integrity ever got into a mainstream browser, but I an no expert on the politics and process of internet standards.

But if it did, I could imagine a "black market" of free and premium internet proxies that can make any browser look legit. if that would be at all technically possible?

The servers can't be forged - those would be a specific trusted list for each browser, likely with their public keys built-in, and unless there's some catastrophic security failure on their end (i mean when is there not a catastrophic security failure happening somewhere...) the private key for the server should never be known by anyone but that server. So any kind of proxy system is the wrong side of things to try to attack.

What can be forged is what the client sends to that server to be, essentially, "notarized" - there's no reliable way to achieve that without also allowing it to be emulated by a bad actor, resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.

[Moonchild]

resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.

Of course this does mean that the "good server" gets a record of your site visits, and opens the door to very widespread censoring of both sites and clients/regions the potential for overreach is massive here. Let alone the obvious privacy concerns...

[RealityRipple]

resulting in a good server OK-ing a bad client, because the server only has the client's application's word for the information it receives.

Of course this does mean that the "good server" gets a record of your site visits, and opens the door to very widespread censoring of both sites and clients/regions the potential for overreach is massive here. Let alone the obvious privacy concerns...

Oh, definitely. The use of the word "good" there was supposed to be analogous to "official". There's nothing good about it. Centralizing tracking is possibly the biggest threat to privacy since the internet itself.

[pale guru]

Half of this WEI pest is already reality. It is called Cloudflare, including other “cloud cybersecurity” hanky panky.

I'm sure Google will try to introduce WEI in a Salamitaktik way. Today there is an outcra of a view nerds, tomorrow most people will complain if a website “does not work” with webbrowser X when they can see it on Chrome somewhere else.

The Encrypted Media Extensions (EME) is even a W3C standard. Google still seem to make enough money with Youtube, otherwise they would have already switched to EME. (Above all, it is content created by other people, not Google.)

I'm happy Pale Moon does not jump on that WEI train as well.