this post was submitted on 26 Jul 2023
967 points (99.0% liked)

Technology

34877 readers
13 users here now

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.

Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.

Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

founded 5 years ago
MODERATORS
MinutePhrase@lemmy.ml
967
Google is already pushing Web Environment Integrity into Chromium (github.com)
submitted 1 year ago by narwhal@lemmy.ml to c/technology@lemmy.ml
380 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] aksdb@feddit.de 18 points 1 year ago* (last edited 1 year ago) (2 children)

Can someone ELI5 how this could prevent a fork of Chromium from just not playing nice and telling the website "yeah yeah, it's all untempered *wink wink*" and then still remove/alter stuff as it pleases?

Edit: ok I think I got it ... it's basically the server that decides if it trusts the judgment of the client or not. Can't wait to see that cat-and-mouse game going on 🙄

[–] that_one_guy@beehaw.org 4 points 1 year ago

it’s basically the server that decides if it trusts the judgment of the client or not. Can’t wait to see that cat-and-mouse game going on

This is partially correct. The server will check that you have a valid token issued by a trusted third party, who will almost certainly be Google, Microsoft, or Apple. When you connect to the web page, your browser will give this token to the server and say "hey look I'm legit." The token will have enough information on it to identify that it is relevant (being provided by a client that matches the hardware it is meant to verify) as well as a cryptographic signature that verifies it is in fact from the trusted third party. So it's less the server trusting the judgement of the client than it is the server trusting the judgement of whatever third party is attesting to your system.

[–] DrQuint@lemmy.world 4 points 1 year ago* (last edited 1 year ago)

Yeah, I can imagine a fork of chromium existing that takes all the data and does the rendering pipeline """normally""", but then on the side does something completely different and shows THAT to the user, while giving the server an idea that nothing is wrong and what it is doing is just normal chromium stuff.

But such an idea will be done entirely by enthusiasts, slowly, on an obscure basis. For the majority of users, that will never even be a conceivable notion of something they can do with the internet. Itll never be something you see on a top, mainstream browser.

In other words, Google wins.