Privacy

31808 readers

364 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

Chat rooms

[Matrix/Element]Dead
Discord

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago

MODERATORS

154

Apple already shipped attestation on the web, and we barely noticed (httptoolkit.com)

submitted 1 year ago by eterps@sopuli.xyz to c/privacy@lemmy.ml

28 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] helpimnotdrowning@lemmy.sdf.org 19 points 1 year ago (1 children)

Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a "challenge". This could be something like the browser (through a system API) checking some device details like

root/admin
unlocked bootloader
extensions (either bad extensions or something like an Adblock)
VPN (potentially "if you have nothing to hide you have nothing to fear")
installed apps (Adblock via DNS like blokada,
device emulation
TPM (generate secure key to make sure device is "real")
OS state (heavily modified?, untrusted OS?)

etc. Basically making sure the "environment" is clean and not tampered with (trusted).

The problem is with what defines a "trusted" environment. It could start at just making sure the device isn't rooted (like Android's Safetynet/Play Integrity check; most people don't root their device & don't/won't care, also easily justifiable since it can be a security vulnerability because the device is "wide open").

Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).

[–] Sl00k@programming.dev 11 points 1 year ago (2 children)

It's also important to note that Google is doing this already as well. It's almost impossible to use Google with my VPN provider as I'm slammed with 5 captchas every Google.

[–] Zana@beehaw.org 3 points 1 year ago

There are a lot of websites for me that straight up refuse to load if I have a VPN. Even non-important sites.

[–] helpimnotdrowning@lemmy.sdf.org 1 points 1 year ago

I don't think sites can request attestation yet, for vpn ips it's usually that the ip/ip block has shown "suspicious" behavior & got reported either manually or picked up by bot sensors.

(Now of course it's also bad to let Google and friends be the arbitrator of good and bad IPs, famous for the destruction of truly self-hosted email (among other things))