> Google's plan is that, during a webpage transaction, the web server could require you to pass an "environment attestation" test before you get any data.
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.
Attestation is a great concept for stuff you're in control of. Employee laptops, your own servers, your own phone, you name it. You want to be able to control and verify your devices are still under your control, preferably without manually entering the data center every week to check. The concept isn't inherently bad.
That said, the concept is seemingly aimed at blocking ad blockers and preventing browsers like Brave from impersonating Chrome so it can block ads without the need for extensions and such.
The only user-positive use case I can think of for this is for self-hosted software. Maybe it can be used to detect MitM attacks or malware messing with the browser? In practice this will just mean "no Firefox, no Linux, no adblockers".
In theory one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
In practice it'll just be used to lock down content and force unskippable ads on users, of course.
And in practice it will eventually mean being unable to do online banking if you're on Linux. My Android phone with a custom ROM doesn't pass even a basic SafetyNet check, and this means I essentially cannot use mobile banking. For now, using a browser on my phone is a "workaround", but this proposal could change that
one could imagine a scenario like a bank website refusing to be accessed unless the entire OS & browser stack pass attestation - as that would rule out things like keyloggers, malicious browser extensions, and session hijacking.
The important part is that "malicious" isn't up to you to decide anymore; if you have any "unapproved" software that acts in your interests and not others', this could theoretically be used to lock you out too.
> a bank website refusing to be accessed unless the entire OS & browser stack pass attestation
Even that use case leads to bad outcomes. I already have to jump through hoops to get banking apps to run on my rooted phone. Banking websites refusing to run on anything but Chrome on Windows is a likely scenario here, and that's awful.
IT in big banks is usually horrible and their security departments would close you and your family in a cage if it was possible and helped them avoid liability. If attestation exposes let's say your password policy, be sure you'll be required to set it for monthly changes the moment they can do that.
I don't want them to have a say in how I run my devices.
But that's not a direct value. I'm aware that reducing fraud for banks will potentially (bank behavior makes me doubt this) increase interest rates/decrease fees since they'll have less stolen money. I'm also aware that the current internet is built on free-as-in-beer services due to ads typically covering costs.
I'm not interested in being hobbled for either of those problems. I remember when banks used to reject my browser because it wasn't IE in Windows. I remember when I had to look at webpages that were 50% advertising.
I hope banks like getting phone calls, then. MacOS and Windows normies are going to get caught up in this, and so are all of the laypeople who got pissed at those two and moved to OS's like Linux Mint.
Attestation can have value in a corporate network, ensuring only patched company laptops can connect to certain services, for example.
But software already exists to do this kind of thing for private networks. I really, strongly believe that this kind of functionality has no place on the open web.
This proposal is user-hostile, and could be very dangerous to the future of the web.
There is no value in this "attestation" for me as a user. I want to be able to do whatever I want with the browser (for example, remove ads or block access to canvas and webgl) and I want sites to be unable to know this. And probably this attestation will provide additional fingerprinting signals which is what I don't want.