Google tries to defend its Web Environment Integrity
techreport.com
I'm happy to see this being noticed more and more. Google wants to destroy the open web, so it's a lot at stake.
Google basically says "Trust us". What a joke.
You are viewing a single comment
Would WEI stop Adblock by DNS? Like pihole or similar ?
Basically it's a way for a "third party" that's chosen by the web server to verify the environment where the front end code is running meets its standards. Those standards would be up to the third party. So I'd imagine if an assessor said "hey, we can verify ads load properly" or even "we verify this extension isn't running" then many sites would possibly choose those assessors. It also is blatantly deceitful because of all the issues it suggests it can fix, it doesn't actually fix any of them. And many of them aren't even that big of a problem.
From my very basic understanding of it yes. It in effect checks what's loaded against what was served and if there's a discrepancy it does its thing.
Note. If I have misunderstood please someone correct me.
Is there anything that would prevent some kind of proxy stripper? I'm thinking something that loads the page with a clean agent, strips out the shit and serves a nice clean page?
Definitely beyond pihole as it stands, but doable.
It would need something that would trick the checker into reporting an all good when local extensions fiddle with the rendered page. Not impossible IMHO but I'm wayyy to dumb for that shit. I was a sre not a developer.
Yes and no. They can freely enforce a specific DNS server and reject any browser with a custom one as "tampered with". Just like they can freely enforce any part of your system being like they want it to be "or else".
All of that can be easily checked via JavaScript, but now if you world use extensions to disable those checks you would not pass the attestation.
So yeah, essentially you no longer have control over your computer, and need to bend over and accept everything the site owner wishes to do.
Including a malicious site owner's wishes.
No, but that only works if the ads are being served by known ad hosts, so you should expect that adtech will get hip to that and proxy their traffic through the same hosts as the content.
That being said, it’s pretty easy to check if a user has network blackholing going on in clientside JavaScript, you just do a test request to a popular ad network and see if it resolves, no special browser support needed.
No that should still work. The server will send a page to your browser, and when the browser renders it, it will request the ad. And your pihole will block the request.
Unless WEI somehow changes how page rendering works but I don't think so.
Not really. The environment could easily include resolution of an ad server. If a site uses two ad servers and neither resolves, the attestor could decide to fail the environment. The problem is the attestation is left open for the attestor to create. It could check web browser, extensions, operating system, etc. I fail to see how this is at all privacy protecting to begin with.
That's absolutely horrible.
Stop WEI.
Does blocking ads by DNS still work? Current ads are AFAIK more sophisticated
Yes, it works well. There are some ads, like those built in to apps and pages for self-promotion (Microsoft having an ad for office on their own website, for example), that cant be blocked without disabling the service itself because the ad dns is the same as the content dns, but otherwise it works well.