This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.
Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.
Rules:
1: All Lemmy rules apply
2: Do not post low effort posts
3: NEVER post naziped*gore stuff
4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.
5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)
6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist
7: crypto related posts, unless essential, are disallowed
Part of the point is that you may not be able to spoof it.
On code I write on hardware I run locally, how is it ever possible to not be able to remove an element from the UI?
If you don’t use a client with certain signature, the web request will end in different response, i. E. an empty response, as if your client had a certain signature. Please correct me if I am wrong, though.
Why can’t my modded client just give it that signature?
Because you don’t have Google’s private key. Same reason you can’t watch Netflix episodes without Widevine.
Drink up, me hearties, yo ho!
I watch Netflix shows in high definition without widevine every day.
🏴☠️🚢
Bro I’m watching a Netflix show right now and don’t have a subscription
Widevine has been hacked multiple times, it’s the usual arms race.
A private key to do what?
I only have the most cursory understanding of what Widevine is, but a quick Google reveals github projects claiming to spoof it.
Where I fail to understand is this. Whatever authentication the open source browser I modify needs to do, I can let it keep doing, because at some point it has to provide my browser C++ code with a clear text DOM before it renders it to an image to be displayed by my window manager. I can write that browser to simply remove DOM elements it deems to be ads - just like ublock does - before it renders it graphically.
The only way around this would be to turn browsers in to a completely dumb terminal that accepts an octet stream of pixel data so it can display bitmaps, which is completely unfeasible (every webserver would become a graphics card for each of it’s users), and even if it did that, a simple neural net would identify the ads and remove them.
What am I missing?
— The explainer, section How it works.
— The explainer, section Web environment integrity.
Now Julien Picalausa of Vivaldi browser theorizes as follows:
So, AFAIU, if worst comes to worst you won’t be able to run an unsigned browser and browse the web.
I still don’t see why my open source browser can’t just lie when it’s sending a description of itself to the third party. The only way I could see it working is if that description needs to be encrypted by a key that’s compiled in to a closed source browser, and then websites only accept requests from a few closed source browsers.
Is that what you’re saying? That unless I have one of a couple accepted clients which are proprietary and closed source, websites just won’t work?
It seems logical to assume that there would be no point to the whole thing if it was so easily avoided just by modifying your browser. Someone who’s, for example, selling fake engagement (e.g., fake reviews), which is listed as one of the things Ben Wiser at al. want to prevent, will probably have enough technical expertise to use a modified browser that will circumvent WEI, so why would Google even bother?