• helpimnotdrowning@lemmy.sdf.org
    ↑ 18 · 1 year ago

    Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like

    • root/admin
    • unlocked bootloader
    • extensions (either bad extensions or something like an Adblock)
    • VPN (potentially “if you have nothing to hide you have nothing to fear”)
    • installed apps (Adblock via DNS like Blokada)
    • device emulation
    • TPM (generate secure key to make sure device is “real”)
    • OS state (heavily modified?, untrusted OS?)

    etc. Basically making sure the “environment” is clean and not tampered with (trusted).

    The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s SafetyNet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).

    Then, like the article mentions, the device makers (Google (phones, Chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc.), Meta/Facebook (Oculus), etc.) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).
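Added example, not part of the comment above and not code from any real attestation API: a toy challenge round in which an attester signs a trusted/untrusted verdict and the server acts on it, showing how a stricter attester policy changes the outcome for the same device while the server code stays untouched. The key, policies, device fields and function names are all assumptions made up for illustration, and HMAC stands in for the attester's asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Real attestation uses the attester's asymmetric key; HMAC keeps this stdlib-only.
ATTESTER_KEY = b"constructed-demo-key"

# Hypothetical attester policies: each entry is a check over the reported device state.
POLICY_V1 = [lambda d: not d["rooted"], lambda d: not d["bootloader_unlocked"]]
POLICY_V2 = POLICY_V1 + [lambda d: d["age_years"] <= 5]  # stricter term added later

def _sign(body: bytes) -> str:
    return hmac.new(ATTESTER_KEY, body, hashlib.sha256).hexdigest()

def attester_issue(device: dict, nonce: str, policy: list) -> tuple[bytes, str]:
    """Attester: apply its own policy and sign a verdict bound to the server's nonce."""
    trusted = all(check(device) for check in policy)
    body = json.dumps({"nonce": nonce, "trusted": trusted}, sort_keys=True).encode()
    return body, _sign(body)

def server_decide(body: bytes, sig: str, expected_nonce: str) -> str:
    """Server: sees only the signed verdict, never the criteria behind it."""
    if not hmac.compare_digest(_sign(body), sig):
        return "refuse"  # forged or altered token
    verdict = json.loads(body)
    if verdict["nonce"] != expected_nonce:
        return "refuse"  # token replayed from another challenge
    return "serve" if verdict["trusted"] else "captcha"

def challenge(device: dict, policy: list) -> str:
    """One full round: server nonce -> attester verdict -> server decision."""
    nonce = secrets.token_hex(16)
    body, sig = attester_issue(device, nonce, policy)
    return server_decide(body, sig, nonce)

# Constructed device: unmodified, but six years old.
OLD_PHONE = {"rooted": False, "bootloader_unlocked": False, "age_years": 6}

if __name__ == "__main__":
    print(challenge(OLD_PHONE, POLICY_V1))  # serve
    print(challenge(OLD_PHONE, POLICY_V2))  # captcha
```
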

    • Sl00k@programming.dev
      ↑ 10 · 1 year ago

      It’s also important to note that Google is doing this already as well. It’s almost impossible to use Google with my VPN provider as I’m slammed with 5 captchas every Google.

      • Zana@beehaw.org
        ↑ 2 · 1 year ago

        There are a lot of websites for me that straight up refuse to load if I have a VPN. Even non-important sites.