> Computer scientists always consider the worst case scenario because it allows us to hedge against the risk—or, well, certainty—that something will go wrong.
> Why are people complaining about WEI and not PATs then?
> Well, Google is simultaneously the owner of the most popular web browser (Chrome) and the most popular mobile operating system (Android) on top of which Chrome runs. WEI is guaranteed to be a recipe for anti-competitive practices.
I don't follow. How is any of this exclusively harmful when WEI does it? Is Apple not also in a position to use PATs for anti-competitive purposes?
It's transformative (in a bad way) for the vast majority of users to be using systems that are capable of attestation, however we get there. Once that happens, it's a slippery slope into a world where you can't use open source browsers for commercial activity and the ladder is largely pulled up on a new browser ever becoming popular again.
At that point, it'll be left as an exercise for the remaining browser makers to slowly enshittify.
What's funny is that this trend could lead to the downfall of Chrome outside of Android and ChromeOS because at the end of the day, attestation is in the control of the OS maker.
Attestation is an issue in incentives, particularly on the part of website owners who lose incentive to offer a decent UX to non-attested users when most users are attested.
Apple PATs in isolation cannot achieve this, while Google is making a new web standard that will almost certainly achieve this if it is successfully pushed.
That is, Apple-only PATs are compatible with an open web. WEI as a standard is incompatible with an open web.
That said, PATs become dangerous in a world where WEI is being pushed - to that end I’ve recently disabled PATs on my iDevice.
The scary part isn’t what happens with attestation on today’s web, it’s what kind of web gets built tomorrow when the vast majority of users support attestation.
The author of WEI acknowledges this risk but the only mitigation is a suggestion that maybe browsers can occasionally hold off on attesting - basically, letting market share of attestation hold just shy of 100% in hopes that it doesn’t dominate the web.
I’m sure the future Google engineer who removes this restriction and saves 10% of Chrome sessions from captchas will also get a promotion.
Until sites "find a way" to ask multiple times for attestation (if it has a 10% chance of failing on each request and 10 of them in a row fail, what's the chance of the client supporting WEI and randomly holding off on all of them?)