by ranting-moth 904 days ago
If you keep feeding the Google monster you soon won't be able to browse the internet without a 3rd party attesting that your computer is worth browsing that site.

https://arstechnica.com/gadgets/2023/07/googles-web-integrit...

4 comments

"Users often depend on websites trusting the client environment they run in. This trust may assume that the client environment is honest about certain aspects of itself, keeps user data and intellectual property secure, and is transparent about whether or not a human is using it."

Double-plus-good rights management!

This reads like someone hopelessly out of touch with actual users.

Most users don't give a shit if their client is "honest", or if it respects intellectual property. These are concerns of web admins and media companies. Users just want something to load websites.

No no, it's not the users that care if their client is honest, it's the websites. But users want to use those websites, and therefore whatever is in the website's interest is in the user's interest.

There's a lot you can justify with a creative thought process.

I think it depends. When I use an ATM, I want to make sure it's the official bank ATM and won't steal my information. Also, spam is a tax that websites must pay and we as users are indirectly paying for this tax regardless of whether we intend to or not.

> When I use an ATM, I want to make sure it's the official bank ATM and won't steal my information.

sure, but in that situation, the "client" is you, and the "server" is the ATM. as the client, it's not your job to worry or care if you are being "honest" with the "server". your concern is only getting the money. it's the bank's job to secure the ATM from bad actors, not yours.

I admire how they barely try to hide the fact that it's just a way to bombard you even more with ads. They don't even care to pretend at this point.
This was reworked to be a more limited proposal specific for Android Webviews, IIRC. Fairly recently (last month)?
After all the intense backlash they faced, they made it a 'limited' webview feature rather than dropping it entirely. Now that it's away from a standardization body, what's to prevent it from being developed unimpeded by public opposition? What's to stop them from expanding it to browsers once the 'feature' is ready? After all, this is exactly the pattern we saw with FLoC, 'privacy' sandbox and the Topics API.
It will come back again and again, and each time there will be less public outcry. It'll end up being normalized and eventually accepted. General purpose computers give the unwashed masses too much power.
Yes, but it's the sort of creepy that they can't just undo by saying "nevermind".
And after that's normalized, then Google will enhance your user experience by bringing "Android Webview security" to Chrome on Android, you know, it makes you really secure, it's really to help you keep safe.

A few years down the road, a surprising amount of companies insist you can only use their product on those secure smartphone browsers because of its enhanced security, so Google helps you out by adding a special "Android Secure Mode" to desktop Chrome.

Unreasonable and unsubstantiated expectations.

Web sites want you to visit them, they have no reason to barrier you. Some sites I use still have http and if a site wanted you to visit it in a specific way they'd use an app. If the model is to make web sites less accessible for profit it would need a compelling reason to visit it in spite of the barriers. It will never happen.

Nothing unreasonable or unsubstantiated. This is exactly what happened with app geolocking, privacy sandbox/topics, SafetyNet/Play Integrity API, etc. All of these are supposed to improve security and privacy and yet none of them are under the control of the user. Clearly implying that the user is the biggest security/privacy threat to them.
Which sites require those? How would that allow them to make more profit?

I literally said if they want people to visit anywhere they use a site and if not they lock down the experience with an app, and you said they lock down apps as 'proof' that they'd lock down web sites because somehow they are equal. Apps have never been about freedom. Starbucks doesn't want user choice and privacy when they ask you to download their app.

And I'm yet to see what business model it would work for. I'm going with 'none'.

> Which sites require those? How would that allow them to make more profit?

Practically every banking site (or more importantly banking apps). And a lot of weird cases like bus/train timings app, mobile operator apps, etc. You don't see that a lot with websites yet because the web isn't so severely constrained as mobile apps are. But the moment they appear, it will go the other way. One good example of this is AMP - which thankfully fizzled out for other reasons.

> And I'm yet to see what business model it would work for. I'm going with 'none'.

You can go with whatever you feel like. But the real world experience corroborates what the other commenter said. And one good reason for this is the corporate security culture. 'Our app isn't secure if it doesn't use the PIntegrity' type of argument. They'll all fall for it even if it's detrimental to their users.

Publishers, already pushing back against ad blockers and now suing because their sites were scraped and incorporated into LLM weights, would love to have clients "attest" to the "humanity" of the user and "integrity" (read: no ad blockers) of the browser. It's not hard to imagine that, if given access to the feature, they'd jump on it as soon as it was feasible and make the user experience for non-attesting browsers progressively worse to force the change.
Your point is that struggling publishers will stay relevant, gain subscribers and afloat/make more money by implementing ad blockers, worst user experience and safety checks to make their sites less accessible. I'm sure it'll happen any day now.
Absolutely, yes. They will be empowered by tools they don't yet have to make it feasible to slowly "boil the frog". Remote attestation is just such a tool.
Websites want all the real visitors they can get, webapps are not quite as concerned with that. I remember the Microsoft Silverlight days.
I am fine not browsing websites that require this bullshit and fully embrace the small selection of niche communities that will be Internet 2.0
First they required attestation on Facebook but I did not speak up because I do not use Facebook.

Then they required attestation for Amazon but I did not speak up because I do not use Amazon.

And finally they required attestation for Uber Eats, but there was nobody left to speak up for me.