by Aachen 561 days ago
What I'm scared of is some sort of cryptography becoming the death of the open web. Baking keys into your hardware and doing remote attestation. It doesn't tie you to a real-world identity except that you're locked into using an unrooted (DRM'd) device for using online services like a normal person.

If I had to choose between two evils, I'd rather upload my passport to Cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device. But uploading government IDs to a (few) central point(s) of trust will create outcry about privacy whereas hidden cryptography baked into normal people's devices with Google Play Services and Apple Something and just working in the background goes unnoticed until everyone (the 99% who aren't on a custom ROM) already experienced the benefits.

For WebAuthn I know it can be all software, I've used virtual devices for testing a server implementation's security, but I vaguely remember there also being a mode that requires having keys signed by a hardware vendor. Just not sure anymore if that was WebAuthn or something else related to authentication.

2 comments

Apple has already shipped remote attestation with Safari and Cloudflare has been working to standardise their test release of this scheme as a web standard. It's only a matter of time before remote attestation starts replacing CAPTCHA thanks to the advances in AI.

The worst part will probably be that any hardware-backed attestation mechanism will need to blacklist entire ranges of devices once scrapers and other bots find a mechanism to mass produce attestation results, the same way a dumped key from a Blu-ray player carries the risk of killing all future Blu-ray player functionality from devices with that model.

WebAuthn is pretty useless for this purpose as far as my understanding of it goes (as you can pretty much emulate all of it, except if the website has a hardware whitelist that'll eventually block a lot of legitimate users as well). It's harder to bypass remote attestation mechanisms, though, as they're actually meant to provide security against bots.

> If I had to choose between two evils, I'd rather upload my passport to Cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device.

I don't want to do either. Not interested in Altman's eyeball crap either.

Bot prevention is not my problem as a user anyway. In fact in many cases scraping is very useful to me and could be used to have AI agents monitoring a website and informing me when something changes. Like a price drop.

I mean, yeah, obviously nobody wants either, but

> Bot prevention is not my problem as a user anyway

It isn't until it is. Today already one needs to

- "hold this button for 5 seconds to access this website" (and if you let go in between it offers the same captcha but will deny access until you reload the page and do what they ask), e.g. phys.org article I accessed iirc from HN

- Select all mountains or whatever, many forms on many many websites

- Rotate this puzzle piece until it fits (Chinese video website where someone linked to from YouTube because the randomly selected Chinese recipient of a gift posted their reaction there)

- Add up the dice from these 15 pictures and select the matching die (GitHub registration)

- "Your IP address doesn't have access. Request ID 929cjn289w." various websites

- "Something went wrong" -> open the developer tools -> server says IP address blocked. Retry with a different user agent string succeeds. (German eBay)

- Can access something from popular browsers but not then grab it with curl because they block that user agent (I needed this because my Android "download manager" was broken. Why the browser can't download it by itself like on any other OS, I don't know, but so I need to do downloads with wget/curl/whatever and this is very often blocked by user agent string)

- Verify your phone number to prove you're not a bot (Microsoft, Google, German eBay, Telegram, you name it)

But it's not your issue as a user! :P

More seriously, this is why I'm bringing this up now before the choice is already made, things magically work for the 99% using crypto solutions like proposed in the submission and the freedom to run free software is even more impaired than it already is today (ask anyone who runs a custom ROM or something as heinous as rooted their device but would still like to use payments or get updates for their device like a normal person).