CHROME (google) is planing to implement DRM (kinda) into their browser
CHROME (google) is planing to implement DRM (kinda) into their browser
looks like rendering adblockers extensions obsolete with manifest-v3 was not enough so now they try to implement DRM into the browser giving the ability to any website to refuse traffic to you if you don't run a complaint browser ( cough...firefox )
here is an article in hacker news since i'm sure they can explain this to you better than i.
and also some github docs
-->since everyone is confused about this i'm gonna try to explain as best as i could and also clearing some misconceptions:
1# why this is such a big deal ?
if this gets implemented AND it gets widely adopted websites now can refuse to give you content if you are running a non complied browser, remember those website that say "oh you are using an ad blocker so disable it to access our site" they can detect this by various methods but ultimately all of them rely on running a JavaScript into your browser. which you guessed it, its easy to modify and tamper with manually or using extensions
now what WEI-API does is that it can verify the integrity of the web page ( JavaScript/HTML/CSS has not been modified ) and even tell the website what extensions - ad blocker detected no content for you - you are using and what browser you are using - firefox or brave detected no content for you - and do not be fooled into thinking that this can be spoofed. and website owners who think that they are running a business not a charity will implement this.
2#will using firefox save me?
if this gets widely adopted and you inevitably encounter a website that require this ( for your job ,school or your bank ) you have no choice but to use chrome just like when your banking apps refuse to work because your phone is rooted which means that SAFETY-NET is broken
3#why this is a threat to begin with?
this is only viable if the web adopt it so why bother?, well guess what google is famous for making its services very easy to integrate and well documented just look on how easy it is to integrate google analytics and google adsense* into websites and how many of them use it in the internet.
4#what can we do to prevent this?
this is my personal opinion but i think we simply can't, this not like the reddit incident were very large portion of the user base was upset most people don't know/care/give-a-fuck about web technologies and how they work.
#and Finally "but google said they don't plan to use this to fingerprint you (Device ID) or track your browser history or interfere with the work of extensions"
do you really believe that a company like google whose bread and butter is advertising would not make it easier for themselves, a company who has been exposed time and time again for lying and having ulterior motives ( you don't need to look far just look into what manifest-v3 did )
Stop using Google products I don’t know how else to fucking say it.
Chrome -> Firefox Drive -> sync or Dropbox or any number of options Sheets and productivity tools > libre office or Apache open office YouTube -> Invidious or even better, odysse Google search -> duck duck go, SearXNG, StartPage, etc Gmail -> not a ton of great options. I’d probably recommend proton mail but the FOSS email world is definitely lacking, or gets blocked or goes down, harder to self host etc.
I see so many comments from people saying they'll jump ship if Google adds this to Chrome. They'll move over to Firefox right away. But the thing most people don't know is one reason Google has such a broad reach is they make it so crazy easy to integrate their services for developers.
So, yes, users who dislike what they're doing should stop using Google products if possible. But, more importantly, developers or project managers, etc. should all resist the urge to utilize this kind of feature even if it's easy.
Users like visiting websites that are expensive to create and maintain, but they often want or need to do it without paying directly. These websites fund themselves with ads, but the advertisers can only afford to pay for humans to see the ads, rather than robots.
Won't you think of the poor poor ad companies?
Yet another vitally important front in the war on general purpose computing (it's a short and important read imo)
Fuck Google, and fuck DRM.
I work at a vpn/adblocker company and we just finished releasing an updated mv3 extension that does block ads effectively (among other things) but the feature set is limited vs mv2 because of the changes. Furthermore, google has actually pushed back their mandated release schedule for mv3 compliance because something less than 30% of the extensions on their store are anywhere close to ready for it (which if they pushed ahead with mv3 they would effectively break 70% of what's on there overnight).
The DRM shit is just next-level bad though. Enshitification 101.
Louis Rossman made a video about this and especially where he quotes users from HackerNews hammers the point home for me. Firefox will be forced to adopt this "feature" if it ever becomes reality, as Chrome has overwhelming market share and the average user only cares that the site loads.
They want to go back to the days of websites requiring internet explorer... just this time with their browser. Even though getting away from that culture is most of the reason people ever switched to chrome. I will say though, just using firefox for everything you can isn't enough of a protest. If this goes the way Google (Alphabet I guess) wants it to, you bank will require you to use a browser with DRM. You will be forced to use a browser whose source code you can't verify as secure, to access your bank. And that is where the protest lines need to be drawn. If your bank does that? Send your message. Close the account. Take back your money. Now I'd personally do this for everything possible, but that would be a looooot of time spent getting very little across to companies that don't care if you visit their site. Taking money from banks though? Yeah it might be a whole process where you gotta request it, verify in person, wait a week to get the cash, and THEN close it, but so what? A couple hours of doing stuff and then a week of business as usual before a couple more hours opening a new bank account. That's more than worth doing to send a REAL message.
This is scary
Remember when the web looked like this?
They want everything to run in TEE on the TPM, which has device specific keys signed by the manufacturer and can't be accessed through normal means
Best case scenario is someone learns to spoof it, but that's not easy. Possible, but unlikely to be packaged for personal use, since it'd be the kind of exploit you could sell to the right group for a 6 or 7 figure payout - and that's doing it officially and above board. Plus, if you did share it, you'd want to keep your identity hidden, the manufacturer would probably try to silence you with legal action
Hopefully, the EU challenges them if they try to move forward, someone brought up a law on the books in Germany that makes it illegal to use an automated system to make the decision to deny someone access to a system
Remember kids, piracy and shoplifting are your friends. Reason I say shoplifting is this will be used to block you from paying for stuff online, just look at how google pay is blocked on non google approved spyware Roms
I am pirating stuffs. They can't stop me. No other websites can stop me. Piracy sites are not going to use DRM. Firefox + ublock is heaven. Using it even for browsing lemmy as I like the mobile interface better than apps available right now.
Most probably firefox will also bring this or they will lose market share further which is already pretty low.
Lol welp, guess who just switched to Firefox
This code will only ever be installed on my machines by force against my will.
No benefit to any users at all, all benefit only to Google and their Advertisers.
BIG INTERNET is coming to get us
I have long felt that the computer industry course-corrected with mobile phones. They made a mistake in the early years of computers by letting users do things like install software from unauthorized sources, modify software to run to their liking, or even strip out the operating system and replace it with an alternative. Now we get things like TPM, Pluton, chains of trust, and DRM. 2% (rounding up) to protect users from malicious software tampering, 99% (rounding down) to extract rents from users and to track them for advertising or other purposes.
And if you start building a QEMU machine that spoofes your machine IDs? So you can do all ypur DRM sruff from QEMU?
Well they can DRM deez nutz
jokes on them
im going back to lynx
I know my uBO has saved me from some hostile shit. So yeah it's a part of my browser security. I have it configured to a stricter blocking mode so it's not just blocking ads for me, it gets other stuff that can be a problem.
Anyway I'm aware of the Manifest V3 business and being on Chrome I'm just waiting for the hammer to fall before going to Firefox. If they start adding DRM as well, I'm out of there quick.
Yeah, yeah, I know, just go to Firefox now, but I don't really want to deal with a new browser and all my custom stuff until I have to. I'm old and that shit is super hard to motivate on for me. Not to say I'm inept, I mean I've spent my whole career in tech, but old dogs and all.
No no no Just no FUCK DRM!!!
From what I've read, the information they're gathering already exists and can be gathered by the server (browser type, user, etc.) with an added layer of encryption to ensure that information isn't tampered with which is easily spoofed today. Of course, this approach doesn't stop folks from tampering with the web browser directly to inject whatever information (outside of maybe what browser they're using since that'll be tied to the key) they want into the payload but that makes closed-source web browsers substantially more trustworthy (aka not Firefox) to site owners.
If this does gain mass market adoption, then yeah, I suspect it will force users to use proprietary web browsers (google chrome, edge, etc.). Which is a step in the direction that Google wants.
I imagine that ad providers (Google) can also start throwing their weight to force mass adoption by de-monetizing non-compliant browsers, which may pressure site owners to not serve non-compliant browsers.
Correct me if I'm mistaken.
Will this fly with GDPR?
I haven’t used Chrome years, Firefox and Brave browser suit me fine. Since Brave uses the same engine and extensions. What’s the downside of Brave besides ppl not liking the creator? If I stopped using every device and product with an evil genius behind it I’d live in a cave somewhere with no technology at all.
rip cds dvds and load to cheap thumb drives for legal backups. distribute to your friends in case you lose your copy. It's on them if they copy your backups. vlc usually just works as a mobile->car bluetooth source. G broke theirs hoping to charge for it on YTmusic. not a dime mfrs. ha. I use HandBrake for ripping dvds->mp4s, mp3 w/e you need. many other rippers to choose from. open source forever. chrome is just google's version of that source code. get a working version
Just use Firefox?
Which is worse, this or the C2PA specification?
Permanently Deleted
Sh!t
I predict this standard will die the way of Flash and Silverlight. If it makes the web more fragile and less accessible it will fail.
web env. integrity is not as bad as people make it out to be.
yeah I absolutely agree that it's terrible and also a bad idea (we don't need MORE drm in our browsers, I'm looking at you, Widevine (although firefox worked around it by running drm in an isolated container)), but it's main purpose is to detect automated requests and effectively block web scraping with a drm system (it ensures two things: your useragent can be trusted and you're a real non-automated user), NOT detect ad blockers. It doesn't prevent web pages from being modified like some people are saying.
there's a lot of misleading information about the api as it doesn't "verify integrity" of the web page/DOM itself.it works by creating a token that a server can verify, for example when a user creates a new post. If the token is invalid, server may reject your attempt to do an action you're trying to perform. (this will probably just lead to a forced captcha in browsers that don't support it...)
Also, here's a solution: Just don't use Chrome or any Chromium-based browsers.
Using two different browsers should be the norm imo. One for comfort, performance and compatibility, like Chrome, Edge or Opera, and the other one for privacy, like Firefox, UGC, Tor, DDG, etc.
Remember when browsers just browsed....