You know captchas? They’re there because bot activity can be really hard to moderate. So those are there to test if there’s an actual human talking to the website: They try to give a test that only a human can do. The problem is, now that machine learning models can actually do some of those things, like read handwritten words and identify cars vs bikes, we need a new test that only humans can pass. Also, these captchas are annoying to users, and if you’re a website that runs off of clicks and ads, a captcha might piss off a user and they leave, and you get to show fewer ads.
So, the people running a website have a need to stave off bot traffic, but also not piss off real, legitimate human traffic. One solution is “attestation”, which basically means getting someone else to attest, or plead on your behalf, that you are running on an unmodified device. In a perfect world, Apple would like their phones to be so incredibly locked down that you can only do things that they allow. One of those things would be using an iPhone to do bot stuff. So, since Apple controls what software runs on your iPhone, they can (in theory) prevent you from running bot software. This means that iPhone users would be (in theory) guaranteed safe human traffic. But if you’re a website owner, how do you know that the request is actually coming from an iPhone? Simple. Request the device ID from the iPhone, and ask a question that only an iPhone would know the answer to. This is essentially what web attestation is. From the article: “a way that web servers can demand your device prove it is a sufficiently ‘legitimate’ device before browsing the web” and “your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.”
This has significant implications for the openness of the device you use, as well as the control that you as a user have over how you use the web. The primary example would be adblockers. Apple and Google get to say whether you’re human or not, so if you have an adblocker, Google can just say “no, I won’t attest that this user is human” and you’ll get treated differently. It’s not difficult to imagine a world in which Youtube would just refuse to serve users who aren’t 100% trustworthy, given their recent adblocker experiment. And this is the case for every link in the chain, from the device, to the OS, to the browser (and other stuff you might have on your system), and browser extensions. There are concerns that this will hurt competition in all of these spaces. Built your own computer? Well now you might be considered non-legitimate. Developed your own browser? Haha, definitely can’t get attested.
tl;dr: Instead of captchas, ask the device if it’s real and unmodified. See above for why this is bad.
Use an adblocker or extensions that Google or Apple might not like
Built, repaired, or modified your computer/laptop/phone/smart fridge
Use an older, less-supported computer/laptop/phone, or one from a smaller brand/manufacturer
Like open-source software
Like competition & free market for the hardware/software of computers and phones and browsers
Don’t like the monopoly of Chrome
Don’t like Cloudflare or similar services
Worth noting that if all this comes to pass, these people aren’t stupid. They will toe the line to make sure not too many people are pissed off. But if you are pissed off, better make noise now, as they almost certainly won’t change their minds later.
Hypothetically, I wonder if it would be possible to spoof this if you also had an actual unmodified attested device. Something like a device in your home network that would, if you have an iPhone as well as an unattested computer that you actually want to use: get request for attestation from a website, send that request to your iphone instead, as if your iphone had opened the page and was receiving the request (or just have the iphone also try to load the page), intercept the signature the iphone sends to the website, and have your computer send it to the website instead.
Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like
root/admin
unlocked bootloader
extensions (either bad extensions or something like an Adblock)
VPN (potentially “if you have nothing to hide you have nothing to fear”)
installed apps (Adblock via DNS like blokada,
device emulation
TPM (generate secure key to make sure device is “real”)
OS state (heavily modified?, untrusted OS?)
etc. Basically making sure the “environment” is clean and not tampered with (trusted).
The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).
Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).
It’s also important to note that Google is doing this already as well. It’s almost impossible to use Google with my VPN provider as I’m slammed with 5 captchas every Google.
I don’t think sites can request attestation yet, for vpn ips it’s usually that the ip/ip block has shown “suspicious” behavior & got reported either manually or picked up by bot sensors.
(Now of course it’s also bad to let Google and friends be the arbitrator of good and bad IPs, famous for the destruction of truly self-hosted email (among other things))
Basically, a website can block you or treat you suspiciously based on whether or not this “feature” says that your computer or browser is approved and unmodified.
This can become a problem as more sites adopt this. You can be using a 2 year old device and suddenly your bank stops working because your device no longer shows up as approved. It can be used to artificially enforce obsolescence. The fix would be to buy a new device.
You could be using Linux or a 3rd party browser and many websites will become unavailable to you because they can never show up as approved and unmodified. It basically breaks the open web.
Imagine the web as a playground where some big companies like Apple and Google act as gatekeepers, deciding who gets access to certain features or sites. They use something called “Private Access Tokens” to check if your device is allowed. It’s like showing a special ticket to play with the cool toys.
The problem is, this system could limit our choices and freedom. Only devices approved by these companies would get full access, while others might be treated suspiciously or blocked. It could stifle competition and innovation because only approved browsers and operating systems would be allowed.
Moreover, attestation means they control what we do with our own devices. Customization might not be allowed, and they could tighten the rules later on. This could change the web for the worse and hurt competition and user choices, making it less open and free.
Would someone kindly eli5? The dictionary definition was not helpful.
You know captchas? They’re there because bot activity can be really hard to moderate. So those are there to test if there’s an actual human talking to the website: They try to give a test that only a human can do. The problem is, now that machine learning models can actually do some of those things, like read handwritten words and identify cars vs bikes, we need a new test that only humans can pass. Also, these captchas are annoying to users, and if you’re a website that runs off of clicks and ads, a captcha might piss off a user and they leave, and you get to show fewer ads.
So, the people running a website have a need to stave off bot traffic, but also not piss off real, legitimate human traffic. One solution is “attestation”, which basically means getting someone else to attest, or plead on your behalf, that you are running on an unmodified device. In a perfect world, Apple would like their phones to be so incredibly locked down that you can only do things that they allow. One of those things would be using an iPhone to do bot stuff. So, since Apple controls what software runs on your iPhone, they can (in theory) prevent you from running bot software. This means that iPhone users would be (in theory) guaranteed safe human traffic. But if you’re a website owner, how do you know that the request is actually coming from an iPhone? Simple. Request the device ID from the iPhone, and ask a question that only an iPhone would know the answer to. This is essentially what web attestation is. From the article: “a way that web servers can demand your device prove it is a sufficiently ‘legitimate’ device before browsing the web” and “your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.”
This has significant implications for the openness of the device you use, as well as the control that you as a user have over how you use the web. The primary example would be adblockers. Apple and Google get to say whether you’re human or not, so if you have an adblocker, Google can just say “no, I won’t attest that this user is human” and you’ll get treated differently. It’s not difficult to imagine a world in which Youtube would just refuse to serve users who aren’t 100% trustworthy, given their recent adblocker experiment. And this is the case for every link in the chain, from the device, to the OS, to the browser (and other stuff you might have on your system), and browser extensions. There are concerns that this will hurt competition in all of these spaces. Built your own computer? Well now you might be considered non-legitimate. Developed your own browser? Haha, definitely can’t get attested.
tl;dr: Instead of captchas, ask the device if it’s real and unmodified. See above for why this is bad.
Also see #why-is-attestation-bad-generally from the article. In summary, be especially concerned if you:
Worth noting that if all this comes to pass, these people aren’t stupid. They will toe the line to make sure not too many people are pissed off. But if you are pissed off, better make noise now, as they almost certainly won’t change their minds later.
Brilliant, thank you for this dark information. I appreciate the effort
Hypothetically, I wonder if it would be possible to spoof this if you also had an actual unmodified attested device. Something like a device in your home network that would, if you have an iPhone as well as an unattested computer that you actually want to use: get request for attestation from a website, send that request to your iphone instead, as if your iphone had opened the page and was receiving the request (or just have the iphone also try to load the page), intercept the signature the iphone sends to the website, and have your computer send it to the website instead.
Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like
etc. Basically making sure the “environment” is clean and not tampered with (trusted).
The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).
Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).
It’s also important to note that Google is doing this already as well. It’s almost impossible to use Google with my VPN provider as I’m slammed with 5 captchas every Google.
There are a lot of websites for me that straight up refuse to load if I have a VPN. Even non-important sites.
I don’t think sites can request attestation yet, for vpn ips it’s usually that the ip/ip block has shown “suspicious” behavior & got reported either manually or picked up by bot sensors.
(Now of course it’s also bad to let Google and friends be the arbitrator of good and bad IPs, famous for the destruction of truly self-hosted email (among other things))
Basically, a website can block you or treat you suspiciously based on whether or not this “feature” says that your computer or browser is approved and unmodified.
This can become a problem as more sites adopt this. You can be using a 2 year old device and suddenly your bank stops working because your device no longer shows up as approved. It can be used to artificially enforce obsolescence. The fix would be to buy a new device.
You could be using Linux or a 3rd party browser and many websites will become unavailable to you because they can never show up as approved and unmodified. It basically breaks the open web.
Imagine the web as a playground where some big companies like Apple and Google act as gatekeepers, deciding who gets access to certain features or sites. They use something called “Private Access Tokens” to check if your device is allowed. It’s like showing a special ticket to play with the cool toys.
The problem is, this system could limit our choices and freedom. Only devices approved by these companies would get full access, while others might be treated suspiciously or blocked. It could stifle competition and innovation because only approved browsers and operating systems would be allowed.
Moreover, attestation means they control what we do with our own devices. Customization might not be allowed, and they could tighten the rules later on. This could change the web for the worse and hurt competition and user choices, making it less open and free.