Web Environment Integrity

Short description: Abandoned API proposal by Google

Web Environment Integrity (WEI) is an abandoned API proposal previously under development for Google Chrome.[1] A Web Environment Integrity prototype existed in Chromium,[2][3] but was removed in November 2023 after extensive criticism by many tech groups.[4]

Proposal

Sequence diagram showing WEI attestation

The draft proposed an API for websites to get a digitally signed token that contains the certifier's name and whether or not they deem the web client to be authentic. The stated goal was for sites to be able to restrict access to human users instead of automated programs and "allow web servers to evaluate the authenticity of the device and honest representation of the software stack and the traffic from the device". Access to this API would not be allowed in non-secure (HTTP) contexts.[5]
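To make the token flow concrete, the following Go sketch shows the website's side of the check; it is an added example, not code from the proposal or from Chromium. The token layout, the `Binding` field, the attester name and the all-zero demo key are constructed assumptions, since the draft's wire format is not reproduced on this page.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Token is a constructed stand-in; field names and Binding are assumptions.
type Token struct {
	Attester string `json:"attester"` // certifier's name
	Trusted  bool   `json:"trusted"`  // certifier's verdict on the client
	Binding  string `json:"binding"`  // assumed: ties the token to one request
}

type Keys map[string]ed25519.PublicKey // attesters a site accepts, by name

// DemoKey returns a constructed key pair from an all-zero seed (demo only).
func DemoKey() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// Issue plays the attester: serialize the token and sign those exact bytes.
func Issue(priv ed25519.PrivateKey, t Token) (payload, sig []byte) {
	payload, _ = json.Marshal(t)
	return payload, ed25519.Sign(priv, payload)
}

// Verify is the site's check; the verdict is used only after validation.
func Verify(keys Keys, payload, sig []byte, binding string) (bool, error) {
	var t Token
	if err := json.Unmarshal(payload, &t); err != nil {
		return false, err
	}
	pub, ok := keys[t.Attester]
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return false, fmt.Errorf("unknown attester or bad signature")
	}
	if t.Binding != binding {
		return false, fmt.Errorf("token bound to %q, not this request", t.Binding)
	}
	return t.Trusted, nil
}

func main() {
	priv, pub := DemoKey()
	p, s := Issue(priv, Token{Attester: "example-attester", Trusted: true, Binding: "req-1"})
	fmt.Println(Verify(Keys{"example-attester": pub}, p, s, "req-1"))
}
```

The site never inspects the client itself: its decision rests entirely on which attester keys it places in the trust list, which is the dependency several of the critics quoted below object to.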

History

On April 25, 2023, Google engineers Ben Wiser, Borbala Benko, Philipp Pfeiffenberger and Sergey Kataev created a GitHub repository explaining the details of the proposal.[6] The proposal drew heated criticism from GitHub users, with numerous comments, issues and pull requests voicing strong opposition to the existence of the standard and arguing for its deletion.

On July 21, 2023, Wiser and fellow Google engineer Yoav Weiss added a code of conduct to the explanation repository[7] and locked it from receiving new comments, issues or pull requests.[citation needed] On the same day, preliminary code was added to Chromium to implement the standard. This also received a large number of highly negative comments.[2]

On November 2, 2023, Google abandoned the proposal, removed the prototype implementation from Chromium, and proposed a replacement API named "Android WebView Media Integrity API" limited to WebViews on Android. Google plans to start testing the new API with partners in early 2024.[4]

Reception

The proposal received widespread criticism for limiting general purpose computing, with some comparing WEI to digital rights management (DRM).[8] Others have accused the standard of being evidence of Google abusing Chrome's near-monopoly of browser share.[9] Some have issued official statements on the matter in 2023:

  • On July 25, Mozilla opposed it, stating "Any browser, server, or publisher that implements common standards is automatically part of the Web ... Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users."[10]
  • On July 27, Vivaldi opposed it as "simply dangerous" and feared that attestation providers would not be trustworthy.[11]
  • On July 29, the Free Software Foundation opposed it as "an all-out attack on the free Internet" and claimed it would significantly limit the browsers that could be used.[12]
  • On August 1, Brave Software announced they will not include WEI in their web browser.[13]
  • On August 7, the Electronic Frontier Foundation opposed it as "a bad idea that Google should not pursue" and opposed its proposal of selecting a "small percentage" of random users to simulate behavior without WEI in order to prevent websites from blocking unattested users. The EFF claimed that "[m]any websites will consider that 'small percentage' of users an acceptable price to pay" and feared Google would set the percentage extremely low to combat ad fraud.[14]
  • On August 11, the World Wide Web Consortium refrained from taking a stance as it was "not being worked on in W3C, nor has there been any submission [for W3C] review".[15]

See also

  • Remote attestation

References

  1. Amadeo, Ron (2023-08-03). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web" (in en-us). https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/. 
  2. "[wei] Ensure Origin Trial enables full feature · chromium/chromium@6f47a22" (in en). https://github.com/chromium/chromium/commit/6f47a22906b2899412e79a2727355efa9cc8f5bd.
  3. "Feature: Web environment integrity API". 2023-05-09. https://chromestatus.com/feature/5796524191121408. 
  4. Claburn, Thomas (2023-11-02). "Google abandons Web Environment Integrity proposal" (in en). https://www.theregister.com/2023/11/02/google_abandons_web_environment_integrity/.
  5. "Web-Environment-Integrity/explainer.md at main · RupertBenWiser/Web-Environment-Integrity" (in en). https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md. 
  6. Wiser, Ben (2023-08-18), Web Environment Integrity API, https://github.com/RupertBenWiser/Web-Environment-Integrity, retrieved 2023-08-19 
  7. "Create CODE_OF_CONDUCT.md · RupertBenWiser/Web-Environment-Integrity@7998217" (in en). https://github.com/RupertBenWiser/Web-Environment-Integrity/commit/7998217b3d7334a71c26c52aeeadc1c6b1ba1dc4. 
  8. Amadeo, Ron (2023-07-24). "Google's nightmare "Web Integrity API" wants a DRM gatekeeper for the web" (in en-us). https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/. 
  9. Claburn, Thomas. "Google Web Environment Integrity draft draws developer rage" (in en). https://www.theregister.com/2023/07/25/google_web_environment_integrity/. 
  10. "Request for Position: Web Environment Integrity API · Issue #852 · mozilla/standards-positions" (in en). https://github.com/mozilla/standards-positions/issues/852. 
  11. "Unpacking Google's new "dangerous" Web-Environment-Integrity specification" (in en). 2023-07-25. https://vivaldi.com/blog/googles-new-dangerous-web-environment-integrity-spec/. 
  12. Farough, Greg (2023-07-28). ""Web Environment Integrity" is an all-out attack on the free Internet" (in en). https://www.fsf.org/blogs/community/web-environment-integrity-is-an-all-out-attack-on-the-free-internet. 
  13. Snyder, Peter (2023-08-01) (in en), "Web Environment Integrity": Locking Down the Web, https://brave.com/web-standards-at-brave/9-web-environment-integrity/, retrieved 2023-08-29 
  14. Doctorow, Cory; Hoffman-Andrews, Jacob (2023-08-07). "Your Computer Should Say What You Tell It To Say". https://www.eff.org/deeplinks/2023/08/your-computer-should-say-what-you-tell-it-say-1. 
  15. "Web Environment Integrity has no standing at W3C; understanding new W3C work". 2023-08-11. https://www.w3.org/blog/2023/web-environment-integrity-has-no-standing-at-w3c/. 
