A potentially precarious situation might be brewing regarding the integrity of the open web as we know it. Recently, a very controversial API was discovered that has been in the works by a team of Google engineers for over a year.
Called “Web Environment Integrity” (WEI), it is a potential gatekeeping move that has many concerned, including the three critical competitors to Google's Chrome web browser.
This situation has unfolded over the past two weeks, resulting in widespread criticism over the implementation of such a protocol.
Allow me to take you through it.
When It's Google, It is Controversial 🤦‍♂️🤦‍♀️
According to the developers, WEI is meant to effectively create a secure environment where websites can request a token from the user that an attester would then attest.
This would be done to certify key facts about the user's web environment. After that, the website would be able to decide whether it wants to trust the attester's certification findings or not.
💡 In simpler terms, this API would facilitate a way of detecting whether a connected user meets the website's criteria for a secure connection.
But, to achieve this, the API would need access to far-reaching data from the user, opening the door for uniquely fingerprinting them. Even though the developers feel that the API shouldn't be used for such a thing, many doubt how it will pan out.
Google devs mention that this API would primarily be used for anti-fraud use cases, such as detecting social media manipulation, non-human traffic, phishing campaigns, and other online-based fraud.
But others believe that this could be used to further invade users' privacy by forcing them to hand over critical information about their systems. It could also be used to restrict access to sites when using non-conforming web browsers.
This has resulted in stern responses from Chrome's three major competitors: Firefox, Brave, and Vivaldi.
👉 In the case of Firefox, when a request for a position was opened in their GitHub repo regarding WEI, Brian Grinstead from Mozilla clarified that they entirely oppose this API.
He said:
“Mozilla opposes this proposal because it contradicts our principles and vision for the Web. Any browser, server, or publisher that implements common standards is automatically part of the Web.
Mechanisms that attempt to restrict these choices are harmful to the openness of the Web ecosystem and are not good for users.”
He even cast a shadow of doubt on the proposed “Holdback” safeguard in WEI that is supposed to allow users of non-conforming browsers to access such websites.
👉 Similarly, the CEO of Brave took a more aggressive stance when a Twitter user presumed that Brave was just a reskin of Chrome and would follow suit. He made it pretty clear that Brave won't be providing support for WEI, just like the various elements of Chromium they choose not to ship.
👉 And finally, we have Vivaldi, who has been the most vocal. They published a scathing article against the implementation of WEI, where they voiced their doubts about whether they can refuse to implement WEI at all.
They believe that any browser that decides not to implement this would effectively not be trusted, and any website using this API would then easily be able to reject users from such browsers 😲
These were just the best-known criticisms of the WEI API; there has been a lot of conversation about this on Hacker News, Ars Technica, and even Reddit.
There's no clarity on whether this will be implemented more widely, or be scrapped or rebranded into a different thing altogether.
💬 What do you think about Google's recent proposal and the criticism? Share your thoughts in the comments below.