helpimnotdrowning.net (eternally unfinished)

  • 1 Post
  • 13 Comments
Joined 1 year ago
cake
Cake day: June 9th, 2023

help-circle






  • Basically, the idea is that a server can refuse to serve you (or degrade your experience with captchas/heavier restrictions) unless you (your device) complete a “challenge”. This could be something like the browser (through a system API) checking some device details like

    • root/admin
    • unlocked bootloader
    • extensions (either bad extensions or something like an Adblock)
    • VPN (potentially “if you have nothing to hide you have nothing to fear”)
    • installed apps (Adblock via DNS like blokada,
    • device emulation
    • TPM (generate secure key to make sure device is “real”)
    • OS state (heavily modified?, untrusted OS?)

    etc. Basically making sure the “environment” is clean and not tampered with (trusted).

    The problem is with what defines a “trusted” environment. It could start at just making sure the device isn’t rooted (like Android’s Safetynet/Play Integrity check; most people don’t root their device & don’t/won’t care, also easily justifiable since it can be a security vulnerability because the device is “wide open”).

    Then, like the article mentions, the device makers (Google (phones, chromebooks), Microsoft (Windows, Xbox), Apple (macOS, iOS, visionOS, etc), Meta/Facebook (Oculus), etc) could change their terms for attestation and deny approval on stricter, potentially anti-consumer criteria such as device age (forcing you to buy more things).