Request for Mozilla Position on an Emerging Web Specification
Specification Title: Web Environment Integrity API
Specification or proposal URL (if available): https://rupertbenwiser.github.io/Web-E...
I bet you've heard about SafetyNet on Android devices. It is a service that checks whether you run a genuine, licensed, unmodified version of Android. If not, the app developer can just restrict your access to the app. It is mostly used by banking apps, but there are many examples of non-security-critical apps utilizing this.
Google wants to do the same but for browsers and websites. If you run Firefox or a modified Chrome or use adblockers, YouTube, Twitter, etc. would be able to detect it and could restrict access to the website.
SafetyNet is fairly easy to defeat.
If you root your device correctly. Can’t expect most mobile users to do that. Can’t expect users with locked bootloaders to do that. Can’t even expect many power users to do that. A lot of very tech-literate people I know who customise their computer OS heavily still don’t want to root their phone.
Only because nobody is actually enforcing key-backed attestation.