> 2027: Non-WEI compliant websites are marked as "insecure" by Chrome and Safari. Accessing them requires confirmation through a "yes, I accept the risk" dialog box.
Did I misunderstand WEI? It's an API a website can use to confirm that a client is "authentic", so shouldn't this rather be "Google/Apple/Facebook/... drops support for Non-WEI compliant browsers"?
Think of it as a way for Google coercing websites into implementing WEI.
Any site can be marked as insecure if it doesn't block non-WEI compliant devices.
You may ask why does that make a website insecure? They can give any number of reasons that can be silly, made up or outright lies as long as they are able to convince the larger public.
For example, they can claim that a site that allows shady (read: WEI non-compliant) clients is more susceptible to hacking and can be a threat to your data and your devices as well. Therefore it is insecure.
This may come across as silly to techies, but it can sound reasonable to people who don't understand the web in general.
> Think of it as a way for Google coercing websites into implementing WEI.
And why exactly do you think they'd want to do that? What do they gain from it? What do you even think the WEI is that you think this motivation makes the tiniest bit of sense?
First let me add some snippets on what the authors of WEI think can be gained from it:
*This is beneficial for anti-fraud measures. Websites commonly use fingerprinting techniques to try to verify that a real human is using a real device* [1]
One of the proposed use cases: *Detect non-human traffic in advertising to improve user experience and access to web content* [2]
Another snippet:
we could standardize the set of signals that browsers will receive from attesters, and have one of those signals be whether the attester recommends the browser for sites to trust (based on a well-defined acceptance criteria). As new browsers are introduced, they would need to demonstrate to attesters (a relatively small group) that they pass the bar, but they wouldn't need to convince all the websites in the world [2]
This is clearly an attempt at gatekeeping both web client software and the clients themselves.
> What do they gain from it?
I think we can agree that Google is primarily an advertising and search company. One of the threats to Google's revenue as an advertising company is ad-fraud and these 'anti-fraud' measures protect their bottom line. Another threat is ad-blocking and though they don't explicitly mention it, the WEI "bar" mentioned above can potentially be used to prevent ad-blocking by denying attestation to clients capable of ad-blocking (either directly or by allowing plugins).
Client attestation also prevents bots (both good & bad bots of all types including new search indexing bots) from accessing websites. This has a nice side-effect for Google that it restricts building a new search engine (a competitor) without its blessing. Search is a gateway to Google's advertising.
> And why exactly do you think they'd want to do that?
Like any product that any company introduces, it is to drive adoption? The more websites use it, the more normalized and legitimate WEI becomes. Once it becomes a standard and an integral part of the web, it is easier to dictate terms that keep their position entrenched.
We can argue whether ad-blocking or bots are good or not and whether these concerns are all pure speculation or hyperbole. But once the technical capability is there and it is only the ethical/moral belief of corporate executives (and the probability of government intervention) that prevents it, I wouldn't trust them to do the right thing especially when money is involved.
[1] - https://groups.google.com/a/chromium.org/g/blink-dev/c/Ux5h_...
[2] - https://github.com/RupertBenWiser/Web-Environment-Integrity/...