I'm not a fan of using attestation to build DRM implementations, especially in a way that goes out of the way to shut out other platforms. They wouldn't even respond to my suggestion to use an approach that is both *stronger* and would allow them to whitelist operating systems.
As long as you can use it without the attention-coin-mining bullshit enabled... Refusing to enable it on "untrusted" operating systems is kinda a feature. ;-) But yeah, it's all grossing me out.
I do think that on a technical level, it's a decent choice. The Chromium base is the most secure option and they set privacy-unfriendly defaults, disable invasive optional services and make some important tweaks. Built-in content filtering is also the right approach by far.
However, they haven't had the best attitude towards security and there have been some major issues. The previous Electron-based desktop browser was awful too. The approach on mobile was saner from the start, and that's what I recommended to people as a decent option in the past.
The main thing is that they clearly have the wrong motivations. The DRM issue was the last straw for me. I don't like attestation being used for DRM. I see a lot of value in it as a security feature for users but having a root of trust makes it possible to (ab)use it for DRM.
Attestation would still work without a root of trust and then it couldn't be used by projects like Brave for DRM. It could still be used by users to verify or monitor devices, including a company monitoring the security / patch level / etc. for a fleet of devices that they own.
I strongly dislike how their attitude for the Android app is that it should have a hard dependency on Play Services too. Meanwhile, Google themselves explicitly avoids hard dependencies on Play Services for Chromium so Brave is actually a regression from Chromium in this regard.
There's just something so horribly wrong about them adding a hard dependency on Play Services for SafetyNet attestation as part of the attention span nonsense. I could brush it aside as silly nonsense that won't work out before but it's clearly the core of their project...
No, but they made the attention span feature depend on it. It still works without it, and you wouldn't have wanted to use that anyway. I still find it to be over the line despite being optional and it just makes it so clear that their goals are totally incompatible with mine.
I've had some incredibly negative personal experiences with Mozilla and I got a lot of insight into how their organization works internally including how misaligned their external image is from the internal reality. I don't like how they see contributors and how they treat them.
I think there's something seriously wrong with explicitly building a business model where internally you talk about having 10 unpaid contributors for every paid contributor as a way to scale projects and compete with an organization like Google. I was strung along by them myself.