I wonder how this whole "web protection" racket is going to end up. We are now almost completely reliant on web tech to deliver government services in Australia, so even if I decide to opt out of Facebook/Instagram/Reddit/Google search I still need something to view and interact with websites that isn't going to be some kind of silo'd and DRM'd hell hole.
We've been falteringly down this path before (hello ActiveX and government contracts) but if Chrome is the last man standing (via Edge and Chromium even), we're kind of stuffed.
I kind of feel like a digital serf already, having pledged my allegiance to Google (via Samsung and Chrome), switching to another lord like Apple just seems like swapping one master for another.
And why exactly is that a problem? Google avoids a huge litigation by keeping Firefox alive, while Firefox only have to make it the default browser. Symbiotic relationship without any hidden motives.
Why wouldn't government websites use it? Of all the websites I would want using WEI, banks and government services are pretty high up the list. It's not like government websites run ads or whatever (as far as I know). I wouldn't want things fucking with my bank accounts and I would opt-in in a heartbeat.
This seems like arguing that https is less accessible than http and therefore https shouldn't be implemented in browsers.
Accessibility is a website design issue. A website that relies on unofficial third-party hacks/userscripts/extensions/tampering to provide accessibility has completely failed to provide accessibility.
I'm not strictly talking about accessibility in web site design, although that is part of it. I just mean that government has to have ways for all/most of its citizens to interact with them.
In my experience the government loves raining money on tech that claims it will keep them “safe”. All it’ll take is for some huge security consulting firm to recommend WEI and it’ll be required to participate in most western countries.
Not so far-fetched - Cloudflare browser isolation [1] seems to be pretty close. Instead of parsing and executing the websites on the local computer, they host a remote Chromium instance. The page is rasterized and sent to the local browser as a sequence of Skia[2] Draw commands.
Seems like the clients could run a speculative local simulation and periodically reconcile with server positions. The server simulation, of course, is always treated as authoritative.
Second Life's spiritual successor, High Fidelity (now dead as a commercial project, but which lives in our open source fork overte.org) does something like that.
The server picks a client to do the physics for part of the world. It's pretty clever and means a very light server can go a long way, but the downside is that physics gets unreliable.
One of our plans is to have an option for a SL-like model where the server is again in charge, for scenarios that require security, reliability, or physics to keep running in the absence of clients.
Regarding VNC, Mighty was trying to do this but couldn't make it work.
As for the DRM, an open web is clearly important, but we already have plenty of DRM on the web for content – Netflix/Prime/etc won't stream you video unless you're a trusted player, right down to the screen you're viewing it on.
This is a business model problem, not a technical or moral one at its root. If the business model didn't require exclusive distribution of expensive to produce content, or if it didn't require viewing of ads to pay for the content, then these wouldn't be issues.
Until those business models change, an open standard for how browsers proved they are operating in a trusted way seems reasonable, and would have many security benefits outside of DRM/ads that would benefit users. It's already hard enough to build a browser that there are only ~3, so let's not pretend that adding more browser API surface is suddenly going to make it impossible for an indie browser to exist, they functionally don't already.
Given how much malware and phishing slips through into ads, ad-blocking is a security measure on the user's part. The benefit of WEI to ad and media companies is obvious, but I'm not sure this is a net security benefit for users.
I don't have any insider info here, but I've worked in companies doing a lot of marketing on Google/FB/Twitter/etc, and they have pretty robust ad marketplaces. There are layers of review, ads are fairly limited in what they can do, security is high.
However these are only a small slice of the market, there's then a very long tail of ad networks that have much less concern for the user, these are where most of the issues are. I once refused to integrate with one (still a major network) because it required allowing them to slurp up all text entered on your site (hell no). They thought it was strange that I pushed back on this. This is post GDPR, in the UK.
These are not the companies that will be implementing WEI. They might, but it's probably beyond them technically, and even if not they'll happily just fingerprint as much as they can instead.
On the flip side, if you're a content creator making money from content you publish online, it would be nice to know scraping is much harder. If you're an online banking user it would be nice to know that bots will have a much harder time automating the stealing of accounts, and so on.
I use this for retrocomputing, in a way, to be very silly! tenox7's WRP [Web Rendering Proxy] basically runs headless Chrome and renders pages to gif/png/jpg and shoves them back at a client browser.
Can't we then just point a camera at the screen showing the frame buffer, and then pass the video stream through classifier and segmenter neural nets, and black out the parts that are detected to be advertisements?
I expect FAANG will try to normalize putting cameras in rooms to observe how screens are being used, and enforce a "no cameras pointing at screens" rule with their own cameras.
Similar ideas have been stress-tested in the last couple years: eye-tracking in the context of remote academic exams, some work-from-home contracts, some competitive e-sports. Basically, environment integrity: a "trusted", "secure" physical environment — beyond just the software environment – as a mandatory prerequisite for $webThing.
Beaming desires directly to your skull is obviously the next step. Then we can make sure you want to buy a PlausibleBurger as soon as you get your paycheck.
No, I meant that the screen could mess up the video stream shown so that it would look "fine" for the human eye but as a completely scrambled mess to a camera. You know how hard it was to film a CRT monitor, and AFAIK there has been some (abandoned) research on how to put something like that into LED specifically to defy the screen-capturing.
CRTs were never impossible to film - you just had to put in some effort to adjust shutter settings on the camera.
I can’t imagine there existing a technique for emitting photons perceptible to the human eye and yet it not being possible for a camera to capture them.
Well, Google had Stadia so... they actually can do that. I mean it, they actually can stream web-pages over VNC to millions of ChromeVNC (nee Chrome) users at bearable costs. Just throw in some YouTube integration as a performance tweak and voila, most people wouldn't even notice.
The main problem with this idea that is probably the only thing preventing it from happening is that even in 2023, this is still too expensive. You can't run all of a user's browsing sessions through a system like that for the ~$20/year income advertising generates on average.
(A reminder of the drum I like to beat; these companies do not make anywhere near as much money per person as people tend to think. ~$20/year is a reasonable estimate of the higher end based on Facebook and Google earnings reports; companies that are not Facebook or Google make even less. That's what they're breaking the internet for. $20/year.)
If you don't take the raw income from ads but instead look at the profits, the bar is even higher. It's a minimum of an order of magnitude too little money to pay for that (and I think a very solid case could be made for 2 orders of magnitude), so it's going to be some years before it would be feasible even at the current level of web capability. (Add more 3D and heavier weight UIs based on WASM and some raw canvas or other and it gets even worse.) So if it is the future, it's still far enough away that I wouldn't try to found the startup today; you're still way too soon.
As big as the cloud is, it is absolutely dwarfed by the amount of computing power not in the cloud. It's not even close.
You'd have to get people to pay for it. For that, there has to be something very compelling. I can't think of what that would be. Apparently neither can anyone else, because otherwise like I said this would be a present reality and not a blog post.
However, this is just an analysis of this idea from the 2023 perspective. I'm not saying it isn't the future. It's clearly a future a lot of players want. I'm just explaining why, in light of that, it doesn't already exist.
How about we use generative AI to produce the experience I might like to see if I were browsing the web, based on Google's extensive data on me? That can be rendered to me in a continuous stream on YouTube. Then I would have to stop for YouTube ads and see the ads in the generated video. That solves all sorts of problems, like deciding what to look at next. Or not seeing Ars or Hacker News update fast enough. I would just see the generated world I would be looking at if I were actually browsing the web. All of it loads seamlessly and instantly. All of it unbounded. All of it pixel perfect.
Actually, can't wait until all this shit implodes on itself and we're back to browsing through gopher, usenet, and wais.
> The thing is, this is coming. There is literally nothing you can do to stop it. Your protests are meaningless next to the desire for some people at Google to sanitise the web.
We can stop this by having websites test for "Web Environment Integrity" APIs and refusing to serve clients that implement it.
>> We can stop this by having websites test for "Web Environment Integrity" APIs and refusing to serve clients that implement it.
That would be an incredibly difficult battle because it would be fighting against big tech companies that make web browsers and profit from ads--namely Google and Microsoft.
Getting browsers to adopt and implement Web Environment Integrity is Step 1.
Step 2 is where all Google web sites start requiring Web Environment Integrity to be used or they lock you out of the site.
Step 3 is where all websites serving Google ads require Web Environment Integrity to be used.
Step 4 Profit!
Web Environment Integrity is the beginning of the further DRM-ification and enshittification of the Web.
Wherever you live, you should contact your government representatives and regulators and put a spotlight on this issue for what it is--monopoly abuse of power.
Grassroots efforts are great and it is good to let your friends, family, and associates know what they are doing and why it is wrong.
However, government regulation of this abuse is needed to stop it by force of law.
> Low bandwidth? VNC will simply degrade the quality of what you see. Look, do you really want poor people viewing your expensive website?
Not with Trusted Web VNC Extensions(TM), which will stream the content in multiple interleaved layers, with the advertising layer naturally having the highest priority.
I might be ignorant here, but what development? Wasn't Chrome a done product years ago? It seems to me that the powers that be just keep on stuffing more and more nonsense into it for the sole purpose of making it harder, nay impossible, for anyone to compete.
Are they more complicated? The Linux kernel, maybe, although I'd like to see a citation for this because I'm not 100% convinced. Debian? No way. Maybe Debian and all the packages that make up a default install, but most of that isn't Debian so I don't think that's an apples to apples comparison.
Does it really need Google-sized investments though? I know it's a lot but if Google is willing to give it for free(tm), then it's an error mark in their budget which tells me other more focused entities would have no trouble continuing development (e.g. Brave is a fork, right)?
I don't think Brave are doing substantial Chromium development. They turn off a bunch of features, in their fork, but I don't think many changes are flowing back upstream, they're mostly focused on the Browser UX layer than the Engine layer, much like Arc, and arguably Edge (although I think Edge does contribute some back).
The other alternative is 'security through complexity', and serve everything as a wasm 'executable'. Flutter seems like an early experiment in that direction, if you try to examine its inscrutable HTML.
As much as I absolutely hate this, this (or something like it, like the many examples discussed here) is probably the easiest way to create a secure and profitable web-browsing experience for the non-technical mainstream.
This is assuming that the mainstream web browsing experience these days (in the US) looks something like this:
- 65% social media
- 25% mandatory work websites that made you wish you were spending time browsing within aforementioned 65%
- 10% other
And that almost all of this is being done on a mobile device that is already locked down relative to a true desktop (i.e. no Dev Tools for you!)
A bit surprised no one's mentioned Amazon Silk. Though it was for mostly different reasons, the Silk Browser more or less works this way. It's not using VNC (AFAIK), but it does do server-side rendering and then blast some kind of par-boiled stream to the remote device. Sure makes tracking and monitoring easy...
I think Silk is still the default browser on all their tablet devices, it certainly is the FireTV products. While you can load alternative browsers, there are few to choose from: even Firefox quit updating their FireTV build a year or two ago.
Ultimately I thought this would be the value of Mighty Browser: control the browser runtime on a server and ban the use of add-ons, ad-blockers, etc. for complete and total control over what your users see.
For context, Mighty was a browser running in the cloud, VNC style, giving the user more bandwidth and CPU power. It was started by Suhail, the founder of Mixpanel; however, he wound it down last year and the team pivoted to generative AI.
I think I've seen my workplace do something like this when I visit a GitHub URL which is outside of the organisation's internal GitHub. Has anyone experienced something similar?
Yes, this exists: Symantec Web Isolation is basically a proxy that injects a little JS on the client. Instead of proxying HTTP traffic, it opens a VNC viewer in your browser; the proxy renders the site you requested in a per-session container inside the proxy cluster, and your browser displays the output and sends your interaction with the site to the container. Some (mostly Asian) financial regulators mandate that this happens for all endpoint devices: mobile, thin client, desktop, whatever; if a human is on the end, it must be "web isolated".
Reminds me of a Show HN some time ago of a website where you can fly around a chromium window in 3d, the chromium window was a complete chromium browser except it was locked down, basically you could "only" browse the web inside of it and it was supposed to be a multiplayer thing like watchtogether except you share a chromium window, which is hosted somewhere else.
They would love to do VNC, but that would cost them a shitton of money. Think of all the money and time they've spent pushing the rendering of websites to the user's browser just so they can save on CPU costs, despite the abysmal experience of client side rendering. Why undo that?
I definitely think the future of some things is streaming. Despite the failing of Stadia, et al., competitive multiplayer gaming is still #1 on my list of things to stream. This is the one place I would be entirely happy to participate in draconian DRM, assuming it is packaged in a reasonable manner (aka not a hacky kernel driver).
A fair multiplayer game is much more valuable to me than some notion of control over the underlying software/hardware ecosystem. I am happy to surrender control in favor of correctness/fairness in some contexts - i.e. those that allow you to impact the ability of others to enjoy their experience.
Now, if you are sitting by yourself watching movies or reading e-books or the news, I agree - this stuff is not much more than senseless oppression and antagonization.
Streaming is certainly taking over radiologist viewing stations. It fits very well with a lot of annoying things that the pandemic/remote work put a heavy focus on. It also fits with healthcare IT's enterprisification of everything where everyone is made to be a slave to their tools.
HN is completely moronic about cheating in multiplayer. I seriously can't believe that people here think it's ok. Absolutely disgusting that you're getting downvoted.
I am honestly not sure that is the reason for the downvote but I don't really give a shit. HN is a weird place.
In past attempts to discuss this, the conversation was typically driven into "if it can't be perfect, why even try" kinds of rhetoric. The primary criticism being that you can still use some sort of vision AI/robot to cheat to some degree. My counterargument is that there exist systems beyond deterministic DRM approaches that can be blended in to make it effectively perfect for all practical purposes. Statistical analysis (aka you might be cheating) combined with dynamic active canaries (i.e. fake, 2-frame targets you bait the bot into aiming at) can solve the problem really well. You could put statistical bounds around the likelihood of fair play that look like IBM mainframe uptime figures.
The only other reasons I'd expect downvotes: Extreme principled ideologies (aka no DRM ever no matter what I don't care). Or, those who are actually cheating at video games and can't imagine a world where they'd be forced to bust their ass to get ahead at something.
Not all of us live in cities with fiber connexions. This is a very first-world, urban take. That's just another idea to exclude rural kids, and I shouldn't downvote for this, but I sometimes am tired of how much we are treated as second class citizens. I'm now in a big city (70kcapita) but I still have most family and friends in much smaller country villages and they already feel they are ignored. Once again HN proves them right.
Also I did set up VNCs (w/o clipboards) for datasec when I worked at a PAAS. Low refresh rates and low res (it was basically spyder/Hadoop web page, and terminal commands to import data), it was unusable when I worked from my parents' house or when I visited friends in deep Brittany.
Have you ever heard of this thing called Starlink? Are we going to pretend like gbps-class connectivity is not going to saturate every last square inch of this planet before the decade is out?
Streaming is not going to solve cheating[1] in the general case. I think the only scalable solution to cheating is community moderation, like in the dedicated server era.
Maybe Stallman is onto something.