Google employees propose a new web standard ``Web Environment Integrity'' to eliminate bots and remodeled browsers with certification by ``trusted third parties'' to create a ``healthy Internet''

Four Google employees have proposed a new web standard ` ` Web Environment Integrity '' for detecting SNS operations and batch creation of accounts by bots, and detecting behavior of cheating in web-based games by remodeling browsers.

Web Environment Integrity Explainer

The Web Environment Integrity project is inspired by existing authentication systems such as Apple's App Attest and Google Play's Play Integrity API . For example, on Android terminals, there is a mechanism called 'rooting' that allows the user to completely control the terminal, but if you use the Play Integrity API, the application can determine whether the terminal is rooted or not, Bank applications, online game applications, etc. use this API to refuse to start on rooted terminals.

If Web Environment Integrity is introduced to the web world, it seems likely that 'traffic from untrusted sources' will be blocked in the same way as the Play Integrity API. For the time being, the following four points are stated as the goals of the project, and the fourth is 'to prevent blocking due to the presence or absence of authentication'.

1: Make it possible to check the reliability of the terminal accessed by the web server and the truthfulness of the installed software and traffic
2: Provide a mechanism to prevent fraud that is sustainable in the long term with a robust configuration
3: Do not create a new mechanism for tracking users between sites
4: Prevent websites from blocking with or without authentication

Nonetheless, websites that introduce Web Environment Integrity want to block unauthorized access, so it is difficult to find out how to achieve the fourth goal. Ad blocker AdGuard has posted

a blog post criticizing that it is trying to close the world of the web by shutting out apps that Google doesn't like, such as ad blocking. At the time of writing the article, Web Environment Integrity ``By returning a result as if authentication was not successful for a few percent of successfully authenticated traffic, the site was set to block with or without authentication.

The mechanism of Web Environment Integrity is as shown in the figure below, and it is said that it is a ``trusted third party'' that provides the ``authentication API'' in the red frame, but ``Although it is explained in general terms, it will actually use Google's authentication server through Google Chrome,'' said the news site Ars Technica .

One of the proponents of Web Environment Integrity (WEI) claims in the comment section of Hacker News that ``WEI is not DRM and will not suspend content'', but in a reply to that comment , ``If there is a site that forces the use of Chrome, it can be used just by disguising the user agent, but when WEI is introduced, it will be blocked because it can not be disguised.'' It can be said that it is 100% DRM.”

As of July 2023, Web Environment Integrity is still in the proposal stage, but the intention to create a prototype has already been indicated in May, and work seems to be progressing. The progress of work related to this API can be confirmed on Chrome Platform Status .

in Software, Posted by log1d_ts