Apple already shipped attestation on the web, and we barely noticed

These schemes all have the same problem that reddit and Twitter have: they need me more than I need them. If your website or app or whatever won’t work if I’m not on the right device I won’t visit it, and that’s not a bad thing

It's a bit more complicated than that, unfortunately.
What happens when Microsoft adds something to their web building tools that forces all visitors to websites using these tools to use IE? Or when your bank (or even worse, utilities) start requiring Windows and IE?
- It'll probably end up worse than that. Turn off secure boot and Windows may still run, but it will no longer verify and all these sites will now refuse to work on your computer. So if you like to run Linux, even dual booting or running Windows in a VM for those things that absolutely require Windows won't be good enough anymore.
- I'd be very surprised for one thing, because IE is no longer a product Microsoft supports in any capacity. I'd also be confused as to which tools the web hosting market just shifted to that they're using Microsoft tools, there are monopolists out there I'm worried about but Microsoft isn't my main one right now
These schemes all have the same problem that reddit and Twitter have: they need me more than I need them.
This sentiment comes off a lot like "it won't affect me, I don't care".
Like, it doesn't really matter whether you decide not to use these websites anymore. Nobody should have to put up with this shit. That's why we take a stand against it.
- This sentiment comes off a lot like “it won’t affect me, I don’t care”.
  Then you’ve severely misunderstood what I wrote
  Nobody should have to put up with this shit. That’s why we take a stand against it.
  That is exactly what I’m advocating for
- Exactly. There's a good reason why we don't, for example, allow people to sell themselves into slavery, even if they "consent" to it!
Till one day your government will require it.
- 🇨🇳
I hope you will make the difference. Show em!

I'm getting here too late for this to be visible, but fuck it.

The difference is Apple doesn't pass any information on to the website. It just tells the website whether or not it passes their integrity check. Your web environment gets the Apple stamp of approval or it doesn't, that's all the sites will know.

Googles shit is going pass actual information about the browser state, add-ons, and the device to the site so they can restrict access based on any criteria they choose. That creates endless more avenues for abuse by giving the websites the ability to judge you for themselves and micromanage how you are allowed to visit their site.

Apple's is the equivalent of a metal detector before walking into a building. It will go off but it doesn't violate your privacy or enable targeted screening by telling anyone what it detected.

Google's is the equivalent of a strip search, where it will drop your clothes and pictures of your junk onto the property managers desk so they can decide if you're worthy to enter. Maybe they don't like your brand of underwear, or a tattoo you have, and refuse to let you in.

It's hardly OK for Apple to be doing even that either, you know. Who the fuck does Apple think it is, to be entitled to "attest" to a goddamn thing?!
The notion that anyone can "attest" to users' caputured-by-DRM status is fundamentally toxic to the Internet as a whole and must be resisted at all costs and by any means necessary, legal or illegal.
Can you post any source at all that would back your claims? Or any technical details at all?
Neither the actual proposal https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md#what-information-is-in-the-signed-attestation, nor the article itself seem to show that there would be a difference when it comes to privacy.
The entire problem with this proposal is that it limits client choice, similar to how Google Play integrity API on Android restricts some apps from running on rooted/unlocked phones.
That same problem obviously also exists in Apple's implementation.
Your comment was on the top for me, Lemmy's default "hot" sorting brings fresh takes to the front, so don't worry too much about your answers always getting buried.
Transmitting that info to Apple is still a problem. Why do you trust Apple, but not Google?
Google's version will likely ask you first, and you'll know which sites are asking for it. Apple's won't.
- We did by giving them billions and billions of consumer dollars.

Somehow, I am not surprised. Both, that Apple already did it and that there was no public outcry about it.

The solution would be not to visit those sites that require this, right?

Well it’s already integrated into cloudfare and fastly. So good luck with that.
Pretty much all major sites use one of those two as a CDN.
- Ok, so I will not use them. This is acceptable to me
- Wouldn't cloudflare's client (the website you're trying to visit) be the one to implement this, while cloudflare simply does the verification?
Getting a list together would be step 1
- Would a list of "offenders" be necessary? I'd say a list of alternative sites that don't implement this BS would be better.

your treatment on the web depends on whether Apple says your device, OS & browser configuration are legitimate & acceptable.

Well, fuck that.

It's not a problem until more sites start REQUIRING it, and then it's too late. Even if some Apple already provides it, it's more dangerous as use grows

It makes it even more easy to adjust online prices for apple users, lol
is there any positive use case for it for the user at all?
- No, its an alternate evil scheme to uniquely identify users and not bots. Replacing the phone number.
- For sites that support it, you don't have to fill out a captcha.
  Instead it transmits a list of running processes (or other, formerly private info).

What I don't understand is how does the attester check the device is not modified? Anything client side is just a matter of time until its get bypassed.

It needs integration with the TPM/secure element chip in the CPU and a device key issued by the manufacturer to sign an attestation that nothing in the software chain from kernel to browser has been modified .
These schemes tends to get regularly broken, just look at SGX

What does this mean? Do they now own the internet ? Can someone please TLDR it?

A very short TLDR would be:
Apple (in this case) decides if your device should be trusted as a human, or if it's suspicious / a robot, which could break parts of the Internet for those not joining this "attestation", or using software that doesn't support it.
A more ELI5 version would be that Apple has implemented a controversial API (The Web Environment Integrity API) that indicates if a combination of OS + Browser + User behaviour is to be trusted as being human.
Attestation before used to mean "is this device who it says it is", and one can check that in some ways as part of WebAuthN (aka "Passwordless login"), where it would be useful to know if an Android device a site knows you have (as you've logged in before) is that same device. It's a system to trust devices. The WEI-API expands this to look at your OS, your browser and your environment, like installed applications.
Problem with this, is that the requirements don't have to be public. Apple can decide what makes a "trustworthy device" and what can be considered "suspicious".
Bad examples like these are to "fail" attestation if you have torrent clients installed, of if you're connected via a VPN, or if you're not using Bing + Edge on Windows.
Browsers and OS'es refusing to support attestation are likely to become a minority (most users use Chrome, and Google seems to be in favour). Should sites start blindly trusting this "attestation" - in replacement of captcha's -, we could start seeing more privacy-prone combinations being locked out of these kind of sites.
- Thanks mate. I'll tell everyone to stop buying apple products but people are really ignorant and would not careless. Their $2000 phone is more imp. to showoff than fucking Internet.

Didn’t notice yet

The only thing I've seen it used for is skipping captchas on cloudflare.
- How would I notice it, for example I noticed cloudflare was listed, and lemmy.world is currently using it until they can move off it I believe. Does that mean I could see it somewhere while accessing that instance?