Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

? I didn't say it's a security flaw. The problem is that it's a terrible, user-hostile, open-web-hostile approach to security that shouldn't have even been proposed.

>there's no reason to think that carriers would even want any sort of device attestation

With the bargaining power that Google has in the mobile space, I strongly suspect they could find a way to entice carriers into moving towards enforcing device attestation. And I don't just mean forcing devices to attest; I mean things like, Hmmm, are you sure you want these untrusted Android devices on your RCS services?

> or be legally allowed to do that under the terms of their spectrum licenses.

I don't really like relying on hoping the laws will help, but it would be nice to know for sure if they do. Unfortunately, I am assuming you aren't actually positive.

Google Fi definitely favors Google devices heavily and there is no supported way to use a non-data-only device without an Android phone with GMS.



> ? I didn't say it's a security flaw.

Nobody said you did. Normally, crummy security(security flaws) is what disqualifies someone from security and not functioning security. You're comment implied WEI would work as imagined and you remarked that should disqualify Google from security. That's a bit ass-backwards, disqualifying someone because they didn't introduce security flaws.

> The problem is that it's a terrible, user-hostile, open-web-hostile approach to security that shouldn't have even been proposed.

But it isn't a security flaw. And no, it isn't a terrible, user-hostile, open-web-hostile approach to security. It's just a gleam in someone's eye who's stated goal is to not create something which is a terrible, user-hostile, open-web-hostile security approach but some additional signal which websites can try to use to filter out malicious traffic. Why do WEI critics always come off as sounding like the "think of children" anti-encryption fear mongers? At least wait until it becomes something first.

> With the bargaining power that Google has in the mobile space, I strongly suspect they could find a way to entice carriers into moving towards enforcing device attestation. And I don't just mean forcing devices to attest; I mean things like, Hmmm, are you sure you want these untrusted Android devices on your RCS services?

With the bargaining power that Apple has in the mobile space, I strongly suspect carriers can tell Google to pound sand. Unless Google is implementing something Apple has already, I doubt that will happen.


I don't understand why you think the literal only way a security standard can be bad is if it has a literal security flaw. What Google is doing is bad for reasons other than security flaws, but it's no different from the other reasons why Google being involved in standards other than security standards is bad. It's just that in this case, their evil, user-hostile mechanism has absolutely no reasonable use case outside of security.

Yes, developing bad, user-hostile, open-ecosystem-hostile security standards should indeed bar you from security standards work even if the prison you've built for end users is maximally secure.


At least wait until the bank robbers have spent their loot before calling the police, because they might be just about to bring it back.


> disqualifying someone because they didn't introduce security flaws.

Actually they did introduce a giant security flaw: https://news.ycombinator.com/item?id=36985317

Because of this I propose that "the users should require that server attest it, environment and content with respectable attester before it provide any other data to the user - user should get signal if server operates on up-to date unmodified stack and did not modify server environment in any way to track, monitor, gather (steal) user's data, nor is compromised." How about that?

>"the the bargaining power that Apple has in the mobile space"

Like 30% (and loosing) of worldwide phones? Think globally not US. And we shouldn't forget that Apple may loose EU market altogether because of it inflexibility when comes to battery replaceability.

>Why do WEI critics always come off as sounding like the "think of children" anti-encryption fear mongers?

No we do not. In fact many just want opposite - for encryption not to be used as power over common people but by the people.

> "At least wait until it becomes something first."

As Google implements it before even finalizing proposal and banned all comments and pulls - I will not.

> It's just a gleam in someone's eye who's stated goal is to not create something which is a terrible, user-hostile, open-web-hostile security approach but some additional signal which websites can try to use to filter out malicious traffic.

To put it by analogy from Car owning company: "We propose that any package delivery must be delivered in secure and attested way - so we propose mechanism that will provide way for smaller companies fly drone before you get your package. We will not allow them to sell your photos - pinky promise."

This is more or less how I feel about Google promises.

If you propose something on global - you should take all the time to think about ways that it can be mismanaged before you even propose it, If you trivialize concerns then you are as guilty when they inevitably happen.

>some additional signal which websites can try to use to filter out malicious traffic.

"The solution to the surveillance economy seems to be more surveillance."

This is quite good quote - because if you think for second about this phrase it should give you good idea what You can get…

WEI will be the ālea of Internet.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: