Root Causes 334: What Is Attestation on the Web?

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

September 27, 2023

Most people hate dealing with CAPTCHA, but it offers great benefits for web site operators. In this episode we discuss alternatives to CAPTCHA, how they work, and their pros and cons. Plus, the Get-Off-My-Lawn! browser returns.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanWe want to talk today about an attestation on the web. What does that mean?

Jason SorokoAttestation on the web? Tim, I am me.

Tim CallanYes. You are.

Jason SorokoSo I'm kind of attesting to the fact that I’m me in saying that, and maybe it's because you and I talked ahead of time, or somehow in your human brain in interacting with me, you've kind of been convinced that I am me. So if I attest to that you've got to make a decision as to whether or not that's true.

And it's interesting, isn't it? Because you and I've talked about AI and isn't attestation becoming more fuzzy when we in terms of the human voice and ways that we express ourselves to each other now. Am I really me, Tim? Or am I artificial intelligence me? Who knows?

Tim CallanAbsolutely. Right. Sure.

Jason SorokoWe've talked about that. So let's talk about though, attestation on the web. And, of course, that takes many, many forms. Many forms. One of the ways you can do that, of course, is carry around a distributed ID with you, that's been somehow somebody else's authority has been stapled to it digitally. If you think about SSL certificates, one of the reasons they're trusted is because a Certificate Authority has signed it and that chains it’s way up all the way to a public key that exists in the root store of your browser. These are so many different ways that we attest, and we prove that people are who they are, or that you're in possession of something that's been signed by somebody else that has authority, etc. etc. etc. But what we're talking about here is, Tim, you've used the web for many, many years, you've seen things like CAPTCHAs.

A CAPTCHA is a way of saying, hey, I'm a legitimate user. I'm not some kind of bot, or some kind of an entity that is doing something either malicious or unintended, or automated, or something like that.

Tim CallanAnd it has a variety of advantages. It makes it harder to essentially DDoS somebody, it makes it harder to attempt certain brute force attacks against login identities and things like that. There's a variety of reasons why you might do that.

Jason SorokoSure. And if I'm a site, a website that has a whole lot of content that I make money from, and I would be really in bad shape, if an automated system were to come in and just screen scrape everything that I've got. I mean, I could lose my business because of it and so CAPTCHAs have all kinds of really good reasons to exist.

Well, there are other alternatives to CAPTCHAs. And that is, what happens if you could provide to me some sort of an attestation token, Tim, that I could recognize? If I'm that server who has content that I don't want to have screen scraped, and I want to know that you're a legit human being and not a bot, well, you could provide to me one of these access tokens, it just happens automatically inside your browser. And it's essentially the computer's way of, you know, it's the equivalent to doing the CAPTCHA.

Tim CallanThis is a browser that's really being used by a real human being.

Jason SorokoIt's a real browser with a real human being on a real client and everything is normal and intended for the way the usage that I want you to be using this particular website is. Again, it's CAPTCHA replacement is what we’re talking about and these CAPTCHA replacements are really no more or less difficult to conceive and your mind is just being a token. An alphanumeric string that's been generated by something that essentially is a shared secret between you and I.

Tim CallanYou can see that part being very easy to deliver. I guess a question would be, so somewhere upstream of that interaction, though, there's got to be some way that the browser decides that I'm qualified for a token, right?

Jason SorokoWell, it would be the web server. So let's decide on how it is the browser will get one of these tokens in order to hand it over to a web server when they're challenged to do so. Just like when you're challenged to give a CAPTCHA, you would be challenged for one of these tokens. So how do you end up with one of the tokens?

If you think about Apple, Apple has an entire ecosystem of MacBooks and iPhones and iPads and well they know that the browser that they installed in those things is legit. They're the ones that installed it and so therefore I'm looking back here at a website on Apple – developer.apple.com. You search this called challenge: private access tokens. This is from June 9, 2022. And it talks about this very thing about actually being able to possess these tokens, these private access tokens for the exact purpose of having a replacement to CAPTCHAs.

Now why is this coming up? Why this is coming up is because there have been other proposals. We're talking about Cloudflare, Fastly. CDNs. You can imagine how CDNs would have a real interest in being able to have CAPTCHA replacements, because they're the ones offering the access.

And so we're now also talking about Google themselves, with private access tokens. And, so I think, Tim, these kinds of CAPTCHA replacements have been around, but it didn't get to be like, whoa, whoa, hang on, what's going on here, until somebody with as gigantic of a market share as Chrome is trying to decide, alright, is Chrome gonna go to the way of these private access tokens and determine who can get to the web. Because if that happens, then we've got Chrome, we've got Safari and the whole Apple world, and then the CDNs all doing this. And then all of a sudden, wow, that's a whole lot of the world doing private access tokens, essentially, to do CAPTCHA replacements.

Tim CallanSo, CAPTCHA, CAPTCHA. We all hate CAPTCHA. Like everybody hates it. So is there a problem with this? It sounds like a good thing.

Jason SorokoSounds like a good thing. In fact, I invite anybody to go off and look at web environment integrity API. It's on GitHub. And this is what a lot of these things, this is the thing that's been developed by some folks from Google and being prototyped in Chromium, and etc.

So yeah, so just to give that little last piece of information. So what are the downsides? We all hate CAPTCHA. Why wouldn't we all just throw up our hands ago, this is fine. Get rid of CAPTCHA. Fantastic. We're good to go.

Let's talk about people who have legitimate needs to be able to browse around the internet and not have to deal with either CAPTCHAs or these web access tokens, these attestation schemes that we're talking about. What that means is essentially what Google and Apple could do here, right, it's not a stated mission of theirs but you can see one of the gigantic advantages to them is not just getting rid of CAPTCHAs, but it's actually really, really harming competition from other potential browsers.

Tim CallanBecause those browsers don't have the opportunity to perform attestation in the same way, and therefore, their user is stuck dealing with CAPTCHAs but if I move over to Chrome, now it's not and therefore I'm going to migrate to Chrome. Is that the idea?

Jason SorokoI think that's part of it. But it could go as far as if large chunks of the internet require these, this web environment integrity tokens as an example, then you could actually completely block out new browsers.

Tim CallanSo you're imagining a future where somebody says, I'm not going to bother with CAPTCHA. You need a web environment and integrity token or I'm just not going to offer the service to you?

Jason SorokoI think it's possible.

Tim CallanSo what's preventing another browser? So, I think we're talking about, three guys in a garage browser, what you and I talked about.

Fogy browser. Get off our lawn browser. Get off my lawn browser. What's to prevent get off my lawn browser from doing the exact same thing?

Jason SorokoI think it's because in order to get into that ecosystem, you're gonna have to somehow ask permission to be part of the ecosystem. And the problem is fogy browser is gonna look an awful lot like, hmmm, are you just a bot? Or, is your fogy browser not just a browser for human beings but are you just a web automation tool, that's dancing around as a bot. So there's gonna have to be some kind of a process where people who own the attestation token ecosystem let in the lesser browsers. I think that the barrier could be quite high, because there are a ton of really microscopically small browsers. I mean, making your own browser is really not hard to do and there's really good reasons to do it.

Tim CallanWe just talked about this in terms of the CA/Browser Forum and being nervous about limiting access to the CA/Browser Forum based on market share or various other criteria for small browsers. And, at the time, we talked about well everybody started out with no users, right? Once upon a time, Chrome had no users. And the same concerns would apply here, I think.

Jason SorokoExactly the same. So isn’t it interesting Tim, this is now the second time we've covered anti-competitive against small browsers coming from the big, big, big tech companies. Isn’t that interesting?

Tim CallanAnd the potential for that, right. I mean, there's nothing to suggest that Apple and Google are doing this but if they could do this, then I understand why people would be concerned.

So, on the other hand, you could imagine I'm thinking about - now I'm going back a little longer in time, but I'm going back to we had an episode called What is Apple Passkey? I'm looking at 230. Our episode 230. What is Apple Passkey? And we're talking about, of course, it's a different technology but it's the same idea, which is to make the online browsing experience smooth and seamless and roadblock free for our users while keeping them safe.

You can imagine a product manager at Apple sitting here thinking, absolutely, I want this for my iPhone user, or my MacBook user. Of course I do. This feels like this is all kind of part of the same area of interest for these consumer facing technology manufacturers.

Jason SorokoTim, let me put it this way. I'll put it in slightly different words because I think I know where you're going. I think you're right, in that, if you're an Apple product manager, there are big advantages. In other words, why did Google and Apple say yes to ultimately what is FIDO’s underlying WebAuthn technology? That's what's going on underneath the covers?

Like think about what it takes to get Apple and Google and others to say, yes. That takes a lot. I think what you got to give and take in return is, if you want to be a new player in the browser world, for example, you're probably gonna have to support your own form of WebAuthn within. Otherwise, your users might go, hey, I can't log into websites the way that I used to with Chrome or Safari.

Tim CallanRight. I have a better experience when I go to my bank on safari than I do on your browser, therefore, I'm going to just go to Safari. Right.

Jason SorokoSo in other words, I don't think that WebAuthn stops. I mean anybody can implement it and I think the barrier to entry is low, but it's not so low, that that really the smallest players are just gonna be able to snap their fingers and put it in the browser.

And so I'm not going to sit here and call WebAuthn a potential anti-competitive tool but you can see how Google and Apple employing it, they're raising the bar for other browsers competition. I mean that's the spirit of what you were saying, and I agree with that.

Tim CallanSo, of course, now you get into real tricky areas because, if I am, let's say, Google, and I can just plain throw more resources at the problem and therefore, make a browser that does neat tricks that someone else can't make because fogy browser doesn't have the resources that Google does, is that anti-competitive? How do you make those decisions, but I get that building kind of a systematic advantage for the large market share browsers makes people uncomfortable.

Jason SorokoIt's uncomfortable. On the surface, it seems to be solving a problem but on the other hand, there are anti-competitive risks underneath it. That’s the trend.

Tim CallanAt the same time, it is a real thing. Like I said, we all hate CAPTCHAs. And wouldn't it be nice if they went away? And so let's not ignore that either. Because that's valid.

Jason SorokoYou got it? Tim, this has to do a lot and there's other podcasts that you and I've had where we have talked about the issues around browser, the privacy browsers, and how some of them imagine in a world where you're trying to get away from the problem of being identified very, very granularly because of your browser user agent exposure plus, plus, plus all of the other attributes you bring to yourself while you're browsing the web, which brought together is enough pieces bits of information to uniquely identify you. We've talked about that in the past.

So imagine now, it's not even just you using an obscure browser, potentially. You could be using one of the privacy browsers, and protect - - You see where I'm going with that, right?

Tim CallanAbsolutely. You bet. By the way, that’s our episode 255 - What is a Privacy Browser? So you can go listen to that one, too.

What if I'm deciding very explicitly that I would like to have a higher privacy profile and as a result, I get boxed out of all of these either boxed out of these better experiences - - And I think to some degree, you could say, look, if I know that if I'm going to use a privacy browser, I'm going to have to deal with CAPTCHAs, and that's the price I pay, right? Or I know if I'm going to use a privacy browser, then I can't use a PKI based login, and therefore I'm gonna have to log in another way and that's the price I pay. I can make that decision. But to your point, if there are entire experiences or services or areas of what's offered to me that just plain aren't available, now the tradeoff has gotten much greater, and it may be a tradeoff, I'm not willing to make any more.

Jason SorokoSo Tim, think about this for a moment, right, because it occurred to me - If the attestation token is somewhat unique, or very unique, and I, you know, is just another piece of information that could uniquely identify you while you're browsing around the web, well, obviously, if I'm a privacy browser, I'm going to be looking to block that.

So not use it, which is what you're saying, but then it really comes down to what's going to be the level of discrimination when you are trying to not use that.

Then if you're going to open up the door to CAPTCHAs still, or, then what opportunity does that give then the bad guys who really are using these kinds of browsers to do bot activity as an example, or, or use user agents to look like that browser? I can just see that it's a bit of a war between the privacy world, the small browser community websites that want to discriminate against, and then what's the gap that's being left open for the actual bad guys that nobody likes to deal with? The people who are causing DDoS, the people who are causing screen scraping and doing bad things? It's gonna be an interesting world. This just another piece that's shaping this, this interesting ecosystem of browsers right now.

Tim CallanOh boy. And of course, every time we talk, the whole landscape just gets more complex now doesn't it?

Jason SorokoYes, it does.

Tim CallanAll right. Well, okay. There you are. So web app attestation fits into this whole constellation of what you and I always talk about, about identity and logins and access and all of that. We thought it was good to explain it. And I think you did a great job of that, Jason. Thank you.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!