johncolanduoni 9 days ago

Why would BigTech care about the dozens of users using an open source password manager? What’s their gain from preventing these people from logging in? They love money and don’t care about user freedom, sure. But they’ve shown no evidence of hating user freedom on principle.

Every time I’ve seen them actually attack user freedom, there was an embarrassingly obvious business angle. Like Chrome’s browser attestation that was definitely not to prevent Adblock, no sir.

xg15 9 days ago

Because they'd actively have to make their proprietary passkey systems interoperable with password managers. This is fail-closed, not fail-open: if they truly didn't care, there'd also be no incentive for them to implement support.

But I fear it's worse. Based on how past open standards played out, I find it believable they do care - that there won't be an open ecosystem of password managers.

> But they’ve shown no evidence of hating user freedom on principle.

Yes, they did, just see Microsoft's crusade against Linux and the origin of the "embrace-extend-extinguish" term.

johncolanduoni 8 days ago

They already failed then. All sides (browser->website and browser->passkey holder) of passkeys are open standards. They already don’t restrict passkeys from e.g. open source apps they have no control over, for both Google accounts and any site on Chrome. Webauthn “fails open” by default in the sense you’re indicating; if you don’t check the attestation, any app or device made by anyone can hold a passkey. I haven’t encountered or heard of anyone restricting passkey apps/hardware outside of business-managed employee accounts.

I recommend reading the MDN docs on Webauthn, they’re surprisingly accessible.

> Yes, they did, just see Microsoft's crusade against Linux and the origin of the "embrace-extend-extinguish" term.

The whole point of the trial that term came from was that Microsoft explicitly saw Linux as a material threat to their business. What threat are Google quashing by preventing you from using passkeys they don’t control?

63stack 9 days ago

>Why would BigTech care about the dozens of users using an open source password manager?

Because big tech loves control. Just because you can't see the angle yet, it doesn't mean there isn't one now, or won't be one later. It has been shown time and time again that they will take all the freedom away from you that they can.

johncolanduoni 8 days ago

What instance have you seen where BigTech opted for control with no monetary incentive?

63stack 8 days ago

There is already an example of Microsoft selling passkeys with their own "secure (tm)" stamp on them, and not accepting anything else just a few comments down.

Even if there wasn't already an example, it's easy to turn control into a revenue stream at a later time.

johncolanduoni 8 days ago

That is for their enterprise SaaS, and has an obvious profit motive (i.e. bundling). Do you think Chrome is going to start charging for using their passkey storage and then kick all the other apps off Chrome?

> Even if there wasn't already an example, it's easy to turn control into a revenue stream at a later time.

I think you’ll have to justify or qualify this a bit. If Google forces every website on Chrome to have a red background, how do they turn that control into a revenue stream later on?

63stack 8 days ago

Saying "oh that's enterprise" is just moving the goal posts.

Chrome has already started kicking off extensions, see ublock.

I can't divine the future about how they will further their income streams.

johncolanduoni 8 days ago

No it’s not. My goalpost from the beginning was “show me an example where there wasn’t a clear monetary incentive for restricting user freedom”. That one has a monetary incentive (make our paying customer for product X also buy product Y).

As for blocking things that block ads; if you can’t see the monetary incentive for Google there then I don’t know what to tell you.

I didn’t ask you to divine the future. I said “I’ve not seen them do X without trying to get Y” (a statement about the past), and you still haven’t given me a remotely credible example.

fc417fc802 7 days ago

You will almost always be able to find a way to derive a monetary advantage from any given arbitrary restriction of user freedom. Thus your claimed goalposts are essentially pointless.

johncolanduoni 6 days ago

Come on, I didn't come up with some 4D chess logic to impute a monetary advantage. In the examples people gave me, it was things like bundling (the oldest trick in the monopolist book) and ensuring that users look at your ads. Do you really think that if Chrome gets sued for blocking uBlock, that discovery won't find 1000 memos from executives and PMs at Google talking about how much money ensuring users have to see their ads would make?

fc417fc802 6 days ago

Fair point, it's less immediately obvious. Still I don't see where 4D chess is necessary. Some levers let you make money directly. The effective use of others is more opaque but if you hoard enough of them you will presumably be able to figure something out.

Where's the direct monetary incentive to interfere with end users installing a modified Android image? What about SafetyNet?

At absolute minimum you can use it to influence the perception of your brand as being the gold standard.

63stack 6 days ago

Respectfully, you don't seem to understand the full picture on this.

bryanrasmussen 9 days ago

>Why would BigTech care about the dozens of users using an open source password manager?

I agree, why would BigTech care about those dozens of users. Screw those guys, they can use our password manager or they can get lost, we don't need them!

johncolanduoni 8 days ago

They already let the open source password managers work just fine with every facet of passkeys. Why would they reverse this now, was my point.

withinboredom 9 days ago

> Why would BigTech care about the dozens of users using an open source password manager?

Bots using a custom password manager to share logins.

tux3 9 days ago

If all you want is to make a bot that can use passkeys automatically, add a transistor between your Yubikey's touch button and GND. When you turn the transistor on, the capacitive sensor is activated.

Now the Yubikey is just an API you can call, websites cannot tell the difference. You can't export keys, but a bot can add new keys after using existing keys to log in.

withinboredom 9 days ago

this doesn't work on stolen aws accounts though /s

jrockway 9 days ago

You can proxy all the underlying USB communications to a physical device. Allowing attestation in the spec was not an anti-bot measure.