What are possible problems with Google’s Web Environment Integrity API?

A new Web Environment Integrity (WEI) API is being tested in Google Chrome. Developers are unhappy about the project, describing it as dangerous, restrictive and even as undermining the values of the internet.

Google has made a new API proposal that should bring Web Environment Integrity (WEI) to websites. This will allow websites to check the authenticity of devices and network traffic across different browsers. Anything deemed suspicious can easily be blocked via WEI, meaning users can be denied access.

What is good and what is bad is determined by an ‘attester’. That is the name for an authoritative third party, such as Google. Websites contact the attester to verify that the connection request is legitimate. For requests it considers secure, the attester issues an attestation, which is encrypted to prevent forgery.

Actions WEI should stop include bot traffic on websites, phishing campaigns and attempts to crack passwords. According to Google, the API poses no threat to user privacy, cross-site user tracking would not be possible, and the API does not interact with plug-ins on the web browser.

API is ‘dangerous’

The competing web browsers Vivaldi, Brave and Firefox have their own views on the proposal. For example, Julien Picalausa, a developer of the Vivaldi browser, writes that the proposal is dangerous. “If an entity has the power to decide which browsers are trusted and which are not, there is no guarantee that they will trust a particular browser. Any new browser would not be trusted by default until they have somehow demonstrated that they are trustworthy, at the discretion of the attesters.”

Thus, the proposal appears to work to the disadvantage of new parties looking to make a name for themselves in the browser world. There are also concerns that the API will disable ad-blockers and make scraping impossible, since scraping is done through bot traffic. However, Google is already calling a halt to ad-blockers with Manifest V3, the latest version of the Chrome Extensions platform.

Privacy not guaranteed

According to Picalausa, the privacy claims are far from certain either. The vague wording of the proposal would allow Google to track the behavioural metrics of internet users.

Brave, a Chromium-based web browser, says it will not use the API. The web browser’s CEO, Brendan Eich, said so in reply to a post on the social media platform X: “We won’t be shipping WEI support, just as we disable or otherwise nullify lots of other junk that Google puts into Chromium.” The message to which the CEO responded assumed that Google is mandating WEI integration in Chromium.

‘Threatens the openness of the web ecosystem’

Rival Mozilla has not yet given an official response to the proposal. Brian Grinstead, an engineer at Firefox, did make it known earlier that the web browser rejects the proposal. “Mozilla opposes this proposal because it contradicts our principles and vision for the Web. Mechanisms that try to limit these choices are harmful to the openness of the Web ecosystem and are not good for users.”

Yet competitor Apple has a similar tool for its Safari browser, Private Access Tokens. The browser integrated the tool about a year ago, and it serves to verify the sender of an HTTP request. Why could a similar tool be built into Safari without too much resistance? Tim Perry, creator of the HTTP Toolkit tool, writes in a blog post that it is because of Safari’s smaller market share.

Google writes off Private Access Tokens as a tool that restricts freedom too harshly. The WEI proposal states, “Because of the fully masked tokens, this technology assumes that the attester can produce a high-quality sustainable attest without any feedback from websites about gaps such as false positives or false negatives.”

Google itself says it has come up with a proposal that better protects web browsers and primarily addresses the problem of bots and scraping. The proposal is receiving considerable criticism from competing web browsers and developers, who warn about the privacy and openness of the web. Competitor Apple did manage to integrate a similar protocol, which Google says is even stricter, into its web browser last year without much difficulty.