RayRay on Nostr: waxwing breaking down Apple's web attestation 👇🏽 ...
waxwing (npub1vad…nuu7) breaking down Apple's web attestation 👇🏽
quoting nevent1q…pmrd
Yes, it is a bit unobvious.
So like, you are using iOS or MacOS and you're browsing with Safari.
You access a website which is protected by Cloudflare; perhaps that site is experiencing some DDoS attack, in the most extreme case.
What they can do is show you a captcha and force you to prove you are human to access the site.
Or the privacypass model: some centralized service asks you to solve a few captchas well in advance, then provides you with blinded tokens. Later, when you want to access a site, you can bypass captchas by showing these tokens: they don't reveal you're the same person as the centralized service saw earlier, but they prove you *did* earlier do that captcha.
Apple now changes it a bit: now they are the central server, and, under the hood, the Safari browser sends a request back home to Apple for some blinded tokens. They are given to you because Apple can check that your device is "legit".
Imagine, as the article says, that they stop issuing tokens if your OS is out of date, or they don't like you, etc.
It certainly is an interesting idea/model, because the UX for most users will be perfect: no captchas, ever. But it is also potentially disturbing.
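The token flow waxwing describes, as an added example that is not part of the original post and not Apple's or Cloudflare's code: a textbook Chaum RSA blind signature rather than the exact Privacy Pass issuance protocol, with a constructed toy key (two Mersenne primes, a ~196-bit modulus, far too small for real use), a hypothetical `client_verified` flag standing in for "solved the captcha" or "device attested as legit", and an origin that checks each token once. The point it shows is the one in the post: the issuer's log holds only blinded values, so it cannot link a redeemed token back to the issuance it saw, yet the origin can still verify the token was issued, reject replays, and the issuer can refuse anyone it chooses.

```python
import hashlib
import math
import secrets

# Constructed toy issuer key. P and Q are the Mersenne primes 2^89-1 and
# 2^107-1, giving a ~196-bit modulus: far too small for real use, chosen only
# so the example runs instantly with no external libraries.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))    # issuer's private signing exponent


def token_hash(seed: bytes) -> int:
    """Map a token seed into Z_N (toy full-domain hash: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % N


# ---- client side: blind before issuance, unblind afterwards -----------------

def blind(seed: bytes):
    """Return (message m, blinding factor r, blinded message m * r^E mod N)."""
    m = token_hash(seed)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return m, r, (m * pow(r, E, N)) % N


def unblind(blind_sig: int, r: int) -> int:
    """Strip r from the issuer's signature: (m^D * r) * r^-1 = m^D mod N."""
    return (blind_sig * pow(r, -1, N)) % N


# ---- issuer side: the captcha service, or Apple in the Safari model --------

class Issuer:
    def __init__(self):
        self.log = []  # everything the issuer ever sees from clients

    def issue(self, blinded: int, client_verified: bool) -> int:
        # Hypothetical policy gate: captcha solved, or device attested OK.
        # The post's concern lives here: the issuer can refuse anyone.
        if not client_verified:
            raise PermissionError("issuer refused to issue a token")
        self.log.append(blinded)
        return pow(blinded, D, N)  # signs a value it cannot tie to any token


# ---- origin side: the protected site checks the token, once -----------------

class Origin:
    def __init__(self):
        self.spent = set()

    def redeem(self, seed: bytes, sig: int) -> bool:
        if seed in self.spent:
            return False                          # replay / double spend
        if pow(sig, E, N) != token_hash(seed):
            return False                          # forged or tampered
        self.spent.add(seed)
        return True


def run_protocol() -> dict:
    """Full exchange: issue one token, redeem it, then try to abuse it."""
    issuer, origin = Issuer(), Origin()
    seed = secrets.token_bytes(32)                # constructed random token
    m, r, blinded = blind(seed)
    sig = unblind(issuer.issue(blinded, client_verified=True), r)

    refused = False
    try:
        issuer.issue(blinded, client_verified=False)  # out-of-date OS, etc.
    except PermissionError:
        refused = True

    return {
        "valid": pow(sig, E, N) == m,
        "first_redeem": origin.redeem(seed, sig),
        "second_redeem": origin.redeem(seed, sig),             # replay
        "forged_redeem": origin.redeem(secrets.token_bytes(32), sig),
        "issuer_linkable": m in issuer.log or sig in issuer.log,
        "refused_unverified": refused,
    }


if __name__ == "__main__":
    print(run_protocol())
```

Because `blinded` is `m` multiplied by a uniformly random element of Z_N*, it is statistically independent of `m`; the issuer learns that some verified client asked for a token, nothing about which token later turns up at which site. What Apple's variant changes is only the gate in `Issuer.issue`: the input is device attestation instead of a captcha, and whoever controls that gate decides who gets tokens at all.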