Can’t CAPTCHA be integrated into the browser? Can’t the browser vouch for the user?


That would just DRMize the web with a few select browsers being allowed to access content and the rest being left to dust.


Not really - how could it be worse than the status quo? Worst case you could use Turnstile, no?


Cloudflare’s scheme with PATs is essentially a form of attestation, which, realistically, will only be implemented by Microsoft, Apple and Google, and if you’re a Linux or BSD user who isn’t integrated with a device manufacturer, you’d just have no other choice.

This is an unpopular opinion, but reCAPTCHA has never had this problem. I might face a few more CAPTCHA image screens to solve, but what’s being proposed with PATs is dangerous.


Ask a deaf-blind person which solution they think is less bad.


Companies will realize the majority of abuse comes from humans completing CAPTCHAs and little to none from TPM attestations. It's then a small leap to only trust TPMs and lock everyone else out. After all, every genuine user has an OS that requires a TPM.


"Remote Attestation" is the tech for this.

And trust me, this technology is not in the interest of the user, especially if the user wants a free (as in freedom) and open internet.


If you read the article, you realise you need a valid, unique device:

> In June, we announced an effort with Apple to use Private Access Tokens. Visitors using operating systems that support these tokens, including the upcoming versions of macOS or iOS, can now prove they’re human without completing a CAPTCHA or giving up personal data.

> By collaborating with third parties like device manufacturers, who already have the data that would help us validate a device, we are able to abstract portions of the validation process, and confirm data without actually collecting, touching, or storing that data ourselves. Rather than interrogating a device directly, we ask the device vendor to do it for us.

The trick is that bot farms do not have access to correctly provisioned mobile phones (for now). Thus anyone with a valid mobile device gets a pass.


Something about my browser trying to figure out if I'm not 'abusing' a website feels off to me. Perhaps because it's the user-agent acting in the interest of the website.


This is already being worked on as part of Private Attestation Tokens, and the best thing is that Turnstile is already using it; read https://blog.cloudflare.com/eliminating-captchas-on-iphones-...


That depends on whether you can trust the browser. For example, browsers have long had flags to indicate whether they’re being driven by webdriver, but you can simply recompile the browser without those flags.


Is it really just "simply recompile"? I would assume some intensive patching and learning would be necessary, especially for someone who isn't familiar with the source or the build process.


Sometimes it's even simpler -- there are methods people use that are as simple as "copy and paste this JavaScript that overwrites some properties". There are a lot of people scraping the web, so somebody out there has done the work for you already.

My point is, you don't really know what software is connecting to your web server.
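The webdriver flag from the earlier comment and the "copy and paste this JavaScript" override from this one, as an added Node.js example that is not code from the thread. It models the browser's `navigator` object with a constructed stand-in (in a real browser `webdriver` is a native accessor on `Navigator.prototype`), shows the naive check a site script might make, the sloppy override that defeats it, a tamper heuristic that catches the sloppy override, and the more careful override that the heuristic cannot see. The function names are this example's own.

```javascript
// Added example: navigator.webdriver as a bot signal, and why the client can always lie about it.
// makeNavigator() is a constructed stand-in for the browser object model so this runs under Node.

function makeNavigator(drivenByAutomation) {
  function Navigator() {}
  // Like a real browser: `webdriver` is an accessor on the prototype, not an own property.
  Object.defineProperty(Navigator.prototype, "webdriver", {
    get() { return drivenByAutomation; },
    configurable: true,
    enumerable: true,
  });
  return new Navigator();
}

// --- what a site's (or a CAPTCHA vendor's) script might check ---

// Naive check: believe the flag.
function naiveBotCheck(nav) {
  return nav.webdriver === true;
}

// Tamper heuristic: a genuine browser exposes `webdriver` only as a prototype accessor.
// Object.defineProperty(navigator, "webdriver", ...) pasted into a page leaves an own
// property on the instance, which is itself a signal.
function hardenedBotCheck(nav) {
  if (Object.getOwnPropertyDescriptor(nav, "webdriver") !== undefined) return "tampered";
  const proto = Object.getPrototypeOf(nav);
  const desc = Object.getOwnPropertyDescriptor(proto, "webdriver");
  if (!desc || typeof desc.get !== "function") return "tampered";
  return nav.webdriver === true ? "bot" : "human";
}

// --- what the automation side does ---

// The copy-paste override from the comment above: shadow the accessor on the instance.
function sloppyOverride(nav) {
  Object.defineProperty(nav, "webdriver", { get: () => false, configurable: true });
  return nav;
}

// A more careful override swaps the prototype accessor itself, so the descriptor shape
// matches an untouched browser and only the returned value changes.
function carefulOverride(nav) {
  Object.defineProperty(Object.getPrototypeOf(nav), "webdriver", {
    get() { return false; },
    configurable: true,
    enumerable: true,
  });
  return nav;
}
```

The hardened check only buys one more round: in a real browser the careful override still has to spoof `Function.prototype.toString` on the replacement getter to show `[native code]`, and a browser recompiled without the flag, as the earlier comment describes, needs none of this and leaves nothing on the client for any script to inspect. That is the point being made: a check that runs on the client can be answered by whatever the client chooses to run.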


That's true, you never really know what's on the other end, but even the simplest hurdle is a full stop for most people.


If you're automating a browser, you're probably technical enough to compile a patched web browser -- or, at least, to use someone's script to compile one, or to download one that someone else has built.


You're being downvoted, but while the question you pose proposes a bad idea, it is a good question that resulted in a lot of interesting conversation, so you get my upvote.

