zlacker

[return to "Signal Server code on GitHub is up to date again"]
1. red_tr+G1[view] [source] 2021-04-07 15:08:20
>>domano+(OP)
Is there any mechanism to validate that the code running on Signal's servers is the same as on Github?
◧◩
2. monoca+J2[view] [source] 2021-04-07 15:13:45
>>red_tr+G1
That's basically the same problem as DRM, so no, you can't verify that someone is running only code you want them to run against data you gave them, on hardware they own.
◧◩◪
3. lxgr+yx[view] [source] 2021-04-07 17:28:50
>>monoca+J2
Yet DRM does exist. (Yes, these schemes usually end up getting broken at some point, but so does other software.)

The problem is more generally called trusted computing, with Intel SGX being an implementation (albeit one with a pretty bad track record).

◧◩◪◨
4. monoca+6q4[view] [source] 2021-04-08 19:45:46
>>lxgr+yx
DRM has only been successful in the space of making easily replicable attacks more expensive than what is being protected by the DRM. Microsoft has talked about this publicly in this great talk on the Xbox One's physical device security. 'We can't stop people hacking, but we can make each hack more expensive than what someone would spend on games on average'. https://www.youtube.com/watch?v=U7VwtOrwceo

SGX running on centralized servers turns that calculus on it's head by concentrating the benefits of the hack all in one place.

[go to top]