zlacker

[return to "Google Chrome Proposal – Web Environment Integrity"]
1. Showal+nV[view] [source] 2023-07-19 05:51:22
>>screen+(OP)
>6.1.1. Secure context only Web environment integrity MUST only be enabled in a secure context. This is to ensure that the website is not spoofed. Todo

do they realize that you can use a custom certificate / patch the check routines? I don't think they quite realize what they are even suggesting.

◧◩
2. kevinc+kX2[view] [source] 2023-07-19 17:47:17
>>Showal+nV
You are the one being naive. This will be a cryptographically signed stack from the TPM, to the bootloader to the OS to the browser. If you flip a single bit away from the "approved" that signature will fail.
◧◩◪
3. chii+uxg[view] [source] 2023-07-24 02:51:51
>>kevinc+kX2
This is why TPM should never have been allowed. It's a way for control to be removed from the user, even tho they wholly own the physical machine!
◧◩◪◨
4. kevinc+ljh[view] [source] 2023-07-24 10:27:17
>>chii+uxg
I'm not sure about this. TPMs can provide valuable features such as non-bruteforcable disk encryption and other secret management and secure boot can be valuable protection for your devices. The real problem here is that this is allowing a third-party to verify what software you are running. Doing these things on my device by my choice is one thing. Having another party require that I am using a specific unmodified software stack is another.
[go to top]