[return to "Apple already shipped attestation on the web, and we barely noticed"]
1. sam0x1+h5 2023-07-25 14:32:34
>>pimter+(OP)
But signing necessarily is happening on the user's device... what is to stop Brave/etc. from also signing their outgoing requests with the same key your local Chrome install is using? On a mobile device I can see how this would work, but how would this ever work on (non-Apple) PCs without exposing the key to anyone willing to poke around a bit?
2. freedo+Tp 2023-07-25 15:48:06
>>sam0x1+h5
> But signing necessarily is happening on the user's device...

No, there is signing from a third-party server in the chain too. If iPhone A visits website B, then A must provide to B a token signed by Apple in order for it to be trusted.

It also depends on hardware tamper-protected keys that the user can't get to without destroying the device (or at least the keys) in the process.
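
The three-party flow described in the reply above, as an added example that is not part of the thread and is not Apple's actual protocol: a simplified model in which website B accepts only tokens that verify under the attester's public key. Ed25519 is a stand-in signature scheme, and every name here (`attesterIssue`, `verifyToken`, `b.example`, the `deviceVerified` flag standing in for the hardware-backed check) is an assumption.

```javascript
const crypto = require('node:crypto');

// Constructed keys: the attester's private key lives only on the third-party
// server; the local key is one a modified client generates for itself.
const attesterKeys = crypto.generateKeyPairSync('ed25519');
const localKeys = crypto.generateKeyPairSync('ed25519');

// Sign a payload binding the token to one challenge and one origin.
function signToken(privateKey, challenge, origin) {
  const payload = JSON.stringify({ challenge, origin });
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, sig: sig.toString('base64') };
}

// Attester: signs only for a device that passed its hardware-backed check
// (modelled as a boolean, since that check cannot be reproduced in JS).
function attesterIssue(deviceVerified, challenge, origin) {
  return deviceVerified ? signToken(attesterKeys.privateKey, challenge, origin) : null;
}

// Website B: trusts only the attester's public key, then checks freshness.
function verifyToken(token, expectedChallenge, expectedOrigin) {
  if (!token) return 'no-token';
  const sigOk = crypto.verify(null, Buffer.from(token.payload),
    attesterKeys.publicKey, Buffer.from(token.sig, 'base64'));
  if (!sigOk) return 'bad-signature';
  const { challenge, origin } = JSON.parse(token.payload);
  if (challenge !== expectedChallenge) return 'stale-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const origin = 'https://b.example'; // constructed sample origin
  const c1 = crypto.randomBytes(16).toString('hex');
  const c2 = crypto.randomBytes(16).toString('hex');
  const genuine = attesterIssue(true, c1, origin);
  return {
    genuine: verifyToken(genuine, c1, origin),
    selfSigned: verifyToken(signToken(localKeys.privateKey, c1, origin), c1, origin),
    unverifiedDevice: verifyToken(attesterIssue(false, c1, origin), c1, origin),
    replayed: verifyToken(genuine, c2, origin),
  };
}

console.log(demo());
```

A token signed with a key held on the client fails at B because B never trusted that key; the only signing key that matters stays on the attester's server.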
