zlacker

[return to "Mozilla Standards Positions Opposes Web Integrity API"]
1. michae+ig[view] [source] 2023-07-25 04:53:44
>>danShu+(OP)
So imagine you have a separate slot in your desktop/laptop occupied by a secondary single board computer of sufficient power to run your banks website or other secure operations. Since you are going to use it to git push to import repos or move money you give two shits if it has much in the way of customization.

You hit a physical button and an internal kvm switches usb input and displayport out between primary and secondary machine. There is no shared clipboard or way for data to be intentionally be shared between machines and nothing to distinguish this setup from any other "secure" setup to disallow its use. It ticks the correct boxes to meet the described intent of the feature and unlike a secure environment one is obliged to use for everything would actually be more secure as you have no good reason to install a bunch of software or browse random websites on the slower secure environment.

◧◩
2. jeroen+8h1[view] [source] 2023-07-25 13:30:41
>>michae+ig
You can also just use a Windows VM and forward the already-working TPM to it. With tools like Cassowary you can use Windows browsers through an app-only RDP connection, integrating the VM seamlessly. Hardware acceleration will be a bit more difficult, but for things like encoding or decoding video you can already forward virtual GPUs on most platforms if you get the configuration right.

I don't think you'll need to buy an SBC for this. A weekend of messing with virtual machines will be enough.

◧◩◪
3. michae+LU2[view] [source] 2023-07-25 19:42:35
>>jeroen+8h1
This is fundamentally different on multiple fronts. Insofar as security if the host is compromised the VM has none because of the hosts control over the VM's environment. For the same reason anything that requires you to be in an authenticated environment is probably not going to accept an authenticated environment that is itself hosted in one that is not. The browser/system would assert that it isn't in the Matrix by testing naively by looking for the presence of VM specific information or devices and more securely by performing operations which must work differently in a vm see this post

https://stackoverflow.com/questions/39533/how-to-identify-th...

◧◩◪◨
4. jeroen+323[view] [source] 2023-07-25 20:15:09
>>michae+LU2
Remote attestation is already available on big cloud providers and Windows runs virtualised on many servers across the world for remote work. Excluding all of those browsers would probably be problematic for almost every use case.

I don't think big websites will block every VM (especially since Microsoft has some kind of super secure browser implementation that uses virtualisation). You may need to make KVM fake HyperV, though.

[go to top]