[return to "Google is already pushing WEI into Chromium"]
1. ailef+73 2023-07-26 12:26:11
>>topshe+(OP)
Can somebody explain what the practical implications of this are?
2. smalls+r4 2023-07-26 12:33:53
>>ailef+73
The browser application needs to pass a binary image check, and if the browser hash doesn't match Google's database, you cannot proceed to the website (since your browser may be corrupted). A major big deal for non-mainstream browsers, and for non-Google browser developers, extension developers (e.g. AdBlock), etc. In summary, some websites (like banks, Netflix, etc.) will no longer be available for non-mainstream browser users. Also, even if you're using Google Chrome, you may need to run the latest version to satisfy the hash check. Every day, the number of broken websites will continue growing until all non-Google-Chrome users have a blocked internet.
3. nonane+Ba 2023-07-26 13:02:45
>>smalls+r4
Can you please explain why a third party browser can’t lie about its hash, just like it can lie about its user agent?
4. ndrisc+sl 2023-07-26 13:46:57
>>nonane+Ba
The idea is that an operating system service provides the attestation. In turn, the OS is signed, with the bootloader verifying the signature. The bootloader is also signed, with a hardware chip verifying the signature.

The infrastructure to do signed OS loading is already in place, and on some operating systems (e.g. Android), the OS attestation service is already in place. So everything is mostly in place already to have your browser attest that it is official Google Chrome on Google Android on an approved device with a hardware chip that verifies a Google-approved boot signature. That hardware chip contains a Google-approved private key (a key that's signed by a manufacturer that Google has in turn approved/signed) that can't be extracted, and that's the key that makes the attestation. Replace the hardware boot verify chip with one that will verify software you want, and you lose your attestation key.

They could also make the OS service reach out to a web service to get an attestation that the attestation key hasn't been revoked, so even if someone did physically extract the key from hardware and share it, it could be revoked (assuming each device gets its own key).

In effect, wide use of this kind of thing means that open source software is no longer free since even if you can look at the code, you must be part of the anointed class (i.e. working within or approved by a major corporation) to edit it and run your edits.
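
The chain of trust described in the comment above, seen from the website's side, as an added example that is not part of the thread and is not WEI's or Android's actual format. Textbook RSA over known Mersenne primes stands in for real signatures (it is not secure), and the statement layout, the nonce and all names (`attest`, `check`, `CHAIN`) are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(p, q):
    # Textbook RSA from two known primes; returns (modulus, private exponent).
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(digest(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == digest(msg, n)

def mersenne(k):
    return 2**k - 1  # prime for k in 61, 89, 107, 127, 521, 607

ROOT_N, ROOT_D = keypair(mersenne(521), mersenne(607))  # root the website pins
MFR_N, MFR_D = keypair(mersenne(107), mersenne(127))    # approved manufacturer
DEV_N, DEV_D = keypair(mersenne(61), mersenne(89))      # key sealed in the chip

def cert(subject_n, issuer_n, issuer_d):
    # A certificate here is just the subject's public modulus plus the issuer's signature.
    return {"n": subject_n, "sig": sign(str(subject_n).encode(), issuer_n, issuer_d)}

CHAIN = [cert(MFR_N, ROOT_N, ROOT_D), cert(DEV_N, MFR_N, MFR_D)]

def attest(browser_hash, nonce, dev_n, dev_d):
    # Constructed statement format: "<browser hash>|<verifier nonce>".
    stmt = f"{browser_hash}|{nonce}".encode()
    return {"hash": browser_hash, "nonce": nonce,
            "sig": sign(stmt, dev_n, dev_d), "chain": CHAIN}

def check(att, nonce, approved, revoked):
    # Website-side verification: walk the chain from the pinned root down.
    mfr, dev = att["chain"]
    stmt = f"{att['hash']}|{att['nonce']}".encode()
    if not verify(str(mfr["n"]).encode(), mfr["sig"], ROOT_N):
        return "manufacturer not endorsed by root"
    if not verify(str(dev["n"]).encode(), dev["sig"], mfr["n"]):
        return "device key not endorsed by manufacturer"
    if not verify(stmt, att["sig"], dev["n"]):
        return "statement not signed by device key"
    if dev["n"] in revoked:
        return "device key revoked"
    if att["nonce"] != nonce:
        return "stale nonce"
    if att["hash"] not in approved:
        return "browser hash not approved"
    return "ok"
```

Unlike a user-agent string, the reported hash is only accepted when it is covered by a signature that chains back to the pinned root, so a browser that cannot use the sealed device key has nothing valid to present.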