Google Web Environment Integrity Is the New Microsoft Trusted Computing

>>neelc+(OP)
The problem here is that most people don't give a crap. I was explaining this situation to my girlfriend last night over a drink. She's a high level academic with a strong mathematical and logical background in a different field but she didn't really formulate an opinion on it past "if my stuff keeps working, why is it a problem?". Which is fair, because it's a hypothetical risk, but the side effects are a net negative and the open nature of the web is at risk.

As always people see the happy path down the middle of the forest, not the creatures waiting to leap out and eat them two steps down the line.

>>baz00+8t
> she didn't really formulate an opinion on it past "if my stuff keeps working, why is it a problem?".

Once upon a time, I was a homeless teenager running from a cult. If not for software I wouldn't have gotten out of that.

WEI (and other such things) are mainly about regulating who is allowed to write software, and so the way I think about it is this: If WEI existed when I was a homeless teenager, I might be dead.

I do not think I would like your girlfriend very much if she said keeping "her" stuff working was more important than my life, although I could understand her not understanding how big of a deal it is when you talk abstractly about the "open nature of the web" without putting it into human terms;

The "open" part is really important to get across because it means anyone who has the ability to can contribute: Does such a high level academic with a strong mathematical and logical background understand what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?

>>geocar+Hz
>WEI (and other such things) are mainly about regulating who is allowed to write software

No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

>if she said keeping "her" stuff working was more important than my life

Arguing that you would be dead if your viewpoint isn't correct is a bad argument.

>what can be lost not just to industry, but to science itself when a church wants to name itself the arbiter of who can work?

It would be a better analogy to say that "employers can run background checks on people who want to work for them." Because it is up to each website to choose which attestors they trust and the websites have the choice of doing whatever they want with information or not requiring attestation at all.

>>charci+fE
> No, it's about being able to prove that your device is secure. Attestation doesn't stop you from writing software for your device.

How do I prove my device is secure while also being able to run any software that I want?

>>Button+XW
>How do I prove my device is secure while also being able to run any software that I want?

The operating system should properly prevent software from violating the security of the system. If you mean that you want to be able to run an OS that does that provide a level of security that is expected then you shouldn't be able to prove that insecure OS is secure.

>>charci+3P1
Ok let me know when there’s an OS or browser that’s totally secure. Attestation does not prove that a device meets any security bar. And likewise lack of attestation does not prove that a device does not meet a security bar. Attestation merely shows that a device has been “allowed”. You might argue that all devices with attestation have been audited for security so at least that provides some standard. How well did audits work in the past for things like mortgage backed securities in 2008? No, it doesn’t provide any guarantee other than the power that be are empowered to grant themselves and their friends privileged status while leaving everybody else without a device that can run the software they want.

zlacker