zlacker

[parent] [thread] 2 comments
1. notato+(OP)[view] [source] 2022-01-27 23:44:58
If you can argue that remote attestation doesn't provide additional security, then i'd love to hear that argument. but it seems like a fairly clear-cut case that it does provide additional security, and i don't think it's reasonable to accept a lower level of security for the sake of allowing unverified builds of open-source software.

there are specific contexts where you want to distribute information as widely as possible, and in those contexts it makes sense to allow any software versions to access the information. but for contexts where security is important, that means verifying the client software isn't compromised.

replies(2): >>curmud+r2 >>nijave+Fr
2. curmud+r2[view] [source] 2022-01-28 00:02:05
>>notato+(OP)
A server rate limiting login attempts is additional security.

A remote system asked to promise it's what it says it is: the illusion of security.

Jailbreaking, DRM, etc are all evidence of this illusion.

3. nijave+Fr[view] [source] 2022-01-28 03:32:47
>>notato+(OP)
It can go pretty terribly sideways just like antivirus with poorly coded, proprietary, privileged agents running on end user devices collecting data.

I worked at a place that only allowed "verified" software before and it's an ongoing battle to keep that list updated. Things like digital signatures can be pretty reliable but if you're version pinning you can make it extremely difficult to quickly adopt patched versions when a vulnerability comes out.

[go to top]