zlacker

Web Environment Integrity Explainer

submitted by christ+(OP) on 2023-07-19 12:53:58 | 89 points 45 comments
[view article] [source] [go to bottom]

NOTE: showing posts with links only show all posts
3. 000ooo+Xa[view] [source] 2023-07-19 13:43:27
>>christ+(OP)
This topic was posted earlier today but was seemingly killed..

https://hnrankings.info/36778999/

◧◩◪
12. gjsman+Qo[view] [source] [discussion] 2023-07-19 14:34:05
>>hoover+Jn
Shameless plug for the article I wrote 1 year ago now, "Remote Attestation Is Coming Back," which warned that this was coming to the web and had quite a discussion about that idea:

>>32282305

◧◩◪◨⬒⬓
14. madeof+jB[view] [source] [discussion] 2023-07-19 15:15:19
>>hoover+Tn
Don't worry, Sony's already figured this out out https://www.creativebloq.com/sony-tv-patent

McDonalds!

◧◩◪◨
17. dhx+g41[view] [source] [discussion] 2023-07-19 17:00:36
>>mike_h+MK
Why should anyone trust a remote server providing a signed statement of authenticity when Intel[1], MSI[2], Lenovo[3], NVIDIA[4], Microsoft and others keep losing their keys? Even if they haven't lost their keys recently, technology companies don't have a great track record of producing foolproof hardware designs (e.g. recent case of [5]), if foolproof was ever a reasonable expectation. For starters, it's assuming technology such as ptychographic X-ray computed tomography and focused ion beam machining won't become more commonplace and commercially viable to readily break TPM attestation schemes. Or that with wider use of TPM attestation, more effort will be expended into breaking it whereas for the current state with minimal adoption, few people care.

The issue client-side is that if a single vendor or TPM design is compromised, threat actors have ample motive, resources and ability to exploit this compromised hardware, whilst everyone else has few choices, such as dumping at great expensve some more e-waste. And critically, you as a user are blocked by your acceptance of TPM attestation technology from discovering attacks and auditing your own system security, as you ceded control of your own systems. Instead, your systems are controlled by a few technology companies that have a proven terrible track record of fulfilling their alleged intent of keeping your systems and data secure. And why should they care if it doesn't lead to a higher profit at the end of the year?

[1] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...

[2] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...

[3] https://github.com/binarly-io/SupplyChainAttacks/blob/main/L...

[4] >>30565985

[5] https://arxiv.org/abs/2304.14717

◧◩◪◨
31. thesup+uO4[view] [source] [discussion] 2023-07-20 17:45:18
>>Aerbil+cM1
>> No one can control the web unless every personal computing device on earth is closed source down to the hardware.

It happens one step at a time:

https://gabrielsieben.tech/2022/07/29/remote-assertion-is-co...

[go to top]