zlacker

[parent] [thread] 6 comments
1. px43+(OP)[view] [source] 2023-07-24 23:56:25
When Microsoft did this with IE, they did it with proprietary and undocumented APIs. The fact that this is an open spec, discussed in an open forum, using well established and standard technologies is what ensures it can never be positioned against users in any meaningful way.

To me it looks like SGX for the web. Maybe it will introduce some neat and weird capabilities, but at the end of the day, it will be trivial to bypass at scale if it ever positions itself as being harmful to users.

replies(3): >>AlotOf+Jg >>caskst+zV >>accoun+775
2. AlotOf+Jg[view] [source] 2023-07-25 01:57:57
>>px43+(OP)
Can you explain how you'd bypass it?

Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.

What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?

replies(1): >>px43+ue5
3. caskst+zV[view] [source] 2023-07-25 08:15:50
>>px43+(OP)
Yeah, like it is completely trivial to watch 4K Netflix in Firefox on Linux, right? Oh wait...
4. accoun+775[view] [source] 2023-07-26 10:49:25
>>px43+(OP)
This is as much of an "open spec" as EME - if you don't have the keys Google uses you can't implement it in a meaningful way.
replies(1): >>px43+ff5
◧◩
5. px43+ue5[view] [source] [discussion] 2023-07-26 11:36:24
>>AlotOf+Jg
TPMs can be emulated. Also basically every hardware platform can be placed into a hardware debug mode that allows live debugging of the underlying operating system. Keys can also be extracted from hardware. If even one supported platform leaks a key (and in this doomer fantasy world all platforms must be supported right?) then the attestations can be bypassed. It only needs to be bypassed once to be bypassed everywhere, basically forever.
replies(1): >>AlotOf+ku6
◧◩
6. px43+ff5[view] [source] [discussion] 2023-07-26 11:40:23
>>accoun+775
EME is a great example. It's been around for over a decade now. In what way has it negatively impacted users? Is piracy any harder than it was? EME has been built into Chrome since long before it was an official W3C spec, which it has been for six years now. People lost their minds when EME was getting standardized, yet here we are. This same nonsense is playing out with WEI, yet people haven't seemed to learn a thing.
◧◩◪
7. AlotOf+ku6[view] [source] [discussion] 2023-07-26 16:51:59
>>px43+ue5
Key revocation is a thing and no, not all platforms must be supported (or are intended to be supported). Here's the relevant Google blog post:

https://android-developers.googleblog.com/2019/09/trust-but-...

[go to top]