zlacker

[parent] [thread] 2 comments
1. AlotOf+(OP)[view] [source] 2023-07-25 01:57:57
Can you explain how you'd bypass it?

Let's say example.com decides to require attestation from the {MS, Apple, Google} providers, and that they attest to only Chrome without extensions. You can't forge the attestation because cryptography. You can't fail to provide it (because they'll just refuse to send the bits). You can't use a "malicious" attestor because example.com won't trust it.

What's the trivial bypass I'm missing? How does a freely accessible standard impact the ability to bypass things in any way?

replies(1): >>px43+LX4
2. px43+LX4[view] [source] 2023-07-26 11:36:24
>>AlotOf+(OP)
TPMs can be emulated. Also basically every hardware platform can be placed into a hardware debug mode that allows live debugging of the underlying operating system. Keys can also be extracted from hardware. If even one supported platform leaks a key (and in this doomer fantasy world all platforms must be supported right?) then the attestations can be bypassed. It only needs to be bypassed once to be bypassed everywhere, basically forever.
replies(1): >>AlotOf+Bd6
◧◩
3. AlotOf+Bd6[view] [source] [discussion] 2023-07-26 16:51:59
>>px43+LX4
Key revocation is a thing and no, not all platforms must be supported (or are intended to be supported). Here's the relevant Google blog post:

https://android-developers.googleblog.com/2019/09/trust-but-...

[go to top]