zlacker

[parent] [thread] 10 comments
1. meandm+(OP)[view] [source] 2023-07-25 14:56:55
Some of the takes about why attestation is bad seem purposely false because the author dislikes the feature. If attestation isn't triggered then prior behaviour will happen (captcha etc).. this is a progressive feature.. and the point of the attestation isn't to prove you're using an approved device, it's to prove a human is actually present, of which, a verified software stack is needed, otherwise the feature is useless..
replies(4): >>Zinu+Wf >>helloj+vs1 >>dahwol+LD1 >>fruitr+lA2
2. Zinu+Wf[view] [source] 2023-07-25 15:54:53
>>meandm+(OP)
> If attestation isn't triggered then prior behaviour will happen

That’s up to the web server to decide, it could just block you instead, and there is incentive to do exactly that.

> attestation isn't to prove you're using an approved device

That’s what it is doing though, so it can and will be used for that.

replies(1): >>meandm+sQ3
3. helloj+vs1[view] [source] 2023-07-25 20:25:05
>>meandm+(OP)
Does this progressive feature allow every visitor to a site to be uniquely identified with 100% certainty? Because that doesn't sound very progressive.
replies(1): >>meandm+aR3
4. dahwol+LD1[view] [source] 2023-07-25 21:05:10
>>meandm+(OP)
It doesn't prove that a human is present at all.
replies(1): >>meandm+KP3
5. fruitr+lA2[view] [source] 2023-07-26 04:40:30
>>meandm+(OP)
The captcha and fingerprinting methods are higher effort compared to attestation, so I think there is an incentive for most sites to get rid of it in favor of attestation.
◧◩
6. meandm+KP3[view] [source] [discussion] 2023-07-26 14:07:20
>>dahwol+LD1
It actually does, that's entirely it's purpose.. I know it takes a little effort to actually go and research yourself, but here you go https://developer.apple.com/videos/play/wwdc2022/10077/
replies(1): >>dahwol+tx5
◧◩
7. meandm+sQ3[view] [source] [discussion] 2023-07-26 14:10:27
>>Zinu+Wf
Where's the incentive to block your potential customers?
◧◩
8. meandm+aR3[view] [source] [discussion] 2023-07-26 14:13:14
>>helloj+vs1
Again, you need only research and find they are designed independently not to allow this https://developer.apple.com/videos/play/wwdc2022/10077/
replies(1): >>helloj+AE4
◧◩◪
9. helloj+AE4[view] [source] [discussion] 2023-07-26 17:09:18
>>meandm+aR3
If that is the case, what stops people from setting up bot farms to gathering millions of valid keys per origin, and then passing them off to requesting users to use with unapproved devices? Seems like the same choke point still exists, in that captchas may be required to prove the token requestor is human.

And since you also could do it maliciously in the sense that you could fire and forget requests if you didn't care about the token, you could spoof your ip across the range of all residential ips to try and force captcha rate limiting on everyone that requests an attlestation.

◧◩◪
10. dahwol+tx5[view] [source] [discussion] 2023-07-26 20:31:24
>>meandm+KP3
You must have never heard of test automation with real devices? No human there, still passes this check.
replies(1): >>meandm+Z58
◧◩◪◨
11. meandm+Z58[view] [source] [discussion] 2023-07-27 14:42:56
>>dahwol+tx5
Even if that's true (apple is a bit ambiguous here because they say passcode login is enough), this is still connected to a need to login physically, it sets a much higher cost of acquisition for most.. plus this isn't relevant.. the tech is still aimed at proving real human interaction, even if it's not perfect at that today..
[go to top]