1. saurik (OP) 2023-07-25 18:35:47
FWIW, Cloudflare also seems confused, so it is no wonder that we are? :(

https://blog.cloudflare.com/private-attestation-token-device...

> At WWDC 2022, Apple announced Private Attestation Tokens. Today, we’re announcing that Cloudflare Access will support verifying a Private Attestation token. This means that security teams that rely on Cloudflare Access can verify a user’s Apple device before they access a sensitive application — no additional software required.

> Private Attestation Tokens do not require any additional software to be installed on the user’s device. This is because the “attestation” of device health and validity is attested directly by the device operating system’s manufacturer — in this case, Apple.

> This means that a security team can use Cloudflare Access and Private Attestation Tokens to verify if a user is accessing from a “healthy” Apple device before allowing access to a sensitive corporate application. Some checks as part of the attestation include:

> Is the device on the latest OS version?

> Is the device jailbroken?

> Is the window attempting to log in, in focus?

> And much more.

2. helloj+s21 2023-07-25 23:36:18
>>saurik+(OP)
What prevents the client from receiving a valid token and then passing it off to another entity for that entity to use in their request? Could you have token farms that just generate tokens and provide them to "unhealthy" devices?