zlacker

[parent] [thread] 5 comments
1. protoc+(OP)[view] [source] 2023-07-26 15:05:49
This is kind of overblown isnt it?

I remember sites doing all sorts of hacks to identify and shut down IE back in the day. "Works best in Chrome/Firefox".

"The proposal calls for at least the following information in the signed attestation:

    The attester's identity, for example, "Google Play".
    A verdict saying whether the attester considers the device trustworthy.
"

So a user agent string and a weak attestation?

This seems an overcomplex nothingburger.

replies(3): >>nobody+a2 >>helen_+V4 >>allisd+F8
2. nobody+a2[view] [source] 2023-07-26 15:13:08
>>protoc+(OP)
And if the "attester" decides that IceWeasel on Ubuntu (or Firefox with uBlock/uMatrix/NoScript) isn't "trustworthy," but (unmodified) Chrome is "trustworthy," you've just created vendor lock-in.

That's not a "nothingburger" IMHO.

replies(1): >>protoc+vB9
3. helen_+V4[view] [source] 2023-07-26 15:20:51
>>protoc+(OP)
It’s a signed attestation. A user agent can be spoofed, this attestation needs to be signed cryptographically with a trusted key, for example a hardware key shipped in your device by an approved vendor. Think Apples Secure Enclave.

The goal is a verified stack - the hardware key proves you have approved hardware. The approved hardware proves you don’t have a tampered OS. The untampered OS proves you have approved binaries. The approved binaries disallow certain actions that users want such as blocking ads or downloading YouTube videos.

4. allisd+F8[view] [source] 2023-07-26 15:34:10
>>protoc+(OP)
What part of attestation don't you understand? If linked with a OS level signing with keys stored on TPM, it's game over for private browsing. The only thing worse than companies proposing such measures are the useful idiots downplaying the impact. If someone disagrees, pray tell us muddle brains how to bypass this on a proprietary OS with locked boot and tpm stored keys.
replies(1): >>protoc+lB9
◧◩
5. protoc+lB9[view] [source] [discussion] 2023-07-29 01:30:25
>>allisd+F8
>If linked with a OS level signing with keys stored on TPM

Is that listed in the article anywhere? Is that part of the proposal?

The proposal does however say that even if the attestation fails, that the user should be allowed to access the website.

Are you upset with the proposal, or some other proposal that you are imagining?

◧◩
6. protoc+vB9[view] [source] [discussion] 2023-07-29 01:31:33
>>nobody+a2
The same proposal suggests that users who fail the attestation still access the content. Which is apparently how the Apple version of this same protocol already works.
[go to top]