zlacker

TPMs with attestation do exactly that. Are you opposed to that as well?

>>endisn+(OP)
Seems like a strange way to make a point to start out with SSL and then shift the argument to TPM/attestation...

>>endisn+(OP)
Yes, I have been opposed to TPM since the start.

>>endisn+(OP)
That's exactly what WEI is supposed to do... And yes, websites should not be able to use the TPM for attesting the user's environment.

>>JohnFe+g
What's your solution then to the problem TPMs solve?

>>rezona+F
why not? how do you want to solve the problem of provenance? if you feel it's not a problem to begin with, then the sites in question can simply choose not to enable it. if they enable and believe it is a problem, then clearly there's a dissonance between the places you choose to visit and their goals, no?

>>endisn+W
WEI does not solve any "problem of provenance"; it's DRM for the web. It asserts things about the browser environment to the website operator, not the other way around.

Are you sure you actually understand these two technologies (WEI and TLS) sufficiently to make these claims?

>>endisn+(OP)
Yes, TPMs have no business being part of the open web. They enable CIOs to make bad decisions like preventing a bank's website from being loaded in non-TPM browsers.

>>endisn+Q
That depends on which problem you're talking about. But this is not the issue at hand.

>>endisn+Q
What do you get from blasting this thread with a bunch of naive one liners that you could answer yourself if you studied the topic on your own for a little bit?

The answer to this one is that the fundamental problem that current TPMs aim to "solve" is that of allowing corporate control and inspection of end users' computers. To continue having a free society where individuals have some autonomy over the devices they purportedly own, this needs to be soundly rejected.

>>endisn+W
> sites in question can simply choose not to enable it.

My problem isn't that I as a developer don't have an option to not implement attestation checks on my own web properties. I already know that (and definitely won't be implementing them).

My problem is that a huge number of websites will, ostensibly as an easier way to prevent malicious automation, spam etc, but in doing so will throw the baby out with the bathwater: That users will no longer have OS and browser choice because the web shackles them to approved, signed, and sealed hardware/software combinations primarily controlled by big tech.

>>endisn+Q
which problem? Some 'problems' TPMs solve should not be solved. Others are perfectly reasonable but a generally a lot less common.

>>endisn+W
> then the sites in question can simply choose not to enable it

Google can reduce the page rank of websites that dont enable it (or just not give any page rank at all) and now everyone who wants to be found has to enable it

>>endisn+W
The problem of provenance is significantly smaller than the problem of monopolistic companies given control over who is and is not an approved user of the web.

Provenance to the extent it is a problem is already handleable and largely handled. Note that "handled" here does not mean it is 100% gone, only that it is contained. Monopolistic control over the web is not containable.

>>endisn+(OP)
I support myself using a TPM to attest if my system has not been tampered

But I oppose others, Google/Microsoft/Facebook/..., attesting if my system is according their specifications

>>endisn+(OP)
Why are you proposing some sort of reverse slippery slope? So because "we" don't oppose a TPM, we shouldn't oppose any form of attestation?

If anything you are just proving the point of the most paranoid.

I don't even have a strong opinion on this but it's so weird to see this argument over and over. It's just calling for even an even more extreme reaction to any effort that goes in this direction, just in case it's used to justify a push for even worse stuff down the line.

>>mindsl+o2
Good idea, we just throw out all the security mechanisms to avoid "corporate control" and even worse anti virus software "inspecting end users' computers". I'm sure people will be very happy about all the mal- and ransomware they receive. Imagine the utopia we would live in.

>>pptr+sd
You're using scare quotes, but I do specifically mean corporate control. Current TPMs were designed around giving centralized parties (eg corporations) privileged keys. TPMs could certainly be designed to not have any baked in privileged keys, instead putting the owner at the trust root. The current crop just wasn't.

Also that you're talking about anti virus shows that you're not really in touch with the gamut of computing. From my perspective, anti virus was something that was relevant two decades ago.

>>rvba+e6
That would clearly be an antitrust violation or deceptive business practice in one or more countries. Though by the time they get penalized for it, the damage would have been done.

>>endisn+(OP)
I am. I've had apps try to use Google Safetynet to prevent me from running them on my phone (which is not running the manufacturer-provided Android build), and I am certainly opposed to that.

I wouldn't mind being able to use the TPM to tell me whether the hardware and software are what I expected them to be, but that's different.

>>endisn+W
Under capitalism (or really any socio-economic system) we engage with services for reasons other than choice all the time. For example, if you're living in an area where just one or two banks exist, and both of them suddenly decide to force DRM because their cyber insurance company told them to, you can suddenly no longer access their sites on Linux. That's pretty fucked up.

The people who want to use DRM to solve their problems should just suck it up and find alternatives.

>>rvba+e6
Google can already do this if they want to. For example, they could increase the page rank of sites use Google Analytics (or any other Google client library). But this would be exceedingly stupid because it would compromise the quality of their search results, and remaining the leader in search should be their highest priority.