786
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 29 Jul 2023
786 points (98.9% liked)
Programming
17662 readers
265 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
What exactly is the attestation checking? As far as I can tell it is a TPM assertion possibly that you have secure boot enables and that the browser has not been tampered with. Is there anything else? I looked in the Github page but alls that I saw was placeholders. Is this documented somewhere?
I think it's up to the attestor. So in theory it could check anything from what you described (most likely) to requiring that all users have a background image of Ronald McDonald (less likely).
It's TPM based on Android yes from the look of it, their article mentioned the Play Integrity API. So at least on phones it can potentially require a locked bootloader running the vendor's OS completely unmodified.
That makes a lot of sense. Not sure how that would work on Windows where users typically run with admin credentials. Yes, I cannot modify the boot loader, but with admin credentials I can do many malicious things to your traffic in between the browser and the OS, up to and including attaching a debugger to your browser process to see kernel memory.
I know it is possible for Linux to pass secure boot in some cases, so in theory it could be possible for there to attestation on Linux systems, but this suffers from the same flaw as Windows since users have root access.
In the end the only thing this will do is prevent someone from using curl or cli tools to access a site that requires attestation. Will this prevent bots? I am not certain. You could in effect guarantee a 1-1 relationship of users to TPM/Secure Enclaves. This would slow down bot farmers, but not stop them.
Chinese bot farm with 100's of physical smartphones -> https://youtu.be/aSESD6rm54o
IMO, requiring a TPM for any kind of attestation wouldn't do much because they can be procured in the tens of thousands for not much money at all. Then they use an SPI bus to communicate, so you could basically build a cheap device that only multiplexes dozens, hundreds, or thousands of TPM on a single physical host.
The real sham of this, to me, is that Google's talking nonsense about ensuring the client device is "trustworthy" for whatever their criteria means. But in reality the client needs a real assurance that the site it's visiting isn't malicious, serving malicious content, or otherwise collecting data that could be used for malicious purposes. Google has directly failed two of those three for many years, and one of them is their entire business model. Where is our protection from Google?
Maybe Google should use their clout to work against DRM online, and push back on the insatiable corporate greed of most of the content creation corporations? Especially those busy cutting down trees to prevent striking workers from getting shade?
Adding on to this, what of people in sanctioned nations? Google, as a US entity, is compelled to adhere to US law and to sanction nations that the US deems should be sanctioned. What about activists in those nations? What about targeted populations in those countries? What happens when a minority group is targeted by a hostile government and that government demands logs of device tokens accessing information the government doesn't like? This idea is nonsense on so many levels, and such a 180 degree turn from how the internet has developed over its existence.
Here is an alternative Piped link(s): https://piped.video/aSESD6rm54o
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I'm open-source, check me out at GitHub.