Most active commenters
  • Avamander(3)
  • onion2k(3)
  • shuckles(3)

←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 54 comments | 25 Jul 23 14:10 UTC | HN request time: 0.836s | source | bottom
1. Santosh83 ◴[25 Jul 23 14:28 UTC] No.36862751[source]
Maybe I'm wrong but Web Attestation will also be a death knell for Linux devices (not Android/Chrome OS) as far as being able to use them as equal clients to use the Web goes. They're simply too diverse and 'hackable' as a plotform for remote attestation to work reliably and thus they'll be excluded altogether (except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore).
replies(7): >>36862825 #>>36862993 #>>36863025 #>>36863063 #>>36863230 #>>36864206 #>>36865119 #
2. smoldesu ◴[25 Jul 23 14:32 UTC] No.36862825[source]
If this happens, I expect the majority of Windows and Android devices to stop working too. They are also a diverse and hackable platform that is apparently insufficient for a future where I have to attest to owning certain hardware.

> except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore

You know, I hear this a lot but seldom hear the details of how it might happen. Industry-controlled UNIX is the reason Linux exists - if you take the spirit away from Linux, it gets forked into another community project. Unless you're stripping it of it's GPL license, Linux will be "Linux in Spirit" until it stops being used altogether.

replies(4): >>36862879 #>>36862948 #>>36863069 #>>36863354 #
3. Avamander ◴[25 Jul 23 14:35 UTC] No.36862879[source]
Not the majority, just a *lot* of older ones.

New Android phones have hardware-backed SafetyNet, new Windows devices have Trusted Boot (not to be confused with Secure Boot).

Both can and will be used to attest the browser environment. Linux devices will get hit (unless I guess we see locked down signed kernels, Chromebook-like things).

replies(1): >>36863591 #
4. fsniper ◴[25 Jul 23 14:39 UTC] No.36862948[source]
If people can't use their prefered Linux distros to do banking, or can't connect to social networks,email providers, music streaming services and so on this will mean practically they are forced to switch distros. Which would eventually add more control power to some Distros to what goes into development and what not.

You can see systemd and it's history about how it hold power.

replies(2): >>36862963 #>>36863225 #
5. ◴[25 Jul 23 14:40 UTC] No.36862963{3}[source]
6. uwagar ◴[25 Jul 23 14:42 UTC] No.36862993[source]
excluded from browsing the web starts where? my isp wont let me browse the web? or youtube wont serve videos to me?
replies(2): >>36863349 #>>36863451 #
7. onion2k ◴[25 Jul 23 14:44 UTC] No.36863025[source]
I slightly suspect that the only platforms that will actually implement Web Attestation are the ones I'm trying to remove myself from, so I secretly[1] hope this is the catalyst I need to stop going on crappy social networks and video platforms.

I apparently don't have the will power to stop going on these sites so maybe stopping me loading content from the other side is exactly what I need.

[1] Not so secretly now I've mentioned it here I suppose.

replies(3): >>36863057 #>>36863066 #>>36864188 #
8. tomstockmail ◴[25 Jul 23 14:46 UTC] No.36863057[source]
Banks.
replies(2): >>36863207 #>>36863374 #
9. shuckles ◴[25 Jul 23 14:47 UTC] No.36863063[source]
So far, Private Access Tokens are not widely adopted so you can get a feel for the potential Linux experience by browsing the web with iCloud Private Relay enabled. This flags almost every website's anti-spam classifiers, and you end up having to do 3-5 captchas to access anything protected by one. Wikipedia also blocks you from editing: https://meta.wikimedia.org/wiki/Talk:Apple_iCloud_Private_Re....
replies(4): >>36863139 #>>36863163 #>>36863224 #>>36863242 #
10. cjbgkagh ◴[25 Jul 23 14:47 UTC] No.36863066[source]
My strategy is attrition, I avoid developing new sites of habit and over time the old ones get worse and I lose the compulsion to visit.
11. vaxman ◴[25 Jul 23 14:47 UTC] No.36863069[source]
> Industry-controlled UNIX is the reason Linux exists

Linux only exists because it is free and it runs free apps for every category of keyboard-driven task a typical user would want.

The answer to my question of how a predator like IBM is going to take out the other non-RHEL based distros is starting to come into focus. This should help Ubuntu get the Mint monkey off its back too.

12. api ◴[25 Jul 23 14:51 UTC] No.36863139[source]
Playing devils advocate: how else do you prevent spam without requiring a login on every single web page? Especially in the world of AI-powered spam that can be indistinguishable from humans and automated at scale and can solve captchas.

Spam destroys everything. The open web has been at war with it forever, and soon it will win just like it has won in every other domain that is not completely locked down.

I love the fediverse but I fully expect it be destroyed by spam as soon as it gets big and influential enough to be a juicy target.

The Internet is a dark forest. The future is private encrypted networks, private forums, etc.

replies(4): >>36863274 #>>36865133 #>>36865524 #>>36866335 #
13. flangola7 ◴[25 Jul 23 14:53 UTC] No.36863163[source]
How is this different from using Tor or an anonymization VPN?
replies(2): >>36863216 #>>36866260 #
14. N19PEDL2 ◴[25 Jul 23 14:55 UTC] No.36863207{3}[source]
There's a lot of competition in the banking sector, so I don't think banks can afford to start telling customers that they need specific devices to access their online services.
replies(7): >>36863318 #>>36863363 #>>36863432 #>>36863516 #>>36863650 #>>36871174 #>>36874938 #
15. shuckles ◴[25 Jul 23 14:56 UTC] No.36863216{3}[source]
IME, browsing the web with iCloud Private Relay is much better than Tor, since your client is not outright blocked by websites. I have not browsed the web much behind a VPN, so I can't compare the experiences.
16. simonklitj ◴[25 Jul 23 14:56 UTC] No.36863224[source]
Thank you! I’ve been going crazy trying to figure out why I’m completing so many captchas recently.
17. JohnFen ◴[25 Jul 23 14:56 UTC] No.36863225{3}[source]
Or run one of the "blessed" or "compromised" (depending on your point of view) distros in a VM purely for those types of things.
replies(2): >>36863289 #>>36871219 #
18. c0l0 ◴[25 Jul 23 14:57 UTC] No.36863230[source]
Of course, that is the most obvious consequence of this whole mess.
19. cush ◴[25 Jul 23 14:57 UTC] No.36863242[source]
I haven’t noticed anything different with Private Relay enabled
20. shuckles ◴[25 Jul 23 14:59 UTC] No.36863274{3}[source]
I think Private Access Token is a reasonable design, and it should be standardized with multiple attestation providers that any client can use. That seems like it would move the web forward, unlike simply not making headway on the problem of spam and fingerprinting/tracking as an anti-spam measure at all.
21. Avamander ◴[25 Jul 23 14:59 UTC] No.36863289{4}[source]
That's the point where you'd need the VM itself to be attested for it to work. Hyper-V kinda does it already with Shielded Windows VMs.

With the advent of SEV, you won't even be able to look at the stuff your hypervisor is running.

replies(1): >>36863690 #
22. c0l0 ◴[25 Jul 23 15:01 UTC] No.36863318{4}[source]
The banking sector is EXACTLY where "cyber 'security'" and "compliance" will mandate for this to be implemented.

When I worked a bank at $oldjob, compliance mandated we had a full-blown anti virus engine (from Microsoft or McAfee, "at your option") deployed in quasi-ephemeral container images.

It does not have to be reasonable, it doesn't have to be a net positive - it just has to tick some box on some compliance sheet for this to be required, and I will never again be able to perform a banking transaction from my personal computer or degoogled phone again.

replies(1): >>36864400 #
23. unethical_ban ◴[25 Jul 23 15:03 UTC] No.36863349[source]
Per the topic of the article, the latter.
24. voxic11 ◴[25 Jul 23 15:03 UTC] No.36863354[source]
All machines sold with Windows have been required to include a TPM since 2016.
25. Knee_Pain ◴[25 Jul 23 15:04 UTC] No.36863363{4}[source]
They already do: they force you to use the latest Android/iOS versions for "security reasons", which for most people requires a hardware upgrade
26. onion2k ◴[25 Jul 23 15:05 UTC] No.36863374{3}[source]
Given how long it took my bank to launch a mobile app I think I have a few decades before they implement this tech.
replies(1): >>36864605 #
27. bongobingo1 ◴[25 Jul 23 15:08 UTC] No.36863432{4}[source]
https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...

https://web.archive.org/web/20230309020227/https://www.nytim...

https://www.theregister.com/2020/12/10/south_korea_activex_c... (2020)

> South Korea knew it had an ActiveX problem way back in 2015, because even then the need to use ActiveX to do business on local websites irked outsiders.

> For locals, the requirement to run the code was so annoying that getting rid of it became an election promise at the nation’s 2017 presidential election.

> That promise has now been delivered: the nation’s Ministry of Science and ICT today (2020) annnouced the service’s planned demise.

Banks might not, but the governments may come to a similar idea, and tell the banks to tell you.

28. ooterness ◴[25 Jul 23 15:09 UTC] No.36863451[source]
The latter. Google could easily pressure many sites to adopt this by including ad revenue incentives.

If that catches on, it could rapidly be 90% of websites that won't serve content until they get the magic Google "no-adblock-here" handshake.

29. reaperducer ◴[25 Jul 23 15:13 UTC] No.36863516{4}[source]
I don't think banks can afford to start telling customers that they need specific devices to access their online services.

They already make demands.

Two of the very large national banks I have accounts with restrict your access if you're not even using the right browser version. One puts a warning in every page. The other won't even let you log in.

To make the second one even worse, it requires a very specific version, not just > $version, so if i update my OS too quickly, it won't let me in.

30. treprinum ◴[25 Jul 23 15:18 UTC] No.36863591{3}[source]
It's really slowly boiling frog situation playing out over the past 20 years. Since Aegis bootloader outlined how trusted computing will be created with predictions of allowing Internet access only to attested devices/people, we seem to be at the brink of somebody flipping the switch. Other predictions contained historic data/web changing as politically convenient with nobody being able to access/view the old original anymore due to only attested devices available.
31. bakugo ◴[25 Jul 23 15:22 UTC] No.36863650{4}[source]
As far as I know, it's extremely common for banking apps to implement integrity attestation on android. My bank's app only shows a warning message and doesn't restrict anything otherwise, but I've heard plenty of stories of other banking apps that refuse to run.
32. fsniper ◴[25 Jul 23 15:25 UTC] No.36863690{5}[source]
Also there is no guarantee that "attestation" won't require your software to run on the physical hardware and not on a vm.
replies(1): >>36863945 #
33. Avamander ◴[25 Jul 23 15:40 UTC] No.36863945{6}[source]
True, but virtualization is big enough (including Microsoft's own Windows365 offerings) that passing "trust" down into VMs will be done. And with SEV there isn't even a way to tamper with things after the attestation process has been completed.
34. CodesInChaos ◴[25 Jul 23 15:53 UTC] No.36864188[source]
CDNs are a problem. Half the internet is behind cloudflare, which you already painfully notice when using Tor Browser.
35. wyldfire ◴[25 Jul 23 15:54 UTC] No.36864206[source]
Cory Doctorow's keynote from 28C3 is prescient - "The coming war on general computation" [1]

[1] https://github.com/jwise/28c3-doctorow/blob/master/transcrip...

replies(2): >>36866891 #>>36870315 #
36. delfinom ◴[25 Jul 23 16:03 UTC] No.36864400{5}[source]
Most banks have barely implemented 2FA, and when they have, they implement SMS.

The only financial provider I have that supports anything other than backdoors is Vanguard with U2F support.

Shit, AMEX still lowercases your passwords before (hopefully) hashing them.

We got plenty of time for those mandates to occur ;)

replies(3): >>36864658 #>>36866942 #>>36875477 #
37. freedomben ◴[25 Jul 23 16:13 UTC] No.36864605{4}[source]
So in 30 years, then what? Just hope we've all died?
replies(2): >>36869172 #>>36870204 #
38. freedomben ◴[25 Jul 23 16:16 UTC] No.36864658{6}[source]
So what, let's not worry about it until after it's implemented when it's a 10,000 kg gorilla, instead of trying to nip it in the bud now? Is the world going to end tomorrow so lets just eat, drink and be merry for tomorrow we die?

Now is the time to fight this. It will impossible to unravel it once it's been implemented.

39. intrasight ◴[25 Jul 23 16:38 UTC] No.36865119[source]
I assume that IT departments in most orgs will just swap those attestation tokens for a generic "ACME Corp" token at the network layer. And I expect that home routers will give us that option as well.
40. tjoff ◴[25 Jul 23 16:39 UTC] No.36865133{3}[source]
> how else do you prevent spam without requiring a login on every single web page?

Probably missing something, what can you spam without an account today?

41. r00fus ◴[25 Jul 23 17:00 UTC] No.36865524{3}[source]
Spam even exists where logins ARE required. Look at Reddit or Twitter/X and any web-accessible forum where logins are required. Lots of spam everywhere.

I don’t think attestation will prevent this, it does however, prevent scraping if attestation is required to even view content.

replies(1): >>36891786 #
42. lost_tourist ◴[25 Jul 23 17:41 UTC] No.36866260{3}[source]
VPN works for almost any internet service and not just web browsing

VPN can be bought outside of a 5 eyes company

Tor is much better at making it easier to hide your browser footprint and thus anonymity browsing across sites as long as you reconnect often and don't change default settings.

43. yborg ◴[25 Jul 23 17:46 UTC] No.36866335{3}[source]
Based on where the MAU counts are, by your criteria the Fediverse will be safe from spam forever. Which falls into your last point, it's essentially a set of private forums, that interconnect. It's kind of ironic that the idea of the Fediverse apparently being beyond the neuron activation threshold of most people ends up being an effective filter.
44. PaulDavisThe1st ◴[25 Jul 23 18:15 UTC] No.36866891[source]
Do you think that Doctorow was expecting at least 9 years till this putative war got started?
45. PaulDavisThe1st ◴[25 Jul 23 18:19 UTC] No.36866942{6}[source]
> Most banks have barely implemented 2FA, and when they have, they implement SMS.

One reason I slightly swallow my guilt at having a savings account with Goldman Sachs (marcus.com) is that they offer email-based 2FA. I closed my savings accounts at Chase when they enforced SMS-only 2FA.

BTW, I feel slightly less guilty about saving with these banks instead of my actual credit union after my brother-in-law (who has been in the CU world for decades) told me that if a credit union can't offer competitive savings rates, it means they are lacking in opportunities for significant local lending.

46. onion2k ◴[25 Jul 23 20:44 UTC] No.36869172{5}[source]
Of course not.

I'm hoping for a global catastrophe leading to the end of money and the rise of bartering for fuel in return for food and water with roving motorcycle gangs.

47. lrem ◴[25 Jul 23 21:59 UTC] No.36870204{5}[source]
An airgapped system for doing your banking and other bureaucracy?
48. xorcist ◴[25 Jul 23 22:07 UTC] No.36870315[source]
Or, for a more grim take on the same concept, "We lost the war" from 22C3.
replies(1): >>36875601 #
49. Gazoche ◴[25 Jul 23 23:32 UTC] No.36871174{4}[source]
It's already happening on smartphones with the proliferation of SafetyNet requirements. Once a few generations of Android smartphones have passed and most current devices support the required hardware, all banks can just make SafetyNet a hard requirement and the average non-technical user will be none the wiser.

The same thing can happen on desktop. In fact I'd say it's already happening, with Microsoft making TPM2.0 a hard requirement for Windows. The frog is slowly being boiled.

50. Gazoche ◴[25 Jul 23 23:37 UTC] No.36871219{4}[source]
Even assuming the VM workaround works, this would be catastrophic from an usability standpoint.

Linux has been making giant strides towards increasing accessibility and lowering the friction of adopting it as a daily driver, while preserving the freedom to choose any distro you want.

Forcing new users to babysit a second installation in a special VM would be wiping out decades of progress.

51. account42 ◴[26 Jul 23 09:15 UTC] No.36874938{4}[source]
They'll just lobby the government to make it a requirement.
52. diego_sandoval ◴[26 Jul 23 10:41 UTC] No.36875477{6}[source]
> and when they have, they implement SMS.

That's the problem. They do implement things, and they do them in the worst possible way.

My bank forces me to 2FA trough SMS when I connect from a new IP range. This means that I can't do any banking through them when I'm outside of my country.

I wish they just didn't implement any form of 2FA instead. That would be better than the current situation.

53. lioeters ◴[26 Jul 23 10:57 UTC] No.36875601{3}[source]
https://media.ccc.de/v/22C3-920-en-we_lost_the_war
54. Tokumei-no-hito ◴[27 Jul 23 11:02 UTC] No.36891786{4}[source]
What would prevent bots from using “approved” attester devices to navigate and scrape? Is attestation done by checking what local processes are running?