←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.211s | source
Show context
willcipriano ◴[25 Jul 23 14:25 UTC] No.36862717[source]
Why can't you fake remote attestation? I imagine it's a bit more involved than swapping a user agent but is there some magic mechanism that makes it impossible to spoof?
replies(6): >>36862781 #>>36862809 #>>36862813 #>>36863035 #>>36863106 #>>36871239 #
1. Avamander ◴[25 Jul 23 14:32 UTC] No.36862813[source]
Keys sealed in hardware from the factory. SafetyNet already does this on Android from boot up to apps (that use it, which includes shit like McDonalds...). This would extend it potentially up until a website itself.

Really powerful and useful if you need strong integrity. Really really painful if you want full(er) control over your device.