Most active commenters
  • onion2k(3)

←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 20 comments | 25 Jul 23 14:10 UTC | HN request time: 0.569s | source | bottom
Show context
Santosh83 ◴[25 Jul 23 14:28 UTC] No.36862751[source]
Maybe I'm wrong but Web Attestation will also be a death knell for Linux devices (not Android/Chrome OS) as far as being able to use them as equal clients to use the Web goes. They're simply too diverse and 'hackable' as a plotform for remote attestation to work reliably and thus they'll be excluded altogether (except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore).
replies(7): >>36862825 #>>36862993 #>>36863025 #>>36863063 #>>36863230 #>>36864206 #>>36865119 #
1. onion2k ◴[25 Jul 23 14:44 UTC] No.36863025[source]
I slightly suspect that the only platforms that will actually implement Web Attestation are the ones I'm trying to remove myself from, so I secretly[1] hope this is the catalyst I need to stop going on crappy social networks and video platforms.

I apparently don't have the will power to stop going on these sites so maybe stopping me loading content from the other side is exactly what I need.

[1] Not so secretly now I've mentioned it here I suppose.

replies(3): >>36863057 #>>36863066 #>>36864188 #
2. tomstockmail ◴[25 Jul 23 14:46 UTC] No.36863057[source]
Banks.
replies(2): >>36863207 #>>36863374 #
3. cjbgkagh ◴[25 Jul 23 14:47 UTC] No.36863066[source]
My strategy is attrition, I avoid developing new sites of habit and over time the old ones get worse and I lose the compulsion to visit.
4. N19PEDL2 ◴[25 Jul 23 14:55 UTC] No.36863207[source]
There's a lot of competition in the banking sector, so I don't think banks can afford to start telling customers that they need specific devices to access their online services.
replies(7): >>36863318 #>>36863363 #>>36863432 #>>36863516 #>>36863650 #>>36871174 #>>36874938 #
5. c0l0 ◴[25 Jul 23 15:01 UTC] No.36863318{3}[source]
The banking sector is EXACTLY where "cyber 'security'" and "compliance" will mandate for this to be implemented.

When I worked a bank at $oldjob, compliance mandated we had a full-blown anti virus engine (from Microsoft or McAfee, "at your option") deployed in quasi-ephemeral container images.

It does not have to be reasonable, it doesn't have to be a net positive - it just has to tick some box on some compliance sheet for this to be required, and I will never again be able to perform a banking transaction from my personal computer or degoogled phone again.

replies(1): >>36864400 #
6. Knee_Pain ◴[25 Jul 23 15:04 UTC] No.36863363{3}[source]
They already do: they force you to use the latest Android/iOS versions for "security reasons", which for most people requires a hardware upgrade
7. onion2k ◴[25 Jul 23 15:05 UTC] No.36863374[source]
Given how long it took my bank to launch a mobile app I think I have a few decades before they implement this tech.
replies(1): >>36864605 #
8. bongobingo1 ◴[25 Jul 23 15:08 UTC] No.36863432{3}[source]
https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...

https://web.archive.org/web/20230309020227/https://www.nytim...

https://www.theregister.com/2020/12/10/south_korea_activex_c... (2020)

> South Korea knew it had an ActiveX problem way back in 2015, because even then the need to use ActiveX to do business on local websites irked outsiders.

> For locals, the requirement to run the code was so annoying that getting rid of it became an election promise at the nation’s 2017 presidential election.

> That promise has now been delivered: the nation’s Ministry of Science and ICT today (2020) annnouced the service’s planned demise.

Banks might not, but the governments may come to a similar idea, and tell the banks to tell you.

9. reaperducer ◴[25 Jul 23 15:13 UTC] No.36863516{3}[source]
I don't think banks can afford to start telling customers that they need specific devices to access their online services.

They already make demands.

Two of the very large national banks I have accounts with restrict your access if you're not even using the right browser version. One puts a warning in every page. The other won't even let you log in.

To make the second one even worse, it requires a very specific version, not just > $version, so if i update my OS too quickly, it won't let me in.

10. bakugo ◴[25 Jul 23 15:22 UTC] No.36863650{3}[source]
As far as I know, it's extremely common for banking apps to implement integrity attestation on android. My bank's app only shows a warning message and doesn't restrict anything otherwise, but I've heard plenty of stories of other banking apps that refuse to run.
11. CodesInChaos ◴[25 Jul 23 15:53 UTC] No.36864188[source]
CDNs are a problem. Half the internet is behind cloudflare, which you already painfully notice when using Tor Browser.
12. delfinom ◴[25 Jul 23 16:03 UTC] No.36864400{4}[source]
Most banks have barely implemented 2FA, and when they have, they implement SMS.

The only financial provider I have that supports anything other than backdoors is Vanguard with U2F support.

Shit, AMEX still lowercases your passwords before (hopefully) hashing them.

We got plenty of time for those mandates to occur ;)

replies(3): >>36864658 #>>36866942 #>>36875477 #
13. freedomben ◴[25 Jul 23 16:13 UTC] No.36864605{3}[source]
So in 30 years, then what? Just hope we've all died?
replies(2): >>36869172 #>>36870204 #
14. freedomben ◴[25 Jul 23 16:16 UTC] No.36864658{5}[source]
So what, let's not worry about it until after it's implemented when it's a 10,000 kg gorilla, instead of trying to nip it in the bud now? Is the world going to end tomorrow so lets just eat, drink and be merry for tomorrow we die?

Now is the time to fight this. It will impossible to unravel it once it's been implemented.

15. PaulDavisThe1st ◴[25 Jul 23 18:19 UTC] No.36866942{5}[source]
> Most banks have barely implemented 2FA, and when they have, they implement SMS.

One reason I slightly swallow my guilt at having a savings account with Goldman Sachs (marcus.com) is that they offer email-based 2FA. I closed my savings accounts at Chase when they enforced SMS-only 2FA.

BTW, I feel slightly less guilty about saving with these banks instead of my actual credit union after my brother-in-law (who has been in the CU world for decades) told me that if a credit union can't offer competitive savings rates, it means they are lacking in opportunities for significant local lending.

16. onion2k ◴[25 Jul 23 20:44 UTC] No.36869172{4}[source]
Of course not.

I'm hoping for a global catastrophe leading to the end of money and the rise of bartering for fuel in return for food and water with roving motorcycle gangs.

17. lrem ◴[25 Jul 23 21:59 UTC] No.36870204{4}[source]
An airgapped system for doing your banking and other bureaucracy?
18. Gazoche ◴[25 Jul 23 23:32 UTC] No.36871174{3}[source]
It's already happening on smartphones with the proliferation of SafetyNet requirements. Once a few generations of Android smartphones have passed and most current devices support the required hardware, all banks can just make SafetyNet a hard requirement and the average non-technical user will be none the wiser.

The same thing can happen on desktop. In fact I'd say it's already happening, with Microsoft making TPM2.0 a hard requirement for Windows. The frog is slowly being boiled.

19. account42 ◴[26 Jul 23 09:15 UTC] No.36874938{3}[source]
They'll just lobby the government to make it a requirement.
20. diego_sandoval ◴[26 Jul 23 10:41 UTC] No.36875477{5}[source]
> and when they have, they implement SMS.

That's the problem. They do implement things, and they do them in the worst possible way.

My bank forces me to 2FA trough SMS when I connect from a new IP range. This means that I can't do any banking through them when I'm outside of my country.

I wish they just didn't implement any form of 2FA instead. That would be better than the current situation.