←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 1.133s | source
Show context
willcipriano ◴[25 Jul 23 14:25 UTC] No.36862717[source]
Why can't you fake remote attestation? I imagine it's a bit more involved than swapping a user agent but is there some magic mechanism that makes it impossible to spoof?
replies(6): >>36862781 #>>36862809 #>>36862813 #>>36863035 #>>36863106 #>>36871239 #
Santosh83 ◴[25 Jul 23 14:31 UTC] No.36862809[source]
Maybe not impossible but my understanding is the TPM and the closed source nature of the system level code will make it difficult enough that 99% of users will not be able to do it, which is what industry wants. They're never worried about diehards and hermits. Those people will be confined to their caves & made irrelevant.
replies(1): >>36863136 #
1. cxr ◴[25 Jul 23 14:51 UTC] No.36863136[source]
That's backwards. It's the diehards (i.e. determined adversaries) they are thinking about. 99% of users are already not doing this stuff. They want a way to continue servicing that 99% and shut out the remainder. That's the whole point.