596 points pimterry | 12 comments
1. meandmycode No.36863228
Some of the takes about why attestation is bad seem purposely false because the author dislikes the feature. If attestation isn't triggered then prior behaviour will happen (captcha etc.). This is a progressive feature, and the point of the attestation isn't to prove you're using an approved device; it's to prove a human is actually present, for which a verified software stack is needed, otherwise the feature is useless.
replies(5): >>36863679, >>36864216, >>36868839, >>36869537, >>36873169
2. No.36863679
3. Zinu No.36864216
> If attestation isn't triggered then prior behaviour will happen

That's up to the web server to decide; it could just block you instead, and there is an incentive to do exactly that.

> attestation isn't to prove you're using an approved device

That's what it is doing though, so it can and will be used for that.

replies(1): >>36878012
4. hellojesus No.36868839
Does this progressive feature allow every visitor to a site to be uniquely identified with 100% certainty? Because that doesn't sound very progressive.
replies(1): >>36878056
5. dahwolf No.36869537
It doesn't prove that a human is present at all.
replies(1): >>36877968
6. fruitreunion1 No.36873169
The captcha and fingerprinting methods are higher effort compared to attestation, so I think there is an incentive for most sites to get rid of them in favor of attestation.
7. meandmycode No.36877968
It actually does; that's entirely its purpose. I know it takes a little effort to actually go and research it yourself, but here you go: https://developer.apple.com/videos/play/wwdc2022/10077/
replies(1): >>36884523
8. meandmycode No.36878012
Where's the incentive to block your potential customers?
9. meandmycode No.36878056
Again, you need only research it and find they are designed independently not to allow this: https://developer.apple.com/videos/play/wwdc2022/10077/
replies(1): >>36881120
10. hellojesus No.36881120 {3}
If that is the case, what stops people from setting up bot farms to gather millions of valid keys per origin, and then passing them off to requesting users to use with unapproved devices? The same choke point seems to still exist, in that captchas may be required to prove the token requestor is human.

And since you could also do it maliciously, in the sense that you could fire and forget requests if you didn't care about the token, you could spoof your IP across the range of all residential IPs to try and force captcha rate limiting on everyone that requests an attestation.

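The flow the thread is arguing about, as an added example that is not part of the original thread and not code from Apple, the Privacy Pass specifications or any commenter here: the origin issues a challenge, the client blinds it so the issuer cannot see which origin or challenge it is for, the issuer signs only when the device is attested, and the origin verifies the unblinded signature. The `block_unattested` flag on the origin is the policy choice discussed above (fall back to a CAPTCHA, or refuse clients with no token), and `replay_demo` shows what a token minted on an attested device is worth once it has been handed to someone else: it is bound to the one challenge it was issued for and is accepted once. The toy RSA key, the `shop.example` challenge encoding and the response strings are invented for illustration.

```python
# Toy Private Access Token / Privacy Pass style flow: origin challenge,
# blinded issuance gated on device attestation, redemption at the origin.
# Added illustration, not code from Apple, the IETF Privacy Pass drafts or
# anyone in this thread; blind RSA as in RFC 9474, but with a ~40-bit toy
# modulus and ad hoc encodings, so nothing here is deployable.
import hashlib
import math
import secrets
from dataclasses import dataclass, field
from typing import Optional


def next_prime(x: int) -> int:
    """Smallest prime >= x by trial division (fine at toy size)."""
    while any(x % d == 0 for d in range(2, math.isqrt(x) + 1)):
        x += 1
    return x


# Constructed toy issuer key; small so every step is inspectable.
P, Q = next_prime(10**6), next_prime(10**6 + 30)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, issuer only


def challenge_to_int(challenge: bytes) -> int:
    """Hash the origin's challenge into the RSA group, 1 <= m < N."""
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return 1 + h % (N - 1)


def blind(challenge: bytes):
    """Client: hide the challenge from the issuer with a random factor r."""
    m = challenge_to_int(challenge)
    r = secrets.randbelow(N - 2) + 2
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return m * pow(r, E, N) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Client: strip r; the result is an ordinary RSA signature on m."""
    return blinded_sig * pow(r, -1, N) % N


def issue(blinded: int, device_attested: bool) -> Optional[int]:
    """Issuer: sign only if the attester vouched for the device. It sees
    neither the origin nor the challenge, only the blinded value."""
    return pow(blinded, D, N) if device_attested else None


@dataclass
class Origin:
    """Web server. `block_unattested` is the policy knob the thread argues
    about: fall back to a CAPTCHA, or refuse clients without a token."""
    block_unattested: bool = False
    outstanding: set = field(default_factory=set)

    def new_challenge(self) -> bytes:
        ch = b"origin=shop.example;nonce=" + secrets.token_hex(16).encode()
        self.outstanding.add(ch)
        return ch

    def serve(self, challenge: bytes, token: Optional[int]) -> str:
        if (token is not None and challenge in self.outstanding
                and pow(token, E, N) == challenge_to_int(challenge)):
            self.outstanding.discard(challenge)   # single use: replay fails
            return "200 content"
        return "403 blocked" if self.block_unattested else "200 captcha"


def visit(origin: Origin, device_attested: bool) -> str:
    """One page load: challenge -> blinded issuance -> redemption."""
    challenge = origin.new_challenge()
    blinded, r = blind(challenge)
    blinded_sig = issue(blinded, device_attested)
    token = None if blinded_sig is None else unblind(blinded_sig, r)
    return origin.serve(challenge, token)


def replay_demo(origin: Origin):
    """Token minted for one challenge: redeemed once, replayed, then tried
    against a different challenge from the same origin."""
    ch1 = origin.new_challenge()
    blinded, r = blind(ch1)
    tok = unblind(issue(blinded, True), r)
    first, replay = origin.serve(ch1, tok), origin.serve(ch1, tok)
    other = origin.serve(origin.new_challenge(), tok)
    return first, replay, other


if __name__ == "__main__":
    print(visit(Origin(), True))                        # 200 content
    print(visit(Origin(), False))                       # 200 captcha
    print(visit(Origin(block_unattested=True), False))  # 403 blocked
    print(replay_demo(Origin()))  # ('200 content', '200 captcha', '200 captcha')
```

Two things to read off the code rather than the argument: the issuer only ever handles `blinded`, so it cannot tie a signature back to the origin or challenge, which is the unlinkability both sides take for granted; and whether a client without a token gets `200 captcha` or `403 blocked` is decided entirely in `Origin.serve`, not by the protocol.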
11. dahwolf No.36884523 {3}
You must have never heard of test automation with real devices? No human there, still passes this check.
replies(1): >>36894351
12. meandmycode No.36894351 {4}
Even if that's true (Apple is a bit ambiguous here because they say passcode login is enough), this is still connected to a need to log in physically; it sets a much higher cost of acquisition for most. Plus this isn't relevant: the tech is still aimed at proving real human interaction, even if it's not perfect at that today.