
596 points pimterry | 2 comments

superkuh No.36862573
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host an HTTP/3 website visitable by a random normal person, you have to get continued approval (every 3 months min) from a third-party CA corporation for your website.
replies(2): >>36862591 #>>36863130 #
agwa No.36863130
There are two reasons this is not comparable to the remote attestation proposal that Google is currently proposing:

1. The only things that WebPKI CAs are required to attest to are that domain validation was properly completed and that the private key is not compromised. The system is designed (in both intent and practice) for any website to be able to easily get a certificate, and even the most untrustworthy, undesirable websites can and do get certificates on the regular. In contrast, Google's remote attestation proposal is clearly intended to assess the trustworthiness/desirability of the client.

2. The TLS requirement imposes a burden on website operators but provides a clear benefit for end users, which is totally in line with the Internet's Priority of Constituencies[1]. In contrast, Google's attestation proposal places a burden on end users for the benefit of website operators, which violates the Priority of Constituencies.

Additionally, I must note that Firefox also requires a TLS certificate for HTTP/3 (as they did for HTTP/2). Not sure why you'd omit Mozilla from your list of browser makers doing this, but it's a misrepresentation to imply that this is something only "mega-corp browsers" do, when there is actually broad agreement that this is a good thing.

[1] https://datatracker.ietf.org/doc/html/rfc8890

replies(2): >>36863474 #>>36870009 #
1. oceanplexian No.36863474
All of these proposals are in fact the same thing. They're designed to obfuscate, complexify, and over-engineer the Internet to fuck people over. I don't care if my Magic: The Gathering fan site has an auto-rotated 3-month-expiry TLS certificate to "protect" the users. Those of us who have been online since before the 21st century see this exactly for what it is: a cash grab and increasing mechanisms to tighten the screws of monopolies like AWS, Google, Apple, and Microsoft, and to lock down our devices and the web into a walled garden that only the tech giants can control.
replies(1): >>36863666 #
2. Avamander No.36863666
> I don't care if my Magic: The Gathering fan site has an auto-rotated 3-month-expiry TLS certificate to "protect" the users.

You don't, based on your threat model. Other people have other threat models. I don't want potentially tampered/malicious content/JavaScript hitting my browser; I can also simply not visit your site. Such a simplification cannot be made on the wide (and hostile) web. TLS is trivial enough to be the norm.

We can also draw parallels with food safety. Feel free to cook whatever you wish however you wish at your own home. If you want to offer it to people passing by on the street you have to follow food safety rules.