←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.207s | source
Show context
Santosh83 ◴[25 Jul 23 14:28 UTC] No.36862751[source]
Maybe I'm wrong but Web Attestation will also be a death knell for Linux devices (not Android/Chrome OS) as far as being able to use them as equal clients to use the Web goes. They're simply too diverse and 'hackable' as a plotform for remote attestation to work reliably and thus they'll be excluded altogether (except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore).
replies(7): >>36862825 #>>36862993 #>>36863025 #>>36863063 #>>36863230 #>>36864206 #>>36865119 #
smoldesu ◴[25 Jul 23 14:32 UTC] No.36862825[source]
If this happens, I expect the majority of Windows and Android devices to stop working too. They are also a diverse and hackable platform that is apparently insufficient for a future where I have to attest to owning certain hardware.

> except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore

You know, I hear this a lot but seldom hear the details of how it might happen. Industry-controlled UNIX is the reason Linux exists - if you take the spirit away from Linux, it gets forked into another community project. Unless you're stripping it of it's GPL license, Linux will be "Linux in Spirit" until it stops being used altogether.

replies(4): >>36862879 #>>36862948 #>>36863069 #>>36863354 #
Avamander ◴[25 Jul 23 14:35 UTC] No.36862879[source]
Not the majority, just a *lot* of older ones.

New Android phones have hardware-backed SafetyNet, new Windows devices have Trusted Boot (not to be confused with Secure Boot).

Both can and will be used to attest the browser environment. Linux devices will get hit (unless I guess we see locked down signed kernels, Chromebook-like things).

replies(1): >>36863591 #
1. treprinum ◴[25 Jul 23 15:18 UTC] No.36863591[source]
It's really slowly boiling frog situation playing out over the past 20 years. Since Aegis bootloader outlined how trusted computing will be created with predictions of allowing Internet access only to attested devices/people, we seem to be at the brink of somebody flipping the switch. Other predictions contained historic data/web changing as politically convenient with nobody being able to access/view the old original anymore due to only attested devices available.