
596 points pimterry | 1 comments
sam0x17 No.36862821
But signing necessarily is happening on the user's device... what is to stop Brave/etc from also signing their outgoing requests with the same key your local Chrome install is using? On a mobile device I can see how this would work but how would this ever work on (non-Apple) PCs without exposing the key to anyone willing to poke around a bit?
1. freedomben No.36864099
> But signing necessarily is happening on the user's device...

No, there is signing from a third party server in the chain too. If iPhone A visits website B, then A must provide to B a token signed by Apple in order for it to be trusted.

It also depends on hardware tamper-protected keys that the user can't get to without destroying the device (or at least the keys) in the process.
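
The flow described in the reply above, sketched as an added example that is not part of the thread or any vendor's code: a third-party attester signs a token, and the website accepts it only if the attester's public key verifies it, so a token signed with a locally generated key is rejected. The function names, the claim fields (`verdict`, `nonce`, `exp`) and the Ed25519 keys are assumptions made for illustration; the hardware-protected device key is not modeled.

```javascript
const crypto = require("node:crypto");

// Constructed keys: the attester plays the third-party signer; its private key stays on its server.
const attester = crypto.generateKeyPairSync("ed25519");
// A key pair any client could generate locally for itself.
const selfMade = crypto.generateKeyPairSync("ed25519");

const b64 = (buf) => buf.toString("base64url");

// Attester side (hypothetical helper): sign the claims it is willing to vouch for.
function issueToken(privateKey, claims) {
  const payload = Buffer.from(JSON.stringify(claims), "utf8");
  return b64(payload) + "." + b64(crypto.sign(null, payload, privateKey));
}

// Website side (hypothetical helper): trust a token only if the attester's public key verifies it.
function verifyToken(token, attesterPublicKey, expectedNonce, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const payload = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");
  // Check the signature before parsing anything the client controls.
  if (!crypto.verify(null, payload, attesterPublicKey, sig)) {
    return { ok: false, reason: "bad signature" };
  }
  const claims = JSON.parse(payload.toString("utf8"));
  // Assumed claims: a per-request nonce and an expiry, so a captured token cannot be replayed.
  if (claims.nonce !== expectedNonce) return { ok: false, reason: "nonce mismatch" };
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

function demo() {
  const nonce = crypto.randomBytes(16).toString("hex"); // the website's challenge
  const claims = { verdict: "device-ok", nonce, exp: Date.now() + 60_000 };
  const genuine = issueToken(attester.privateKey, claims);
  const forged = issueToken(selfMade.privateKey, claims); // same claims, wrong signer
  return {
    genuine: verifyToken(genuine, attester.publicKey, nonce),
    forged: verifyToken(forged, attester.publicKey, nonce),
    replayed: verifyToken(genuine, attester.publicKey, "another-nonce"),
  };
}

console.log(demo());
```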