←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0s | source
Show context
Santosh83 ◴[25 Jul 23 14:28 UTC] No.36862751[source]
Maybe I'm wrong but Web Attestation will also be a death knell for Linux devices (not Android/Chrome OS) as far as being able to use them as equal clients to use the Web goes. They're simply too diverse and 'hackable' as a plotform for remote attestation to work reliably and thus they'll be excluded altogether (except a few 'blessed' distros that will then become industry controlled, and not Linux in spirit anymore).
replies(7): >>36862825 #>>36862993 #>>36863025 #>>36863063 #>>36863230 #>>36864206 #>>36865119 #
onion2k ◴[25 Jul 23 14:44 UTC] No.36863025[source]
I slightly suspect that the only platforms that will actually implement Web Attestation are the ones I'm trying to remove myself from, so I secretly[1] hope this is the catalyst I need to stop going on crappy social networks and video platforms.

I apparently don't have the will power to stop going on these sites so maybe stopping me loading content from the other side is exactly what I need.

[1] Not so secretly now I've mentioned it here I suppose.

replies(3): >>36863057 #>>36863066 #>>36864188 #
tomstockmail ◴[25 Jul 23 14:46 UTC] No.36863057[source]
Banks.
replies(2): >>36863207 #>>36863374 #
N19PEDL2 ◴[25 Jul 23 14:55 UTC] No.36863207[source]
There's a lot of competition in the banking sector, so I don't think banks can afford to start telling customers that they need specific devices to access their online services.
replies(7): >>36863318 #>>36863363 #>>36863432 #>>36863516 #>>36863650 #>>36871174 #>>36874938 #
c0l0 ◴[25 Jul 23 15:01 UTC] No.36863318[source]
The banking sector is EXACTLY where "cyber 'security'" and "compliance" will mandate for this to be implemented.

When I worked a bank at $oldjob, compliance mandated we had a full-blown anti virus engine (from Microsoft or McAfee, "at your option") deployed in quasi-ephemeral container images.

It does not have to be reasonable, it doesn't have to be a net positive - it just has to tick some box on some compliance sheet for this to be required, and I will never again be able to perform a banking transaction from my personal computer or degoogled phone again.

replies(1): >>36864400 #
delfinom ◴[25 Jul 23 16:03 UTC] No.36864400[source]
Most banks have barely implemented 2FA, and when they have, they implement SMS.

The only financial provider I have that supports anything other than backdoors is Vanguard with U2F support.

Shit, AMEX still lowercases your passwords before (hopefully) hashing them.

We got plenty of time for those mandates to occur ;)

replies(3): >>36864658 #>>36866942 #>>36875477 #
1. PaulDavisThe1st ◴[25 Jul 23 18:19 UTC] No.36866942{3}[source]
> Most banks have barely implemented 2FA, and when they have, they implement SMS.

One reason I slightly swallow my guilt at having a savings account with Goldman Sachs (marcus.com) is that they offer email-based 2FA. I closed my savings accounts at Chase when they enforced SMS-only 2FA.

BTW, I feel slightly less guilty about saving with these banks instead of my actual credit union after my brother-in-law (who has been in the CU world for decades) told me that if a credit union can't offer competitive savings rates, it means they are lacking in opportunities for significant local lending.