←back to thread

Apple already shipped attestation on the web, and we barely noticed

(httptoolkit.com)
596 points pimterry | 1 comments | 25 Jul 23 14:10 UTC | HN request time: 0.47s | source
Show context
codedokode ◴[25 Jul 23 14:56 UTC] No.36863221[source]
Cannot attestation in Chrome be "fixed" by patching an attestation function so that it always returns true (even if there is an adblocker)?
replies(4): >>36863517 #>>36863525 #>>36863820 #>>36865685 #
devsda ◴[25 Jul 23 17:11 UTC] No.36865685[source]
First, there's nothing to patch as it would probably need a cryptographic challenge response flow and not a simple yes or no.

Even if there's a patch, it would be difficult because there are other pieces of attestation that are already in place all the way upto the browser.

You cannot patch executables because os can verify executables via code signing signatures.

You cannot "patch" important parts of your OS (outside any zero days) with secure boot enabled(they can reject user keys for attestation).

replies(1): >>36868995 #
1. codedokode ◴[25 Jul 23 20:34 UTC] No.36868995[source]
> You cannot "patch" important parts of your OS (outside any zero days)

So basically you just need to stop updating OS for 2 weeks and grab a fresh vulnerability to bypass attestation?