596 points pimterry | 2 comments

superkuh No.36862573
Google/Microsoft/Apple essentially did this with HTTP/3 too. None of their shipped browsers are able to connect to a non-"CA TLS" HTTP/3 endpoint. To host an HTTP/3 website visitable by a random normal person you have to get continued approval (every 3 months min) from a third party CA corporation for your website.
agwa No.36863130
There are two reasons this is not comparable to the remote attestation proposal that Google is currently proposing:

1. The only things that WebPKI CAs are required to attest to is that domain validation was properly completed and that the private key is not compromised. The system is designed (in both intent and practice) for any website to be able to easily get a certificate, and even the most untrustworthy, undesirable websites can and do get certificates on the regular. In contrast, Google's remote attestation proposal is clearly intended to assess the trustworthiness/desirability of the client.

2. The TLS requirement imposes a burden on website operators but provides a clear benefit for end users, which is totally in line with the Internet's Priority of Constituencies[1]. In contrast, Google's attestation proposal places a burden on end users for the benefit of website operators, which violates the Priority of Constituencies.

Additionally, I must note that Firefox also requires a TLS certificate for HTTP/3 (as they did for HTTP/2). Not sure why you'd omit Mozilla from your list of browser makers doing this, but it's a misrepresentation to imply that this is something only "mega-corp browsers" do, when there is actually broad agreement that this is a good thing.

[1] https://datatracker.ietf.org/doc/html/rfc8890

superkuh No.36870009
Because Mozilla didn't create QUIC or push the QUIC-based HTTP/3 through the IETF like Google and Microsoft did. If anything I should've left out Apple, not added Mozilla. But yeah, Mozilla is using the same HTTP/3 libs as everyone else so its browser is inherently broken too.

But this only becomes a serious problem when HTTP/1.1 support is removed. Mozilla will never remove HTTP/1.1 support from Firefox. Google/Microsoft/Apple are chomping at the bit to remove HTTP/1.1 from their products.

agwa No.36871494
Mozilla was the first browser maker to announce an intent to deprecate non-secure HTTP[1]. Even if they keep HTTP/1.1 support, at some point they will require TLS for it, just as they already do for HTTP/2. This is not something new with HTTP/3 nor is it some big-corp conspiracy.

[1] https://blog.mozilla.org/security/2015/04/30/deprecating-non...

superkuh No.36884425
Well shit. I'm wrong and things at Mozilla are much worse than I imagined.

re: HTTP/2, yes, everyone is well aware it didn't allow HTTP connections from the start. But there was no risk of HTTP/1.1 going away at that time. And you can technically still use a non-CA self-signed cert for the implementations of HTTP/2 in major browsers. But it is also a bad protocol like HTTP/3.

I have no idea what conspiracy theory stuff you're going on about. People just haven't thought through the consequences of these design decisions outside of their work headspace bubble. Much like with WEI.