
596 points pimterry | 2 comments

meandmycode No.36863228
Some of the takes about why attestation is bad seem purposely false because the author dislikes the feature. If attestation isn't triggered, then prior behaviour will happen (captcha etc.). This is a progressive feature, and the point of the attestation isn't to prove you're using an approved device; it's to prove a human is actually present, for which a verified software stack is needed. Otherwise the feature is useless.
replies(5): >>36863679 #>>36864216 #>>36868839 #>>36869537 #>>36873169 #
hellojesus No.36868839
Does this progressive feature allow every visitor to a site to be uniquely identified with 100% certainty? Because that doesn't sound very progressive.
replies(1): >>36878056 #
1. meandmycode No.36878056
Again, you need only research and find that they are designed independently not to allow this: https://developer.apple.com/videos/play/wwdc2022/10077/
replies(1): >>36881120 #
2. hellojesus No.36881120
If that is the case, what stops people from setting up bot farms to gather millions of valid keys per origin, and then passing them off to requesting users to use with unapproved devices? It seems like the same choke point still exists, in that captchas may be required to prove the token requestor is human.

And since you could also do it maliciously, in the sense that you could fire and forget requests if you didn't care about the token, you could spoof your IP across the range of all residential IPs to try and force captcha rate limiting on everyone that requests an attestation.