
756 points dagurp | 2 comments
rcxdude ◴[] No.36882331[source]
This is especially rich coming from Google, whose 'SafetyNet' for Android results in a significant reduction in security (contrary to its stated purpose): it locks out 3rd-party up-to-date and secure ROMs while allowing horrifically insecure manufacturer-provided ROMs to still pass, because to disable those would cause a massive user outcry. So it functions as a vendor lock-in but no meaningful increase in security for the average user, while preventing more advanced users from improving their security without needing to buy more hardware. This needs to be called out more to push back against the claim that this kind of attestation somehow has a legitimate benefit for the users.
replies(6): >>36882444 #>>36883913 #>>36884154 #>>36885533 #>>36885781 #>>36890534 #
lern_too_spel ◴[] No.36884154[source]
You're using it wrong. SafetyNet is able to assert that the build the device asserts is what it claims. After you know that, it's up to you to decide whether you trust communications from that build or not. If it's a known-insecure build, you can say that you don't. SafetyNet cannot assert that a third-party ROM is what it claims to be, so you have to decide whether you trust communications from that device or not based on not knowing at all what build is on the device.
replies(5): >>36884229 #>>36884517 #>>36884788 #>>36885296 #>>36886555 #
ori_b ◴[] No.36884788[source]
In other words, it's virtually impossible to use right without also being the entity that hands out phones to users.
replies(1): >>36885527 #
lern_too_spel ◴[] No.36885527[source]
Potentially, a manufacturer could make a multibuild phone where the user could switch between an attested build and a non-attested build and have access to services whose security requires attestation with just a reboot. Otherwise, you would use different devices for different purposes, as I do today. It's unfortunate, but if you really need something that isn't supported by the existing Android APIs, that's the only way.
replies(1): >>36886596 #
ori_b ◴[] No.36886596{3}[source]
Or, just don't do remote attestation. The cure is worse than the disease.
replies(2): >>36887093 #>>36887140 #
1. lern_too_spel ◴[] No.36887140{4}[source]
Good luck convincing corp security to allow you to use your device on your corporate network without remote attestation.
replies(1): >>36887915 #
2. ori_b ◴[] No.36887915[source]
I don't use personal devices on corporate networks. If they want a phone with remote attestation, they can pay for it to sit in a drawer.

Though, at this point I am the founder of my own company. Any software we use will not require attestation. I would be willing to switch vendors over that.

As for web attestation: the software I use regularly needs to run on OpenBSD. It's that simple.