| ▲ | userbinator 10 hours ago |
| Hell yes. I was going to post the same comment. I don't give a flying fuck how it's implemented. Remote attestation is inherently evil. I remember the WEI apologists trying to do the same thing to derail the argument. The problem is the goal, not the details. Just say no: DO NOT WANT! |
|
| ▲ | lxgr 10 hours ago | parent | next [-] |
| Remote attestation is a technology, not a policy or a political effort, so it can't be inherently evil. You can disagree with all its known or proposed uses, but then I think it makes more sense to name these. |
| |
| ▲ | xinayder 10 hours ago | parent | next [-] | | DRM is a technology and is inherently evil.
Web attestation is DRM for the web, and is inherently evil.
Age ID is a technology and is inherently evil. We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad. It's not like these technologies were created for the greater good and misappropriated by bad actors. They were proposed by bad actors in the first place, they cannot not be inherently good. | | |
| ▲ | lxgr 9 hours ago | parent | next [-] | | DRM is arguably a specific use of various generic technology ranging from whitebox cryptography to trusted computing. I don't think remote attestation (or even more so its umbrella technology, trusted computing) is nearly as specifically targeted as DRM. > We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Suddenly, we "need" to create new technology that seem to be security features, but are essentially just being used for evil, thus being inherently bad. I agree that requiring remote attestation for generic web use is evil. It's way too heavy-handed an approach better reserved I still don't think this somehow outright disqualifies the technology itself. | |
| ▲ | charcircuit 8 hours ago | parent | prev [-] | | >We have over 30 years of the world wide web and for these more than 3 decades this was never a problem. Are you seriously trying to suggest copyright infringement has not been an issue over the last 30 years? Both of them are solutions to problems that we've had over the last 30 years and were created for the greater good to solve problems that developers were facing. |
| |
| ▲ | pigeons 3 hours ago | parent | prev | next [-] | | I think people are too quick to dismiss the possibility that some technologies are just bad and harmful and we can't shrug off responsibility and say I'm just making a neutral technology and the people using it are the ones causing harm. | |
| ▲ | userbinator 10 hours ago | parent | prev | next [-] | | Then explain why RA was invented? It is inherently against user freedom, just like "secure" boot and the rest of the corporate-authoritarian crap. People have woken up to the truth as the pieces come together. This article from 2022 is fun to look at and see how prescient it was: https://news.ycombinator.com/item?id=29859106 | | |
| ▲ | MadnessASAP 2 hours ago | parent [-] | | I have 2 servers, Alice and Bob, Bob has a secret, I want Bob to be able to share that secret with Alice. However, I want Alice to be able to prove to Bob that it is actually Alice, that it is running the correct AliceOS, and that AliceOS was loaded on bare metal Alice without nefarious pre-book or virtualization hooks. A TPM with measured boot (SecureBoot) does exactly this, remote attestation is how Alice proves to Bob that it is in a trusted configuration and wasn't tampered with. | | |
| ▲ | brabel an hour ago | parent | next [-] | | As someone who wanted to improve users security, that’s exactly why I find this thread fanatical opposition to attestation baffling. Nearly everyone uses a device that supports hardware attestation. It’s the best available tool to protect users from malware. We do implement a fallback that lowers security but lets the few users who have devices not able to attest properly to continue, but that really lowers security since we can’t even know if the device cryptography is itself compromised and hence can’t really trust anything it sends. If you have a different solution, do share it! I would love to use something you guys don’t find abhorrent! But until then I don’t really see the reason for all this negativity. | | |
| ▲ | MadnessASAP 24 minutes ago | parent [-] | | Sadly, the problem isn't the TPM or Remote Attestation. It's Google et al choosing to only talk to devices and software they like without concern for what the user wants or trusts. Compounded by everyone else just going along with it. A TPM where the device owner can't take ownership of the root key is worse then no TPM at all. |
| |
| ▲ | userbinator 41 minutes ago | parent | prev [-] | | That's the academic viewpoint, but in practice it's used for far more hostile purposes. (One argues that since you own both of them, you should simply set up the two servers yourself with a key of your own choosing, asymmetric or otherwise, and then restrict physical access to them.) |
|
| |
| ▲ | nullc 9 hours ago | parent | prev [-] | | "It’s a poor atom blaster that won’t point both ways." |
|
|
| ▲ | zx8080 9 hours ago | parent | prev [-] |
| The biggest problem is banking system. "Don't want - no bank for you". That's the problem. |
| |
| ▲ | Hackbraten 3 hours ago | parent [-] | | Let them know. Write a letter to the CEO. And vote with your wallet and switch banks if you can. There's always a bank willing to offer you a non-app 2FA scheme. | | |
| ▲ | gorgolo an hour ago | parent | next [-] | | Banks don’t do this because of profit. They do it because of decades of laws pushing in this direction. Anti-money laundering, know your customer, digitalised currency, abandoning cash, preventing tax evasion etc… it’s been getting more extensive over time. | | |
| ▲ | Hackbraten 34 minutes ago | parent [-] | | None of the things you mentioned inherently require the user to own (and babysit) an expensive general-purpose computing device produced by tracking-obsessed adtech giants and with software obsolescence built into the product. |
| |
| ▲ | brabel an hour ago | parent | prev [-] | | Do you think banks are using attestation gratuitously? It helps prevent a lot of fraud. You are opposing something that saves people’s savings every day just because you think it takes “freedom” away from a few hobbyists. Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical? | | |
| ▲ | Hackbraten 38 minutes ago | parent [-] | | > Do you think banks are using attestation gratuitously? What I'm claiming is that banks have the freedom of offering their customers 2FA other than smartphone apps. > Do you even have a phone that does not support hardware attestation or is all this posturing about something hypothetical? All the phones I own, including my daily driver, run some flavor of Debian. None of them support hardware attestation. I'm in Europe, bound by PSD2, and own a couple of cheap, certified chip-and-TAN devices so I can do banking. |
|
|
|
