Remix.run Logo
Cider9986 a day ago

It can be used for security and used privately [1] but I entirely agree with you, Google's use of it is anti-competitive and terrible.

[1] attestation.app

matheusmoreira a day ago | parent | next [-]

It's all about who owns the keys and who trusts those keys. If you don't have the keys to "your" computer, then you don't own that computer, you're just renting it from the corporation.

And even if our own keys could be used, who's going to trust those attestations? Nobody. They will trust Google's keys, Microsoft's keys, Apple's keys. Not ours.

teravor 18 hours ago | parent [-]

the intent is that no one owns those keys, your silicon should be the only entity in "possession" of those keys.

but no one uses blind signatures for attestation so it can be used to fingerprint your device's serial. they do try to make it hard. but generally you should assume that if whoever you are attesting to colludes with google they will obtain your HWID - and if it's google you are attesting to you should assume they have your HWID.

GOS uses a proxy for attestation, but it does absolutely nothing for this threat model.

PS: DRM is even worse, there is no intermediary and the APIs are open to all apps. you probably need to be a well resourced intel agency to make use of it as you need to source a valid DRM license server certificate. technically, actual license servers are in violation of their agreements with google, apple, etc if they use the license request for fingerprinting. but they do retain the ability to blacklist silicon (invalidate pirate devices from pirated media watermarks).

preisschild a day ago | parent | prev [-]

Yeah same as TPM and Secureboot. They can improve your own personal security (and thereby privacy) drastically, but it has to be controlled by the user.