Google Tries to Defend Its Web Environment Integrity as Critics Slam It as Dangerous - eviltoast

Attacks and doxing make me personally MORE likely to support stronger safety features in chromium, as such acts increase my suspicion that there is significant intimidation from criminals who are afraid this feature will disrupt their illegal and/or unethical businesses, and I don’t give in to criminals or bullies

Kick a puppy
Get attacked for kicking a puppy
“These attacks make me MORE likely to keep kicking puppies, as I don’t give in to intimidation from criminals and bullies that want healthy puppies for their nefarious ends.”

  • xylogx@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    1 year ago

    What exactly is the attestation checking? As far as I can tell it is a TPM assertion possibly that you have secure boot enables and that the browser has not been tampered with. Is there anything else? I looked in the Github page but alls that I saw was placeholders. Is this documented somewhere?

    • festus@lemmy.ca
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      I think it’s up to the attestor. So in theory it could check anything from what you described (most likely) to requiring that all users have a background image of Ronald McDonald (less likely).

    • Max-P@lemmy.max-p.me
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      It’s TPM based on Android yes from the look of it, their article mentioned the Play Integrity API. So at least on phones it can potentially require a locked bootloader running the vendor’s OS completely unmodified.

      • xylogx@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        That makes a lot of sense. Not sure how that would work on Windows where users typically run with admin credentials. Yes, I cannot modify the boot loader, but with admin credentials I can do many malicious things to your traffic in between the browser and the OS, up to and including attaching a debugger to your browser process to see kernel memory.

        I know it is possible for Linux to pass secure boot in some cases, so in theory it could be possible for there to attestation on Linux systems, but this suffers from the same flaw as Windows since users have root access.

        In the end the only thing this will do is prevent someone from using curl or cli tools to access a site that requires attestation. Will this prevent bots? I am not certain. You could in effect guarantee a 1-1 relationship of users to TPM/Secure Enclaves. This would slow down bot farmers, but not stop them.

        Chinese bot farm with 100’s of physical smartphones -> https://youtu.be/aSESD6rm54o

        • Dr. Dabbles@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          1 year ago

          IMO, requiring a TPM for any kind of attestation wouldn’t do much because they can be procured in the tens of thousands for not much money at all. Then they use an SPI bus to communicate, so you could basically build a cheap device that only multiplexes dozens, hundreds, or thousands of TPM on a single physical host.

          The real sham of this, to me, is that Google’s talking nonsense about ensuring the client device is “trustworthy” for whatever their criteria means. But in reality the client needs a real assurance that the site it’s visiting isn’t malicious, serving malicious content, or otherwise collecting data that could be used for malicious purposes. Google has directly failed two of those three for many years, and one of them is their entire business model. Where is our protection from Google?

          Maybe Google should use their clout to work against DRM online, and push back on the insatiable corporate greed of most of the content creation corporations? Especially those busy cutting down trees to prevent striking workers from getting shade?

          Adding on to this, what of people in sanctioned nations? Google, as a US entity, is compelled to adhere to US law and to sanction nations that the US deems should be sanctioned. What about activists in those nations? What about targeted populations in those countries? What happens when a minority group is targeted by a hostile government and that government demands logs of device tokens accessing information the government doesn’t like? This idea is nonsense on so many levels, and such a 180 degree turn from how the internet has developed over its existence.