• CarbonIceDragon@pawb.social
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    Hypothetically, I wonder if it would be possible to spoof this if you also had an actual unmodified attested device. Something like a device in your home network that would, if you have an iPhone as well as an unattested computer that you actually want to use: get request for attestation from a website, send that request to your iphone instead, as if your iphone had opened the page and was receiving the request (or just have the iphone also try to load the page), intercept the signature the iphone sends to the website, and have your computer send it to the website instead.

    • mac@lemm.ee
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      There are probably certs and handshakes that get exchanged to ensure the validity of the attestation. Highly doubt this would work

    • WhoRoger@lemmy.world
      link
      fedilink
      arrow-up
      0
      ·
      1 year ago

      Probably doable on some devices, but also easily blockable, as the authorisation features are generally built into the hardware already. Remember the expectation/worry is that you’d only be able to use closed-source browsers, so any way to go around this would essentially require cracking. So this could end up being a cat and mouse game between the big tech and crackers. Just to visit a web site.