Rendered at 06:08:46 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
imglorp 5 hours ago [-]
We use SPIFFE/SPIRE at work. It works well for our use case, remote embedded workflows that need to phone home. It's very exacting: everything must be exactly right for the attestation to succeed. So it takes extra effort when you commit to that path.
nondescript2887 5 hours ago [-]
>But what about attacks after boot? That’s your EDR’s problem. Trusted boot provides the bedrock to build a bunch of other primitives on top of. Including cryptographic proof your EDR is installed and running (at boot), immutable filesystems (verified at boot), signed upgrades, confidential computing, etc. Without it you can’t trust your hosts themselves and can’t make further security guarantees. Houses built on sand and all that.
Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)
davidfiala 2 hours ago [-]
Attestation of any type: A double edged sword, where you are guaranteed to lose freedom. Attestation entrenches, empowers, and enriches other entities that aren't you.
Ironic how this post got upvoted in parallel to polar opposite in the #1 slot: "John Deere owners will get the right to repair equipment under FTC settlement" https://news.ycombinator.com/item?id=48838876
Engineers may debate about what-about-isms of vulnerabilities and counterexamples of TPM failures, but that misses the point: We should be debating about where society will be when devices you paid for serve other masters.
Probably we should just write/vibe/demand better software. Otherwise we're going to end up with a law demanding TPMs that watch more than just your firmware...
1 hours ago [-]
solenoid0937 1 hours ago [-]
You don't understand the use case or audience of this article:
> If your infra consistently enforces mTLS
This is for mutual authentication in corporate infrastructure. Attestation is a critical security property for these environments.
sfdlkj3jk342a 1 hours ago [-]
> Attestation is a critical security property for these environments.
No it's not. Every corporate network to which I've connected worked just fine without it.
fleventynine 36 minutes ago [-]
> Every corporate network to which I've connected worked just fine without it.
Just because it appears to be working fine doesn't mean you are in control of it. Without hardware attestation, how do you know the machines are running the software you think they are?
solenoid0937 1 hours ago [-]
Oh my god. Why does every random non-security person on HN think they understand security? Do you debate vaccines with your doctors too?
> Every corporate network to which I've connected worked just fine without it.
Yes because you work at companies with immature or primitive tech stacks. Or you haven't scaled to a point where this is part of your threat model. Nearly every modern large tech company employs remote attestation with mTLS.
Clients in internal corporate infra have zero expectation of "freedom." Remote attestation is a desirable security property for mutual authn in any corporate network. You want to know exactly what each client is, to make it harder for attackers to smuggle illegitimate clients into your infra, or masquerade as a trusted client.
sfdlkj3jk342a 60 minutes ago [-]
> Do you debate vaccines with your doctors too?
If by "debate", you mean I take their advice into consideration and then make my own decision without blindly trusting them, then yes I do.
solenoid0937 58 minutes ago [-]
I hope you put a lot more research into those debates than you did with this topic! I just don't understand why you'd have this overconfident hot take about a topic you clearly aren't familiar with. Like, try to understand the article subject and audience first?
sfdlkj3jk342a 40 minutes ago [-]
I didn't claim to be an expert in this particular area of security, but I have enough common sense to know that remote attestation is not "critical" for a corporate network. Perhaps it has valuable use cases for very large companies that want complete control over their employee devices, but your claim is far too broad to hold.
solenoid0937 35 minutes ago [-]
It is not just about control, it is also about being able to trust the nodes in your network.
It is not just about employee devices, but about literally every workload or host running in your corporate infrastructure.
gspr 59 minutes ago [-]
> (Make claim that something is "critical".)
> (Get challenged on that.)
> omg you don't know anything, being without the thing is primitive and everyone sophisticated uses it.
You can see how you can be accused of not actually presenting any arguments here, right? If you're gonna appeal to authority, at least back that appeal up with something.
solenoid0937 49 minutes ago [-]
My comment is fine. Appeals to authority are not inherently bad when the person doesn't know what they're talking about. Again, your doctor is more of an authority than you on medicine. It'd be hubris to think you'd understand the field better, no matter how smart you are.
It's not my job to write an essay in the comments about why mutual authn with RA is desirable in corporate networks, and why the complaints about "freedom" are totally and utterly nonsensical in this context. This is something he can look up very quickly.
zb3 5 hours ago [-]
It would be a nice addition if big tech didn't abuse this to shove user-hostile software into devices which the user has paid for (like smartphones).. thanks to this attitude, whenever I see "remote attestation" I associate this with "hostile"..
> Using a TPM, we can remotely, cryptographically prove a couple of things:
Unless there are exploits..
solenoid0937 1 hours ago [-]
> whenever I see "remote attestation" I associate this with "hostile"
HN is bizarre. This is just standard infrastructure security practice at any tech company of meaningful size. You are misunderstanding the target use case and audience of this article.
gspr 58 minutes ago [-]
It is true that it is pretty common in large companies. It is also true that it feels very hostile to some people (myself included).
solenoid0937 54 minutes ago [-]
The audience of this article are people working with infrastructure, not people developing user facing products. See quote: "If your infra consistently enforces mTLS ..."
lcvw 5 hours ago [-]
I mean, all tech can be used in different ways. My experience has been much more on the preventing root kits side, rather then vendor lock in.
Yes, there can be exploits, but hardware exploits over a restricted interface (TPM2) are significantly rarer then normal software vulns. Everything is about risk mitigation, there is no perfect security.
GreenVulpine 5 hours ago [-]
Make no mistake. Shoving user-hostile malware down people's throats is the primary use case for this in the consumer space. Bootloader malware is very esoteric right now. Enterprise might have valid use cases beyond screwing people but none of them make sense for a consumer device.
mjg59 5 hours ago [-]
You say that, and also remote attestation is how Signal knows it's talking to a legitimate SGX enclave running the expected payload
greyface- 4 hours ago [-]
> running the expected payload
SGX does not cryptographically guarantee this. It cryptographically guarantees that the processor contains a legitimate provisioning key signed by Intel. Intel pinky promises that its processor will then only use this provisioning key in certain ways. This promise is essentially unauditable, and previous SGX bugs have shown that Intel isn't really in a position to make it anyway.
gucci-on-fleek 2 hours ago [-]
You are 100% correct, but this is still mostly fine: without SGX, you need to completely trust Signal, since it could trivially modify the server-side code. But with SGX, you only need to trust that Signal and Intel won't both collude.
The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.
Collusion is certainly still possible, but it's much harder to pull off, since it typically requires nation-state-level resources to exploit. Signal does actually have nation-state adversaries, but the vast majority of other software projects don't.
(I personally think that remote attestation is the single biggest risk to the free software movement, but I begrudgingly accept that Signal is a very good use case for it.)
AnthonyMouse 1 hours ago [-]
> The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.
Since there have been multiple SGX key extraction vulnerabilities already, all you would have to do is compromise Signal and then use the key extracted from any of those devices, and "compromise Signal" is the same thing you would have to do if they weren't using SGX at all.
greyface- 1 hours ago [-]
The path to compromise that you describe exists, of course. But it's not the only way. For example, a zero-day in SGX combined with privileged access to AWS infrastructure could compromise Signal's SGX setup without any knowledge or collusion by Signal or Intel. As you note, it is not unreasonable for a project of Signal's stature to expect to face adversaries with such capabilities.
Zak 3 hours ago [-]
There's some value in that, but Signal's main security proposition is that you don't have to trust the infrastructure. E2EE means even compromised server software can't read message contents.
gruez 3 hours ago [-]
He's talking about contact discovery, which can't be solved by just slapping e2ee on it
lcvw 5 hours ago [-]
I definitely want to do a post on confidential computing as well. Super cool stuff.
throwaway7679 4 hours ago [-]
Maybe you could do a post on... remote attestation.
That is, the thing that people are actually talking about when they use that term: The means for companies and governments to usurp the ownership of consumer devices.
bobbiechen 35 minutes ago [-]
Oh yeah, just like all cryptography is just a way for bad people to hide their criminal activity.
I'd read the confidential computing post! (used to work in this space myself)
mindslight 4 hours ago [-]
Being able to come up with compelling use cases for a technology does not redeem that technology from creating a terrible power imbalance that incentives will mean is inevitably abused. Whenever anyone hears "remote attestation", they should think of the already-pervasive Cloudflare CAPTCHA nagwalls, and then think of those becoming something you can only get past by buying a new computer running a proprietary locked-down OS and browser.
The only way to make remote attestation into a neutral technology is to prohibit privileged keys being loaded (and retained) by device manufacturers. This would make it impossible for arbitrary protocol counterparties to know if their attestation requests are being answered by hardware, or merely emulated in software. This approach is the only way to preserve computing freedom (ie the very concept of protocols that mediate between mutually-untrusting parties) in the presence of this technology.
Rohansi 3 hours ago [-]
> none of them make sense for a consumer device.
One of the valid use cases on consumer devices is video game anti-cheat software. Theoretically remote attestation can enable them to be less invasive.
AnthonyMouse 14 minutes ago [-]
That's the use case it can't really work for.
With enterprise devices you can enroll a specific device and only allow its key. Someone who finds a vulnerability in a different device model, or even the same device model when they don't have one of your actual devices, can't use it because it's not enrolled. (That doesn't actually require remote attestation, the same works without any kind of TPM, but it mitigates a gaping hole that remote attestation has otherwise.)
Because in the video game case the cheater can choose whatever device they want, so they choose one with a vulnerability, which the developers can't prevent without blocking the millions of innocent people who have the same hardware. It's also the solution to yesterday's problem because cheaters are now using cheat hardware that acts as a user input device, and then attesting to what software is running buys you nothing because the cheating is happening in hardware.
lcvw 5 hours ago [-]
I think consumer devices should have opt-outs for sure. But personally I am much more comfortable with myself and my family having fully locked down apple phones then anything else on the market right now, precisely because of how difficult it is to get persistent malware into that ecosystem.
ls612 4 hours ago [-]
I get this argument and tell my parents (who know nothing about tech) to get iPhones for this reason but as an economist it is obvious to me the political economy equilibrium implications of this technology are an extreme centralization of power. We are one Covid-like crisis/moral panic away from a regime of only government licensed devices with identity and software integrity attestation can use the internet, and the masses will cheer on the prosecution of the tech nerds who try to circumvent it.
zb3 4 hours ago [-]
Out of curiosity, do you like ads? I assume you don't.. so how would you react if Apple followed Google and prohibited ad blocking apps + removed that capability from web browsers?
I'd not be able to put up with that, but more importantly, I'd not want to be in the position where I can't even protest anything because there's no alternative to switch to..
what 1 hours ago [-]
When did google prohibit ad blocking in their browser?
It's a nice idea, but I wouldn't design any system on the assumption that a TPM needs to stay secure for the system to be safe. There's been so many exploits. We can consider the iphone as an R & D platform for doing blackbox computations. In that nothing is allowed to run that Apple doesn't want. Protecting that is apples bread and butter and they care about it enough to value critical exploits in the millions. Yet people still find them all the time. I feel like if a company that invests millions in the concept can't make it secure then the concept probably isn't that great.
Gigachad 3 hours ago [-]
The iPhone is actually working really well. There has never been a widespread malware attack on the iphone. Only highly targeted attacks on individuals. And Apple even has an answer for this as well with Lockdown mode which renders all of those previous exploits impossible.
There's also Memory Integrity Enforcement on the iPhone 17 chips which makes all memory exploits detectable by the OS so it can trigger a reboot and report the bug to Apple.
And even when exploits are found, the boot chain attestation means rebooting your iphone always clears out any malware that made it past normal sandboxing. Particularly at risk individuals should enable lockdown mode and periodically reboot.
AnthonyMouse 1 hours ago [-]
Now explain how any of that requires remote attestation.
Uptrenda 2 hours ago [-]
there are private exploits built into devices like Cellebrite that the police have access to. The system isn't as infallible as you think. Would not be surprised if the NSA and various hacking groups have stockpiles, too.
Gigachad 2 hours ago [-]
The iPhone has two main security systems to counter this, one being lockdown mode which disables USB data while the device is locked, and the other is the iPhone will reboot itself if it hasn't been unlocked for long enough. This puts the device in Before First Unlock state where the encryption keys are wiped from memory. This means no software bug can unlock the device because the encryption keys are derived from the users password.
The main attack left is brute forcing the lock screen password and bypassing the cooldown timer. This seems to be the method most used for getting access to phones. This is defeated by having an actual text password rather than the 6 digit password.
So yes they have advanced hacking tech, but the iphone security is remarkably effective and as a user there are a couple of simple measures that make it pretty much unbreakable.
If you believe you are at risk of having your phone taken and plugged in to a Cellebrite like device, enable Lockdown Mode, set a good password and if possible hit the power button 5 times to disable face id.
klausa 3 hours ago [-]
By that metric we should just pack it all up and call it a day on computing in general; because even despite literal trillions of dollars being spent on it, we still haven't found a way to make it secure.
gmueckl 1 hours ago [-]
Not all computing that is useful must also be absolutely secure. Maybe we just have overextended the use of computers into areas where using them generates too much risk? If so, where is the boundary?
Uptrenda 2 hours ago [-]
You can make software secure though since it can be patched. How do you patch hardware if it has design flaws? The whole claim behind these hardware cages is they can't be accessed from outside the cage, period. So IMO, seeing multiple failings of this sort kind of makes me not want to trust it.
userbinator 2 hours ago [-]
This is the dream of corporate authoritarians everywhere. The dystopian nightmare we all warned about because we saw it coming. "Security" is the "think of the children" fearmongering of the current environment.
As one of our Founding Fathers put it: "Those who give up freedom for security deserve neither."
Remote Attestation: Just Say No.
gmueckl 50 minutes ago [-]
Remote Attestation has valid use cases. I assume that you see problems with e.g. RA backed DRM or tamper protection on consumer devices like smartphones. In an ideal world, a political decision would have to be made about allowed use cases for RA that sets up limits where it conflicts with consumer protections. This isn't a technical problem.
stingraycharles 2 hours ago [-]
Could you elaborate on why this is so evil?
Ensuring our remote employees’ machines are secure is a serious problem for us, and it’s absolutely impossible to require employees to be diligent. We require attestation upon connection to our corporate VPN that checks for basic things such as latest security patches, certain tools installed, etc.
AnthonyMouse 1 hours ago [-]
When you access a service with your own device, you control what your device does with what they send. You can block ads or malware, inspect code they send you or network traffic you send them to see if it's exfiltrating your private data, extract the data to analyze or keep as evidence when the service is violating a law or contract, write or use third party code to process the data when the service is trying to force a dark pattern interface on you, etc.
If your device will attest that it's running their code then they refuse access to the service under any other conditions, and then you can't do any of those things because their code won't allow it.
It's also a huge antitrust problem because it precludes new independent platforms from being used, since it cements the chicken and egg problem that people won't use a device that can't access existing services and the services won't support a system nobody uses. In other words, WINE is banned and Firefox is banned and everyone is stuck with IE/Edge on Windows forever.
fooqux 2 hours ago [-]
It's a tool. Remote attestation isn't "evil" in the same way a knife isn't inherently evil. It's how they're used.
It's not that remote attestation can't be used for good. Obviously it can. It's that there's so many ways we can use it for evil, and given the track the world is on, it's quite obvious it will be.
tzs 2 hours ago [-]
And those who give up security for freedom soon have neither. You need a balance.
Ben Franklin understood that and so included qualifiers in the quote, which was "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety".
solenoid0937 1 hours ago [-]
Please stop bashing on things you don't understand. This is standard practice for workload authentication in corporate fleets. The article makes the target audience clear:
> If your infra consistently enforces mTLS
michaelmrose 2 hours ago [-]
Waiting for when one can't boot Windows without running snitch software which analyzes everything you do first to ensure you aren't a pedophile then that you aren't a terrorist then that aren't disloyal or un-American.
You won't be able to send email or bank if you aren't running the snitch or any configuration where you could defeat it.
Hell in a boring dystopia run by adults this could theoretically be a good thing! Never miss the next obvious school shooter!
Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)
Ironic how this post got upvoted in parallel to polar opposite in the #1 slot: "John Deere owners will get the right to repair equipment under FTC settlement" https://news.ycombinator.com/item?id=48838876
Engineers may debate about what-about-isms of vulnerabilities and counterexamples of TPM failures, but that misses the point: We should be debating about where society will be when devices you paid for serve other masters.
Probably we should just write/vibe/demand better software. Otherwise we're going to end up with a law demanding TPMs that watch more than just your firmware...
> If your infra consistently enforces mTLS
This is for mutual authentication in corporate infrastructure. Attestation is a critical security property for these environments.
No it's not. Every corporate network to which I've connected worked just fine without it.
Just because it appears to be working fine doesn't mean you are in control of it. Without hardware attestation, how do you know the machines are running the software you think they are?
> Every corporate network to which I've connected worked just fine without it.
Yes because you work at companies with immature or primitive tech stacks. Or you haven't scaled to a point where this is part of your threat model. Nearly every modern large tech company employs remote attestation with mTLS.
Clients in internal corporate infra have zero expectation of "freedom." Remote attestation is a desirable security property for mutual authn in any corporate network. You want to know exactly what each client is, to make it harder for attackers to smuggle illegitimate clients into your infra, or masquerade as a trusted client.
If by "debate", you mean I take their advice into consideration and then make my own decision without blindly trusting them, then yes I do.
It is not just about employee devices, but about literally every workload or host running in your corporate infrastructure.
> (Get challenged on that.)
> omg you don't know anything, being without the thing is primitive and everyone sophisticated uses it.
You can see how you can be accused of not actually presenting any arguments here, right? If you're gonna appeal to authority, at least back that appeal up with something.
It's not my job to write an essay in the comments about why mutual authn with RA is desirable in corporate networks, and why the complaints about "freedom" are totally and utterly nonsensical in this context. This is something he can look up very quickly.
> Using a TPM, we can remotely, cryptographically prove a couple of things:
Unless there are exploits..
HN is bizarre. This is just standard infrastructure security practice at any tech company of meaningful size. You are misunderstanding the target use case and audience of this article.
Yes, there can be exploits, but hardware exploits over a restricted interface (TPM2) are significantly rarer then normal software vulns. Everything is about risk mitigation, there is no perfect security.
SGX does not cryptographically guarantee this. It cryptographically guarantees that the processor contains a legitimate provisioning key signed by Intel. Intel pinky promises that its processor will then only use this provisioning key in certain ways. This promise is essentially unauditable, and previous SGX bugs have shown that Intel isn't really in a position to make it anyway.
The most likely attacks on Signal involve trusted insiders or configuration errors, and SGX mostly prevents these, since to exploit it, you'd need to bribe insiders in both Signal and Intel, or find configuration errors in both of their software stacks.
Collusion is certainly still possible, but it's much harder to pull off, since it typically requires nation-state-level resources to exploit. Signal does actually have nation-state adversaries, but the vast majority of other software projects don't.
(I personally think that remote attestation is the single biggest risk to the free software movement, but I begrudgingly accept that Signal is a very good use case for it.)
Since there have been multiple SGX key extraction vulnerabilities already, all you would have to do is compromise Signal and then use the key extracted from any of those devices, and "compromise Signal" is the same thing you would have to do if they weren't using SGX at all.
That is, the thing that people are actually talking about when they use that term: The means for companies and governments to usurp the ownership of consumer devices.
I'd read the confidential computing post! (used to work in this space myself)
The only way to make remote attestation into a neutral technology is to prohibit privileged keys being loaded (and retained) by device manufacturers. This would make it impossible for arbitrary protocol counterparties to know if their attestation requests are being answered by hardware, or merely emulated in software. This approach is the only way to preserve computing freedom (ie the very concept of protocols that mediate between mutually-untrusting parties) in the presence of this technology.
One of the valid use cases on consumer devices is video game anti-cheat software. Theoretically remote attestation can enable them to be less invasive.
With enterprise devices you can enroll a specific device and only allow its key. Someone who finds a vulnerability in a different device model, or even the same device model when they don't have one of your actual devices, can't use it because it's not enrolled. (That doesn't actually require remote attestation, the same works without any kind of TPM, but it mitigates a gaping hole that remote attestation has otherwise.)
Because in the video game case the cheater can choose whatever device they want, so they choose one with a vulnerability, which the developers can't prevent without blocking the millions of innocent people who have the same hardware. It's also the solution to yesterday's problem because cheaters are now using cheat hardware that acts as a user input device, and then attesting to what software is running buys you nothing because the cheating is happening in hardware.
I'd not be able to put up with that, but more importantly, I'd not want to be in the position where I can't even protest anything because there's no alternative to switch to..
There's also Memory Integrity Enforcement on the iPhone 17 chips which makes all memory exploits detectable by the OS so it can trigger a reboot and report the bug to Apple.
And even when exploits are found, the boot chain attestation means rebooting your iphone always clears out any malware that made it past normal sandboxing. Particularly at risk individuals should enable lockdown mode and periodically reboot.
The main attack left is brute forcing the lock screen password and bypassing the cooldown timer. This seems to be the method most used for getting access to phones. This is defeated by having an actual text password rather than the 6 digit password.
So yes they have advanced hacking tech, but the iphone security is remarkably effective and as a user there are a couple of simple measures that make it pretty much unbreakable.
If you believe you are at risk of having your phone taken and plugged in to a Cellebrite like device, enable Lockdown Mode, set a good password and if possible hit the power button 5 times to disable face id.
As one of our Founding Fathers put it: "Those who give up freedom for security deserve neither."
Remote Attestation: Just Say No.
Ensuring our remote employees’ machines are secure is a serious problem for us, and it’s absolutely impossible to require employees to be diligent. We require attestation upon connection to our corporate VPN that checks for basic things such as latest security patches, certain tools installed, etc.
If your device will attest that it's running their code then they refuse access to the service under any other conditions, and then you can't do any of those things because their code won't allow it.
It's also a huge antitrust problem because it precludes new independent platforms from being used, since it cements the chicken and egg problem that people won't use a device that can't access existing services and the services won't support a system nobody uses. In other words, WINE is banned and Firefox is banned and everyone is stuck with IE/Edge on Windows forever.
It's not that remote attestation can't be used for good. Obviously it can. It's that there's so many ways we can use it for evil, and given the track the world is on, it's quite obvious it will be.
Ben Franklin understood that and so included qualifiers in the quote, which was "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety".
> If your infra consistently enforces mTLS
You won't be able to send email or bank if you aren't running the snitch or any configuration where you could defeat it.
Hell in a boring dystopia run by adults this could theoretically be a good thing! Never miss the next obvious school shooter!
Then look at who actually runs our country.