• Redezem@infosec.pub
    link
    fedilink
    arrow-up
    12
    ·
    1 year ago

    Question for anyone with more understanding of the implementation…

    Doesn’t this still presume the browser tells the truth to the third party attester? Could we not build something that just straight up lies to the attester? Says I’m a good Google chrome user with no extensions please serve me ads sir?

    • donnachaidh@lemmy.world
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      My understanding was that the browser vendor itself would be the attester. So if Google says it’s Google Chrome, it probably is. Unless you somehow reverse engineer how Google decides that it’s Google Chrome and spoof that or something…

    • koper@feddit.nl
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      This system would use cryptography and hardware to make sure that you are unable to lie about any of this. Basically, there is a chip inside your CPU that contains special keys installed by the manufacturer. However, this chip only activates itself when it detects that your device is running the approved software. Furthermore, it is made (almost) impossible to open this chip and retrieve the keys without destroying it.