Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

86% Positive

Analyzed from 304 words in the discussion.

Trending Topics

#boot#remote#attestation#right#security#user#hostile#exploits#malware#consumer

Discussion (9 Comments)Read Original on HackerNews

imglorp24 minutes ago
We use SPIFFE/SPIRE at work. It works well for our use case, remote embedded workflows that need to phone home. It's very exacting: everything must be exactly right for the attestation to succeed. So it takes extra effort when you commit to that path.
nondescript288743 minutes ago
>But what about attacks after boot? That’s your EDR’s problem. Trusted boot provides the bedrock to build a bunch of other primitives on top of. Including cryptographic proof your EDR is installed and running (at boot), immutable filesystems (verified at boot), signed upgrades, confidential computing, etc. Without it you can’t trust your hosts themselves and can’t make further security guarantees. Houses built on sand and all that.

Good take - remote attestation doesn't solve all problems on its own but it is a very powerful tool in the platform security toolbox (and very cool "to boot" :P)

zb3about 1 hour ago
It would be a nice addition if big tech didn't abuse this to shove user-hostile software into devices which the user has paid for (like smartphones).. thanks to this attitude, whenever I see "remote attestation" I associate this with "hostile"..

> Using a TPM, we can remotely, cryptographically prove a couple of things:

Unless there are exploits..

lcvwabout 1 hour ago
I mean, all tech can be used in different ways. My experience has been much more on the preventing root kits side, rather then vendor lock in.

Yes, there can be exploits, but hardware exploits over a restricted interface (TPM2) are significantly rarer then normal software vulns. Everything is about risk mitigation, there is no perfect security.

GreenVulpine22 minutes ago
Make no mistake. Shoving user-hostile malware down people's throats is the primary use case for this in the consumer space. Bootloader malware is very esoteric right now. Enterprise might have valid use cases beyond screwing people but none of them make sense for a consumer device.
mjg5912 minutes ago
You say that, and also remote attestation is how Signal knows it's talking to a legitimate SGX enclave running the expected payload
lcvw13 minutes ago
I think consumer devices should have opt-outs for sure. But personally I am much more comfortable with myself and my family having fully locked down apple phones then anything else on the market right now, precisely because of how difficult it is to get persistent malware into that ecosystem.