Comment by jofla_net
1 month ago
All this theatre is turning out to be nothing more than giving up the agency we have today (nice things), for a risk averse kneejerk runaround with glaring ulterior motives...just like the scan your face+id push for services.
Would YOU be willing to use a bank that refused to use TLS? I didn't think so. How is you refusing to accept remote attestation and the bank refusing to connect to you any different?
Because Banking has existed and operated fine for countless decades without it(attestation).
Also, as there is ample discussion elsewhere, having attestation does NOT eliminate the ability for your account to become compromised.
As restated.
"If the user's device isn't compromised then everything is fine regardless of whether or not it can pass attestation. If the user's device is compromised, the device doesn't need to pass attestation to run a fake bank app and steal the user's credentials. Once the attacker has the user's credentials they can use them to transfer money regardless of whether or not they have to use a different device that can pass attestation.
It doesn't really provide any security."
IT DOES however completely rewrite the paradigm of general purpose computing in very asymmetrical ways.
Stop ignoring my question. If it is OK for YOU to refuse to use a bank that doesn't use TLS then why isn't it OK for a bank to refuse you as a customer if you refuse to agree to remote attestation? Both parties have the right to specify reasonable security postures and either mutually agree or not.
1 reply →
Because it's not about security, and bank doesn't own my device. If it was, I should be able to supply the bank my own attestation keys.