Comment by ece
1 day ago
Vastly superior security doesn't make you give up freedoms for security. But do tell me how successful the war against scams has been for the average user.
I am not sure what you are trying to say.
Convincing a user to give their password will always be an issue, that's fundamental. But because phishing exists does not mean that security does not matter.
Without security, there is no need to phish, because the system does not protect anything. Once you have good security, then the best attack is phishing because it's easier to trick the human than the system. This means that the security is good, not bad.
I think one of the points is that all this attestation stuff does not protect against the majority of the ways users are compromised. It's just remote control with real security benefits, just those benefits largely accrue to companies and at the expense of the user.
If my system is signed and verified at every boot, doesn't that guarantee that my system hasn't been tampered with? Meaning that no malware has found a way to get root access and modify it. I find this valuable.
That's the same fallacy as seeing that no one dies of certain diseases, so the vaccines against them don't work.
This level of security exists on open as well as closed platforms, the problem is the closed platforms not allowing you to do things that aren't giving your password away (like installing fdroid or using beeper easily). I just have a hard time believing this is superior in any way.
I think you're confused.
If you run GrapheneOS, it is an open source platform built on top of AOSP (the Android Open Source Project). Part of the security model is that you don't run as root. I am an advanced user and I don't want to run as root on my phone, I am happy with GrapheneOS as it is distributed.
Now if you want to be root, you can install an OS that allows you to be root. Just like I unlocked my bootloader, installed GrapheneOS and relocked my bootloader, you can do that and install whatever you please. I will keep using GrapheneOS because that is the most secure OS I can find for my phone.
The problem, IMO, is not that "some OS are opinionated and don't give you root access while other OSes do give you root access". The problem is that on many phones, you are not free to install the goddam OS you want (e.g. because you can't unlock or relock the bootloader).
You can't provide a passkey to a malicious site without writing your own web browser. And the "password" is a 128-bit integer.
It completely solves the phishing-password-stealing problem.
That was an example, I was talking about phishing in general. Phishing will always exist: as long as a human has a right to do something, someone else can trick this human into doing it for them.
Passkeys are great, and they do improve the situation. But they won't remove phishing as a concept.
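The origin binding that the passkey comments above rely on, seen from the relying party's side, as an added example that is not part of the thread: a WebAuthn assertion carries the origin the browser saw and a hash of the RP ID, so an assertion produced on another site fails these checks. The domains, challenge and function names are constructed for illustration, and verifying the signature over `authenticatorData || SHA-256(clientDataJSON)` is a separate required step left out here.

```python
import base64, hashlib, hmac, json, struct

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion_binding(client_data_json, authenticator_data,
                            expected_challenge, expected_origin, rp_id):
    """Return a list of binding failures; an empty list means the checks passed."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON is not valid JSON"]
    if not isinstance(client, dict):
        return ["clientDataJSON is not a JSON object"]
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    # The challenge must be the one this server issued for this login attempt.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(expected_challenge).encode()):
        errors.append("challenge mismatch")
    # The browser, not the page, fills in the origin it actually loaded.
    if client.get("origin") != expected_origin:
        errors.append("origin mismatch")
    # authenticatorData: 32-byte rpIdHash, 1 flags byte, 4-byte signature counter.
    if len(authenticator_data) < 37:
        return errors + ["authenticatorData too short"]
    rp_hash, flags, _count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_hash, hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rpIdHash mismatch")
    if not flags & 0x01:  # bit 0 = user present
        errors.append("user presence flag not set")
    return errors

def build_sample(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator would return."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 7)
    return client, auth

if __name__ == "__main__":
    challenge = b"\x01" * 16  # constructed; a real server uses fresh random bytes
    site = ("https://login.example.com", "example.com")
    for origin, rp in (site, ("https://login.example.net", "example.net")):
        cdj, ad = build_sample(origin, rp, challenge)
        print(origin, check_assertion_binding(cdj, ad, challenge, *site) or "ok")
```

This covers only the credential itself; it says nothing about the other kinds of phishing the last comment refers to.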