
Comment by jorvi

3 days ago

Weird rant. TPMs are great. The modern computing landscape needs a safe place to put secrets. It's what made the iPhone (Secure Enclave is effectively a TPM) years ahead of Android in terms of security.

The problem isn't the TPM, but attestation. As soon as the TPM is required to not be under your control to get access to Y, bad things happen.

Hell, in actuality, the problem isn't even attestation, it's policy. The EU Parliament (the one the people vote for, the Commission are cronies) might eventually force corporations into something more citizen-friendly. Neither Apple, Google nor Microsoft is going to drop a market that big.

Requiring "tokens" stored in "trusted modules" and 7-factor-auth for everything is not progress, it's theater. The biggest achievement of the security orthodoxy was locking me out of my email, by requiring me to read a code sent to my email to log into my email.

I -- literally -- do not care about a single "account" in any "service" I use aside from my email and bank account. Most people would add a few social media accounts to that list.

You don't need a "place to put secrets". Your iPhone app does not do anything important enough to require a "trusted chain" of cryptographic bullshit, just use a password and Google/Apple login.

  • Your accounts are valuable, even if they're not valuable to you.

    An old account with typical activity patterns can be extended some level of trust. If you sign up for an email address and immediately send a message with 100 recipients in CC, you're probably a spammer, so you get blocked. If you've used the account for years, ehh it's probably invitations to your high-school reunion or a donation drive for your Church, let's let this one through.

    You can only extend this level of trust if you prevent your gullible users from constantly getting hacked; 2FA is one way to do that.

  • Passkeys are better passwords. They need a TPM.

    • > Passkeys are better passwords. They need a TPM.

      Passkeys absolutely do not need TPM.

      You can get passkey support in any browser with a simple 1password plugin without any TPM hardware.

      The same way you could get a TOTP app on your phone without any TPM.

      TPMs are just an extra security layer for most usages.

      They are mainly a necessity for some shady business like DRMs.


  • Run vaultwarden locally. Install bitwarden. Now you have a software-only implementation of passkeys. Dig into the vaultwarden sqlite database and you'll find passkey data there. Extract and save it on disk and you have an exportable passkey. See, it's all security theater without remote attestation.

    I had an idea to create a blatantly insecure passkey browser extension. Maybe I should do that.

  • What about Apple Wallet?

    The reality is that there is software dependent on the user being unable to modify it. This safeguards the server against fraudulent users.

Attestation isn't even the problem. I'd love to be able to verify that my server's kernel hasn't been tampered with.

The problem lies in companies like Apple/Google/Microsoft rejecting attestation that they do not control.

People confusing big tech's policy choices with tech features have made "I want my laptop's auth token to only be usable on my laptop" a controversial opinion.

> The modern computing landscape needs a safe place to put secrets.

Does it? Why waste time on developing exploits when you can just call up grandma and get her to give you the money by her "own" volition - using her secure device - by pretending to be the bank/IRS/her granddaughter using AI voice/etc.

> TPMs are great.

TPMs are a fucking mess. TPM 2 at least, I've worked with it for a few months. I love me some hardware security module, but I want to control it. And if it must be a standard, please please do something like the TKey, so it can be both much simpler than current ad-hoc standards and future proof.

https://loup-vaillant.fr/articles/hsm-done-right

TPMs add security against a narrow case of evil maid attacks. They might be useful for corporate computing (for cargo cult compliance purposes more than actual security) but they trojan horse more of "not owning the device you bought" with it to people that don't and shouldn't care about evil maid attacks at all.

  • Adding brute force resistance to consumer hardware is pretty useful. Now your password can be John1985 without fear of getting brute forced within seconds.

    "I don't use a TPM in my computer so it shouldn't exist" has always sounded like a weird argument against the tech in my opinion.

    Many Android phones have their secret storage implemented as a virtual machine rather than a TPM. The lack of a TPM doesn't suddenly give me any more freedom, although it does come with security downsides.

  • TPMs can also be based on free software and our own keys. It works well with Heads and Librem Key.

Agreed. Trying to limit progress because it may be misused is attacking the wrong part of the problem and will not work.