This is scary. It's (strong) SafetyNet for websites.

Every now and then I run into another Android app I can no longer run because someone decided my phone, running an official build of my choice of OS, that isn't even rooted, is "not trustable".

Now they want to start doing that for websites.

This kills open Linux on the desktop (including Asahi Linux). It kills alternative browsers. It is a backdoor to kill ad blockers.

No. Just no. Please.

https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md

@lina I love how people keep claiming that their arbitrary websites and apps need to know exactly the software you are running "for your own good" while even some bank apps (like the ones I use) don't care about attesting client-side integrity.

@PeterCxy @lina imo the people who are running detectable unofficial software are the people who (are more likely to) know what they're doing

developers who do stuff like this: maybe focus your efforts on protecting your platform from people doing undetectable things instead?

@ryanc @PeterCxy @lina It’s pretty much always a “don’t want to support” instead of a “cannot support” from the website’s company/underfinanced development team… There’s not really a reason why your webapp wouldn’t run in an environment other than Chromium-based, except if you only developed for and tested against that…

@lm1 @ryanc @PeterCxy @lina It's usually not the development team.

It's management, the legal department, …

@lm1 @ryanc @PeterCxy @lina There is also this ugly illusion that I call “security by legal contract”.

Lawyers swear by it. Actually they should know best how irrelevant contracts are, and a bankruptcy court can give the stinky finger in very polite words.

So let's start with company A. For whatever legal reasons, they need a single sign-on solution that is capable of nuking their devices on demand remotely. Their devices BTW, that have been full-disk encrypted by policy for years now.

@lm1 @ryanc @PeterCxy @lina
Now setting up such a solution by the IT department, on-premises or on A's slice of cloud heaven, would be expensive. A would need admins trained to set it up and run it, software licences, hardware, …

Now how lucky for A, there are companies (as this is a new field, relatively young ones, 🤷) that offer to run your single sign-on service for you on the internet as a fully maintained service. Cool.

Pay less than what a developer or two cost per month to solve the issue!

@lm1 @ryanc @PeterCxy @lina
And that SaaS-style provider (although they actually don't sell a specific piece of software but their own proprietary cooking) pinky swears in the contract that it is all 100% secure.

While they advertise how many Fortune 500 companies and general customers are using their services. ⇽ this BTW does not paint a huge crosshair on their back for any malware peddler on the planet: “hack here to get instant admin-level access to the IT of 1000s of juicy corporate targets”.

@lm1 @ryanc @PeterCxy @lina So let's analyse what A did from a legal point of view: they improved their security, and their IT insurance will give them a discount because they have a central single sign-on system.

Senior engineers just roll their eyes; that's what happens daily in corporate IT. Not only with single sign-on: critical core functionality is outsourced and replaced with a contract. Without any consideration that if your contract partner fails to deliver you might be out of business,

@lm1 @ryanc @PeterCxy @lina Sure the bankruptcy court might be able to recover some damages from the service provider that failed you.

In some cases. In others, the service provider will also be bankrupt.

But let's think about what A did technically:
- they installed agents of the SaaS company that run with root/admin on all computers of the company. (needed to manage users on the computers)
- that listen to remote control servers.

It's the RAT and C&C pattern.

@lm1 @ryanc @PeterCxy @lina
Only the contract that A's legal dept reviewed and said was okay keeps the SaaS from doing stupid things with A's IT.

I think I mentioned that this concentration of juicy targets that can be accessed by breaking into one office might attract predators from tiny to big, including state-level predators.

Oh. How exactly are you making sure that the hacking team of the home team does not show in the office of the SaaS company?