Conversation

Replying to

See attestation.app/about if you're interested in it. I built github.com/GrapheneOS/Aud and github.com/GrapheneOS/Att to provide a way for users to use hardware-based attestation with Trust-On-First-Use pairing. It does bootstrap with the root, but that's an incredibly weak check.

github.com

GitHub - GrapheneOS/AttestationServer: attestation.app remote attestation server. Server code for...

attestation.app remote attestation server. Server code for use with the Auditor app: https://github.com/GrapheneOS/Auditor. It provides two services: submission of attestation data samples and a re...

Replying to

Verification based on the attestation root is essentially only useful for implementing anti-cheat / DRM. It can be fooled by anyone able to compromise a single TEE / SE on any device, including one without updated firmware. Bunch of companies also have access to valid batch keys.

Replying to

I don't see another way of doing it for use cases like this with the current implementation. It would certainly be better than not using any hardware-based attestation at all, but unless the devices are going to have pairing done before being distributed to users it's very weak.

Replying to

Thanks for this thread. What I think I'm hearing is that the sort of attestation that would be a meaningful lower bar for a voting app isn't going to happen any time soon for most Android devices.

Replying to

In a less unpopular opinion than I initially expressed, I’d argue that SafetyNet / DeviceCheck may be Good Enough (TM) in practice. What is an individual jailbreaking/rooting their phone able to achieve?

Replying to

You want to know: . No app is overdrawing the voting app (switching candidates), or otherwise compromising integrity or privacy . The real app is running on a real phone (not some attacker in the cloud) Separately, you to authenticate the voter, maybe bind to the phone.

Replying to

If the device was paired using hardware-based attestation when it wasn't compromised, it gives a very strong assurance that it has the latest security patch level and isn't compromised. The inclusion of the patch level is a big deal. Chained trust to the app allows other checks.

Replying to

Even ignoring the bootstrapping issue, I don't think it's good enough for serious voting. Even 0.1% of devices being compromised in a widespread attack is a massive problem. There are other problems beyond the actual security of devices too. Voting has more to it than just this.

Replying to

The *perception* of security and *trust* in the system matters. The public needs to believe in the system and have a full understanding of why it's trustworthy. Think about a president refusing to give up power because they claim that the election results were compromised.

Replying to

If you have online voting, it becomes very plausible that it was compromised. Even if you have some incredibly secure system that's formally verified with special software / hardware distributed to every citizen, that's not good enough.

Replying to

The public can understand paper ballots + everything done under the supervision of people representing each candidate, which is how our federal elections work in Canada across the board, until they decide to ruin it. Also, secrecy of ballots and prevention of coercion matters.

5:34 AM · Mar 5, 2020Twitter Web App

Replying to

Consider a spouse, employer, etc. forcing someone to vote a certain way or someone being paid to vote a certain way. Proper secret ballots mitigate those things, imperfectly, but far better than vote-by-mail or voting online. Also, we have this: elections.ca/content.aspx?s. *shrug*