Web-Environment-Integrity
SupplyChainAttacks
Web-Environment-Integrity | SupplyChainAttacks | |
---|---|---|
54 | 15 | |
536 | 227 | |
- | 0.4% | |
10.0 | 3.3 | |
6 months ago | about 2 months ago | |
- | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
Web-Environment-Integrity
-
Google apparently backs off on WEI
Repo has be archived - "NOTE: This proposal is no longer pursued."
https://github.com/RupertBenWiser/Web-Environment-Integrity
-
The boiling frog of digital freedom
[2] - https://github.com/RupertBenWiser/Web-Environment-Integrity/...
-
It's time we do a uno reverse to Web Integrity API
I think the best issue raised is: Why would I, as a user, want this?
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
- Issues / Web-Environment-Integrity
-
EFF denounces Google's WEI proposal
There were proposals for protecting against this in the WEI explainer under "Open Questions" https://github.com/RupertBenWiser/Web-Environment-Integrity/...
-
Web Environment Integrity: Google strikes again
The Web Environment Integrity is yet another Google proposal for making the web worse for everyone but them.
-
Google’s Plan to DRM the Web Goes Against Everything Google Once Stood For
Point me to anything which would give websites access to that information via WEI. There is nothing. I have seen nothing except FUD. Aside from that, this only attests for the device. Ad-blockers can be external. This does nothing for external ad-blockers.
Explicit non-goals for WEI:
"Enforce or interfere with browser functionality, including plugins and extensions."
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
-
With merge of this pull request, Brave Browser disables WebEnvironmentIntegrity
That also applies to Javascript, or being forced to use some form of an up-to-date browser. What is different with WEI?
I didn't see many people debating the actual text of the WEI explainer[0] on the HN posts about WEI, and that's probably because they were links to articles about WEI. The HN post for the explainer with the most upvotes only has 89[1], likely because most of HN treats the upvote as "I agree/like this" instead of "boost this topic for discussion".
0: https://github.com/RupertBenWiser/Web-Environment-Integrity/...
1: https://news.ycombinator.com/item?id=36785516
-
Adtech is built on a privacy fault line
> If you don't want my browser to render content as it sees fit, don't serve the content over a protocol where that dynamic is inherent.
to play the devil's advocate, this is why google proposed the WEI (https://github.com/RupertBenWiser/Web-Environment-Integrity/...). Be careful what you wish for...
-
The Right to Lie and Google’s “Web Environment Integrity”
https://github.com/RupertBenWiser/Web-Environment-Integrity/...
I stopped reading after the explainer’s intro section. The first example is making it easier for websites to sell adds (lmao) and the other 3 are extremely questionable whether if the proposed remedy even helps. And it’s presented as a benevolent alternative to browser fingerprinting, as if we must choose between these two awful choices. It’s an absolute joke of a proposal.
SupplyChainAttacks
-
Web Environment Integrity Explainer
Why should anyone trust a remove server providing a signed statement of authenticity when Intel[1], MSI[2], Lenovo[3], NVIDIA[4], Microsoft and others keep losing their keys? Even if they haven't lost their keys recently, technology companies don't have a great track record of producing foolproof hardware designs (e.g. recent case of [5]), if foolproof was ever a reasonable expectation. For starters, it's assuming technology such as ptychographic X-ray computed tomography and focused ion beam machining won't become more commonplace and commercially viable to readily break TPM attestation schemes. Or that with wider use of TPM attestation, more effort will be expended into breaking it whereas for the current state with minimal adoption, few people care.
The issue client-side is that if a single vendor or TPM design is compromised, your threat actors have more motive, resources and ability to exploit this compromised hardware than you do. And critically, you as a user are blocked by your own choice of TPM attestation technology from discovering attacks and auditing your own system security, as you ceded control of your own systems. Instead, your systems are controlled by a few technology companies that have a proven terrible track record of fulfilling their alleged intent of keeping your systems and data secure. Why should they care if it doesn't lead to a higher profit at the end of the year.
[1] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...
[2] https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...
[3] https://github.com/binarly-io/SupplyChainAttacks/blob/main/L...
[4] https://news.ycombinator.com/item?id=30565985
[5] https://arxiv.org/abs/2304.14717
-
Money Message Ransomware Group Uploads Stolen MSI Data to Dark Web
Money Message has this week claimed that MSI has refused to meet their demands - as a result, an upload of stolen data started on Thursday with files appearing on the group's own website, and spreading to the dark web soon after. Binarly, a cybersecurity firm, has since analyzed the leaked files and discovered the presence of many private code signing keys within the breached data dump. Alex Matrosov, Binarly's CEO states via Twitter: "Recently, MSI USA announced a significant data breach. The data has now been made public, revealing a vast number of private keys that could affect numerous devices. FW Image Signing Keys: 57 products (and) Intel Boot Guard BPM/KM Keys: 166 products." Binary has provided a list of affected MSI devices (gaming laptops & mobile workstations) on their GitHub page.
-
1200 € high fps 1440p gaming build
lol, yes. but not their mobos... mainly laptops: https://github.com/binarly-io/SupplyChainAttacks/blob/main/MSI/MsiImpactedDevices.md
-
Hackers Leak Intel BootGuard & OEM Image Signing Keys for 200+ Products and Vendors
Binarly also posted another set of keys that were apparently leaked in the MSI breach. These aren't Boot Guard keys, but are instead orange unlock keys for Gemini Lake and Apollo Lake systems. Intel CPUs expose various sets of debug capabilities to debug production systems; there are several levels of debug access that are supported, with higher levels requiring authentication. Red unlock is the most powerful state - it lets you access much more than just architectural x86 state, including microarchitectural state [such as the decrypted microcode sequencer ROM]; it also can be used to execute undocumented instructions. It even lets you debug the Intel ME x86 core!
- Are people overreacting towards Asus issue or it should really be avoided?
-
are ASRock the best for AM5 right now?
Link: Binarly GitHub
- Boot Guard Keys From MSI Hack Posted, Many PCs Vulnerable
- Leaked and Detected In-The-Wild Intel Keys from Lenovo/LCFC/AlderLake Leak - Intel Alder Lake BIOS code leak
- Hackers Leak Private Keys for MSI Products… PRIVATE SIGNING KEYS!
-
Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security
Or the GitHub link below
https://github.com/binarly-io/SupplyChainAttacks/blob/main/M...
What are some alternatives?
use-cases - Uses Cases for the Anti-Fraud CG
dillo-plus - A lightweight web browser based on Dillo but with many improvements, such as: support for http, https, gemini, gopher, epub, reader mode and more...
BrowserBoxPro - :cyclone: BrowserBox is Web application virtualization via zero trust remote browser isolation and secure document gateway technology. Embed secure unrestricted webviews on any device in a regular webpage. Multiplayer embeddable browsers, open source! [Moved to: https://github.com/BrowserBox/BrowserBox]
bikeshed - :bike: A preprocessor for anyone writing specifications that converts source files into actual specs.
encrypted-media - Encrypted Media Extensions
nyxt - Nyxt - the hacker's browser.
standards-positions
chromium - The official GitHub mirror of the Chromium source
kilian.io - :wave: my personal homepage
nativefier - Make any web page a desktop application
ipa - Interoperable Private Attribution (IPA) - A Private Measurement Proposal