undefined | Better HN

0 pointsTeknoman1174y ago0 comments

That, or hackers would just use a TPM compatible device you can reassign the keys on. Not necessarily useful from a security point of view, but would get you around bans by hardware id.

0 comments

3 comments · 1 top-level

no_time4y ago· 2 in thread

Does not work like that. The keys are signed by the vendor of the hardware. You are essentially paying for the hardware AND the signed keys within it. The server can choose to only trust vendor signed keys.

Teknoman117OP4y ago

And how long until one of those vendor keys is compromised? Can't exactly revoke the signed key for everyone's hardware. All it takes is a single malicious actor or nasty breach at one of the issuing companies and it's all over.

It doesn't appear to have been a big target thus far, but if we get to the point where companies are perma-banning devices, It's not hard to imagine those becoming target #1 for various blackhat groups.

no_time4y ago

It's probably a similar infra to root CAs that sign TLS keys. I don't recall a root CA compromise in recent memory.

j / k navigate · click thread line to collapse