[jdsnape]

I agree with you for devices where the user should be considered 'trusted' - I like to tinker too.

But I think there are use-cases where this is legitimate, for example, ticket readers mounted on public transport where anyone could tamper with them out-of-hours, or a utility meter installed in my house where I might want to change the way it records consumption to get out of paying. Likewise, a payment terminal taking card payments in a restaurant - as a diner I'd quite like some assurance that someone couldn't tamper with it to record card details for example.

[ryukafalz]

>ticket readers mounted on public transport where anyone could tamper with them out-of-hours

The owner of the ticket reader is the public transport authority.

>a utility meter installed in my house where I might want to change the way it records consumption to get out of paying

The owner of the utility meter is typically the company providing the utility.

In both of these cases, I would expect the owner of the device to have full control over it and not, say, only the manufacturer. If my city's government installs ticket readers in every subway station and is then perpetually beholden to a single private company to upgrade/maintain/improve them, that feels like a problem.

Note that this doesn't have to mean that someone with temporary access to the device should have full control over it! There's still a place for secure boot-style systems; it's all about who controls the keys.

>a payment terminal taking card payments in a restaurant - as a diner I'd quite like some assurance that someone couldn't tamper with it to record card details for example

This one is maybe a bit more concerning since it's a card issued by a separate authority, you don't have the ability to confirm transaction amounts on a device you trust, etc... but sure, in this case, I'd be fine with the hardware vendor or payment processor controlling the hardware.

(Though long-term I think this is a bit silly in the first place considering approximately everyone is walking around with computers in their pockets that would be perfectly capable of letting you confirm transaction amounts on a display you trust. Card payments currently are effectively handing someone your account details and saying "pretty please only take as much as you say you will.")

[bleepblorp]

> Though long-term I think this is a bit silly in the first place considering approximately everyone is walking around with computers in their pockets that would be perfectly capable of letting you confirm transaction amounts on a display you trust.

This is how China's new-generation payment systems work.

[elcritch]

It's a conundrum. I prefer to have devices that are open to user modification or fixes, but that inherently means bad actors could also readily modify the device. Though even devices locked with DRM can be rooted, so perhaps it's a false sense of security.

It'd be great if one could build on zero knowledge proofs with something like monero that could let you verify the firmware of a device. Or rather, your phone/credit card queries the device with a ZKP (or something), then uses a public blockchain to verify the devices firmware signature chain. A user could possibly then use a "adblock" like software to warn of manufacturers that have been breached, etc.

[tpxl]

A random third party owning the trust root doesn't help you in any of those situations.

[jlokier]

Yes it does, because it's not a random third party.

It's the device manufacturer.

Everyone is already dependent on some level of integrity by the device manufacturer, whether they're happy with this or not, because there is no other option.

That integrity might be checked. The manufacturer may be audited. Their processes and people may be background checked. Their hiring practices subject to a standard. Some of their devices may be selected at random, scrutinised, picked apart, checked by third parties, just to be sure. It's not done much, but perhaps it should be. Anyway, if that's done there is some higher level of justification in trusting the manufacturer's integrity, even if it remains a weak point.

If we already have to trust the device manufacturer and/or their auditors, that makes them owning the software trust root a very different proposition compared with anyone else owning it.

[tpxl]

>That integrity might be checked

It might also be broken and they don't care for you and you're screwed.

Also, as was shown many a time, the manufacturer will prevent you from doing whatever you please with your own hardware, if you chose to do so. In that case, their integrity is broken by design.

[jlokier]

That's all true, but the context here is things like payment terminals, ticket machines and energy charging meters, and whether it makes sense for third parties to easily modify the software running on them.

That hardware is not "your own". It is deployed to facilitate and protect a transaction between you and someone else.

The certainly exists a possibility that the manufacturer of those devices doesn't care about protecting them, with the result that you the user get over-charged, have your card details stolen etc.

But it's hard to see how making it easy for "anyone" to modify the software on those kinds of devices in an unconstrained way doesn't pose strictly greater risks of the above kind to you the user (being over-charged etc).

Surely you would rather have to trust just a few entities in control of the device, who have some kind of quality control legal obligation through the usual network of contracts and liabilities, than trust the 100s of entities that have had some contact at some point with the device, any of whom could have modified the software on it?

Any ideas on how to solve this problem which don't involve trusted roots?

[tpxl]

I see there was a misunderstanding. The owner of the payment terminal has to be the trusted root, not the manufacturer.