by gmlenovo22 309 days ago
I don't buy this.

They could run one secure enclave running the legit version of code and one insecure hardware running insecure software.

Then they put a load balancer in front of both.

When people ask for the attestation the LB sends traffic to the secure enclave, so you get the attestation back and all seems good.

When people send VPN traffic the load balancer sends them to the insecure hardware with insecure software.

So SGX proves nothing.

2 comments

That's not what they're trying to prove. Only one server is given the certificate to authenticate with you, you connect to that server, every message with that server is authenticated with that certificate.

They are proving that they are the ones hosting the VPN server - not some server that stole their software and is running a honeypot - and that the hosting company has not tampered with it.

So in the end you still have to trust the company that they are not sharing the certificates with 3rd parties.

While there are many ways to subvert this, that isn't one of them. Only the attested software can decrypt the traffic you send.
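
The disagreement in this thread comes down to whether the client ties the attestation to the key that protects its traffic. The sketch below is an added example, not part of any comment above and not the VPN provider's code; it assumes the quote's report data holds a SHA-256 hash of the server's session public key, and it uses an HMAC with a constructed key as a stand-in for the hardware vendor's quote signature.

```python
import hashlib, hmac, os

# Constructed stand-ins: a real SGX quote is signed with an asymmetric key that
# chains to the hardware vendor; HMAC with a fixed key only models "signature verifies".
VENDOR_KEY = b"constructed-vendor-signing-key"
EXPECTED_MEASUREMENT = hashlib.sha256(b"published VPN build (constructed)").digest()

def make_quote(measurement: bytes, session_pubkey: bytes) -> dict:
    """Model of a quote: code measurement plus report data chosen by the enclave."""
    report_data = hashlib.sha256(session_pubkey).digest()
    body = measurement + report_data
    return {"measurement": measurement, "report_data": report_data,
            "sig": hmac.new(VENDOR_KEY, body, hashlib.sha256).digest()}

def client_accepts(quote: dict, presented_pubkey: bytes) -> bool:
    """Client-side check: genuine quote, expected code, and the same key on the tunnel."""
    body = quote["measurement"] + quote["report_data"]
    good_sig = hmac.compare_digest(
        quote["sig"], hmac.new(VENDOR_KEY, body, hashlib.sha256).digest())
    good_code = hmac.compare_digest(quote["measurement"], EXPECTED_MEASUREMENT)
    bound = hmac.compare_digest(
        quote["report_data"], hashlib.sha256(presented_pubkey).digest())
    return good_sig and good_code and bound

def demo() -> dict:
    enclave_key = os.urandom(32)  # models a public key whose private half stays in the enclave
    other_key = os.urandom(32)    # models the key of the non-enclave host behind the balancer
    quote = make_quote(EXPECTED_MEASUREMENT, enclave_key)
    return {
        # Attestation and traffic both terminate in the enclave.
        "same_backend": client_accepts(quote, enclave_key),
        # Balancer relays the enclave's quote, but the traffic host presents its own key.
        "split_backend": client_accepts(quote, other_key),
        # Quote for a modified build, even with a consistent key binding.
        "modified_code": client_accepts(
            make_quote(hashlib.sha256(b"modified build").digest(), other_key), other_key),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

If the traffic host instead presents the enclave's public key, the binding check passes, but that host does not hold the matching private key and cannot complete the key exchange. A client that skips the binding check gets no such protection from the quote alone.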