Hacker News new | past | comments | ask | show | jobs | submit login

How about, trusted peripherals should speak DTLS over their USB/Thunderbolt PHY, and the OS should keep a certificate store for recognizing them?

This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.




> This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...

Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.

A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).

Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.


Aren’t we trying to prevent an attacker with physical access? They could simply unplug everything first.


maybe not the exact correct solution (some of those MCUs are wayyyyy too tiny, slow, and stupid for something as complicated as DTLS), but this is not a horrid thought. The bootstrapping problem can be resolved via Microsoft's secureboot certificate and letting the firmware sort out the initial "trusted boot USB sticks" or however.

hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. at this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: