Comment by do_not_redeem

Comment by do_not_redeem 15 days ago

9 replies

View on Hacker News

Siblings are being more charitable about this, but I just don't think what you're suggesting is even possible.

An HTTP client sends a request. The server sends a response. The request and response are made of bytes. Any bytes Chrome can send, curl-impersonate could also send.

Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

gruez 15 days ago

>Chromium is open source. If there was some super secret handshake, anyone could copy that code to curl-impersonate. And if it's only in closed-source Chrome, someone will disassemble it and copy it over anyway.

Not if the "super secret handshake" is based on hardware-backed attestation.

Reply View 1 reply
  • do_not_redeem 15 days ago

    True, but beside the point.

    GP claims the API can detect the official chrome browser, and the official chrome browser runs fine without attestation.

    Reply View 0 replies
dist-epoch 15 days ago

> someone will disassemble it and copy it over anyway.

Not if Chrome uses homomorphic encryption to sign a challange. It's doable today. But then you could run a real Chrome and forward the request to it.

Reply View 6 replies
  • do_not_redeem 15 days ago

    No, even homomorphic encryption wouldn't help.

    It doesn't matter how complicated the operation is, if you have a copy of the Chrome binary, you can observe what CPU instructions it uses to sign the challenge, and replicate the operations yourself. Proxying to a real Chrome is the most blunt approach, but there's nothing stopping you from disassembling the binary and copying the code to run in your own process, independent of Chrome.

    Reply View 5 replies
    • dist-epoch 15 days ago

      > you can observe what CPU instructions it uses to sign the challenge, and replicate the operations yourself.

      No you can't, that's the whole thing with homomorphic encryption. Ask GPT to explain it to you why it's so.

      You have no way of knowing the bounds of the code I will access from the inside the homomorphic code. Depending on the challenge I can query parts of the binary and hash that in the response. So you will need to replicate the whole binary.

      Similar techniques are already used today by various copy-protection/anti-cheat game protectors. Most of them remain unbroken.

      Reply View 4 replies
      • fc417fc802 15 days ago

        I don't believe this is correct. Homomorphic encryption enables computation on encrypted data without needing to decrypt it.

        You can't use the result of that computation without first decrypting it though. And you can't decrypt it without the key. So what you describe regarding memory addresses is merely garden variety obfuscation.

        Unmasking an obfuscated set of allowable address ranges for hashing given an arbitrary binary is certainly a difficult problem. However as you point out it is easily sidestepped.

        You are also mistaken about anti-cheat measures. The ones that pose the most difficulty primarily rely on kernel mode drivers. Even then, without hardware attestation it's "just" an obfuscation effort that raises the bar to make breaking it more time consuming.

        What you're actually witnessing there is that if a sufficient amount of effort is invested in obfuscation and those efforts carried out continuously in order to regularly change the obfuscation then you can outstrip the ability of the other party to keep up with you.

        Reply View 0 replies
      • do_not_redeem 15 days ago

        You're just describing ordinary challenge-response. That has nothing to do with homomorphic encryption and there are plenty of examples from before homomorphic encryption became viable, for example https://www.geoffchappell.com/notes/security/aim/index.htm

        Homomorphic encryption hides data, not computation. If you've been trying to learn compsci from GPT, you might have fallen victim to hallucinations. I'd recommend starting from wikipedia instead. https://en.wikipedia.org/wiki/Homomorphic_encryption

        And btw most games are cracked within a week of release. You have way too much faith in buzzwords and way too little faith in bored Eastern European teenagers.

        Reply View 2 replies