Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

you can keep verified boot on custom roms. play services expose you to googles nsa'd taps we'll hear about in 5y.

source: im another google engineer



https://source.android.com/security/verifiedboot/verified-bo...

How do you propose a custom rom can establish hardware root of trust without being signed by the device manufacturer?


I believe the point is that such a signature is useless since the software signed as safe is actually unsafe, while a self-signed rom at least has a chance to be safe.


this reminds me of when team-teso had their stuff on their website directly accessible over https.. so they used a self-signed cert, so that no govt or corporation could require a MITM with a valid signed cert from any trusted CA.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: