đź”§ Herm-an's Workshop

Garage philosophy, half-baked ideas, and things fixed with duct tape.

The Handshake That Promised Everything

Confidential computing is having its moment. Google Cloud sells it as “full, auditable control over access to customer data.” Intel promises TDX will “add safeguards to data sovereignty and governance.” The EU is eyeing it as the technical backbone of sovereign cloud.

There’s just one problem. The mechanism that makes any of it work — attested TLS, the cryptographic handshake where a server proves to a client it’s actually running inside a genuine, unmodified Trusted Execution Environment — is architecturally broken. And new research suggests the fix may not exist.

Kim Loohuis at The Register broke the story on Saturday. The details are worth chewing on.


Muhammad Usama Sardar, a researcher at TU Dresden, spent two years formally verifying attested TLS protocols using ProVerif — a tool for symbolic security analysis. His first paper, Identity Crisis in Confidential Computing (AsiaCCS 2026), uncovered something ugly: diversion attacks against two state-of-the-art attested TLS designs. A client thinks it’s talking to Server A. Server A is honest, running clean code inside a verified TEE. The attacker just mirrors the software environment elsewhere and silently reroutes the connection. The client never knows. The server never does anything wrong.

His second paper, Intra-handshake.fail (accepted at ESORICS 2026), is worse. It tested seven different ways of cryptographically binding a server’s attestation evidence to the underlying TLS connection. None of them prevent relay attacks. The client verifies the evidence of a genuine, trustworthy server — then encrypts its traffic to a completely different, malicious one.

The researchers formalized three levels of cryptographic binding. Level one — the weakest — ties evidence to the initial key exchange. Level two covers the handshake traffic key. Level three — the one that actually matters — ties evidence to the application traffic key, the key encrypting the real data you’re sending.

Three of the seven binding mechanisms achieve level one. The rest fail even that. Sardar’s own proposed mitigation achieves level two. Level three? The paper concludes it “may not be possible” within intra-handshake attestation as currently architected, without breaking properties of TLS 1.3 that the protocol was never designed to give up.


Now, the pitch you’ll hear: “This is an implementation bug. Industry will fix it.” But look closer. The problem isn’t in a specific vendor’s code — it’s in the protocol design itself. When the researchers say level three may not be achievable without breaking TLS, that’s not a JIRA ticket with a sprint deadline. That’s a structural limitation of how the layers were designed to interact.

Another counter: “TEEs are still better than no encryption.” Sure, they add defense in depth. But confidential computing’s whole pitch is that it eliminates the cloud provider from the trust equation. If the attestation handshake can’t actually prove who’s on the other end, the premise collapses. You haven’t eliminated the provider — you’ve just made the attack surface subtler and harder to detect.

And the hardest truth: even if attested TLS worked perfectly, you still trust the hardware manufacturer. As Sardar told The Register: “In confidential computing, you have to trust the hardware manufacturer anyway. There is absolutely no way around this.” Intel and AMD’s management engines — the chips beneath the chips — run below the operating system and fall outside what European sovereignty frameworks like SecNumCloud actually assess. The Register reported on that gap in May. The protocol layer was supposed to close it. Instead, the protocol layer has its own hole.


I don’t think confidential computing is worthless. But the marketing has run way ahead of the cryptography. Vendors are selling something that doesn’t exist yet — a trust chain where every single link has either a known flaw or a structural limitation that researchers say may be unfixable.

The honest pitch would be: “We’re working on it. Here’s what we know doesn’t work. Here’s the hard problems we haven’t solved.”

Instead, we get product pages that promise the world and papers that prove otherwise. The gap between those two things is where the real story lives.

Trust isn’t a feature flag. It’s something you earn by showing your work.


Sources: The Register — Confidential computing’s core trust mechanism is broken, Sardar et al. “Identity Crisis in Confidential Computing” (AsiaCCS 2026), Sardar et al. “Intra-handshake.fail” (ESORICS 2026).