Confidential computing, long promoted by major cloud vendors as the bedrock of secure data processing in Europe, has suffered a significant blow. New, independently verified research from TU Dresden has exposed fundamental weaknesses in attested TLS, the cryptographic protocol designed to prove that a server is running inside a genuine, unmodified Trusted Execution Environment (TEE).
The research, led by Muhammad Usama Sardar and presented at the AsiaCCS 2026 and ESORICS 2026 conferences, demonstrates that attested TLS protocols can be exploited through diversion and relay attacks. In a diversion attack, a connection intended for one server is silently redirected to a compromised machine running identical software, anywhere in the world, without the client detecting the switch. The intended server has done nothing wrong; the attacker simply exploits the fact that the protocol checks software integrity, not location.
Sardar's team examined intra-handshake attestation, where cryptographic evidence is generated during the TLS handshake itself. They tested seven different methods of binding that evidence to the underlying connection. None of them prevented relay attacks, in which a client verifies the evidence of a genuine, trustworthy AI agent or server but ends up encrypting its traffic to an entirely different, malicious one. The paper, titled Intra-handshake.fail, concludes that the starting assumption—that the hardware itself can be trusted—remains a critical vulnerability.
For UK businesses, the implications are stark. Confidential computing is increasingly marketed as a solution for regulated sectors such as finance, healthcare, and legal services, where data sovereignty and auditability are paramount. The UK Information Commissioner's Office (ICO) has previously signalled that technologies like TEEs could help organisations meet accountability obligations under UK GDPR. However, if the protocol layer cannot reliably prove where data is processed, those assurances collapse. The EU AI Act also places emphasis on robust technical safeguards for high-risk AI systems, many of which rely on confidential computing infrastructure.
Intel's TDX and Google Cloud's confidential computing offerings have been positioned as enablers of 'full, auditable control over access to customer data'. The new research suggests that promise may be premature. Sardar noted: 'In confidential computing, you have to trust the hardware manufacturer anyway. There is absolutely no way around this.' With that root of trust accepted, the protocol layer was supposed to provide everything else. His research shows it provides far less than assumed.
Experts caution that the findings do not mean confidential computing is worthless, but they do demand urgent attention from standards bodies, cloud providers, and regulators. The UK's National Cyber Security Centre (NCSC) has yet to issue specific guidance on attested TLS, but the research is likely to prompt a review. For now, organisations relying on confidential computing for sensitive workloads should seek additional verification mechanisms and remain aware that the protocol's trust guarantees are weaker than advertised.