this post was submitted on 04 Sep 2024
87 points (100.0% liked)

Technology

37719 readers
75 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] chemicalwonka@discuss.tchncs.de 15 points 2 months ago* (last edited 2 months ago) (2 children)

This is the problem of the security model by obscurity, if they had opted for an open source model both in hardware and firmware (like Nitrokey) maybe they wouldn't be having this problem.

[–] Godort@lemm.ee 20 points 2 months ago

I'm not sure I necessarily agree. Your assessment is correct, but I don't really think this situation is security by obscurity. Like most things in computer security, you have to weight the pros and cons to each approach.

Yubico used components that all passed Common Criteria certification and built their product in a read-only configuration to prevent any potential shenanigans with vulnerable firmware updates. This approach almost entirely protects them from supply-chain attacks like what happened with ZX a few months back.

To exploit this vulnerability you need physical access to the device, a ton of expensive equipment, and an incredibly deep knowledge in digital cryptography. This is effectively a non-issue for your average Yubikey user. The people this does affect will be retiring and replacing their Yubikeys with the newest models ASAP.

[–] sweng@programming.dev 1 points 2 months ago

Is Yubico actually claiming it is more secure by not being open source?