


I have a hard time believing that it would be practical or profitable even if the device is cheap enough, since once a device has been compromised it has been compromised, and that only takes a single bug or a discovered entry to a backdoor deliberately implemented by the manufacturer (go closed source go). With Yubico's decision to go the closed route (with which Yubico effectively managed to paint a big fat cracker's bullseye on their back in the process, since there is no challenge or honor in cracking open devices and open software), they no longer have any trust, since security-concerned actors can no longer properly verify the security properties of Yubico software, firmware and devices.

Consumers should immediately start migrating away from Yubico to another hardware authentication device manufacturer which is entirely open regarding their device designs and firmware/software and is responsive to consumer feedback, reports and patches, since Yubico is no longer secure (since it no longer has any trust) thus effectively has been in this line of business. (Unless you intend to freely distribute new hardware with new software to all affected consumers once bugs/exploits have been found.) No written software is bug-free and thus it is never static, hence you always need updates (firmware/software) with some form of verification process for those updates once bugs have been found and fixed. The fact is that security is based on trust and chances (neither of which can be achieved with closed doors of any kind). Yubico's blog post is nothing more than a poor excuse/justification for implementing security through obscurity.
