An ideal HSM serves only one purpose: store secrets (private keys/passwords) and give specific access (sign/spend/login).

> Most companies consider MITM an external compromise since the malicious actor is not on the machine itself or no longer has access to the machine(s).

Securing HSM+laptop is impossible compared to HSM. If the laptop is secure, why even need an HSM?

> Even most 'dedicated' systems do NOT have a direct link to the input terminals most of the time since they are simple USB keypads. Some smartcard readers for PC have pin-pads but this is rarely the case and they are way more expensive than a keyboard and a regular reader.

If the USB keypad is not connected to a network and not attacked by an evil maid, HSM+USB keypad is still secure. But a laptop is a complex system, always connected to the internet, and has loosely regulated physical access.

> HSMs are not "MITM proof", the system at-large has to be.

Again, if the whole system is secure, why need an HSM? If the user satisfies a few conditions of using an HSM, such as being rubber-hose-attack proof, the secrets MUST be secure regardless of how insecure the larger system is.