by anfedorov
2930 days ago
Was there some work-around I'm missing, or did they literally go "yeah, this website can send anything to the YK device directly, what could go wrong?" Because the folks at Google Security are definitely smart and many orders of magnitude more experienced than me, and that's a vuln even I can understand / see the problem with, so something institutional must have gone way wrong if WebUSB shipped on the stable release without some kind of block-U2F-forgery filter.

As far as Yubico, I get that they are doing something pretty hard in the hardware / product-market-fit domains, and I respect that and I want them to succeed, but they appear to be seriously dropping the ball on the software part of their product [1], as well as on "simplicity breeds security". They could do so much better on the actual UI/UX if they piece-by-piece copied the setup UX of a "smart" vacuum cleaner.

1. I emailed them & submitted an on-site support ticket days ago about some of their certs having expired on 2017-05-10, and have gotten not a peep in response & no fix in sight. Did nobody set a team calendar reminder, and is nobody responsible for checking it on a monthly / quarterly / at the very least end-of-year cycle? That seems pretty elementary "underwear goes inside the pants" kind of security competence. https://i.imgur.com/bOCfXJ2.png
https://developers.yubico.com/yubikey-neo-manager/Releases/y...
[1] https://developers.google.com/web/updates/images/2016-03-02-...