Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version
from the not-good dept
If you want to be secure on the internet these days, multi-factor authentication is a must. Don't believe me? Just ask Betty White.

That's why it's fairly disappointing to learn that Yubico, the company that makes YubiKeys, has decided to drop the open source OpenPGP implementation (ykneo-openpgp) in its latest offering, the YubiKey 4. After some people started asking about this on GitHub a few days ago, Yubico's Engineering Lead Dain Nilsson explained:
The implementation is not open source, that is correct. We have both internal and external review of our code to ensure that it is secure. It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you've linked to demonstrates quite well. The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code. It was interaction with the device itself which led to its discovery.

While I'm sure that Yubico's intentions were good here, this has raised a lot of concerns and has led to other former fans of YubiKeys withdrawing their endorsements of the devices. Encryption is tricky. There are almost always vulnerabilities and bugs -- a point we've been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that's not possible when it's closed source.
We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so. One reason is that on the YubiKey NEO, each applet runs in its own sandbox, isolated from the rest of the system and can be audited/reasoned about on its own. This is not the case on the YubiKey 4, where each part of the system interacts with several others. Another reason that ykneo-openpgp was implemented as an open source project (aside from being able to leverage an existing project) was that it was useful for others, as it can run on a variety of devices. Again, this is not the case for the implementation running on the YubiKey 4.
Yubico also doesn't seem to have reacted well to people complaining. After one commenter was marginally aggressive, saying "Everyone that does not have shit for brains knows that security through obscurity doesn't work..." Nilsson closed down the thread and noted: "Further hostility against the company or our users will not be tolerated in this forum, and will be met with bans." That seems... tone deaf, at best, and it makes the company sound unwilling to listen to the concerns of its customers.
While there may be legitimate reasons that Yubico made this switch, it quite reasonably has many former supporters more worried about using its solution, and many are now looking at alternatives. Yubico had been so associated with this market for a long time that it was becoming basically "the" provider of these kinds of keys. But it may have just helped the competition quite a bit.
Filed Under: multi-factor authentication, open source, pgp, two factor authentication, yubikey
Companies: yubico
Reader Comments
1) TLAs
2) Backdoors.
Re:
1. For the children!
2. Golden Keys
It is best to edit for potential thoughtcrime before clicking Submit.
Why do you think the button is called 'submit' instead of something like question authority?
Re: Re:
As for "for the children", those TLAs act like children when they cannot look over everybody's shoulders all the time regardless of which country the person lives in.
Sneaking about in the shadows, and going in via backdoors is what those agencies do.
Explanation is no explanation at all
If I understand correctly, the so-called reason is "on our new platform open-source isn't so useful".
Fine. But that's not a reason to drop open-source at all. That's only a reason why people shouldn't care.
Which is not the same thing.
So it sounds like they're dropping open-source for no reason that they're willing to articulate.
Which is pretty suspicious.
In unrelated news .....
"While there may be legitimate reasons that Yubico made this switch"
Pretty generous considering their reaction to criticism is "Shut Up or we'll make you"
Black Box security: "Trust Us, it's fine."
Showstopper
Re: Showstopper
Can you also verify that there are no bugs in the compiler that lead to vulnerabilities on the device?
How many devices that you own are you going to repeat this process for, and what policies should you have for responding to patches? Should everyone audit their own device independently, or should we all rely on (and trust) audits conducted by other people? Does any of that mean that my 80-year-old mother in law can't use these things?
I mean, I understand. These devices are part of a framework of trust that are intended to allow other services to be offered with a particular level of security; if this device turns out to be insecure, then so is everything that relies on it. It deserves a higher level of scrutiny... then again, "The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code."
Offering an open source software version of the device as well as the physical device seems like a compromise - if the software primed with the same key always provides the same results as the device, then the device is likely to be as secure as the software can be proven to be. But I suspect even that logic has holes that a small truck full of criminals could drive through...
Re: Re: Showstopper
It's not that open source is inherently flawless, it's just that being able to validate the security is better than not being able to.
It's probably quite a bit more difficult for the company though. I imagine the company would prefer to be able to pretend they didn't know about holes that are bothersome / expensive to fix when some big leak happens.
Re: Re: Showstopper
"We have both internal and external review of our code to ensure that it is secure." ....... "The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code."
Ok... So they did audits on the code and DID NOT FIND THE BUG, but hold on, they are talking about the bug right? So where did they find out about it?
"It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you've linked to demonstrates quite well."
To me it sure sounds like having some open source helped, or maybe I am reading into this a bit too much?
Either way, the point of open source is not necessarily that everyone has to audit the code themselves. The point is that anyone CAN audit the code. This means you have a lot more than two small audit groups looking at it. It also makes it MUCH harder to hide a backdoor or anything of that nature. If you add bad code then the auditors that you are paying will ignore it; an independent security researcher auditing the code will not be so kind.
Re: Re: Showstopper
That said, closed source is far worse. With closed source, you have exactly no assurance that the code is good. With open source, it is at least possible to get some level of assurance, as imperfect as it may be.
In other words, open source does not automatically equal more secure, but closed source does automatically equal reduced security due to the impossibility of confirmation.
Re: Re: Re: Showstopper
Closed source automatically equals NO security. It's software snake-oil, peddled by liars who embrace fraud as their business model.
So in trying to show open source doesn't help, he also bashed their code reviews.
While I don't have a Yubikey, this is enough to make sure I don't get one. I'll look to another provider, as I just don't find Yubico trustworthy now. The explanation for why doesn't actually explain why. It comes across as nothing but a justification for a decision made for other reasons. I notice the very first comment is suggesting Yubico's been forced to put in a backdoor. It's really hard to dismiss that type of thing as paranoia nowadays and Yubico's handling of this is not doing anything to reduce people's paranoia.
Historically their internal review sucked.
Upon setting it up I discovered and responsibly disclosed that their authentication product was logging users' passwords IN PLAIN TEXT in the WEB SERVER logs!
They did fix it then soon after discontinued YubiRadius.
That code was a total mess, it should have never made it through any sort of internal review but it did. Does not give me much confidence in any future reviews.
I hope they realize that less open means less people will be interested in their product.
Apples and Yubcos
Alternatives?
Can anyone recommend a good competitor? I'm in need of something like the nano as a PGP keystore for my laptop. It needs the standard features, wipe on too many bad attempts, and anti-tamper protection.
Yubikey would have worked, but they didn't make it easy. Well, now to do research...
Re: Alternatives?
They should be applying the same to the open source code and, by contributing patches back, helping to make it more secure than any proprietary code, where fewer people review and test the code.
Yubikey 4 is obviously going to make a flawed attempt at security (because everything is flawed). The only thing that can have changed is that those flaws are no longer being made in good faith, I guess...
Security through obscurity cannot work when you're basically handing the (compiled) algorithm to potential attackers.
I'm pretty sure an industrious hacker could buy the device and reverse engineer the algorithm, and the flaws would then be hidden for quite some time.
So now we know that Yubico's engineering lead is either (a) ignorant and incompetent or (b) lying. There are no other possibilities.
We also now know that Yubico finds it acceptable to create and sell products deliberately based on a fraudulent development process.
I'll be instructing our purchasing department to permanently blacklist Yubico in 14 minutes when they arrive for work today. I will also be removing all Yubico devices from service by close-of-business today. This is going to be disruptive and inconvenient, but I don't do business with idiots, liars, and frauds.
Re: “We're all for open source”
Re: “We're all for open source”
Over-reacting
Re: Over-reacting
Betty White
Re: Betty White could sell me herpes.
Canary
Re: Canary
In this case, though, we're talking about a security product. It's clear to me that the safest course of action is to interpret this move as a kind of canary.
Re:
Re: Re:
Re: Re: Re:
Confused as hell...
How does that work? How does that work out for them?
I read that they had some new investment. Was that a Troll, or was that for reals? 'cuz, for reals, could mean it might be leading to them moving to a private/public business model, meaning they're going the way of product development and sales.
Re:
Yubikey may become "dead" in the minds of individuals who care about their own security, but they may be richer than ever if they start selling to major entities.