New bootloader, programmer, and metadata all working together for the first time.pic.twitter.com/5OkimI7yGp
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
My proposal isn't for exfiltrating keys from real U2F devices (which they are really supposed to defend against). I'm proposing building a new piece of hardware that isn't a crypto device at all (think an Arduino) but just abuses the protocol to transfer arbitrary data to JS.
Right. The key idea was that the browser should be validating that the data returned from the U2F device is a legitimate signature for the pubkey.
If I'm reading the specs correctly (again, I still need to actually go test this) the browser isn't guaranteed to even have the pubkey available. The pubkey is only returned when initially registering a dongle and not if you only ever abuse "authenticate" messages.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.