but also how did they pass the certification to begin with
Whoops, @Yubico just scored 31% on the Sony PS3 Epic Fail scale. Collect three signatures from a FIPS Yubikey and you can calculate the private key.https://www.yubico.com/support/security-advisories/ysa-2019-02/ …
-
-
-
Because FIPS certification is a joke.
- Show replies
New conversation -
-
-
that brings back good memories LMAO
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
this is depressing :(
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
How does this affect a user who generated keys on an offline machine and transferred these to the yubikey subsequently?
-
If they are ECDSA keys then they are still compromised. If they are RSA keys they are fine.
End of conversation
New conversation -
-
-
I don't trust Yubico since they told me that "accidental" session hijacking in their webshop was "not a problem"
-
Are there any other SSH/OpenPGP/U2F compatible USB tokens that are not crap? I know of several open source projects, but stuff using random (non-secure) microcontrollers isn't really serious.
- Show replies
New conversation -
-
-
Do I understand correctly that if deterministic signature algorithm was chosen, this problem wouldn't be that huge?
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.