Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version

from the not-good dept

If you want to be secure on the internet these days, multi-factor authentication is a must. Don’t believe me? Just ask Betty White:

By now, hopefully, you’ve turned on multi-factor authentication on various social media/email accounts, where they either text you an extra code or you have an app like Authy that supplies you with an extra code. But another super handy multi-factor authentication system is the YubiKey setup, which is a little USB key with a finger sensor. It’s basically a bit of hardware that you can keep on you, which blocks anyone else from logging into your accounts if they don’t have it. We actually distributed YubiKeys at our inaugural Copia Institute summit, and I’ve been using YubiKeys for a while now to better protect certain accounts.

That’s why it’s fairly disappointing to learn that Yubico, the company that makes them, has decided to drop an open source implementation in its latest offering. After some people started asking about this on GitHub a few days ago, Yubico’s Engineering Lead Dain Nilsson explained:

The implementation is not open source, that is correct. We have both internal and external review of our code to ensure that it is secure. It’s important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you’ve linked to demonstrates quite well. The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code. It was interaction with the device itself which led to its discovery.

We’re all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so. One reason is that on the YubiKey NEO, each applet runs in its own sandbox, isolated from the rest of the system and can be audited/reasoned about on its own. This is not the case on the YubiKey 4, where each part of the system interacts with several others. Another reason that ykneo-openpgp was implemented as an open source project (aside from being able to leverage an existing project) was that it was useful for others, as it can run on a variety of devices. Again, this is not the case for the implementation running on the YubiKey 4.

While I’m sure that Yubico’s intentions were good here, this has raised a lot of concerns and has led to other former fans of YubiKeys withdrawing their endorsements of the devices. Encryption is tricky. There are almost always vulnerabilities and bugs — a point we’ve been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that’s not possible when it’s closed source.

Yubico, also, doesn’t seem to have reacted well to people complaining. After one commenter was marginally aggressive, saying “Everyone that does not have shit for brains knows that security through obscurity doesn’t work…” Nilsson closed down the thread and noted: “Further hostility against the company or our users will not be tolerated in this forum, and will be met with bans.” That seems… tone deaf, at best, and it makes the company sound unwilling to listen to the concerns of its customers.

While there may be legitimate reasons that Yubico made this switch, it quite reasonably has many former supporters more worried about using its solution, and many are now looking at alternatives. Yubico had been so associated with this market for a long time that it was becoming basically “the” provider of these kinds of keys. But it may have just helped the competition quite a bit.

Companies: yubico


Comments on “Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version”

38 Comments
Anonymous Coward says:

Re: Re: Re:

Comrade? No, just a non-US citizen pissed off at being screwed over by the US government yet again.

As for “for the children”, those TLAs act like children when they cannot look over everybody’s shoulders all the time regardless of which country the person lives in.

Sneaking about in the shadows, and going in via backdoors is what those agencies do.

OldMugwump (profile) says:

Explanation is no explanation at all

The lack of explanation of any reason for dropping open source seems suspicious in itself.

If I understand correctly, the so-called reason is “on our new platform open-source isn’t so useful”.

Fine. But that’s not a reason to drop open-source at all. That’s only a reason why people shouldn’t care.

Which is not the same thing.

So it sounds like they’re dropping open-source for no reason that they’re willing to articulate.

Which is pretty suspicious.

MrTroy (profile) says:

Re: Showstopper

How do you confirm that the code that you are shown is the same as the instructions on the device you’re using?

Can you also verify that there are no bugs in the compiler that lead to vulnerabilities on the device?

How many devices that you own are you going to repeat this process for, and what policies should you have for responding to patches? Should everyone audit their own device independently, or should we all rely on (and trust) audits conducted by other people? Does any of that mean that my 80-year-old mother in law can’t use these things?

I mean, I understand. These devices are part of a framework of trust that are intended to allow other services to be offered with a particular level of security; if this device turns out to be insecure, then so is everything that relies on it. It deserves a higher level of scrutiny… then again, “The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code.”

Offering an open source software version of the device as well as the physical device seems like a compromise – if the software primed with the same key always provides the same results as the device, then the device is likely to be as secure as the software can be proven to be. But I suspect even that logic has holes that a small truck full of criminals could drive through…
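The consistency check this comment sketches (an open reference implementation run with the same key as the device, compared output for output) can be written as a differential test. What follows is an added example, not part of the original thread and not code from Yubico or ykneo-openpgp. It uses RFC 4226 HOTP as the deterministic function, since it is fully specified, has published test vectors, and needs only the standard library; the OpenPGP signing case would use the same structure. The two “device” functions are constructed stand-ins for a token, and the divergent one exists only to illustrate the commenter’s caveat that a finite set of matching outputs does not prove the device equals the software.

```python
import hashlib
import hmac
import struct
from typing import Callable, Iterable, List, Tuple

# Open, auditable reference: RFC 4226 HOTP (HMAC-SHA-1 plus dynamic truncation).
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for `secret` at `counter`, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

# Published test vectors from RFC 4226 Appendix D (secret "12345678901234567890", counters 0..9).
RFC4226_SECRET = b"12345678901234567890"
RFC4226_VECTORS = {
    0: "755224", 1: "287082", 2: "359152", 3: "969429", 4: "338314",
    5: "254676", 6: "287922", 7: "162583", 8: "399871", 9: "520489",
}

def reference_passes_known_answers() -> bool:
    """Known-answer test: the reference must reproduce every RFC vector before it may judge a device."""
    return all(hotp(RFC4226_SECRET, c) == v for c, v in RFC4226_VECTORS.items())

# A "device" is a black box mapping a counter to a code; the secret lives inside it and is not passed in.
DeviceOracle = Callable[[int], str]

def make_conforming_device(secret: bytes) -> DeviceOracle:
    """Constructed stand-in for a token that implements HOTP exactly as the reference does."""
    return lambda counter: hotp(secret, counter)

def make_divergent_device(secret: bytes, odd_counter: int) -> DeviceOracle:
    """Constructed stand-in for a token that matches the reference except at one counter.
    It exists only to show that a finite differential test cannot prove equivalence."""
    def oracle(counter: int) -> str:
        code = hotp(secret, counter)
        if counter == odd_counter:
            # Alter the first digit so the result is guaranteed to differ from the reference.
            code = ("1" if code[0] == "0" else "0") + code[1:]
        return code
    return oracle

def differential_check(secret: bytes, device: DeviceOracle,
                       counters: Iterable[int]) -> List[Tuple[int, str, str]]:
    """Compare reference and device on each counter; return (counter, expected, got) for every mismatch."""
    mismatches = []
    for c in counters:
        expected, got = hotp(secret, c), device(c)
        if expected != got:
            mismatches.append((c, expected, got))
    return mismatches

if __name__ == "__main__":
    assert reference_passes_known_answers()
    good = make_conforming_device(RFC4226_SECRET)
    print("conforming device, counters 0..9:", differential_check(RFC4226_SECRET, good, range(10)))
    sneaky = make_divergent_device(RFC4226_SECRET, odd_counter=1000)
    print("divergent device, counters 0..9:", differential_check(RFC4226_SECRET, sneaky, range(10)))
    print("divergent device, counters 990..1009:",
          differential_check(RFC4226_SECRET, sneaky, range(990, 1010)))
```

The known-answer step matters: the reference is only a useful judge once it has been shown to match the published vectors itself. The last two prints show the limit of the method. The divergent device passes the same ten counters the conforming one does and is only caught when the test set happens to cover the counter where it misbehaves, which is exactly the hole the comment worries about.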

crade (profile) says:

Re: Re: Showstopper

Compiler is also open source and able to be scrutinized. You could compile the program onto the device yourself if it’s really warranted.

It’s not that open source is inherently flawless, it’s just that being able to validate the security is better than not being able to.

It’s probably quite a bit more difficult for the company though. I imagine the company would prefer to be able to pretend they didn’t know about holes that are bothersome / expensive to fix when some big leak happens.

Machin Shin (profile) says:

Re: Re: Showstopper

I would first like to point out a few things stated by Yubico’s engineer.

“We have both internal and external review of our code to ensure that it is secure.” ……. “The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code.”

Ok… So they did audits on the code and DID NOT FIND THE BUG, but hold on, they are talking about the bug right? So where did they find out about it?

“It’s important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you’ve linked to demonstrates quite well.”

To me it sure sounds like having some open source helped, or maybe I am reading into this a bit too much?

Either way, the point of open source is not necessarily that everyone has to audit the code themselves. The point is that anyone CAN audit the code. This means you have a lot more than two small audit groups looking at it. It also makes it MUCH harder to hide a backdoor or anything of that nature. If you add bad code then your auditors that you are paying will ignore it; an independent security researcher auditing the code will not be so kind.

John Fenderson (profile) says:

Re: Re: Showstopper

I think the point you’re trying to make here is that open source is no security panacea — and I agree with this point 100%.

That said, closed source is far worse. With closed source, you have exactly no assurance that the code is good. With open source, it is at least possible to get some level of assurance, as imperfect as it may be.

In other words, open source does not automatically equal more secure, but closed source does automatically equal reduced security due to the impossibility of confirmation.

Anonymous Coward says:

Re: Re: Re: Showstopper

In other words, open source does not automatically equal more secure, but closed source does automatically equal reduced security due to the impossibility of confirmation.

Closed source automatically equals NO security. It’s software snake-oil, peddled by liars who embrace fraud as their business model.

Manabi (profile) says:

So in trying to show open source doesn't help, he also bashed their code reviews.

I know he was trying to show that being open source doesn’t find all bugs, but he also proved that their “internal and external review of [their] code to ensure that it is secure” is ALSO not good enough when he said that particular bug “was NOT detected by any audit of the source code.” So ditching open source is an improvement how exactly? All he “proved” there was that security is hard, and that fewer people will be looking for bugs now. That certainly sounds less secure than the previous version by any measure.

While I don’t have a Yubikey, this is enough to make sure I don’t get one. I’ll look to another provider, as I just don’t find Yubico trustworthy now. The explanation for why doesn’t actually explain why. It comes across as nothing but a justification for a decision made for other reasons. I notice the very first comment is suggesting Yubico’s been forced to put in a backdoor. It’s really hard to dismiss that type of thing as paranoia nowadays and Yubico’s handling of this is not doing anything to reduce people’s paranoia.

Anonymous Coward says:

Historically their internal review sucked.

They used to have product called YubiRadius.

Upon setting it up I discovered and responsibly disclosed that their authentication product was logging users passwords IN PLAIN TEXT in the WEB SERVER logs!

They did fix it then soon after discontinued YubiRadius.

That code was a total mess, it should have never made it through any sort of internal review but it did. Does not give me much confidence in any future reviews.

I hope they realize that less open means fewer people will be interested in their product.
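The failure this commenter describes, credentials ending up in web-server logs, is the kind of thing a routine log scan should catch. The following is an added example, not code from Yubico or from YubiRadius: it parses constructed combined-format access-log lines and reports any request whose query string carries a password- or OTP-like parameter, with the values redacted so the report itself does not reproduce the leak. The parameter-name list, the sample lines and the addresses in them are assumptions made for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Parameter names whose presence in a logged URL indicates credential leakage (assumed list).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "otp", "secret", "token"}

# Apache/nginx "combined" access-log format; only the request target is needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def leaked_params(target: str) -> Dict[str, str]:
    """Return {param: redacted description} for sensitive parameters in a request target's query string."""
    found: Dict[str, str] = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found[name] = f"<redacted {len(value)} chars>"
    return found

def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per log line whose request target leaks a sensitive parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        leaked = leaked_params(m.group("target"))
        if leaked:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "method": m.group("method"),
                "path": urlsplit(m.group("target")).path,
                "params": leaked,
            })
    return findings

# Constructed sample log: line 1 shows the leak, lines 2 and 3 are clean.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2016:14:03:11 +0000] '
    '"GET /auth/login?user=alice&password=hunter2&otp=cccccc0123example HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2016:14:03:12 +0000] "GET /dashboard HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2016:14:05:40 +0000] "POST /auth/login HTTP/1.1" 200 118 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

An access log only records the request line, so this catches credentials passed in the URL. Credentials submitted in a POST body only reach a log if the application writes them there, which is the case the commenter reports; the same parameter-name scan applied to application logs covers that.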

Arthur Moore (profile) says:

Alternatives?

I was going to buy one of these, but not with that attitude.

Can anyone recommend a good competitor? I’m in need of something like the nano as a PGP keystore for my laptop. It needs the standard features, wipe on too many bad attempts, and anti-tamper protection.

YubiKey would have worked, but they didn’t make it easy. Well, now to do research…

Anonymous Coward says:

This stinks of 3 letter agency meddling. Either that or some “superstar” CEO way out of the loop who still places value on security through obscurity.

Security through obscurity cannot work when you’re basically handing the (compiled) algorithm to potential attackers.
I’m pretty sure an industrious hacker could buy the device and reverse engineer the algorithm, and the flaws would then be hidden for quite some time.

Anonymous Coward says:

We’re all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so.

So now we know that Yubico’s engineering lead is either (a) ignorant and incompetent or (b) lying. There are no other possibilities.

We also now know that Yubico finds it acceptable to create and sell products deliberately based on a fraudulent development process.

I’ll be instructing our purchasing department to permanently blacklist Yubico in 14 minutes when they arrive for work today. I will also be removing all Yubico devices from service by close-of-business today. This is going to be disruptive and inconvenient, but I don’t do business with idiots, liars, and frauds.

Michael Schwartz (user link) says:

Over-reacting

2FA is about risk mitigation. Yubikey accomplishes this with excellent usability, using open protocols. I think you are all over-reacting. My company Gluu is an open source security vendor, so few are more dogmatic about openness than us. For a hardware key (which can’t be updated), does open source mitigate risk? Not necessarily in the current version. There are a million ways for the NSA to break into your account without hacking your hardware token. That just makes no sense.

Monday (profile) says:

Confused as hell...

I don’t get it. So, instead of getting rid of the real problem; the hired professionals who screwed the pooch in the first place, Yubnub is getting rid of the free talent, and being openly hostile to dedicated fans/users/subscribers of what was essentially a good product?

How does that work? How does that work out for them?

I read that they had some new investment. Was that a Troll, or was that for reals? ‘cuz, for reals, could mean it might be leading to them moving to a private/public business model, meaning they’re going the way of product development and sales.

John Fenderson (profile) says:

Re: Re:

I don’t think so. From reading YubiKey’s statements, the impression that I get is that they’re doing this because they want to sell their product to governments and major corporations, and this is what those guys require.

Yubikey may become “dead” in the minds of individuals who care about their own security, but they may be richer than ever if they start selling to major entities.
