Bad News: Two-Factor Authentication Pioneer YubiKey Drops Open Source PGP For Proprietary Version

from the not-good dept

If you want to be secure on the internet these days, multi-factor authentication is a must. Don't believe me? Just ask Betty White:
By now, hopefully, you've turned on multi-factor authentication on various social media/email accounts, where they either text you an extra code or you have an app like Authy that supplies you with an extra code. But another super handy multi-factor authentication system is the YubiKey setup, which is a little USB key with a finger sensor. It's basically a bit of hardware that you can keep on you, which blocks anyone else from logging into your accounts if they don't have it. We actually distributed YubiKeys at our inaugural Copia Institute summit, and I've been using YubiKeys for a while now to better protect certain accounts.

That's why it's fairly disappointing to learn that Yubico, the company that makes them, has decided to drop an open source implementation in its latest offering. After some people started asking about this on GitHub a few days ago, Yubico's Engineering Lead Dain Nilsson explained:
The implementation is not open source, that is correct. We have both internal and external review of our code to ensure that it is secure. It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you've linked to demonstrates quite well. The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code. It was interaction with the device itself which led to its discovery.

We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so. One reason is that on the YubiKey NEO, each applet runs in its own sandbox, isolated from the rest of the system and can be audited/reasoned about on its own. This is not the case on the YubiKey 4, where each part of the system interacts with several others. Another reason that ykneo-openpgp was implemented as an open source project (aside from being able to leverage an existing project) was that it was useful for others, as it can run on a variety of devices. Again, this is not the case for the implementation running on the YubiKey 4.
While I'm sure that Yubico's intentions were good here, this has raised a lot of concerns and has led to other former fans of YubiKeys withdrawing their endorsements of the devices. Encryption is tricky. There are almost always vulnerabilities and bugs -- a point we've been making a lot lately. But the best way to fix those tends to be getting as many knowledgeable eyes on the code as possible. And that's not possible when it's closed source.

Yubico, also, doesn't seem to have reacted well to people complaining. After one commenter was marginally aggressive, saying "Everyone that does not have shit for brains knows that security through obscurity doesn't work..." Nilsson closed down the thread and noted: "Further hostility against the company or our users will not be tolerated in this forum, and will be met with bans." That seems... tone deaf, at best, and it makes the company sound unwilling to listen to the concerns of its customers.

While there may be legitimate reasons that Yubico made this switch, it quite reasonably has many former supporters more worried about using its solution, and many are now looking at alternatives. Yubico had been so associated with this market for a long time that it was becoming basically "the" provider of these kinds of keys. But it may have just helped the competition quite a bit.

Reader Comments



  • Anonymous Coward, 16 May 2016 @ 3:40pm

    Two thoughts
    1)TLAs
    2)Backdoors.


    • DannyB (profile), 17 May 2016 @ 5:49am

      Re:

      Don't you think you should rephrase that, comrade?
      1. For the children!
      2. Golden Keys

      It is best to edit for potential thoughtcrime before clicking Submit.

      Why do you think the button is called 'submit' instead of something like question authority?


      • Anonymous Coward, 17 May 2016 @ 7:05am

        Re: Re:

        Comrade? No, just a non-US citizen pissed off at being screwed over by the US government yet again.

        As for "for the children", those TLAs act like children when they cannot look over everybody's shoulders all the time regardless of which country the person lives in.

        Sneaking about in the shadows, and going in via backdoors is what those agencies do.


  • OldMugwump (profile), 16 May 2016 @ 4:09pm

    Explanation is no explanation at all

    The lack of explanation of any reason for dropping open source seems suspicious in itself.

    If I understand correctly, the so-called reason is "on our new platform open-source isn't so useful".

    Fine. But that's not a reason to drop open-source at all. That's only a reason why people shouldn't care.

    Which is not the same thing.

    So it sounds like they're dropping open-source for no reason that they're willing to articulate.

    Which is pretty suspicious.


  • crade (profile), 16 May 2016 @ 4:20pm

    "While I'm sure that Yubico's intentions were good here",
    "While there may be legitimate reasons that Yubico made this switch"

    Pretty generous considering their reaction to criticism is "Shut Up or we'll make you"

    Black Box security: "Trust Us, it's fine."


  • John Fenderson (profile), 16 May 2016 @ 4:23pm

    Showstopper

    Proprietary crypto is dangerous crypto. If they won't show you the code, don't use it.


    • MrTroy (profile), 16 May 2016 @ 8:00pm

      Re: Showstopper

      How do you confirm that the code that you are shown is the same as the instructions on the device you're using?

      Can you also verify that there are no bugs in the compiler that lead to vulnerabilities on the device?

      How many devices that you own are you going to repeat this process for, and what policies should you have for responding to patches? Should everyone audit their own device independently, or should we all rely on (and trust) audits conducted by other people? Does any of that mean that my 80-year-old mother in law can't use these things?

      I mean, I understand. These devices are part of a framework of trust that are intended to allow other services to be offered with a particular level of security; if this device turns out to be insecure, then so is everything that relies on it. It deserves a higher level of scrutiny... then again, "The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code."

      Offering an open source software version of the device as well as the physical device seems like a compromise - if the software primed with the same key always provides the same results as the device, then the device is likely to be as secure as the software can be proven to be. But I suspect even that logic has holes that a small truck full of criminals could drive through...


      • crade (profile), 16 May 2016 @ 10:06pm

        Re: Re: Showstopper

        Compiler is also open source and able to be scrutinized. You could compile the program onto the device yourself if it's really warranted.

        It's not that open source is inherently flawless, it's just that being able to validate the security is better than not being able to.

        It's probably quite a bit more difficult for the company though. I imagine the company would prefer to be able to pretend they didn't know about holes that are bothersome / expensive to fix when some big leak happens.


      • Machin Shin (profile), 17 May 2016 @ 5:29am

        Re: Re: Showstopper

        I would first like to point out a few things stated by Yubico's engineer.

        "We have both internal and external review of our code to ensure that it is secure." ....... "The bug was inherited from the upstream project which ykneo-openpgp is based on, and was NOT detected by any audit of the source code."

        Ok... So they did audits on the code and DID NOT FIND THE BUG, but hold on, they are talking about the bug right? So where did they find out about it?

        "It's important to remember that open source code is no guarantee that bugs/vulnerabilities will be detected as the bug you've linked to demonstrates quite well."

        To me it sure sounds like having some open source helped, or maybe I am reading into this a bit too much?

        Either way, The point of open source is not necessarily that everyone has to audit the code themselves. The point is that anyone CAN audit the code. This means you have a lot more than two small audit groups looking at it. It also makes it MUCH harder to hide a backdoor or anything of that nature. If you add bad code then your auditors that you are paying will ignore it, an independent security researcher auditing the code will not be so kind.


      • John Fenderson (profile), 17 May 2016 @ 6:18am

        Re: Re: Showstopper

        I think the point you're trying to make here is that open source is no security panacea -- and I agree with this point 100%.

        That said, closed source is far worse. With closed source, you have exactly no assurance that the code is good. With open source, it is at least possible to get some level of assurance, as imperfect as it may be.

        In other words, open source does not automatically equal more secure, but closed source does automatically equal reduced security due to the impossibility of confirmation.


        • Anonymous Coward, 17 May 2016 @ 6:23am

          Re: Re: Re: Showstopper

          In other words, open source does not automatically equal more secure, but close source does automatically equal reduced security due to the impossibility of confirmation.

          Closed source automatically equals NO security. It's software snake-oil, peddled by liars who embrace fraud as their business model.


  • doggerdig, 16 May 2016 @ 4:41pm

    ...and a venture capitalist firm named In-Q-Tel becomes a prominent investor.


  • Manabi (profile), 16 May 2016 @ 5:42pm

    So in trying to show open source doesn't help, he also bashed their code reviews.

    I know he was trying to show that being open source doesn't find all bugs, but he also proved that their "internal and external review of [their] code to ensure that it is secure" is ALSO not good enough when he said that particular bug "was NOT detected by any audit of the source code". So ditching open source is an improvement how exactly? All he "proved" there was that security is hard, and that fewer people will be looking for bugs now. That certainly sounds less secure than the previous version by any measure.

    While I don't have a Yubikey, this is enough to make sure I don't get one. I'll look to another provider, as I just don't find Yubico trustworthy now. The explanation for why doesn't actually explain why. It comes across as nothing but a justification for a decision made for other reasons. I notice the very first comment is suggesting Yubico's been forced to put in a backdoor. It's really hard to dismiss that type of thing as paranoia nowadays and Yubico's handling of this is not doing anything to reduce people's paranoia.


  • Anonymous Coward, 16 May 2016 @ 6:16pm

    Historically their internal review sucked.

    They used to have a product called YubiRadius.

    Upon setting it up I discovered and responsibly disclosed that their authentication product was logging users' passwords IN PLAIN TEXT in the WEB SERVER logs!

    They did fix it then soon after discontinued YubiRadius.

    That code was a total mess, it should have never made it through any sort of internal review but it did. Does not give me much confidence in any future reviews.

    I hope they realize that less open means fewer people will be interested in their product.


  • Anonymous Coward, 16 May 2016 @ 8:29pm

    Apples and Yubcos

    Maybe they got the apple treatment accompanied with a gag order.


  • Arthur Moore (profile), 16 May 2016 @ 9:41pm

    Alternatives?

    I was going to buy one of these, but not with that attitude.

    Can anyone recommend a good competitor? I'm in need of something like the nano as a PGP keystore for my laptop. It needs the standard features, wipe on too many bad attempts, and anti-tamper protection.

    YubiKey would have worked, but they didn't make it easy. Well, now to do research...


  • Anonymous Coward, 16 May 2016 @ 10:40pm

    We have both internal and external review of our code to ensure that it is secure.

    They should be applying the same to the open source code and, by contributing patches back, help to make it more secure than any proprietary code, where fewer people review and test the code.


  • Anonymous Coward, 17 May 2016 @ 2:07am

    Evidently earlier, open versions of Yubikey made flawed, but good-faith attempts at security.
    Yubikey 4 is obviously going to make a flawed attempt at security (because everything is flawed). The only thing that can have changed is that those flaws are no longer being made in good faith, I guess...


  • Anonymous Coward, 17 May 2016 @ 2:31am

    This stinks of 3 letter agency meddling. Either that or some "superstar" CEO way out of the loop who still places value on security through obscurity.

    Security through obscurity cannot work when you're basically handing the (compiled) algorithm to potential attackers.
    I'm pretty sure an industrious hacker could buy the device and reverse engineer the algorithm, and the flaws would then be hidden for quite some time.


  • Anonymous Coward, 17 May 2016 @ 4:47am

    We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so.

    So now we know that Yubico's engineering lead is either (a) ignorant and incompetent or (b) lying. There are no other possibilities.

    We also now know that Yubico finds it acceptable to create and sell products deliberately based on a fraudulent development process.

    I'll be instructing our purchasing department to permanently blacklist Yubico in 14 minutes when they arrive for work today. I will also be removing all Yubico devices from service by close-of-business today. This is going to be disruptive and inconvenient, but I don't do business with idiots, liars, and frauds.


  • Michael Schwartz, 17 May 2016 @ 4:49am

    Over-reacting

    2FA is about risk mitigation. Yubikey accomplishes this with excellent usability, using open protocols. I think you are all over-reacting. My company Gluu is an open source security vendor, so few are more dogmatic about openness than us. For a hardware key (which can't be updated), does open source mitigate risk? Not necessarily in the current version. There are a million ways for the NSA to break into your account without hacking your hardware token. That just makes no sense.


    • Anonymous Coward, 17 May 2016 @ 5:14am

      Re: Over-reacting

      So is closing off the transparency that is open source something that you (Gluu) are considering/planning?


  • Anonymous Coward, 17 May 2016 @ 5:31am

    Betty White

    Betty White could sell me herpes.


  • DannyB (profile), 17 May 2016 @ 5:51am

    Canary

    Can switching a security product from open source to closed source be considered a form of Canary?


    • John Fenderson (profile), 17 May 2016 @ 6:22am

      Re: Canary

      Past projects have been taken closed source for non-nefarious reasons (always centered around courting corporations in some form), so it's not automatic.

      In this case, though, we're talking about a security product. It's clear to me that the safest course of action is to interpret this move as a kind of canary.


  • Anonymous Coward, 17 May 2016 @ 6:48am

    Yubico's Blog/Statement on this was published yesterday - https://www.yubico.com/2016/05/secure-hardware-vs-open-source/


  • Monday (profile), 17 May 2016 @ 10:53am

    Confused as hell...

    I don't get it. So, instead of getting rid of the real problem; the hired professionals who screwed the pooch in the first place, Yubnub is getting rid of the free talent, and being openly hostile to dedicated fans/users/subscribers of what was essentially a good product?

    How does that work? How does that work out for them?

    I read that they had some new investment. Was that a Troll, or was that for reals? 'cuz, for reals, could mean it might be leading to them moving to a private/public business model, meaning they're going the way of product development and sales.


  • Anonymous Coward, 18 May 2016 @ 1:57pm

    YubiKey is dead.


    • John Fenderson (profile), 19 May 2016 @ 4:49pm

      Re:

      I don't think so. From reading YubiKey's statements, the impression that I get is that they're doing this because they want to sell their product to governments and major corporations, and this is what those guys require.

      Yubikey may become "dead" in the minds of individuals who care about their own security, but they may be richer than ever if they start selling to major entities.


