I must, sadly, withdraw my endorsement of yubikey 4 devices (and perhaps all newer yubikeys), as apparently Yubico has replaced all open-source components that made yubikey NEOs so awesome with proprietary closed-source code in Yubikey 4s:
https://github.com/Yubico/ykneo-openpgp/issues/2#issuecomment-218446368
Our team will be evaluating NitroKey Pros as devices to replace yubikeys (https://www.nitrokey.com/) and I will follow up here with the results and general recommendations once our testing is complete.
If you are already using yubikeys, there is no need to replace them, as this will not result in a net improvement in security -- especially if you are only using them for one-time password functionality (press the button to emit a 6-digit code). If you are looking to get a device for storing your private PGP keys, I recommend against using Yubikey 4 devices -- but NEOs are okay, as they still use open-source code.
I strongly believe that all security devices must be powered by libre software and I am saddened at the steps taken by Yubico to make yubikey 4 a black-box platform.
A few things I don't like about the Nitrokey:
- bulky
- it uses a cap that will get lost
- only the U2F model supports U2F
Why did Yubico have to take this step? :-(
Dec 14, 2016
+John C Agreed, it's a good counter argument.
Whilst in an ideal world the hardware would be open source, this is unlikely for the foreseeable future. [47w]
Finally we start to see some physical RISC-V MCUs on the market, making it possible to have a completely open key, down to the silicon. Of course chip verification requires specialized laboratories, but hopefully nothing out of reach of a university.
Is someone working on that? [47w]
Is this still the case? Is it in all Yubikeys or just the Neo? Is this still closed source after this amount of time and press? [14w]
You have to look into it, but AFAIK older models are still open; newer ones, I think, continue with the closed stuff. [14w]
I realize this is an old thread, but I am puzzled by the OP's emphatic response. An overwhelming majority of the code in the Yubikey NEO is closed-source:
* JCOP (the virtual machine that runs the java code), along with any GlobalPlatform code, is closed source.
* The U2F applet is closed source.
* The PIV applet is closed source.
* The Yubikey applet (for button-press HOTP) is closed source.
* The source code to the other microcontroller (in charge of USB, LED and the button) is closed source.
So the OP was already putting a great deal of trust into the implementations of JCOP, U2F, and PIV. You could say that you never use the PIV or U2F applets, but you can't get around trusting the code running on the other microcontroller or (more importantly) JCOP—and no matter what way you slice it JCOP has ALL the keys to the kingdom.
In any case, you can't get around trusting Yubico. They make these things, they put the software on them, and they lock them down. They could say they were putting open-source software on them, but how would you know they didn't (perhaps unknown to them) add a few extra lines of code that adds a back door? By the OP's own stated reasoning, he never even should have recommended the Yubikey NEO.
While I'd much rather most all of this stuff be open-source, I'm puzzled why the OP would consider this decision such a material breach of trust by Yubico that it warrants a public admonition and spreading of FUD. [7w]