Dear Yubico.

I've read your open letter and, frankly, I'm disappointed. Your arguments basically boil down to the following:

1. Building secure hardware is hard. We've gone out of our way to improve security on Yubikey 4, and believe that disclosing how it works internally will do more harm than good by allowing attackers to craft better attacks. (To quote you directly, "the attacker's job becomes much easier as the code to attack is fully known and the attacker owns the hardware freely".)

I was hoping you wouldn't use "security through obscurity" as a bona fide argument, but you did. The reason obscurity arguments are invalid in security circles is because we must always assume that attackers will find ways of getting their hands both on the source code and on full hardware implementation details. They will be stolen, leaked, or subpoenaed (and then stolen or leaked). Security through obscurity always benefits malicious actors to a much greater degree than defenders.

2. Ever since non-developer NEOs, which disallowed uploading applets, there was no way to verify that what is running on the device is the actual source code we publish, so what's the point anyway?

Publishing the source code was a very good indication of openness and good will on the part of Yubico. When it comes to any hardware, we must at some point trust the manufacturer -- unless we have very large budgets that would allow us to fully monitor every step of the manufacturing process. In the absence of such large budgets, we must base our trust on the company's prior record and their willingness to work with the community to show that their hands are clean and their intentions are pure. Putting out a black-box proprietary device after all the good will you have built up with NEOs sends the exact opposite message. Doing so after all the crypto scandals and at the height of the Burr-Feinstein government backdoor controversy is just feeding the frenzy.

3. "Considering a utopian scenario with an open-and-fully-transparent-and-proven-secure-ip-less chip, given the complexity and astronomical costs of chip development, who would make it?"

Finally, we get to the bottom of it. You had to choose between making an improved-security Yubikey 4 available, or making it affordable. As a company operating on the market you must be able to compete, and when faced with a decision of whether to continue with your commitment to open source and open platforms, or whether to remain profitable, you went with the latter. I don't fault you for this decision, but I also leave it entirely on your conscience.

Please fight. Fight with the silicon manufacturers. Fight with IP people who put their stock with NDAs and other three-letter entities. It's not too late. You have built up a faithful following of people who believe that security devices must be fully open and auditable. These people are not utopian idealists -- they are security professionals who know that any alternative is inherently insecure. You know you are in the wrong here, hence your open letter that reads like an apology.

Please fight. On our side. We need you to.