item 46392441


machinationu | 2 months ago

while you are right, security is generally not cheap.

you can get that $5 china fido key, but are you sure it's you who owns it?

I was recently looking for a security key, and eventually I did pay the yubico tax, because saving $20 by getting another one seemed unwise given the stakes.

gruez | 2 months ago

>you can get that $5 china fido key, but are you sure it's you who owns it?

Seems like a moot point because it'd be very difficult for a rogue FIDO key to exfiltrate data. I'd be far more concerned about random Chinese IoT gadgets, which most people don't have a problem with.

wkat4242 | 2 months ago

Hmm, yes, but it's possible to compromise private key generation to only create a very small predictable subset of keys. In fact some smartcards from Infineon suffered from this as a bug, and thus they can be brute forced. It requires some serious crypto chops to determine if this is the case. Obviously it's not like the first 60 bits being zero or something. And the private key is made to not be extractable in this kind of device, making it even harder.
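An added illustration of the point above (not code from the thread or any real device): a simulated authenticator whose key generator draws from a tiny seed space. Each key on its own passes the "leading bits are zero" sort of check, but registering many credentials and looking for repeated public keys exposes the small key space. The device model, the hash-based stand-in for key derivation and the seed size are all constructed assumptions.

```python
import hashlib
import os
from collections import Counter

KEY_BYTES = 32  # 256-bit private keys, like the P-256 keys FIDO authenticators use


def weak_keygen(seed_bits: int = 16) -> bytes:
    """Hypothetical backdoored authenticator (constructed for this example): the
    'random' private key is derived from a seed space of only 2**seed_bits values."""
    seed = int.from_bytes(os.urandom(4), "big") % (1 << seed_bits)
    return hashlib.sha256(b"weak-device|" + seed.to_bytes(4, "big")).digest()


def good_keygen() -> bytes:
    """Honest authenticator: a fresh 256-bit key from the OS CSPRNG."""
    return os.urandom(KEY_BYTES)


def public_key(priv: bytes) -> bytes:
    """Stand-in for the one-way private->public mapping (scalar multiplication on a
    real device); a hash keeps the example dependency-free and still one-way."""
    return hashlib.sha256(b"pub|" + priv).digest()


def naive_check(pub: bytes) -> bool:
    """The 'first 60 bits are zero' kind of check from the thread. It passes for the
    weak device too, because each individual key still looks uniformly random."""
    return int.from_bytes(pub, "big").bit_length() > 8 * KEY_BYTES - 60


def collision_test(keygen, samples: int) -> int:
    """Register `samples` credentials and count repeated public keys. A genuine
    256-bit key space never repeats in practice; a 2**16 space starts repeating
    after roughly 2**8 registrations (birthday bound), so collisions are the tell."""
    pubs = Counter(public_key(keygen()) for _ in range(samples))
    return sum(count - 1 for count in pubs.values())


if __name__ == "__main__":
    print("naive check passes weak keys:",
          all(naive_check(public_key(weak_keygen())) for _ in range(100)))
    print("collisions, weak device:", collision_test(weak_keygen, 2000))
    print("collisions, good device:", collision_test(good_keygen, 2000))
```

With 2000 registrations against a 2**16 key space the expected number of repeats is about 30, so the weak device is caught while the honest one shows none.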

petee | 2 months ago

One issue I see is that it's a sealed package; it wouldn't be immediately apparent if someone added extra hardware/functionality.

More likely, though, I'd expect you'd just get some form of a clone device.

the8472 | 2 months ago

Couldn't they ship pre-compromised? Storing the RNG seed and private key at the factory.