Bonum Certa Men Certa

A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



"Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt..."With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They're already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

"We use GnuPG a great deal here in Techrights. Most of our messages are encrypted."The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

"A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society."How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"We might be the first site to touch this subject, but there's more on the way for sure.""Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.

Recent Techrights' Posts

Hate Mail From Anonymous Cowards
if this persists, we'll need to escalate
Informal Open Letter to the Lawyer of the Microsofters (on Who's Funding the SLAPPs Against Techrights)
Whenever I ask about the funding they try to change the subject and act all aggressive
Microsoft Lunduke is Just Provoking People for Provocation's Sake
Be forewarned and remember where this guy came from: Microsoft
 
After Shutting Down Studios, Divisions, Applications (e.g. Skype) Microsoft is Also Shutting Down 'Apps'
Cuts all around as layoffs persist this month, Microsoft tries to get many people to resign, and debt skyrockets
Most of Geminispace Can Probably Fit on a CD-ROM or a DVD (the Textual Part)
If one excludes very large capsules and ones that contain non-textual contenty
Eventually UEFI 'Secure Boot' Will be Dropped (Users Will Demand Its Removal and Boycott Its Pushers)
we expect OEMs will just listen to users
The Register MS: We Know Slop is a Bubble and Mindless Hype, But We Get Paid to Participate
Call out the culprits
There Are Probably Over a Million Pages in Geminispace
there are two many limitations which merit a mention when it comes to assessing magnitude
Besieged by Plagiarists Who Play With LLMs and Image Fusions
We really need to exercise or use our collective voice to oppose Serial Sloppers
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, August 08, 2025
IRC logs for Friday, August 08, 2025
Gemini Links 09/08/2025: Water Painting and Political Violence
Links for the day
Slopwatch: LLM Sloppers in Google News, LinuxSecurity, and More
they also perpetuate some falsehoods as the LLMs lack any comprehension
Links 08/08/2025: China King of Plastics and US Dictator Plans to Meet Russian Dictator
Links for the day
Gemini Links 08/08/2025: Cracking a Family Member's Password and Overdose of Slop
Links for the day
Red Hat's Latest Talent Hunt, Day Ahead of Mass Layoffs, is Yet Another Microsoft Executive
Red Hat will apparently commence mass layoffs early this coming Monday
Links 08/08/2025: "Quit Facebook" and High Cost of Microsoft/Windows Shown Again ("BlackSuit")
Links for the day
Good Morning, Readers of The Register MS
Things The Register MS could (but does not) cover this morning
Why Gemini Protocol Has a Bright Future
Maybe Gemini Protocol's promise becomes more appealing as the Web turns to slop and bloat
It's a Lot Easier to Participate in the Unethical System Than to Oppose Injustices in It
Going after powerful and high-budget interests is never easy
Microsofters Filed Two SLAPPs Against Us, Now They Cannot Keep Up With Judges' Orders
For over 4 months already their facilitator in London has been under investigation by British authorities because of what's being done to my wife and I
Censorship Regarding Red Hat Layoffs
Talk about this? They'd rather not.
Struggling to Cut Costs, Microsoft Continues Shutting Down and Cancelling Stuff This Month
There are August layoffs at Microsoft
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, August 07, 2025
IRC logs for Thursday, August 07, 2025
Fake 'Linux' Articles, Written by Bots to Take Traffic Away From Real Articles
LLM slop helps replace information with junk or misinformation
When Google's Googlebombing of "Gemini" Was Not Enough; They Now Also Googlebomb "Gemini Space"?
We know GAFAM not only worries about Gemini Protocol but also attempts to 'infiltrate' Geminispace
The Register MS Promotes Microsoft Slop, Assumes All Readers Use Microsoft Windows
Microsoft really dominates the site
Gemini Links 08/08/2025: KDE/Qt Development and What's Missing From "Retro"
Links for the day
Links 07/08/2025: US Punishes India Instead of Russia, Attacks Law Firms to Prevent Scrutiny
Links for the day
Read Us in Geminispace as Well
it's definitely a lot simpler than using a Web browser
Once a Site About BSD and GNU/Linux, and After Months of Silence, LinuxBSDos.com Comes Back Only as a Slopfarm
very frustrating
Links 07/08/2025: Hardware Wars, Mass Recall of Colgate Total Clean Mint, More Microsoft Holes Found
Links for the day
Gemini Links 07/08/2025: "Right To Manage" and LoRa Analysis
Links for the day
For the First Time in a Month OSI's "OpenSource.org" Blogs and It's Basically a Microsoft Blog Post (Microsoft Controls OSI)
For the first time in a month OSI writes something and it is Microsoft propaganda composed by a Microsoft-salaried operative
Microsoft, Already Borrowing 3 Billion Dollars a Month, is Trying to Cause Many People to Resign
MSN (i.e. Microsoft) and others openly admit it
GAFAM 'Says' is Front Page "News"
The point of journalism is to check and assess facts, not parrot what people and companies merely claim
Links 07/08/2025: Apple Makes False Promises, More Trouble for Microsoft
Links for the day
OSS Didn't Always Mean Open Source Software
"oligarchs all the way down"
The Register MS Does More Microsoft Sez or GitHub Sez (Says) Pieces
60 minutes ago
They Want Activists to Just Barely Walk and Eat, Not Do Activism Anymore
It's sort of like the ending of '1984'
Quit Perpetuating the Narrative of Gemini Protocol 'Dying' (It's False)
The "whisper campaign" against Gemini Protocol
Criticising Social Control Media in Social Control Media
Many people are quitting Social Control Media (fewer of them announce this in public)
Non-Free JavaScript Programs in Banks Aren't Even the Biggest Problem
Technology was supposed to make life easier; in practice, however, for most of us the opposite effect can be observed
Slopfarms Are Typically Fake News
Slopfarms typically relay falsehoods
Gemini Links 06/08/2025: Replacing a Pocket Watch and Buying in Bulk
Links for the day
IBM is Obliterating Fedora
"Fedora releases were shipping with an increasing number of bugs on launch day even while I was using it for a several year stretch."
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, August 06, 2025
IRC logs for Wednesday, August 06, 2025