Bonum Certa Men Certa
ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



"Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt..."With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They're already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

"We use GnuPG a great deal here in Techrights. Most of our messages are encrypted."The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

"A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society."How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"We might be the first site to touch this subject, but there's more on the way for sure.""Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.

ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

Recent Techrights' Posts

How to Tackle Corruption Effectively and Gradually
In my personal, humble experience
European Patent Office (EPO) Series: A Tale of Two Antónios
"Campaign for the Re-Appointment of the President"
Trusting Microsoft is Foolish
Mr. Rossmann says they "gaslight customers" in their Web site, but it goes a lot further than this
SLAPP Censorship - Part 94 Out of 200: SLAPP by Garrett's Litigation Buddy Started 20 Months Ago, He Has Not Even Put in His Defence Yet!
This is what happens when one deals with incels and misogynists who promote slop and Microsoft
 
Rust is a Disaster for Both GNU and Linux, But 'Linux' Foundation (GKH) Keeps Promoting It Despite the Problems
And non-GPL licences
IBM's CEO and his "pump and dump scheme" ("Arvind's lies about quantum")
Don't be misled by Wall Street
Gemini Links 01/06/2026: Xylophone Essay, Ham Radio, and Slop Contaminating USENET/Newsgroups
Links for the day
Links 01/06/2026: Patent Applicant Disclosures Drop After the January 2025 IDS Surcharge, "China Exports Surveillance"
Links for the day
Links 01/06/2026: Irreversible GAFAM Bans and "The Pirate Bay Remains Resilient"
Links for the day
Running and Writing Sites for People, Not Bots (Including Search Engines)
Had those sites spent more time focusing on RSS feeds (not social control media "games") and less on SEO (trying to game search engines), they wouldn't be sobbing now
SBB, the Swiss Railroads, Want to Hear Richard Stallman
Can Dr. Stallman persuade key decision makers to adopt not only "Linux" but also Software Freedom (not the same thing), as he did in South American before? Or like he did in Kerala?
Resumes and Vanity Pages
Wikipedia is fast becoming a glorified marketing company
Techrights in a Nutshell, in Very Generic Terms
"for dummies"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, May 31, 2026
IRC logs for Sunday, May 31, 2026
Gemini Links 01/06/2026: Buckingham Palace Garden Party, TUI Annoyances, Lateral Thinking with Withered Technology
Links for the day
Links 31/05/2026: Heat Wave Grips France and Edgar Morin Dies
Links for the day
Gemini Links 31/05/2026: Backup vs. Mirror, Year of the Death of a Euphemism, Slop Makes Only Yet Another (Untested) Calculator
Links for the day
IBM Red Hat Has a Long History or Track Record of Misusing Trademarks to Send Lawyers to Try to Take Down Pages and Web Sites of Critics
Red Hat claims to own words; IBM thinks it owns names
Richard Stallman is Coming Back to Bern to Give a Talk Next Month
another big talk coming up
Gravitating Towards What Your Role in Society May Be (or What You're Truly Good At)
Many IBMers already realise that they spent years if not decades of their lives working on mostly meaningless products/projects
900 Days Later
900 days is a very long time (almost 1,000)
Cybershow Requires Free Software to Record Shows
Cybershow is run by people who understand that without Software Freedom there can be no sovereignty
Losses at Microsoft's GitHub Seem to be Deepening
How many billions of dollars has Microsoft lost by betting on the false prediction that it can somehow "monetise" public code by LLMs?
Links 31/05/2026: Slop 'Code' (Junk) "Increasingly Leads to Production Failures" and "Huge Slop Costs With No Clear Benefits"
Links for the day
European Patent Office Strikes Intensify Tomorrow, Huge Strikes Planned for June, 10,000 Strike Participations Registered
Campinos may well be ousted soon
SLAPP Censorship - Part 93 Out of 200: A Blueprint of Reckless Lawfare in the UK, Waged and Funded by Americans (in Another Continent)
Lawfare powered by slop companies (including Microsoft) from America, targetting British people who consistently oppose slop because it's objectively terrible
Links 31/05/2026: Watershed Moment, Traveller RPG Book Binding, and GUI Annoyances
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Saturday, May 30, 2026
IRC logs for Saturday, May 30, 2026
IBM CEO Can Become a Billionaire by Laying Off Tens of Thousands of Workers (or Buying Companies Using Borrowed Money, Only to Lay off Thousands in Them)
Like he did Confluent recently
Reminder That Linuxiac is a Slopfarm or Hybrid of Bobby and His LLMs
LLM fetishist that claims to cover Linux
BetaNews is Still Publishing Fake Articles, Sometimes Fake News, or LLM Slop Disguised as 'Journalism'
Slop isn't yet a thing of the past, but hopefully we'll get close to that by the end of this year
Gemini Links 30/05/2026: Writer's Block, Evil GAFAM (Google), and Scepticism of Slop
Links for the day
Links 30/05/2026: Fairphone 6, China’s Rise in Drug Development, Slop Wastes Money Without Delivering Value
Links for the day
Links 30/05/2026: Alarm Over Large Companies Cancelling Slop Contracts, Ozzy Osbourne Resurrection as Slop Draws Ire
Links for the day
Red Hat Exodus or RAs (or PIPs) in 2026 Not Limited to China, IBM is Doing Well at Hiding Layoffs
All we need to know is, does IBM hand out lots of PIPs?
SLAPP Censorship - Part 92 Out of 200: A Spouse Cannot be Turned "On" and "Off" Like a Faucet
Today's part will be very short because we keep the parts shorter in weekends and summer is officially around the corner (June on Monday)
The Register MS Has Just Published Fake Article That Mentions "AI" 23 Times. "Sponsored by Arm." It Does This Every Day.
A lot of the time we see this term everywhere in "the news" simply because slop pushers are paying for it
SQLite Under DDoS Attack by Slop Reports or Fake 'Bugs' (Just Like cURL and Many Other Projects)
Even Linus Torvalds is starting to talk about this
IBM: The B Turns From "Business" to "Bailouts" to "Buybacks" ("IBM is the Next Intel")
Trying to shore up the falling share price/stocks while veteran workers and Vice President (with high salaries) are cut off
Links 30/05/2026: More GAFAM (Amazon) Mass Layoffs, Peter Schiff Warns of Trillion-Dollar Slop Bubble Waiting to Implode
Links for the day
Slop is Plagiarism
Trillions of dollars down the drain, invested in a dud
Gemini Links 30/05/2026: Rehabilitation and Taming Emacs Cache and Temporary Files
Links for the day
Richard Stallman (RMS) Talks and Secure Transmission of Private Communications in Formats Everybody Can Access With Free Software
Maybe the FSF should step up a bit the campaign to use Free software to communicate with one another
General Consultative Committee (GCC) Discusses Working Conditions of Employees of the European Patent Office (EPO)
On the agenda: Salary Erosion Procedure, Breastfeeding Policy, New Amicale Framework, Public Holidays 2027
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Friday, May 29, 2026
IRC logs for Friday, May 29, 2026