Bonum Certa Men Certa
ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

A FIDO/FIDO2 False Sense of Security for Premium Prices

Military-grade nonsense that is proprietary and untrustworthy (monopolised by the likes of Google and Microsoft)

Manifestation against missileSummary: From the attack on software freedom (including Richard Stallman and other leaders/luminaries) we've seen a shift to attacks on privacy itself, e.g. auditable encryption; today we discuss the troubling developments in the FIDO/FIDO2 space

THE ESSENCE of Free/libre software is control, liberty, autonomy, independence, security, decentralisation and sometimes privacy too. Those are all just words that convey concepts in English. It's better understood in the absence of those things (when one lacks or loses freedom). As RMS puts it, to paraphrase a bit, either the user controls the program or the program is an instrument by which some corporation (or government) controls the user. It's really that simple. To alleviate that unjust leverage of power (developers or developers' employer) over computer users we need freedom-respecting software that is audited by many and forked if mischief occurs. This helps ensure that the public interest is prioritised, not the bottom line of some business/es. That does not mean that no business can exist; many businesses are based around distributing and supporting Free software. Perfectly moral and ethical business practices are compatible with the Four Freedoms.



"Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt..."With all that in mind, we've grown cynical if not deeply concerned about the Linux Foundation. The institution itself is a misnomer (it promotes operating systems other than Linux), its biggest players (leadership) are monopolistic proprietary software companies, it advocates mass surveillance, and it works for Microsoft (which in turn works to undermine Linux).

Earlier this year there was a major incident, which saw millions of rogue certificates being issued by Let’s Encrypt, which is connected to the Linux Foundation and hosted/coded on Microsoft servers. These certificates were later revoked, but there was no transparency about what had happened. Can we trust one CA to manage so many certificates? Look at its backers and sponsors. These certificates aren't free; if they seem to be free, it's because someone foots the bill to gain something, such as the US government receiving back door access to undermine encryption (by access to private keys or similar). They're already done that even inside Switzerland, covertly of course! So do we trust Let’s Encrypt? Not really, even less so after that incident. There was never clarity and now even an explanation of what was done, who the culprit was and so on.

But this article isn't about Let’s Encrypt. It's about FIDO2. The patterns may be similar, at least some salient points. "I don't know if you've been keeping up with the developments in hardware security tokens," one reader told us this week, "but I have been very alarmed with the developments that are happening with regards to FIDO2. I feel like this is another attempt to stomp out competition just like TLS CAs did before Let's Encrypt was a thing."

"We use GnuPG a great deal here in Techrights. Most of our messages are encrypted."The reader is a bit of an expert in that domain. Also remember how the founder of Ubuntu originally amassed his wealth. "Right now," the reader noted, "companies that make products like Yubikey and Titan Security Key are selling obscenely overpriced hardware just because it has a "FIDO2 Certified" logo on it. I feel like hardware security tokens are going to end up in the same situation that happened with TLS CAs where a few bodies monopolise the system and dictate who gets to be a "trusted provider". A FIDO2 certification costs about $6500 USD, last time I checked. As someone that uses GnuPG and its open ecosystem of hardware, it pains me to see the monopolisation and profiteering that's happening around the security space."

We use GnuPG a great deal here in Techrights. Most of our messages are encrypted.

"I hope you can share this message with the right people," our reader appealed, "to combat the monopolisation and anti-competitive attempts by organisations like FIDO Alliance. There's nothing open about the FIDO Alliance. The firmware for most of those devices are closed-source and the only reason people are duped into buying them is because of the "FIDO2 Certified" seal on those products. I feel like this is a turning point in cybersecurity history and we need to kill this attempt at monopolisation before we end up with the tragedy that happened with TLS CAs."

"A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society."How many billions of dollars were washed down the drain because of these? And we ended up with "trusted" CAs that are mostly in bed with the world's biggest spying operation. Which means they might be worse than useless...

"We decide who to trust with our OpenPGP certificates," our reader noted. "We don't let other bodies make that decision for us. Let's work together to make sure we nip this FIDO nonsense in the bud. We've got the platforms and people. The WebAuthn W3C steering members are stuffed with Google, Microsoft, and (surprise) Yubico people. I'm almost certain that they're using embedded cryptography MCUs in their closed proprietary products and then making a eye-watering profit margin."

Notice that their stuff is controlled partly by Microsoft and the NSA (in GitHub). So they clearly do not value or grasp basic security.

Our reader noted: "The OpenSK project on GitHub (by Google, I believe) uses an overpriced board and there's a nice disclaimer at the bottom that OpenSK is not FIDO certified (this is blatant FUD). They aren't even using the embedded crypto MCUs on the Nordic chip. They have gone with the excuse that their software-driven crypto is "research quality" code. OpenSK is a blatant attempt to spread FUD about uncertified FIDO hardware. Yubico are in on it as well.

"We might be the first site to touch this subject, but there's more on the way for sure.""Nitrokey has a FIDO2 product and I think it's uncertified by the looks of things. I know Nitrokey people are very closely linked to GnuPG devs because I've been around GnuPG dev a lot recently. I'm pretty sure the folks at Nitrokey see the dangers of monopolisation but they're keeping it quiet (probably in fear of the media pull Google et al have). I would also prefer remaining anonymous, thanks for allowing that..."

A mechanism for trust among parties, e.g. encryption, is crucial in a free and democratic society. Those who undermine the encryption basically maintain keys to the castle. They've long attempted to put back doors (or back door access, e.g. via third parties) to everything. Sometimes the media describes that as "weakening" encryption, but that actually means breaking; weak means broken.

We might be the first site to touch this subject, but there's more on the way for sure. "Wanted you to be the first to throw a punch though," our reader noted, "because people in the community trust you on these things."

But there's lots more on the way. Stay tuned.

ClearlyDefined is Just Microsoft Land Grab (Which the OSI Now Actively Participates in) | Links 15/10/2020: Parted Magic Leaves OpenBox, US Congress Urged to Choose Free Software

Recent Techrights' Posts

European Patent Office (EPO) Series: The Centre (in Portugal) Falls Apart…
Luís Montenegro became embroiled in a conflict-of-interest controversy
Links 10/06/2026: More Microsoft Layoffs, Sweden to "Ban Mobile Phones in Schools"
Links for the day
 
SLAPP Censorship - Part 103 Out of 200: Telling People What They Know and Don't Know About Death Threats They Receive
patronising letters sent on behalf of the Serial Strangler from Microsoft
IBM Genies in the Bottle
for ordinary people working who at at IBM, it's not hard to see that IBM is floundering
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, June 10, 2026
IRC logs for Wednesday, June 10, 2026
Links 11/06/2026: LF Openwashing of Slop and "Azerbaijan Bans TikTok and Other Social Media Apps in School"
Links for the day
IBM Lost About 18% of Its "Market Value" This Month
In IBM's case, a lot of the latest "pump" was Arvind's "quantum" hype/fantasy
Gemini Links 10/06/2026: Signal to Noise, Cancer, and Permacomputing
Links for the day
Communities and "Prosumers."
today's meetup will be about community
Gemini and Gopher Links 10/06/2026: Roasting, Changes, and Harms of Slop
Links for the day
Microsoft Azure Shrinking With More Mass Layoffs
"Reports suggest the layoffs will impact close to 200 out of 400 workers, who are set to cease employment at Azure on July 6"
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 09, 2026
IRC logs for Tuesday, June 09, 2026
European Patent Office (EPO) Series: The Centre-Right "Social Democratic Party" in Portugal
Quite an achievement for a former Maoist radical and aspiring champion of the Portuguese proletariat to be invited to join Goldman Sachs
SLAPP Censorship - Part 102 Out of 200: Maybe One Day Whistleblowers From Brett Wilson LLP Will Tell Us What Really Happened
Maybe one day some former staff of Brett Wilson LLP will also approach us to blow the whistle
What LibreOffice and TDF Get Right About Document Formats (and What They Get Wrong)
OOXML is a phantom - it is something nobody implements, not even Microsoft!
Gemini Links 09/06/2026: "The Mist of the Lands Between", Board Game Concept
Links for the day
2026: The Year Slop Companies "Made an Exit" (Threw in the Towel Over to Wall Street)
Remember 2026 as the year two major slop companies (which we won't name) sought an IPO
Links 09/06/2026: NSO Group still cracking, "FOI tribunal throws out £14k costs claim against journalist Barnie Choudhury"
Links for the day
Links 09/06/2026: "Smartphones Broke Dating" and "EU Open Source Strategy"
Links for the day
Cannot Speak About IBM Wrongdoing or Jobs Being Sent Overseas (Lower Salaries)
IBM has long attacked the media, the whistleblowers, and even online forums
European Patent Office (EPO) Series: The CIA-Funded Centre-Left in Portugal
In the political turmoil which followed the fall of the old regime, the communists seemed to be acquiring a dominant position and there was a very real risk that Portugal could end up aligned with the Eastern Bloc if they were not stopped
This Coming Friday
Richard Stallman (RMS)
Yesterday Afternoon The Register MS Published a Fake Article That Says "AI" 31 Times Because It Got Paid to Do This
What will happen when all those loans for slop (Ponzi scheme) stop and companies' marketing budgets - which include media bribes for hype campaigns - are no more?
Extraordinary General Meeting of Staff Union of the European Patent Office Ahead of Intensifying Strikes
We will, in the meantime, run a series about EPO corruption, which is now connected to corruption in Portugal and to corruption inside the EU
Several Slopfarms That Target "Linux" Seem to Have Died
Or perished severely
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 08, 2026
IRC logs for Monday, June 08, 2026
Gemini Links 09/06/2026: Tanana River, Cassette Beasts, and Emacs
Links for the day