U2F registration issues
my1xt last edited by
In Opera 53 stable they apparently tried to make U2F even more secure by pulling out a prompt whenever a page wants to register a U2F token about whether the site may see the "serial number" of the Security key.
But there are 2 problems with that whole thing:
- apparently this thing is kinda broken and doesn't come down on every site, leaving a client error 1 (unknown error) instead
- The serial number doesn't even get transmitted, as U2F sticks usually pull keypairs out of nowhere (aka generating them by using random and deterministic data). The only thing that CAN even remotely trace a U2F stick is the attestation cert, although that isn't always 1 cert per stick (which would also completely crash the anonymity point of U2F)
I have now so far seen this issue on both GitHub and Dropbox, 2 sites which are fairly big, and therefore should really have a proper U2F implementation.
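
Added example, not part of the original post and not Opera's or any site's code: a parser for the U2F registration response layout defined in the FIDO U2F raw message format (reserved byte 0x05, public key, key handle, attestation certificate, signature). It shows that the message has no serial number field and that the attestation certificate is the only element not generated per registration. The function names and the sample blob are constructed for illustration.

```python
import base64

def der_total_len(buf, off):
    """Length (header + body) of the DER SEQUENCE starting at buf[off]."""
    if off + 2 > len(buf) or buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE (attestation certificate)")
    first = buf[off + 1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if not 1 <= n <= 4 or off + 2 + n > len(buf):
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")

def parse_registration(reg_b64):
    """Split websafe-base64 registrationData into its four fields."""
    raw = base64.urlsafe_b64decode(reg_b64 + "=" * (-len(reg_b64) % 4))
    if len(raw) < 67 or raw[0] != 0x05:    # reserved byte is always 0x05
        raise ValueError("not a U2F registration response")
    public_key = raw[1:66]                 # uncompressed P-256 point, per-site key
    if public_key[0] != 0x04:
        raise ValueError("public key is not an uncompressed EC point")
    kh_len = raw[66]
    key_handle = raw[67:67 + kh_len]       # opaque handle chosen by the token
    if len(key_handle) != kh_len:
        raise ValueError("truncated key handle")
    cert_off = 67 + kh_len
    cert_len = der_total_len(raw, cert_off)
    cert = raw[cert_off:cert_off + cert_len]
    signature = raw[cert_off + cert_len:]  # everything after the certificate
    if len(cert) != cert_len or not signature:
        raise ValueError("truncated certificate or missing signature")
    return {"public_key": public_key, "key_handle": key_handle,
            "attestation_cert": cert, "signature": signature}

def constructed_sample():
    """Constructed blob with the right layout; the 'certificate' is filler."""
    pub = b"\x04" + bytes(range(64))
    kh = b"\xAA" * 64
    fake_cert = b"\x30\x82\x01\x00" + b"\x00" * 256
    fake_sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"
    raw = b"\x05" + pub + bytes([len(kh)]) + kh + fake_cert + fake_sig
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

if __name__ == "__main__":
    for name, value in parse_registration(constructed_sample()).items():
        print(f"{name}: {len(value)} bytes")
```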