independent security audit #126
Comments
Nitrokey has plans to perform a security audit for the software at some point.
Thanks for the answer and your transparency. What does Nitrokey have to do with this project?
Nitrokey has plans to leverage our FIDO2 functionality and will contribute back. One of their requirements is going through a security audit, so we both get to benefit :)
@conorpp nice news!
@0x0ece does this mean that SoloKeys got an independent security audit?
No audit and no funds to do one anytime soon. For now FIDO2 L1 certification is the best assurance of security against online attacks. Independently, we're trying to clean up issues starting from the ones with no activity. This morning we had 75+ issues; it's impossible to keep track of them. I feel issues should give a representation of what's happening and what's being worked on. For ideas and wishlist items we should probably find a different place.
@0x0ece You could use Issue Labels and Milestones for this.
Yes, there are labels and milestones. I don't think there is a reason to close issues, especially issues asking for an independent security audit. It looks really suspicious if you close such things without any word.
This is a won't fix, added label. Suspicious or not, there's no budget.
@0x0ece I don't think you need a budget for this. I would just leave that issue open and maybe some nice security researcher out there would have an independent look at your hardware. I mean you could at least try to find a security researcher checking your device and if it's with a
I second this @shibumi.
We (Nitrokey) did a short review of the most important security related aspects. For us, the firmware update was most crucial because it affects future firmware releases too and can't be updated itself. One shortcoming we identified and patched subsequently was that old firmware versions could be installed. Now with the patch, only newer firmware versions can be installed (downgrade protection). Because the review wasn't complete we didn't write a review. It would still be good to have a comprehensive security review. At a later stage, we may work more on this.
I reopened then. But I confirm no current budget to do a security review.
@jans23 Thanks a lot! This comment is gold for me. So, can we expect a review about this downgrade protection?
@shibumi We implemented the downgrade protection so somebody else should review it.
Update. We ran a security analysis with @doyensec. Blog post: https://solokeys.com/blogs/news/security-analysis-of-the-solo-firmware-by-doyensec Full report: https://doyensec.com/resources/Doyensec_SoloKeys_TestingReport_Q12020_v3.pdf
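The downgrade protection Nitrokey describes above, as an added example written for this page (it is not Solo's or Nitrokey's bootloader code): a bootloader-side check that accepts a candidate image only when its version is strictly newer than the installed one, and only after the version has been authenticated together with the image. The version encoding (major.minor.patch.build, one byte each), the struct and function names, and the "signature" (a toy FNV-1a tag standing in for a real signature over image and version) are all assumptions made for the example.

```c
/* Added example, not project code. Illustrates firmware downgrade protection:
   the candidate version is checked (a) as part of the authenticated image and
   (b) as strictly greater than the installed version, before any flash write. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed version encoding: major.minor.patch.build, one byte each. */
typedef struct {
    uint8_t major, minor, patch, build;
} fw_version_t;

/* Pack big-endian so a plain unsigned comparison gives major-first ordering. */
static uint32_t fw_version_pack(fw_version_t v) {
    return ((uint32_t)v.major << 24) | ((uint32_t)v.minor << 16) |
           ((uint32_t)v.patch << 8)  |  (uint32_t)v.build;
}

typedef enum {
    FW_ACCEPT = 0,
    FW_REJECT_UNSIGNED = 1,   /* tag does not match image + claimed version */
    FW_REJECT_DOWNGRADE = 2,  /* candidate is older than what is installed */
    FW_REJECT_SAME = 3        /* same version: reflashing is refused too */
} fw_verdict_t;

/* Stand-in for a real signature check (e.g. ECDSA over image || version),
   constructed for this example: FNV-1a over the image bytes and the packed
   version. The point is that the version is inside the authenticated data;
   a version field outside it is attacker-controlled and useless for
   downgrade protection. Do not use a hash as a signature in real firmware. */
static uint32_t toy_digest(const uint8_t *img, size_t len, uint32_t packed_version) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= img[i]; h *= 16777619u; }
    for (int s = 24; s >= 0; s -= 8) { h ^= (packed_version >> s) & 0xffu; h *= 16777619u; }
    return h;
}

/* Decide whether `candidate` (carried with `img` and authenticated by `tag`)
   may replace `installed`. Authentication runs first; ordering runs second;
   nothing is written to flash unless FW_ACCEPT is returned. */
fw_verdict_t fw_check_update(fw_version_t installed,
                             const uint8_t *img, size_t len,
                             fw_version_t candidate, uint32_t tag) {
    uint32_t cand = fw_version_pack(candidate);
    if (toy_digest(img, len, cand) != tag)
        return FW_REJECT_UNSIGNED;
    uint32_t cur = fw_version_pack(installed);
    if (cand < cur)  return FW_REJECT_DOWNGRADE;
    if (cand == cur) return FW_REJECT_SAME;
    return FW_ACCEPT;
}

int main(void) {
    /* Constructed sample image and versions. */
    const uint8_t img[4] = {0xde, 0xad, 0xbe, 0xef};
    fw_version_t installed = {2, 5, 3, 0};
    fw_version_t older = {2, 5, 2, 9}, same = {2, 5, 3, 0}, newer = {2, 6, 0, 0};
    const char *names[] = {"accept", "unsigned", "downgrade", "same"};

    printf("older: %s\n", names[fw_check_update(installed, img, 4, older,
                                 toy_digest(img, 4, fw_version_pack(older)))]);
    printf("same:  %s\n", names[fw_check_update(installed, img, 4, same,
                                 toy_digest(img, 4, fw_version_pack(same)))]);
    printf("newer: %s\n", names[fw_check_update(installed, img, 4, newer,
                                 toy_digest(img, 4, fw_version_pack(newer)))]);
    /* Tampering: keep the old image's tag but claim the newer version. */
    printf("forged version: %s\n", names[fw_check_update(installed, img, 4, newer,
                                 toy_digest(img, 4, fw_version_pack(older)))]);
    return 0;
}
```

Two points the comment above implies but does not spell out: the check has to run before the old image is erased, since a device that erases first and rejects afterwards is bricked rather than protected; and because the bootloader performing the check cannot itself be updated on this class of device, a bug in the comparison (for instance comparing version bytes as signed, or comparing only the major field) is permanent, which is why it deserves an independent look.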
I strongly suggest an independent security audit for the soft- and hardware.