Yubico Forum

Posted: Wed Feb 25, 2009 3:12 am
Site Admin

Joined: Wed May 28, 2008 7:04 pm
Posts: 263
Location: Yubico base camp in Sweden - Now in Palo Alto
The automatic navigation feature is a bit of an unofficial gizmo feature that was implemented in an early stage. Although it is a pretty cool feature, we've not promoted it due to some issues with it.

Primo - As we emit all keystrokes, not just the "safe" modhex ones, we are subject to keyboard layout variations. A URL that works on a US keyboard may very well not work on a German one as the scan codes map to different keys - www.yubico.com would be www.zubico.com :)

Secundo - The feature is Windows specific and as we claim that the Yubikey works on all platforms, this feature somewhat invalidates the statement.

Tertio - We make a "reasonable delay" after enumeration until the point we emit the URL. This "reasonable delay" is for example too short at the first insertion when the hardware is installed. Another issue when we now added support for pre-boot enumeration is that the URL string gets sent out nowhere at that point, potentially flooding the BIOS setup with some garbage.

Quarto - The feature can in theory open up for some subtle attacks where "rogue keys" can launch bad things or go to bad sites, just like the highly criticized "CD autorun" feature.


There are a few more things, but in summary - the feature really does not work in a practical setting. That's life...

We're going through some validation stages and security reviews and feel very tempted to simply delete the feature due to the reasons listed above. But I very much know that there are quite a few people who really like the feature. I somewhat guess it is more for personal use than for "professional" settings.

So the question is - what do you all say? Will we get a swarm of upset users or shall we keep it "as is" in a kind of unsupported way where you explicitly need to enable the feature if you want it?


Regards,

Jakob E
Hardware- and firmware guy @ Yubico
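
The keyboard-layout problem from the "Primo" point above, as an added example that is not part of the original post or Yubico's code: the device emits USB HID usage IDs as if the host used a US layout, and the host decodes them with its own layout. The layout tables are a simplified assumption (letters and '.' only), and the French AZERTY case goes beyond the German one mentioned in the post.

```python
import string

# The 16-character ModHex alphabet, the "safe" keystrokes the post refers to.
MODHEX = "cbdefghijklnrtuv"

# USB HID keyboard usage IDs: 'a'..'z' are 0x04..0x1D; 0x37 is '.' on a US layout.
US = {0x04 + i: ch for i, ch in enumerate(string.ascii_lowercase)}
US[0x37] = "."

def remap(base, changes):
    """Build a host layout from the US one; changes maps us_char -> host_char."""
    return {code: changes.get(ch, ch) for code, ch in base.items()}

# Simplified layout models (assumption: only the keys that differ are listed).
LAYOUTS = {
    "us": US,
    "de": remap(US, {"y": "z", "z": "y"}),                      # QWERTZ
    "fr": remap(US, {"a": "q", "q": "a", "w": "z", "z": "w",
                     "m": ",", ".": ":"}),                      # AZERTY
}

US_ENCODE = {ch: code for code, ch in US.items()}

def emit(text):
    """Device side: convert text to usage IDs, assuming a US layout."""
    return [US_ENCODE[ch] for ch in text]

def received(text, layout):
    """Host side: the characters typed when the IDs are decoded with layout."""
    return "".join(LAYOUTS[layout][code] for code in emit(text))

def layout_safe(text):
    """True if the text arrives unchanged under every modelled layout."""
    return all(received(text, name) == text for name in LAYOUTS)

if __name__ == "__main__":
    url = "www.yubico.com"  # the URL used in the post
    for name in LAYOUTS:
        print(name, received(url, name))
    print("URL layout-safe:", layout_safe(url))
    print("ModHex layout-safe:", layout_safe(MODHEX))
```
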



Posted: Wed Feb 25, 2009 11:34 am

Joined: Tue Feb 24, 2009 4:05 pm
Posts: 9
As a new user, I didn't know about automatic navigation, a search of the forums didn't enlighten me and being Windows only is a negative for me so I'd say drop it.

You say it does not work in a practical setting, which sounds like a second reason for dropping it.

Ed


Posted: Wed Feb 25, 2009 8:14 pm

Joined: Sun Jan 11, 2009 4:40 am
Posts: 41
Although the change that you've made in the latest firmware release to require a password to program/reprogram the auto-navigation would seem to resolve "Quarto", the first three issues remain.

Another downside is that having auto-navigation enabled interferes with multi-purpose/multi-site use. I noticed this with the YK that I purchased from MashedLife which wanted to take me to that website every time that I plugged it in. It would have been awkward to use the same YK for another purpose such as, for example, OpenID or even to log into this forum. While that might sell more YKs, it could inhibit adoption as a multi-use device.

Dick


Posted: Thu Feb 26, 2009 3:32 am

Joined: Fri May 30, 2008 5:32 am
Posts: 19
Location: Austin, TX USA
If the feature is off by default and requires a password to enable it then I would say keep it unless it is going to require significant resources to maintain it in future firmware builds. In my opinion the more options available the more flexible the device will be. If a person manually enables that feature on their Yubikey then they will most likely know its limitations. That feature may prove useful for someone in their specific environment and be the difference between them going with a Yubikey or not. That being said I personally don't use the auto navigation feature and wouldn't miss it if it is removed.


Posted: Thu Feb 26, 2009 10:32 pm

Joined: Mon Jun 16, 2008 3:10 am
Posts: 25
Location: Sydney, Australia
You have to draw the line somewhere. I didn't know of this feature until I saw the option in the personalization tool. From what everyone has said here, I don't think this is something that should stay. It is too restrictive, and prone to misuse. Imagine a company deploys this feature, allowing employees to automatically log on through their secure SSL VPN solution using the YK with auto navigate feature. If the YK gets lost or stolen, without even knowing the URL, Mr Hacker just has to plug the YK in, press the button, and he's logged on.

In my opinion, stick to your core business, which is authentication - not auto navigation.

Cheers

Phil


Posted: Wed Mar 25, 2009 4:47 am

Joined: Tue Jan 13, 2009 6:33 am
Posts: 20
I knew of this feature before I received a Yubikey.
I know that it had some problems under some OSes.
I don't hear of any discussion about using it lately.
So, I vote for dumping it altogether.

