Re: Yubikeys are now supported

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Oct 7, 2010 at 5:51 PM, Paul Wouters <paul@xxxxxxxxxxxxx> wrote:
> I have one and I've played with it in fedora. There is however an important
> catch. The server and the yubikey share the same AES symmetric key. This means
> that if the yubikey is used for multiple sites by one user, that user is sharing
> is his "private key" over various external sites.
>
> So if fedoraproject would accept it, and the same user uses this yubikey for
> another site, and that other site gets hacked, then fedoraproject could be
> hacked as well.
>
> I guess in a way it is like using the same password, but people might not be
> thinking of that when they have a "device" on them that they use.

Wow, that's a serious weakness. Are we sure about this?
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux