Hacker News | Dragging-Syrup's comments

I’m sorry to be pedantic, that’s not exactly true. I agree in the sense that extracting hw based keys is next to impossible, but if your machine is compromised, there isn’t much stopping malware from using your hw based key (assuming 1. Left plugged in, 2. Unlocked with either ssh-agent or gpg-agent, and 3. You don’t have touch to auth turned on). Reduced risk? Absolutely. No risk? Absolutely not.


Sure. They can use my key while my machine is compromised, but even then I won't _need_ to rotate it after the compromise is cleared.

It still would be a good idea just to make sure that it's easier to analyze logs, but it's not strictly needed.


And if you want to be even more pedantic, shell access with a touch based key just means the attacker has to wait for you to auth, which makes touch based systems largely a waste of effort on the defender's part.


> shell access with a touch based key just means the attacker has to wait for you to auth

And if you want to be EVEN more pedantic, on most touch-based keys, you have to touch within 10–15 seconds otherwise it times out.

So it is not a waste of effort at all. First the need to touch at all eliminates a large chunk of attacks. Second the need to touch within 10–15 seconds eliminates a whole bunch more.

There would have to be some heavy-duty alignment of ducks going on to get past a touch requirement.

Even more if the target has touch AND PIN enabled.


The touch based key I use only responds once per touch. If someone compromises the machine it's plugged into, the action I expected to complete won't complete. This means the compromise becomes immediately visible.


> there isn’t much stopping malware from using your hw based key

Except the three pretty major things that do stop malware that you mentioned ;)

Perhaps especially "3. You don’t have touch to auth turned on".


Never apologize for pedantry here


Absolutely; I think calling the function xor would be more appropriate.


The best part is the website hxxps://www.honestachmed.dyndns.org/ is still up.


Pardon the side question, what is this trend of rewriting http as hxxp? A reflex from platforms that don't allow sharing URLs?


I do this to defang the URL to prevent unintentional clicks or automatic previewing when working and reporting on security events. Sometimes the habit bleeds over.


ha, makes total sense :)

I might get into this habit too (and it's somehow funny how ~ergonomics can backfire)
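The defanging habit described in the comments above, as an added example that is not part of the original thread: a small helper that defangs every live http(s) link in a report, reverses it for analysis, and lists any links still live before the report is sent. The `[.]` host rewrite goes beyond the `hxxp` scheme swap shown in the thread; the function names and the sample report are constructed for illustration.

```python
import re

# Scheme + authority of a live URL and of its defanged form.
_LIVE = re.compile(r"\bhttp(s?)://([^\s/?#]+)", re.IGNORECASE)
_SAFE = re.compile(r"\bhxxp(s?)://([^\s/?#]+)", re.IGNORECASE)


def defang(text):
    """Rewrite each live http(s) URL so it cannot be clicked or auto-previewed."""
    def _sub(m):
        # Only the host is bracketed; dots in the path are left readable.
        return "hxxp{}://{}".format(m.group(1), m.group(2).replace(".", "[.]"))
    return _LIVE.sub(_sub, text)


def refang(text):
    """Restore defanged URLs, e.g. before feeding them to an analysis tool."""
    def _sub(m):
        return "http{}://{}".format(m.group(1), m.group(2).replace("[.]", "."))
    return _SAFE.sub(_sub, text)


def live_links(text):
    """Return the scheme+host of every URL that is still clickable."""
    return [m.group(0) for m in _LIVE.finditer(text)]


# Constructed sample report (reserved example domain and documentation IP).
REPORT = (
    "Phishing mail linked to https://login.bad.example/reset?id=7 and\n"
    "pulled a second stage from http://203.0.113.9/a.bin (already blocked).\n"
    "Previously reported: hxxp://old[.]bad[.]example/\n"
)

if __name__ == "__main__":
    print("live before:", live_links(REPORT))
    safe = defang(REPORT)
    print(safe)
    print("live after:", live_links(safe))
```

Running `live_links` over outgoing text as a pre-send check catches links that were pasted in after the report was defanged.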


Yeah, and http only :) It would be hilarious if it had an invalid cert.


Thank you for pointing this out. I only got to catch the tail end, but it was really cool to watch.


You can re-watch it using the same URL if you want to see it from the beginning.


The other “half” of the issue is getting the OS, browsers, and devices to support the standard as well. That’s a whole other can of worms.


Like gorkish wrote: No new standards or standard changes affecting any of those necessary. It's only a matter of will and culture on part of CAs.


Name constraints are an optional feature in the standards. A client can ignore the constraints and be completely standards compliant.

Should the CAs issue intermediate certs that are only secure if a client implements an optional feature?

And even if most web browsers support name constraints properly - who knows if that cheap network webcam does, or that old mail client, or that 20 year old retro PC game?


This isn’t strictly true.

If you want to uphold the name constraints in your CA cert, mark the field as critical. At that point clients that don’t understand them should fail validation of the CA cert.


So it may have limited use-cases today if you require full compat for all clients. For example internal controlled networks like discussed in the article.

Just like you presumably already wouldn't issue LE certs when you need to support clients with ancient CA bundles.

How do you think TLSv1.3 ever got rolled out?


Straight to the IOT isolation network


Your phone?


I mean if it's being hostile to your LAN then why not?

Let the hostile phones, TVs, Sonos, toasters, etc. live on the IoT network and your laptop, desktop, NAS and whatever else you value live on your actual LAN.


36 participants on a metabolic processes study seems like a small sample size


Not defending ridiculous claims based on small sample sets, but isn't this how it's supposed to work? You run some tests and notice a pattern and develop a hypothesis, and then continue to expand the test to see if it holds true? Then other groups perform the same tests to hopefully receive the same results so that we end up with known facts. Essentially, the definition of scientific method.


Yeah, but people aren't actually that interested in the scientific method here. Criticizing things is an easy way to appear smart, and that's the main point.

Empirical research has never been about some true/false binary; that's a myth perpetuated on HN. It has always been about strength of evidence, improving models, and opening paths for future research. I've seen people dismiss case studies by decrying that their n=1, for god's sake.


Nextcloud--if you're already using it--is awesome.

