Comment Re:Man In The Browser Attack (Score 1) 121

Ah, thanks. From a quick read of the doc, it is focused on the MITM case. My read of the quote below is that the MITB case is, in fact, not solved. +1 for being honest and transparent. Still, it's progress for one common class of attacks (like say your government feeding you a fake gmail page). It would probably be better in their docs if they used the "MITB" terminology (hey, it has its own wikipedia page!) to be super clear about what is and is not solved. Ultimately, the MITB solution dongle will probably need a little display on it, as outlined above.

9. Client Malware Interactions with U2F Devices

As long as U2F devices can be accessed directly from user space on the client OS, it is possible for malware to create a keypair using a fake origin and exercise the U2F device. The U2F device will not be able to distinguish 'good' client software from 'bad' client software. On a similar note, it is possible for malware to relay requests from Client machine #1 to a U2F device attached to client machine #2 if the malware is running on both machines. This is conceptually no different from a shared communication channel between the Client machine (in this case #1) and the U2F device (which happens to be on machine #2). It is not in scope to protect against this situation. Protection against malware becomes more possible if the U2F client is built into the OS system layer as opposed to running in user space. The OS can obtain exclusive access to U2F devices and enforce methods to ensure origin matches.
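The origin check the quoted section describes, as an added toy model (not Google's or the FIDO spec's code): an honest browser refuses to exercise the token when the page origin does not match the app_id, a phishing origin gets a different key, but malware that talks to the token directly is not distinguishable from a good client. Names, the HMAC stand-in for ECDSA, and the origins are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed toy: a real U2F token uses per-registration ECDSA key pairs;
# HMAC stands in so the example runs with the standard library only.
class Token:
    def __init__(self):
        self._seed = os.urandom(32)

    def _key(self, app_id, handle):
        return hmac.new(self._seed, app_id.encode() + handle, hashlib.sha256).digest()

    def register(self, app_id):
        handle = os.urandom(16)
        return handle, self._key(app_id, handle)   # key handle + "public key"

    def sign(self, app_id, handle, challenge):
        # The token trusts whatever app_id the client software hands it.
        return hmac.new(self._key(app_id, handle), challenge, hashlib.sha256).digest()

class RelyingParty:
    def __init__(self, app_id):
        self.app_id, self.users = app_id, {}

    def enroll(self, user, handle, pub):
        self.users[user] = (handle, pub)

    def verify(self, user, challenge, sig):
        handle, pub = self.users[user]
        return hmac.compare_digest(hmac.new(pub, challenge, hashlib.sha256).digest(), sig)

def honest_client(token, page_origin, app_id, handle, challenge):
    """Uncompromised browser: refuses if the page's origin is not the app_id."""
    if page_origin != app_id:
        raise PermissionError("origin does not match app_id")
    return token.sign(app_id, handle, challenge)

def scenario(page_origin, app_id_used, malware=False):
    """Returns whether the relying party accepts the login in a given scenario."""
    token, rp = Token(), RelyingParty("https://accounts.example")
    handle, pub = token.register(rp.app_id)
    rp.enroll("alice", handle, pub)
    chal = os.urandom(32)
    if malware:  # MITB: malware drives the token directly, naming the real origin
        sig = token.sign(rp.app_id, handle, chal)
    else:
        try:
            sig = honest_client(token, page_origin, app_id_used, handle, chal)
        except PermissionError:
            return False
    return rp.verify("alice", chal, sig)
```

The second and third scenarios show why a fake login page at another origin fails; the fourth is the out-of-scope case the spec section describes.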

Comment Re:Man In The Browser Attack (Score 1) 121

Well, I watched some low-content video, and it mentions the MITM case (I called it MITB, but whatever). However, there was zero actual information. I guess one way it could work is that the key and google.com have a shared secret, and this is used to bring up a channel between google and the key, and that channel can be secure even if the bad guy controls the browser. But then how is the browser UI resistant against the MITB attack, since obviously the browser is running outside of the key, and outside the key/google secure channel? I'm quite curious what they've done there. Hey Google -- let's have the reassuring video for the normals. But put in 10 more hours to publish the 2 page whitepaper on how this thing actually works against MITB for the slashdot/hackernews folks please.

Comment Man In The Browser Attack (Score 3, Interesting) 121

It's great that Google is trying to advance this. The attack to worry about is "Man In the Browser" (MITB) http://en.wikipedia.org/wiki/M...

MITB is the difficult case, and the way that bank accounts get emptied. The bad guy has malware on the victim's computer, and the malware puts up web pages, and of course it can just lie about the URL bar. So then the bad guy puts up the fake bank web site, and the victim types in the 2-factor code or whatever, and now the bad guy has it. Obviously Google knows about the MITB case. Does this thing have some sort of MITB mitigation? I'm guessing it does something. Hey Google, what do you say?

The classical solution to MITB is that the little key has its own display, so it can show "Confirm transfer $4500 to account 3456", showing the correct info to the "victim" even if their laptop is compromised. Basically, keeping the USB key itself from getting malware is feasible, while keeping the laptop or whatever clean is not.

Comment Sys Comp Design - Circuit Gear (Score 1) 172

Check out the Circuit Gear units. The new "mini" is just $99 http://www.syscompdesign.com/C... I have the previous generation unit. I've enjoyed it for just hacking around, and it's great for demos, since the computer it's hooked up to can be projected. The GUI software for it is open-source, so that's neat.

Comment Re:And this is impressive why? (Score 5, Informative) 114

Are you kidding? Persona solves a whole raft of super common problems:
  • Say for example the kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
  • I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com.
  • Unlike, say, Facebook Connect, this is a federated standard, not dependent on any org. You can run your own identity provider if you like, not that most people would care to.

Comment Warning: Ask.com toolbar (Score 1) 183

Note that in addition to using a new numbering scheme, each critical Java security update attempts to install the Ask.com toolbar, even if upon the initial install you unchecked the Ask.com checkbox. The latest browser versions include measures to foil the attempted install of the Ask.com toolbar, so tech-savvy people tend to be unaware of how bad and intrusive the toolbar is. It mucks up all search results with complete garbage. (details here)

So basically the tech-naive types get this thing installed and it thoroughly messes up their internet experience, but they are not sure how it happened... thanks Oracle! I cannot think of a better way of getting nobody to use Java.

I would like Java to thrive and compete with other languages, so I'm trying to make sure Oracle gets all the bad press it deserves for this abusive practice. Heh, every time there's a Java story, I try to post a reminder for people to be super careful when applying Java updates. Posting this warning repeatedly, I think, means I've satisfied one of the three tests for becoming a certified Internet Crazy Person. I just need to figure out what the other two are and I'm all set!

Comment Warning: ask.com toolbar (Score 5, Informative) 211

Suppose that when you first run the Java installer, it asks you if you want to install the Ask.com toolbar; naturally you select the "No Ask.com Malware" button, and everything installs nicely. Now later on, for each security update that comes along, there's a nice "Install Important Update" button... and what do you suppose that does? It installs the Ask.com toolbar! I know Oracle is supposed to be aggressive with their practices, but I cannot believe they abuse security updates this way to get a few pennies out of Ask.com, which is basically a search-result-spam engine.

The reason you have not heard about this more is that Macs and Firefox/Chrome (not sure about IE) resist the Ask.com installer, so you just don't see it, but the crappy Oracle behavior is in fact going on each time. The result is that naive users are getting this toxic thing installed and it really messes up their whole internet experience.

Hey Oracle: you're pissing away tons of Java goodwill in exchange for pennies from the Ask.com spammers. Who the heck thought that was a good trade? Like, what techie who learns of this behavior is ever going to install Java anywhere? Aren't you trying to make JavaFX into a real client thing?

See http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/ for lots of details on how the Ask.com installer tries to trick the users and hide itself. It's kind of an interesting arms race between the spamming toolbar and the browser vendors.

Comment Warning: Oracle installs ask.com toolbar (Score 5, Informative) 165

Warning: the Java installer will install the ask.com toolbar if you click the "yes, please just install my security update" button, even if on the original install you declined the toolbar -- really an obnoxious abuse of updates. Here is a very interesting analysis of the whole back and forth between the ask.com installer and the browsers trying to keep junk out. Interesting tidbit: apparently the ask.com installer sleeps for 10 minutes, so if you try to "remove" it right afterwards, it's not there yet. This is on Windows, not sure across all platforms. Oracle taking this little tiny income stream from ask.com in exchange for screwing over tons of users and admins seems like a big mistake by Oracle, and would just sort of bug me if I were an engineer at Oracle spending all this time trying to make Java better.
