Comments (6)
nitrokey-app warns the user about insecure configurations. We should consider whether we also want to have these warnings.
Where do you think we should display warnings?
- default PINs: I don’t think we should to check that. Changing the default PINs should be common sense.
Agreed.
- missing AES key: Might make sense when accessing features that need an AES key.
Sounds to me more as if the functions using those keys should be adjusted to return proper error codes. Do you know if that is something the Nitrokey team is working to report properly by any chance?
- SD card not filled with random data: Would make sense to check that as it’s non-intuitive and as the user can clear that warning using the
NK_clear_new_sd_card_warning
function if they don’t want to clear the SD card.These are all I could think of, but there might be more. On a related note, we have commands that may easily cause significant damage – namely the factory reset. If the admin PIN is cached, the user does not have to confirm the reset. Possible strategies:
- Clear the admin PIN cache before dangerous operations.
- Explicitly ask for confirmation.
- No confirmation required.
I’d prefer the first option.
Yeah, sounds fine.
from nitrocli.
How about instead of a warning we just fail the operation for a sufficiently severe problem (# 3 seems like a candidate)? We can add a --force
parameter that overrides the check.
I think that would also play better with the extension related functionality we have been discussing. We could not really embed a warning into the output format, and emitting it to stderr is just bound to make it appear somewhere where nobody cares, I'd say.
from nitrocli.
Where do you think we should display warnings?
My first thought was printing to stderr, but I haven’t thought about it that much.
Do you know if that is something the Nitrokey team is working to report properly by any chance?
Not that I’m aware of. I intend to file an issue for that in the context of #45. But as it should be fixed in the firmware, not in libnitrokey, I don’t think there will be a change soon.
How about instead of a warning we just fail the operation for a sufficiently severe problem (# 3 seems like a candidate)? We can add a --force parameter that overrides the check.
Yeah, we can do that. Even for 2), we don’t have to perform the command just to get a nice error message.
from nitrocli.
Another possible warning would be outdated firmware. We could warn a) if we know that there is a newer firmware version, b) if we detect an incompatible firmware version (currently < 0.52 due to the access mode changes), or c) if a firmware with a security update has been published (0.51).
While I’m not to keen on checking the firmware, an average user probably won’t notice firmware updates, so b) might make sense.
from nitrocli.
Yeah, b) may be okay. But I think we should probably error out there as well (only for the command in question). Regardless, this is something that has very low priority, at least on my list :D
from nitrocli.
I agree, I’m just currently transforming my hand-written notes into issues and todos before I forget about them. :)
from nitrocli.
Related Issues (20)
- Compare strings instead of byte slices in tests HOT 2
- Access PWS slots by name HOT 8
- Improve otp subcommand HOT 1
- Validate PWS and OTP string length HOT 5
- Document scdaemon reset workaround in readme
- Publishing nitrocli-ext HOT 5
- Publishing the core extensions HOT 10
- Improve installation instructions HOT 6
- Split up commands module HOT 1
- Show retry count (< 3) in pinentry HOT 1
- "Wrong password, please reenter" after device reconnection HOT 22
- "Unexpected response: OK" if empty password is entred via pinentry HOT 1
- Add log messages to nitrocli HOT 12
- Add option to otp-cache to create custom aliases HOT 4
- pinentry-tty does not work HOT 13
- Change tests to not create python scripts during builds HOT 2
- Migrate to clap 3.0.0 HOT 2
- Move CI checks to Makefile HOT 4
- nitrocli (for NK2 Pro) not responsive while NK3 plugged in HOT 4
- Document extensions in readme HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nitrocli.