"Should I buy a Nitrokey FIDO U2F?"

If there is no specific reason for you to buy the Nitrokey FIDO U2F (which is based on the U2F Zero) and you want open hardware, buy a SoloKey (solokeys.com/).

The SoloKey is the official successor of the U2F Zero, and – more importantly – it already supports WebAuthn/FIDO2 (unlike the Nitrokey FIDO U2F).

Besides, keep in mind that U2F/WebAuthn support may not be available for your web services at the moment.
Trackers on websites are neither always illegal nor directly related to the product, an offline security token.

Besides, Nitrokey also uses at least one tracker.

@infosechandbook yeah, but they are there (nitrokey doesn't have one, there is only a third party font). sadly.

I like the solokey, @Nitrokey is even a sponsor of them. I don't think this should be a competition, rather they work hand in hand.

@perflyst @Nitrokey

Several pages of nitrokey.com have Piwik embedded. For instance, shop.nitrokey.com/shop. See also webbkoll.dataskydd.net/en/resu.

If you rely on Webbkoll (we assume this here), always scan all pages. We wrote about this problem in infosec-handbook.eu/blog/limit and talked with the Webbkoll dev who totally agrees with us. Webbkoll has several limits.

@perflyst @infosechandbook At nitrokey.com Piwik is configured to pseudonymize all visitors. Basically we use it to get a dashboard-view of our website visitors.
@Nitrokey @perflyst

Interestingly, scanning nitrokey.com/de/documentation/ reveals googleads.g.doubleclick.net, youtube.com, and more Google. Google APIs and YouTube are explicitly allowed in the CSP of nitrokey.com. Just opening this page already transmits data to Google, and you get cookies from YT. Google fonts are also present at support.nitrokey.com.

This again shows the importance of scanning all pages, not only the home page.

@infosechandbook @perflyst This is because we include some videos which are hosted at youtube.com. We don't include any external trackers or alike separately. YouTube works well and does scaling based on the visitor's connection. Do you know any privacy-friendly and similarly good alternative?

@Nitrokey @perflyst

Why don't you mention YouTube in your privacy policy then? Even if I don't want to watch any videos, my data is immediately transferred to YouTube.

You could alternatively only show a link to YouTube without embedding any content. By doing so, you can remove YouTube from your CSP.

This is also true for other third-party content embedded on nitrokey.com and its subdomains.

@infosechandbook @perflyst Right, YouTube should be added to our privacy policy. Which other 3rd party content do you mean? Any other than Google Fonts?

@Nitrokey @perflyst

As the website operator, you should know which third-party content you embed.

For instance, on different pages you embed content from bootstrapcdn.com, api.github.com, doubleclick.net, and fonts.googleapis.com.

@kirschwipfel @infosechandbook @perflyst We do use Shariff already but it doesn't cover YouTube videos.

There is obviously more embedded 3rd-party content and it isn't covered by your privacy policy as already mentioned.

Funny that the recent (obviously sponsored) article about Nitrokeys on @kuketzblog doesn't mention this.

According to kuketzblog's article, there is only one resource embedded on nitrokey.com. This is wrong and his comparison with Yubico's website looks more than biased now.

@kirschwipfel @perflyst

@infosechandbook @kuketzblog @kirschwipfel @perflyst We just installed Embetty on www.nitrokey.com for videos. Now all trackers which were included because of YouTube and external fonts are removed. The only external dependency I'm aware of is a custom call to api.github.com to read the latest release version of Nitrokey App. I think that isn't an issue. We are working on CSP now and will update it later.

@Nitrokey @kirschwipfel @perflyst

Accessing nitrokey.com/documentation/app still results in cookies from Google and lots of third party connections, or will you update this as well?

Besides, will you cover this in your privacy policy as previously announced?

@Nitrokey @kirschwipfel @perflyst

Plus, if you open this page, there is no Referrer Policy, so "nitrokey.com" is leaked to YouTube as the Referrer in the request header.
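An added example, not part of the thread, for the two points raised above: which third-party hosts a page actually embeds versus which of them its CSP permits, and whether a Referrer-Policy header is present at all. The page, the response headers and the first-party host example-shop.test are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "example-shop.test"  # assumed first-party host (constructed)

# Constructed page modelled on the thread: YouTube iframe, Google Fonts, a CDN script.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/static/app.js"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap.min.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://static.example-shop.test/logo.png">
</body></html>"""

# Constructed response headers (keys lower-cased); note that Referrer-Policy is absent.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' https://www.youtube.com; "
                               "frame-src https://www.youtube.com; font-src fonts.gstatic.com",
}

class ResourceCollector(HTMLParser):
    """Collects URLs of embedded resources (scripts, frames, images, stylesheets)."""
    SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.SRC_ATTRS.get(tag)
        self.urls += [v for k, v in attrs if k == wanted and v]

def third_party_hosts(html, first_party):
    """Hosts of embedded resources that are neither the site nor one of its subdomains."""
    parser = ResourceCollector()
    parser.feed(html)
    hosts = {urlparse(u).hostname for u in parser.urls}  # relative URLs give None
    return {h for h in hosts if h and h != first_party and not h.endswith("." + first_party)}

def csp_allowed_hosts(csp):
    """Host sources named in any CSP directive; keywords ('self') and scheme sources (https:) are ignored."""
    hosts = set()
    for directive in csp.split(";"):
        for token in directive.split()[1:]:
            if not token.startswith("'") and not token.endswith(":"):
                hosts.add(urlparse(token if "://" in token else "//" + token).hostname)
    return hosts - {None}

def audit(html, headers, first_party):
    """Third-party hosts the page loads, those the CSP permits, and whether Referrer-Policy is missing."""
    embedded = third_party_hosts(html, first_party)
    allowed = csp_allowed_hosts(headers.get("content-security-policy", ""))
    return {"third_party": sorted(embedded),
            "allowed_by_csp": sorted(embedded & allowed),
            "missing_referrer_policy": "referrer-policy" not in headers}
```

Run `audit()` over every page of a site, not just the home page; a host that is embedded but not CSP-listed is blocked by the browser, while one that is listed is exactly the kind of permitted third party the thread is about.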

@infosechandbook @kirschwipfel @perflyst We improved our CSP too and removed a few 3rd party exceptions.

@Nitrokey @infosechandbook @perflyst

invidio.us is a privacy friendly frontend to YouTube that also supports embedding content, e.g. invidio.us/embed/Sau_Ewe6Gpw

Hosting your own is also possible (github.com/omarroth/invidious); it allows streaming videos from googlevideos.com once the user interacts with it, so you don't have to worry about traffic/scale if that is a concern to you. Way better than using YouTube directly.

Even better would be to not use YouTube at all, obviously.