"Should I buy a Nitrokey FIDO U2F?"

If there is no specific reason for you to buy the Nitrokey FIDO U2F (which is based on the U2F Zero) and you want open hardware, buy a SoloKey (solokeys.com/).

The SoloKey is the official successor of the U2F Zero, and – more importantly – it already supports WebAuthn/FIDO2 (unlike the Nitrokey FIDO U2F).

Besides, keep in mind that U2F/WebAuthn support may not be available for your web services at the moment.


Trackers on websites are neither always illegal nor directly related to the product, an offline security token.

Besides, Nitrokey also uses at least one tracker.

@infosechandbook yeah, but they are there (nitrokey doesn't have one, there is only a third-party font). sadly.

I like the solokey, @Nitrokey is even a sponsor of them. I don't think this should be a competition, rather they work hand in hand.

Several pages of nitrokey.com have Piwik embedded. For instance, shop.nitrokey.com/shop. See also webbkoll.dataskydd.net/en/resu.

If you rely on Webbkoll (we assume this here), always scan all pages. We wrote about this problem in infosec-handbook.eu/blog/limit and talked with the Webbkoll dev who totally agrees with us. Webbkoll has several limits.

@perflyst @infosechandbook At nitrokey.com Piwik is configured to pseudonymize all visitors. Basically we use it to get a dashboard-view of our website visitors.

Interestingly, scanning nitrokey.com/de/documentation/ reveals googleads.g.doubleclick.net, youtube.com, and more Google. Google APIs and YouTube are explicitly allowed in the CSP of nitrokey.com. Just opening this page already transmits data to Google, and you get cookies from YT. Google Fonts are also present at support.nitrokey.com.

This again shows the importance of scanning all pages, not only the home page.

@infosechandbook @perflyst This is because we include some videos which are hosted at youtube.com. We don't include any external trackers or the like separately. YouTube works well and does scaling based on the visitor's connection. Do you know any privacy-friendly and similarly good alternative?

Why don't you mention YouTube in your privacy policy then? Even if I don't want to watch any videos, my data is immediately transferred to YouTube.

You could alternatively only show a link to YouTube without embedding any content. By doing so, you can remove YouTube from your CSP.

This is also true for other third-party content embedded on nitrokey.com and its subdomains.

@infosechandbook @perflyst Right, YouTube should be added to our privacy policy. Which other 3rd-party content do you mean? Any other than Google Fonts?


As the website operator, you should know which third-party content you embed.

For instance, on different pages you embed content from bootstrapcdn.com, api.github.com, doubleclick.net, and fonts.googleapis.com.
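The thread above keeps coming back to two checks a site operator can run themselves: which third-party hosts a page actually loads resources from, and which third-party hosts the site's Content-Security-Policy permits. The script below is an added example, not code from this thread, from Nitrokey or from Webbkoll. The HTML page, the page URL (`www.example-shop.test`) and the CSP header are constructed sample input; the host names in them are illustrative. It lists the third-party hosts the sample page would contact on open, the hosts the CSP allows, and the hosts the CSP allows that this particular page does not load (font files pulled in by a stylesheet, for example), which is one concrete reason a single-page scan understates what a site embeds.

```python
"""Enumerate third-party hosts a page loads and compare them with its CSP.
Added example with constructed input; not Nitrokey's or Webbkoll's code."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes whose value makes the browser fetch a resource (and so contact a host).
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
    "link": ("href",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects absolute URLs of everything the page would request when opened."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if not value:
                continue
            # srcset is "url descriptor, url descriptor"; keep only the URLs
            if name == "srcset":
                candidates = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                candidates = [value]
            for c in candidates:
                if not c.startswith("data:"):
                    self.urls.append(urljoin(self.base_url, c))


def registrable_host(host):
    """Crude eTLD+1 (last two labels); a real tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_origins(html, page_url):
    """Sorted list of third-party hosts the page loads resources from."""
    parser = ResourceCollector(page_url)
    parser.feed(html)
    own = registrable_host(urlsplit(page_url).hostname)
    hosts = set()
    for u in parser.urls:
        h = urlsplit(u).hostname
        if h and registrable_host(h) != own:
            hosts.add(h)
    return sorted(hosts)


def parse_csp(header):
    """Parse a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_allowed_third_parties(header, page_url):
    """Sorted list of third-party hosts the CSP explicitly permits (any directive)."""
    own = registrable_host(urlsplit(page_url).hostname)
    allowed = set()
    for sources in parse_csp(header).values():
        for s in sources:
            # keywords ('self', 'none', nonces) and scheme-only sources are not hosts
            if s.startswith("'") or s in ("*", "data:", "blob:", "https:", "http:"):
                continue
            s = s[2:] if s.startswith("*.") else s  # wildcard sub-domain entry
            host = urlsplit(s if "://" in s else "//" + s).hostname
            if host and registrable_host(host) != own:
                allowed.add(host)
    return sorted(allowed)


def audit(html, csp_header, page_url):
    """Combine both views so allow-listed hosts this page did not load stand out."""
    loaded = third_party_origins(html, page_url)
    allowed = csp_allowed_third_parties(csp_header, page_url)
    return {
        "loaded": loaded,
        "csp_allowed": allowed,
        "allowed_but_not_loaded_here": sorted(set(allowed) - set(loaded)),
    }


# Constructed sample page and policy (not fetched from any real site).
SAMPLE_URL = "https://www.example-shop.test/docs/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap.min.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="/static/app.js"></script>
</head><body>
<img src="/static/logo.png">
<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER"></iframe>
</body></html>"""
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://www.youtube.com; "
              "style-src 'self' https://fonts.googleapis.com https://stackpath.bootstrapcdn.com; "
              "font-src 'self' https://fonts.gstatic.com; frame-src https://www.youtube.com; "
              "img-src 'self' data:")

if __name__ == "__main__":
    for key, hosts in audit(SAMPLE_HTML, SAMPLE_CSP, SAMPLE_URL).items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

Run it against a saved copy of each page you care about, not only the start page: the `allowed_but_not_loaded_here` list on the sample is the font host that only appears once the stylesheet is fetched, which is exactly the kind of embed a home-page-only scan misses.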

