"Should I buy a Nitrokey FIDO U2F?"
If there is no specific reason for you to buy the Nitrokey FIDO U2F (which is based on the U2F Zero) and you want open hardware, buy a SoloKey (https://solokeys.com/).
The SoloKey is the official successor of the U2F Zero, and – more importantly – it already supports WebAuthn/FIDO2 (unlike the Nitrokey FIDO U2F).
Besides, keep in mind that U2F/WebAuthn support may not be available for your web services at the moment.
@infosechandbook their website is full of trackers
Trackers on websites are neither always illegal nor directly related to the product, an offline security token.
Besides, Nitrokey also uses at least one tracker.
Several pages of nitrokey.com have Piwik embedded. For instance, https://shop.nitrokey.com/shop. See also https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fshop.nitrokey.com%2Fshop.
If you rely on Webbkoll (we assume this here), always scan all pages. We wrote about this problem in https://infosec-handbook.eu/blog/limits-webbkoll/ and talked with the Webbkoll dev who totally agrees with us. Webbkoll has several limits.
Interestingly, scanning https://www.nitrokey.com/de/documentation/applications reveals googleads.g.doubleclick.net, youtube.com, and more Google. Google APIs and YouTube are explicitly allowed in the CSP of nitrokey.com. Just opening this page already transmits data to Google, and you get cookies from YT. Google Fonts are also present at support.nitrokey.com.
This again shows the importance of scanning all pages, not only the home page.
You could alternatively only show a link to YouTube without embedding any content. By doing so, you can remove YouTube from your CSP.
This is also true for other third-party content embedded on nitrokey.com and its subdomains.
Instead of writing more legal crap, you'd better implement a privacy-friendly solution like "embetty".
Funny that the recent (obviously sponsored) article about Nitrokeys on @kuketzblog doesn't mention this.
According to kuketzblog's article, there is only one resource embedded on nitrokey.com. This is wrong and his comparison with Yubico's website looks more than biased now.
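The CSP point made above (a YouTube iframe forces youtube.com and Google hosts into the policy; a plain link does not) as an added example, not code from the thread, from Nitrokey or from Embetty. It parses a Content-Security-Policy header, lists every third-party origin the policy permits and the directives that permit it, and generates link-only video markup that triggers no request to Google until the visitor clicks. The two policies, the first-party suffix `nitrokey.com` and the video id are constructed for illustration and are not Nitrokey's actual headers.

```javascript
// Added example: audit a CSP for third-party origins and replace a YouTube
// embed with a plain link. Policies and hostnames below are constructed.

const FIRST_PARTY_SUFFIX = "nitrokey.com"; // assumed first-party domain

// Policy of the kind the thread describes: the embed drags Google hosts in.
const CSP_WITH_EMBEDS =
  "default-src 'self'; script-src 'self' https://apis.google.com; " +
  "frame-src https://www.youtube.com; font-src 'self' https://fonts.gstatic.com; " +
  "style-src 'self' https://fonts.googleapis.com";

// Policy after replacing the iframe with a link and self-hosting the fonts;
// the only remaining third party is the GitHub API call mentioned later.
const CSP_LINK_ONLY =
  "default-src 'self'; script-src 'self'; frame-src 'none'; " +
  "font-src 'self'; style-src 'self'; connect-src 'self' https://api.github.com";

// Split a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Reduce a host-source expression to its bare hostname.
function hostOf(source) {
  let s = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, ""); // drop scheme
  s = s.replace(/^\*\./, "");                              // drop leading wildcard
  return s.split("/")[0].split(":")[0].toLowerCase();      // drop path and port
}

// True when a source expression lets the browser contact a host outside
// the first-party domain.
function isThirdPartyOrigin(source, firstPartySuffix) {
  if (source.startsWith("'")) return false;               // 'self', 'none', nonces, hashes
  if (source === "*") return true;                        // everything allowed
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return true;  // scheme source such as https:
  const host = hostOf(source);
  return !(host === firstPartySuffix || host.endsWith("." + firstPartySuffix));
}

// Map of third-party source -> directives that allow it.
function thirdPartyOrigins(header, firstPartySuffix) {
  const out = new Map();
  for (const [name, sources] of parseCsp(header)) {
    for (const s of sources) {
      if (!isThirdPartyOrigin(s, firstPartySuffix)) continue;
      if (!out.has(s)) out.set(s, []);
      out.get(s).push(name);
    }
  }
  return out;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Link-only replacement for an iframe: no request leaves the page until the
// visitor chooses to follow the link, so youtube.com can leave frame-src.
function youtubeLinkMarkup(videoId, title) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error("unexpected video id format");
  const href = `https://www.youtube.com/watch?v=${videoId}`;
  return `<a href="${href}" rel="noopener noreferrer" target="_blank">` +
    `${escapeHtml(title)} (opens on YouTube)</a>`;
}

// Stand-alone run: compare both policies.
for (const [label, policy] of [["embed", CSP_WITH_EMBEDS], ["link only", CSP_LINK_ONLY]]) {
  const found = thirdPartyOrigins(policy, FIRST_PARTY_SUFFIX);
  console.log(`${label}: ${found.size} third-party origin(s)`);
  for (const [origin, dirs] of found) console.log(`  ${origin} via ${dirs.join(", ")}`);
}
console.log(youtubeLinkMarkup("abcdefghijk", "Nitrokey App demo")); // constructed id
```

Run the audit against every page's policy rather than only the home page's, since a site may serve different headers per path; the parser also treats a bare scheme source like `https:` as third-party, because it permits any host over that scheme.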
@infosechandbook @kuketzblog @kirschwipfel @perflyst We just installed Embetty on www.nitrokey.com for videos. Now all trackers which were included because of YouTube and external fonts are removed. The only external dependency I'm aware of is a custom call to api.github.com to read the latest release version of Nitrokey App. I think that isn't an issue. We are working on CSP now and will update it later.
Accessing https://www.nitrokey.com/documentation/applications still results in cookies from Google and lots of third party connections, or will you update this as well?
@infosechandbook @kirschwipfel @perflyst I believe Webbkoll cached some old data. Now it shows the correct status which is *no 3rd party cookies*. https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fwww.nitrokey.com%2Fdocumentation%2Fapplications Also we improved the security headers for all our public websites to an A rating: https://securityheaders.com/?q=www.nitrokey.com&followRedirects=on https://securityheaders.com/?q=support.nitrokey.com&followRedirects=on https://securityheaders.com/?q=shop.nitrokey.com&followRedirects=on CSP will be improved soon...