My understanding is that the blog post complains about the fact that there was a security vulnerability in Yubikeys and that Yubico doesn't exchange everything they have sold up to now. But it makes sense to me: I buy a Yubikey at time T, with firmware F that by design cannot be modified. I don't buy a subscription that will provide me with an updated key every month; it's a one-off.
Until the security flaw was discovered, my keys were fine. So I paid $50 per key for 4 years; I don't think that's exactly expensive. Now there are two questions for me:
1. Should I replace my keys? In my case, I don't think so (given my threat model).
2. Should I stop trusting Yubico? I don't think so. It doesn't seem like this flaw is due to total incompetence on their part. If I stopped trusting software every time a critical flaw was discovered, I wouldn't use software anymore.
The blog post then goes on to claim that Yubico pretends to sell keys with the updated firmware (on their store, it clearly says whether I am ordering a key with firmware 5.7 or not) but sells keys with older firmware. That would be pretty bad from Yubikey, but the blog gives absolutely no proof. It could just as well be an empty claim to hurt Yubico's reputation, from what I see.