rust-u2f
WebKit
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rust-u2f
-
Software U2F with Fingerprint (On Linux)
This project aims to support U2F / FIDO2 using fingerprint reader on Linux (via libfprint). The goal is to have the same user experience with 2FA using Windows Hello.
This project is based on https://github.com/danstiner/rust-u2f with minor modification (see my fork: https://github.com/ngxson/rust-u2f-pkexec)
Link to the project: https://github.com/ngxson/softu2f-fprintd-docker
- The mechanics of a sophisticated phishing scam and how we stopped it
-
Apple, Google, and Microsoft commit to expanded support for FIDO standard
I've considered adding FIDO2 support to the software-only U2F token I wrote ( https://github.com/danstiner/rust-u2f). It's a fair bit of work though, and I am not sure how comfortable I am with passwordless login unless the keys are kept purely in hardware such as a TPM.
That said, my reading of this post is that FIDO2 support will get built into Chromium directly, which is itself open source. Or if you do want a hardware key but running open software, I'd definitely recommend https://solokeys.com/, I've been following them for a long time.
Also there was some related discussion on this same article last week: https://news.ycombinator.com/item?id=31274677
- Apple/Google/Microsoft to accelerate rollout of passwordless sign‑in standard
- Howdy – Windows Hello style facial authentication for Linux
-
Google is going to ban “less secure sign in method”
On a Workspace account you only need U2F token emulator (https://github.com/danstiner/rust-u2f woks fine) and thenn you can setup u2f first and add normal TOTP in second step. But u2f must stay there. I don't have a personal account to try if it works the same.
-
Ask HN: Is Google phasing out Authenticator/TOTP?
As it becomes easier to emulate hardware tokens[1], Google may start limiting which ones it accepts. I believe they can use attestation keys to do that.
This is just a softer layer of security to slow down less sophisticated mass signup attempts.
They may very well eventually phase out TOTP, under the justification that it is not as secure, but I would be shocked if they ever retire the highly insecure SMS verification.
TOTP is really easy to implement, and adds a ton of value. I have a oneliner that takes a screenshot, extracts the QR code with zbarimg, and adds it to my pass[2] password database, which then hooks back into my browser. I use it whenever it is available because it is so low effort.
[1]: https://github.com/danstiner/rust-u2f
-
Does 2FA actually prevent phishing?
GitHub has a couple of others listed, but I have not tested them personally: Example https://github.com/danstiner/rust-u2f
WebKit
-
GPU Compute in the Browser at the Speed of Native: WebGPU Marching Cubes
Multiple engineers are working on adding it back: https://github.com/WebKit/WebKit/pulls?q=is%3Apr+is%3Aclosed...
-
HTML Streaming and DOM Diffing Algorithm
Since 2023 Chrome announced the View Transition API, and it looks like Safari is also going to support it soon.
-
Towards memory safety with ownership checks for C
One heap per type.
Here’s an allocator optimized for that use case.
https://github.com/WebKit/WebKit/blob/main/Source/bmalloc/li...
-
Bun, JavaScript, and TCO
To use this in Bun, you’d have to start Bun with the environment variable “BUN_JSC_useDollarVM=1” and then $vm.createBuiltin(mySourceCodeString)
When using this intrinsic, if any of the arguments are incorrect or it cannot otherwise enable it, the entire process will probably crash. In debug builds of JSC it will have a nicer assertion failure but that is not enabled in release builds
Example code: https://github.com/WebKit/WebKit/blob/17351231b4dedb62d81721...
also happy to answer any questions about Bun
-
Show HN: Rem: Remember Everything (open source)
Ah, good, let me introduce you to the wonderful world of the Chrome Devtools Protocol! (fka Chrome Remote Debugging Protocol)
I love this API for almost everything browser related. I built my RBI product atop this (BrowserBox: https://dosyago.com), and I think it's a drastically underrated API.
Also, it works out of the box in Edge, Brave, Chromium, and many parts of CRDP are supported by Firefox and Safari^1
1: See for example: https://github.com/WebKit/webkit/tree/main/Source/JavaScript...
- WebGPU now available for testing in Safari Technology Preview
-
Disabling iOS Personalized Ads tells kernel to kill daemon every 3 seconds
No, it's unrelated.
https://github.com/WebKit/WebKit/commit/064df1a9f395f8c6e32c...
- Apple's Safari browser is still vulnerable to Spectre attacks
-
Replacing WebRTC: real-time latency with WebTransport and WebCodecs
It's being worked on now: https://github.com/WebKit/WebKit/pull/17320
-
iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices
It is different. The cross-site navigation flag is a couple of years old. It was enabled by default for iOS in November 2018 for example https://github.com/WebKit/WebKit/commit/e191fc8c412850cb9fd0...
What are some alternatives?
OpenSK - OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
chromium - The official GitHub mirror of the Chromium source
secretive - Store SSH keys in the Secure Enclave
otter-browser - Otter Browser aims to recreate the best aspects of the classic Opera (12.x) UI using Qt5
Coze - Coze is a cryptographic JSON messaging specification.
cname-trackers - This repository contains a list of popular CNAME trackers
wasmer - 🚀 The leading Wasm Runtime supporting WASIX, WASI and Emscripten
fingerprintjs - Browser fingerprinting library. Accuracy of this version is 40-60%, accuracy of the commercial Fingerprint Identification is 99.5%. V4 of this library is BSL licensed.
solo1 - Solo 1 firmware in C
gecko-dev - Read-only Git mirror of the Mercurial gecko repositories at https://hg.mozilla.org. How to contribute: https://firefox-source-docs.mozilla.org/contributing/contribution_quickref.html
CozeJS - Coze Javascript - cryptographic JSON messaging specification
uBlock-Safari - uBlock Origin - An efficient blocker for Chromium, Firefox, and Safari. Fast and lean.