CVE-2022-21449 breaking WebAuthn with ECDSA

Hi @Jeffoh82 !
Just to clear things up a bit:

  1. This is a server-side issue, introduced just recently for ECDSA, within the Java rewrite from C++ (which was not showing this bug); note, though, that apparently other DSAs were broken in the previous versions.
  2. Following the article, we do not know if ed25519 was not affected either (please update me if I am wrong).
  3. Just a couple of notes to clear:
    • see these posts: Documentation of FIDO2 supported crypto algorithms - #8 by szszszsz
    • as a user you cannot select what algorithm you would like to use - this is requested server-side. I understand GitLab has a priority list for the supported algorithms, selecting ed255 first;
    • to switch you need to re-register on all the services you use, so it will not work by itself without additional work;
    • as a user you do not have control over what signature algorithm will be used (this could potentially be changed with additional configuration steps, like blacklisting some algorithms; however, it will result in compatibility issues, as default implementations are ECDSA-based as far as I know).
  4. I believe the issue is about not testing the input parameters (specifically checking for 0 values), hence I do not see how ed255 would be more secure against that.
  5. I understand the theory that the NSA had mixed constants for its advantage; however, it's been almost 10 years, and we still do not have any proof of that.

Having this said, I would love to see ed25519 curve finally added! I will bring this up on the next internal discussion.


Edit: here is a nice summary of the differences between ECDSA and EdDSA:
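As an added illustration of point 4 above (example code written for this page, not part of the forum post, and not Java's or any library's code), here is a toy ECDSA verifier in pure Python with and without the range check on r and s. The curve, key, message digest and nonce values are all constructed for the demo, and the unchecked verifier's handling of the inverse of zero and of the point at infinity is an assumption that mirrors the behaviour described in the public write-ups of CVE-2022-21449.

```python
# Added example (not from the forum post): toy ECDSA on a constructed tiny curve
# y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), n = 19, to show the missing r/s range check.
P, A, G = 17, 2, (5, 1)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

N = next(i for i in range(1, 100) if mul(i, G) is None)  # group order, walked out

def sign(d, e, k):
    """Textbook ECDSA signing with a caller-supplied nonce k (toy use only)."""
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + d * r) % N
    assert r and s, "retry with another nonce"
    return (r, s)

def verify_unchecked(Q, e, sig):
    """Verifier without the '1 <= r, s < n' check. Assumption: inverse of 0 yields 0 and
    infinity has x = 0, mirroring the behaviour described in the public CVE write-ups."""
    r, s = sig
    w = pow(s, -1, N) if s % N else 0
    R = add(mul(e * w % N, G), mul(r * w % N, Q))
    return (0 if R is None else R[0]) % N == r

def verify_checked(Q, e, sig):
    """Same verifier with the range check required by the ECDSA spec restored."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N): return False
    w = pow(s, -1, N)
    R = add(mul(e * w % N, G), mul(r * w % N, Q))
    return R is not None and R[0] % N == r
```

With the check removed, the all-zero signature (0, 0) verifies against any key and any message, which is exactly why the fix is an input-validation check rather than a change of curve.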