Questions About U2F Proxy

I have two questions relating to the U2F proxy.

1. I don’t see people talking much about it lately. Most of what I see were issues back when it first came out. How is it now? Is it still supported/developed and have some of the problems people were having been fixed/mitigated?

2. I’m seeing somewhat conflicting instructions in the docs. One of the features in the Introduction page is the proxy. And the proxy page says it’s recommended for security reasons.

BUT the section on installing software in Dom0 (which we have to do to use the proxy) says it’s for advanced users only, that installing specific packages is usually not recommended, and that the best practice is to exercise EXTREME caution when doing this.

So does the U2F proxy count as one of those exceptions or am I deciding which of the two threats is more likely (compromised proxy versus compromised browser and session hijack)? Is it one of those trusted extensions that’s fine to install?

I know the second question is almost self-explanatory, since its specifically recommended. But I want to make sure I’m right about it before I perform an advanced user task that the instructions say multiple times, “make sure you know what you’re doing or risk Dom0.”

I realized this is the wrong area to have this question but can’t seem to move it.

@Karrie Let’s ask @deeplow to move it where appropriate

@Karrie I moved it to support

It is part of the Qubes Project, so yes.
https://github.com/QubesOS/qubes-app-u2f

Yes, it’s an official application from the Qubes Project, not installed by default.
(make sure to verify this statement, by actually visiting the above link, see the official doc, etc …).

The warning about installing software in dom0 are for external applications.
i.e. any packages that is not provided by the Qubes Project.

Always, and you right to ask if you’re not sure.