I’ve been using Brave for a while and that works with CTAP but they’ve just proven themselves untrustworthy time and again. The URL injection for affiliates and the fact they were installing the VPN by default on Windows last year makes me uncomfortable.
Has anyone tried using Mullvad browser with the CTAP proxy? I’ve had issues with it in normal Firefox, so I’m not holding my breath.
If Mullvad doesn’t work, do you know of any others? Ungoogled Chromium maybe?
Hi @Fan, this question is off-topic. There is one category in the forum where topic like this, that are not about Qubes OS, can be discussed. It is called All around Qubes, and you will gain access to it through participation in the other categories (about Qubes OS).
Since moving the topic to the right category would result in you loosing access to your own post, I’ll close it for now.
My mistake, I missed the fact that the CTAP proxy is specific to Qubes OS.
Apologies @Fan, thanks for the correction @rustybird !
Did you try librewolf? Sadly, Mullvad does not support the sec key at all (at least in installed salt configuration from qusal ben-grande). If you succeed with librewolf I would really appreciate a step by step guid. I did not manage to set everything up with Firefox and nitrokey. After solving ctap.GetInfo and ctap.ClientPin problem no successful authentication on github.
I’ve used Qubes CTAP with Google Chrome, Chromium and Firefox-ESR.
Mullvad browser disables WebAuthn support, so it won’t work by default.
Not a Qusal issue, but if it was, please report on the issue tracking system so I can correct if necessary. I also don’t plan to patch browsers or provide a user.js. You are free to customize your browser settings in templates or templates of dispvms such as enabling security.webauth.webauthn for Mullvad.
I took a break from this project because I had a bunch of other things going on and didn’t really see any solutions.
I saw ben-grande’s reply about how to do the change to Mullvad.
I made a new disposable template based on my Mullvad template. Inside the template, I changed security.webauth.webauthn inside about:config. Thanks to QubesOS, I can have both a default Mullvad and one that allows webauthn.
I then allowed it to access ctap proxy inside the global config page and allowed it access to keys it hasn’t signed (I know that’s probably not the best, but it’s better than not being able to sign in at all) Plus, it’s a disposable.
I’ve only tested it so far, but it’s working. Ctap triggers, I touch the key, it signs for the account, I get in.
Once I’m sure it’s working for all my stuff, I’ll probably stop using Brave all together.
Then it’s Mullvad and Tor for almost all of my browsing.
See my solution for Mullvad. I have only tried Yubikey so far, not Nitrokey. I’m planning to switch over to my Nitrokey and only keep my Yubikey for a backup, so hopefully it works.