lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 1 Sep 2014 04:43:35 -0400
From: Stephanie Daugherty <sdaugherty@...il.com>
To: John Leo <johnleo@...ckssh.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

Sure it shows me the fingerprint, but it doesn't tell me for sure if that's
the RIGHT fingerprint or the fingerprint of an imposter,

It's entirely possible that both myself and that site are BOTH falling
victim to a MITM attack.(routing attacks, DNS attacks, etc)

Proper host key verification (which nobody does) ideally means one or more
of:
* Verification that the SSH host key is connected via certificate chain to
a trusted certificate,
* Comparison to a fingerprint being posted on the organization's OWN https
site
* Comparison to a fingerprint provided with a GPG or S/MIME signature from
the administrator of the machine.
* Voice verification of the host public key or its fingerprint with the
administrator of the machine.
* Obtaining a printed copy of the host public key or its fingerprint
directly from the administrator.


Although this might be marginally better than trust on first contact
(TOFC), the danger of a false sense of security likely outweigh any
potential security gains over TOFC, particularly when more robust
alternatives (MonkeySphere, signed host keys, use of an organization's own
HTTPS site) exist and are clearly superior.



On Mon, Sep 1, 2014 at 12:41 AM, John Leo <johnleo@...ckssh.com> wrote:

> This tool displays SSH host key fingerprint - through HTTPS.
>
> SSH is about security; host key matters a lot here; and you can know for
> sure by using this tool. It means you know precisely how to answer this
> question:
> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
> established.
> RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4:
> d9a4:d9a4:d9a4:d9a4:d9a4:d9.
> Are you sure you want to continue connecting (yes/no)?
>
> https://checkssh.com/
>
> We hackers don't want to get hacked. :-) SSH rocks - when host key is
> right. Enjoy!
>
> Best Wishes,
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists