| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <81DD2C0F-CB9E-43BF-9DA4-CD220FFA8980@dckd.nl> Date: Mon, 1 Sep 2014 22:21:15 +0200 From: Jeroen van der Ham <jeroen@...d.nl> To: Stephanie Daugherty <sdaugherty@...il.com> Cc: John Leo <johnleo@...ckssh.com>, fulldisclosure@...lists.org, bugtraq@...urityfocus.com Subject: Re: [FD] SSH host key fingerprint - through HTTPS Hi, On 1 Sep 2014, at 10:43, Stephanie Daugherty <sdaugherty@...il.com> wrote: > Sure it shows me the fingerprint, but it doesn't tell me for sure if that's > the RIGHT fingerprint or the fingerprint of an imposter, > > It's entirely possible that both myself and that site are BOTH falling > victim to a MITM attack.(routing attacks, DNS attacks, etc) > > Proper host key verification (which nobody does) ideally means one or more > of: > * Verification that the SSH host key is connected via certificate chain to > a trusted certificate, > * Comparison to a fingerprint being posted on the organization's OWN https > site > * Comparison to a fingerprint provided with a GPG or S/MIME signature from > the administrator of the machine. > * Voice verification of the host public key or its fingerprint with the > administrator of the machine. > * Obtaining a printed copy of the host public key or its fingerprint > directly from the administrator. > There is a way now, using the “magic” of DNSSEC and SSHFP records: http://tools.ietf.org/html/rfc4255 You use the DNSSEC hierarchy to create a trust chain. You can then securely publish a signed fingerprint of your SSH host key for that specific machine. Jeroen.
Powered by blists - more mailing lists