| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 22 Sep 2014 15:51:57 +0800 From: John Leo <johnleo@...ckssh.com> To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org Subject: Strength and Weakness of Methods to Confirm SSH Host Key Monkeysphere (advice from maxigas) "verify your SSH key through the OpenPGP web of trust" Strength: OpenPGP is cool if you REALLY know how to use it. Weakness: "vote counting scheme" does not sound too cool. "use of an organization's own HTTPS site" (advice from Stephanie Daugherty) In my personal opinion, this is the best solution. Weakness: basically nothing - it's very secure. "use DNSSEC to validate SSH fingerprints" (advice from Micha Borrmann / Jeroen van der Ham / john) This is a good solution. Weakness: HTTPS is more mature than DNSSEC(in my personal opinion). "ssh-keyscan -p 22 domain.com ..." (advice from Busindre) It's the same as running "ssh" directly. Check SSH(https://checkssh.com/) (we made it) Strength: this definitely stops ALL local bad boys. Weakness: While it's open source(and source code is less than 100 lines)... We simply won't give you root password of the server(you don't own the server). If adversary is EXTREMELY powerful: It's better to set up your own Check SSH. Best Wishes,
Powered by blists - more mailing lists