lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <541FD51D.1020401@checkssh.com>
Date: Mon, 22 Sep 2014 15:51:57 +0800
From: John Leo <johnleo@...ckssh.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: Strength and Weakness of Methods to Confirm SSH Host Key

Monkeysphere
(advice from maxigas)
"verify your SSH key through the OpenPGP web of trust"
Strength: OpenPGP is cool if you REALLY know how to use it.
Weakness: "vote counting scheme" does not sound too cool.

"use of an organization's own HTTPS site"
(advice from Stephanie Daugherty)
In my personal opinion, this is the best solution.
Weakness: basically nothing - it's very secure.

"use DNSSEC to validate SSH fingerprints"
(advice from Micha Borrmann / Jeroen van der Ham / john)
This is a good solution.
Weakness: HTTPS is more mature than DNSSEC(in my personal opinion).

"ssh-keyscan -p 22 domain.com ..."
(advice from Busindre)
It's the same as running "ssh" directly.

Check SSH(https://checkssh.com/)
(we made it)
Strength: this definitely stops ALL local bad boys.
Weakness:
While it's open source(and source code is less than 100 lines)...
We simply won't give you root password of the server(you don't own the server).
If adversary is EXTREMELY powerful:
It's better to set up your own Check SSH.

Best Wishes,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ