lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 01 Sep 2014 15:48:27 -0300 (ART)
From: maxigas <maxigas@...rgeek.net>
To: johnleo@...ckssh.com
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

From: John Leo <johnleo@...ckssh.com>
Subject: [FD] SSH host key fingerprint - through HTTPS
Date: Mon, 01 Sep 2014 12:41:17 +0800

> This tool displays SSH host key fingerprint - through HTTPS.
> 
> SSH is about security; host key matters a lot here; and you can know
> for sure by using this tool. It means you know precisely how to answer
> this question:
> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
> established.
> RSA key fingerprint is
> a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
> Are you sure you want to continue connecting (yes/no)?
> 
> https://checkssh.com/
> 
> We hackers don't want to get hacked. :-) SSH rocks - when host key is
> right. Enjoy!

Excellent point and thanks for the tool! Indeed, fingerprint
verification is the absolute weak point of SSH. Here the problem
is that you have to trust the service operators when you use
checkssh or set up your own. Is the source code available
somewhere?

Also, a better solution is to use Monkeysphere which uses the
public key infrastructure of PGP. It can not just check your SSH
fingerprints automatically but do a whole lot of other things:

http://web.monkeysphere.info/

--
maxigas, kiberpunk
FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
http://research.metatron.ai/

People the switches!






_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists