Date: Mon, 01 Sep 2014 15:48:27 -0300 (ART)
From: maxigas <maxigas@...rgeek.net>
To: johnleo@...ckssh.com
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

From: John Leo <johnleo@...ckssh.com>
Subject: [FD] SSH host key fingerprint - through HTTPS
Date: Mon, 01 Sep 2014 12:41:17 +0800

> This tool displays SSH host key fingerprint - through HTTPS.
>
> SSH is about security; host key matters a lot here; and you can know
> for sure by using this tool. It means you know precisely how to answer
> this question:
> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
> established.
> RSA key fingerprint is
> a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
> Are you sure you want to continue connecting (yes/no)?
>
> https://checkssh.com/
>
> We hackers don't want to get hacked. :-) SSH rocks - when host key is
> right. Enjoy!

Excellent point and thanks for the tool! Indeed, fingerprint
verification is the absolute weak point of SSH. Here the problem is
that you have to trust the service operators when you use checkssh or
set up your own. Is the source code available somewhere?

Also, a better solution is to use Monkeysphere which uses the public
key infrastructure of PGP. It can not just check your SSH fingerprints
automatically but do a whole lot of other things:

http://web.monkeysphere.info/

--
maxigas, kiberpunk
FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
http://research.metatron.ai/
People the switches!

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
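
The check discussed in this thread (comparing the fingerprint SSH shows with one obtained over a trusted channel such as HTTPS), as an added example that is not part of the original messages and is not code from checkssh or Monkeysphere. The sample key is constructed, the names ssh_string, fingerprints and matches_trusted are made up for illustration, and the input is assumed to be the "host keytype base64" line format that ssh-keyscan prints.

```python
import base64
import hashlib
import hmac
import re


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample, not a real host key: an ssh-ed25519 blob with fixed bytes.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_LINE = "blah.blah.blah ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def fingerprints(keyscan_line: str) -> dict:
    """Fingerprints of a 'host keytype base64' line (ssh-keyscan style)."""
    fields = keyscan_line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-key")
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    # The blob begins with its own type string; it must agree with the text field.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type field does not match key blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),  # legacy format
        "sha256": "SHA256:" + sha256,                            # newer OpenSSH format
    }


def matches_trusted(keyscan_line: str, trusted: str) -> bool:
    """True only if the key's fingerprint equals the out-of-band one."""
    fps = fingerprints(keyscan_line)
    trusted = trusted.strip()
    if trusted.startswith("SHA256:"):
        ours, theirs = fps["sha256"], trusted.rstrip("=")
    else:
        ours, theirs = fps["md5"], trusted.lower()
        if theirs.startswith("md5:"):
            theirs = theirs[4:]
        # Anything that is not 16 colon-separated hex pairs is rejected outright.
        if not re.fullmatch(r"[0-9a-f]{2}(:[0-9a-f]{2}){15}", theirs):
            return False
    return hmac.compare_digest(ours.encode(), theirs.encode())
```

The comparison is only as trustworthy as the channel the reference fingerprint came from, which is the trust question raised in the reply above.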