Message-ID: <5405ACB2.8090902@checkssh.com>
Date: Tue, 02 Sep 2014 19:40:34 +0800
From: John Leo <johnleo@...ckssh.com>
To: maxigas <maxigas@...rgeek.net>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

"source code"
It's here:
https://checkssh.com/result/indexdotphp.txt
Extremely short and easy to read.

"trust the service operators"
Hey, trust your own eyes. :-) Feel free to audit/use our code.

"a better solution is to use Monkeysphere"
Professional "certificate authority" vs "OpenPGP web of trust"
Personally I feel more comfortable with CA.

Best Wishes,

On 2014-9-2 02:48, maxigas wrote:
> From: John Leo <johnleo@...ckssh.com>
> Subject: [FD] SSH host key fingerprint - through HTTPS
> Date: Mon, 01 Sep 2014 12:41:17 +0800
>
>> This tool displays SSH host key fingerprint - through HTTPS.
>>
>> SSH is about security; host key matters a lot here; and you can know
>> for sure by using this tool. It means you know precisely how to answer
>> this question:
>> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
>> established.
>> RSA key fingerprint is
>> a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
>> Are you sure you want to continue connecting (yes/no)?
>>
>> https://checkssh.com/
>>
>> We hackers don't want to get hacked. :-) SSH rocks - when host key is
>> right. Enjoy!
>
> Excellent point and thanks for the tool! Indeed, fingerprint
> verification is the absolute weak point of SSH. Here the problem
> is that you have to trust the service operators when you use
> checkssh or set up your own. Is the source code available
> somewhere?
>
> Also, a better solution is to use Monkeysphere which uses the
> public key infrastructure of PGP. It can not just check your SSH
> fingerprints automatically but do a whole lot of other things:
>
> http://web.monkeysphere.info/
>
> --
> maxigas, kiberpunk
> FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
> http://research.metatron.ai/
>
> People the switches!
>


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
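The check the thread is about, done locally: decode the host's public key (one `ssh-keyscan`-style line), recompute the fingerprint, and compare it with the one printed in the "authenticity of host" prompt. This is an added example, not code from the messages above or from checkssh.com; the host name and RSA key material are constructed placeholders, and the two prompt formats assumed are the colon-hex MD5 form shown in the quoted prompt and the SHA256 form OpenSSH 6.8 and later print.

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)  # keep the mpint positive

def build_ssh_rsa_blob(e: int, n: int) -> bytes:
    # OpenSSH wire form of an RSA public key: string "ssh-rsa", mpint e, mpint n
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

# Constructed sample (hypothetical host, toy modulus, not a real key), shaped like
# one line of `ssh-keyscan` output: "<host> <type> <base64 blob>".
SAMPLE_LINE = "example.invalid ssh-rsa " + base64.b64encode(
    build_ssh_rsa_blob(65537, 0xC0FFEEF00DBAADCAFEDEADBEEF0BADF00D)).decode()

def parse_pubkey_line(line: str):
    """Return (key_type, blob) from an ssh-keyscan or authorized_keys-style line."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != f.encode():  # declared type must match the encoded type
                raise ValueError("key type mismatch")
            return f, blob
    raise ValueError("no public key on line")

def md5_fingerprint(blob: bytes) -> str:
    # colon-separated hex, the form older OpenSSH clients show in the prompt
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def sha256_fingerprint(blob: bytes) -> str:
    # "SHA256:" + unpadded base64, the form OpenSSH 6.8 and later show
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def fingerprint_matches(blob: bytes, shown: str) -> bool:
    """Compare the key against the fingerprint printed in the ssh authenticity prompt."""
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        return shown[7:].rstrip("=") == sha256_fingerprint(blob)[7:]
    return shown.lower().replace("md5:", "", 1) == md5_fingerprint(blob)

if __name__ == "__main__":
    key_type, blob = parse_pubkey_line(SAMPLE_LINE)
    print(key_type, md5_fingerprint(blob), sha256_fingerprint(blob))
```

Feed it the line `ssh-keyscan` returns for the host (obtained out of band, e.g. from the server's own /etc/ssh/ssh_host_*_key.pub) and compare the result with what the client prompt shows before answering "yes".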
