Date: Wed, 03 Sep 2014 22:23:52 +0200
From: Árpád Magosányi <mag@...was.rulez.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] SSH host key fingerprint - through HTTPS

Hi,

(Is it within the list charter to discuss theoretical background?)

On 09/01/2014 08:48 PM, maxigas wrote:

> Excellent point and thanks for the tool! Indeed, fingerprint
> verification is the absolute weak point of SSH. 

This is about trust relationship model. And the end-to-end trust
relationship model used by SSH - while not always feasible as is - is
much better than the "military" model of X.509, which actually dooms
adoption of encryption technologies.

If you do not like the end-to-end model, then you can build something on
top of it. This tool is an example of it. (I do not want to argue
whether better or not.) With the military model you could build
something *despite* the built-in model.

And my main point would be that it is high time to come up with
something, based on real-life use cases, which uses X.509 (just because
it is well supported) and works around its broken trust relationship model.
This could solve some SSH-related use cases as well.

Problem is that I (and a lot of other people here) could come up with
technologically sound solutions, but no one yet came up with something
which has a sustainable business model behind it as well. (When I use
the term "business model" I do not necessarily mean a money-driven
setup: it includes those things which drive open source projects, like
Linux kernel or Apache development.)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
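The end-to-end check the thread is about, host key fingerprint verification against a value obtained out of band, shown as an added worked example. This code is not from the original post or from the tool under discussion; the key line, its comment, and the "published" fingerprint are constructed for the example and do not belong to any real host.

```python
"""Added example (not from the original post): verify an SSH host key line
against a fingerprint pinned out of band, the step the thread calls the
weak point of SSH's end-to-end trust model."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split an SSH public-key blob into its length-prefixed fields,
    refusing truncated blobs instead of silently reading short."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def parse_public_key_line(line: str):
    """Parse '<type> <base64 blob> [comment]' as found in known_hosts or
    ssh-keyscan output and return (key_type, blob). The type named inside
    the blob must match the declared type; otherwise the line is rejected."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64>' on the key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH display form: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH display form: 'MD5:' + colon-separated hex bytes."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def verify_host_key(line: str, pinned: str) -> bool:
    """True iff the key on `line` matches `pinned`, a fingerprint obtained
    over a separate channel (e.g. published over HTTPS, as the thread's tool
    does). The pin's prefix selects the format; comparison is constant-time."""
    _, blob = parse_public_key_line(line)
    if pinned.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif pinned.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        raise ValueError("unknown fingerprint format")
    return hmac.compare_digest(actual.encode(), pinned.encode())


# Constructed sample (hypothetical, built for this example, not a real host):
# an ed25519 public key blob is the wire string "ssh-ed25519" + 32 key bytes.
_SAMPLE_PUBKEY_BYTES = bytes(range(32))
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_SAMPLE_PUBKEY_BYTES)
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " example.test"

# A tampered copy, as an interposed host presenting its own key would look:
# same declared type, last key byte changed.
TAMPERED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_SAMPLE_PUBKEY_BYTES[:-1] + b"\xff")
TAMPERED_LINE = "ssh-ed25519 " + base64.b64encode(TAMPERED_BLOB).decode()


if __name__ == "__main__":
    pin = fingerprint_sha256(SAMPLE_BLOB)  # what the out-of-band channel publishes
    print("pinned   :", pin)
    print("genuine  :", verify_host_key(SAMPLE_LINE, pin))
    print("tampered :", verify_host_key(TAMPERED_LINE, pin))
```

The pinned value stands in for whatever the second channel delivers (an HTTPS page, DNS, a printed card); the check itself is the same regardless of how the pin arrived, which is the point the post makes about building on top of the end-to-end model rather than replacing it.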
