Full Disclosure mailing list archives
Re: SSH host key fingerprint - through HTTPS
From: Stephanie Daugherty <sdaugherty () gmail com>
Date: Mon, 1 Sep 2014 04:43:35 -0400
Sure it shows me the fingerprint, but it doesn't tell me for sure if that's the RIGHT fingerprint or the fingerprint of an imposter, It's entirely possible that both myself and that site are BOTH falling victim to a MITM attack.(routing attacks, DNS attacks, etc) Proper host key verification (which nobody does) ideally means one or more of: * Verification that the SSH host key is connected via certificate chain to a trusted certificate, * Comparison to a fingerprint being posted on the organization's OWN https site * Comparison to a fingerprint provided with a GPG or S/MIME signature from the administrator of the machine. * Voice verification of the host public key or its fingerprint with the administrator of the machine. * Obtaining a printed copy of the host public key or its fingerprint directly from the administrator. Although this might be marginally better than trust on first contact (TOFC), the danger of a false sense of security likely outweigh any potential security gains over TOFC, particularly when more robust alternatives (MonkeySphere, signed host keys, use of an organization's own HTTPS site) exist and are clearly superior. On Mon, Sep 1, 2014 at 12:41 AM, John Leo <johnleo () checkssh com> wrote:
This tool displays SSH host key fingerprint - through HTTPS. SSH is about security; host key matters a lot here; and you can know for sure by using this tool. It means you know precisely how to answer this question: The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be established. RSA key fingerprint is a4:d9:a4:d9:a4:d9a4:d9:a4: d9a4:d9a4:d9a4:d9a4:d9a4:d9. Are you sure you want to continue connecting (yes/no)? https://checkssh.com/ We hackers don't want to get hacked. :-) SSH rocks - when host key is right. Enjoy! Best Wishes, _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- SSH host key fingerprint - through HTTPS John Leo (Sep 01)
- Re: SSH host key fingerprint - through HTTPS Stephanie Daugherty (Sep 01)
- Re: SSH host key fingerprint - through HTTPS Jeroen van der Ham (Sep 01)
- Re: SSH host key fingerprint - through HTTPS Jeroen van der Ham (Sep 01)
- Re: SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Re: SSH host key fingerprint - through HTTPS maxigas (Sep 01)
- Re: SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Re: SSH host key fingerprint - through HTTPS Busindre ™ (Sep 09)
- Re: SSH host key fingerprint - through HTTPS Árpád Magosányi (Sep 03)
- Re: SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Re: SSH host key fingerprint - through HTTPS Stephanie Daugherty (Sep 01)