Bugtraq mailing list archives

Re: [FD] SSH host key fingerprint - through HTTPS

From: john <mail () johnbond org>
Date: Mon, 01 Sep 2014 23:32:13 +0200

On 01/09/14 10:43, Stephanie Daugherty wrote:

Sure it shows me the fingerprint, but it doesn't tell me for sure if that's
the RIGHT fingerprint or the fingerprint of an imposter,

It's entirely possible that both myself and that site are BOTH falling
victim to a MITM attack.(routing attacks, DNS attacks, etc)

Proper host key verification (which nobody does) ideally means one or more
of:
* Verification that the SSH host key is connected via certificate chain to
a trusted certificate,
* Comparison to a fingerprint being posted on the organization's OWN https
site
* Comparison to a fingerprint provided with a GPG or S/MIME signature from
the administrator of the machine.
* Voice verification of the host public key or its fingerprint with the
administrator of the machine.
* Obtaining a printed copy of the host public key or its fingerprint
directly from the administrator.

Or just use an SSHFP record in a signed zone

Current thread:

SSH host key fingerprint - through HTTPS John Leo (Sep 01)
- Re: SSH host key fingerprint - through HTTPS Micha Borrmann (Sep 01)
  - Re: SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Re: SSH host key fingerprint - through HTTPS Chris Nehren (Sep 01)
  - Re: SSH host key fingerprint - through HTTPS Lukasz Biegaj (Sep 02)
    - Re: SSH host key fingerprint - through HTTPS Jamie Riden (Sep 02)
- Re: [FD] SSH host key fingerprint - through HTTPS maxigas (Sep 02)
  - Re: [FD] SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Message not available
  - Re: [FD] SSH host key fingerprint - through HTTPS Jeroen van der Ham (Sep 02)
    - Re: [FD] SSH host key fingerprint - through HTTPS John Leo (Sep 02)
- Message not available
  - Re: [FD] SSH host key fingerprint - through HTTPS john (Sep 02)
- Message not available
  - Re: [FD] SSH host key fingerprint - through HTTPS John Leo (Sep 02)