Full Disclosure mailing list archives
Re: SSH host key fingerprint - through HTTPS
From: Árpád Magosányi <mag () magwas rulez org>
Date: Wed, 03 Sep 2014 22:23:52 +0200
Hi,

(Is it within the list charter to discuss theoretical background?)

On 09/01/2014 08:48 PM, maxigas wrote:
> Excellent point and thanks for the tool! Indeed, fingerprint verification is the absolute weak point of SSH.
This is about the trust relationship model. And the end-to-end trust relationship model used by SSH - while not always feasible as is - is much better than the "military" model of X.509, which actually dooms adoption of encryption technologies.

If you do not like the end-to-end model, then you can build something on top of it. This tool is an example of it. (I do not want to argue whether better or not.) With the military model you could build something *despite* the built-in model.

And my main point would be that it is high time to come up with something, based on real-life use cases which uses X.509 (just because it is well supported), and works around its broken trust relationship model. This could solve some SSH-related use cases as well.

Problem is that I (and a lot of other people here) could come up with technologically sound solutions, but no one yet came up with something which has a sustainable business model behind it as well. (When I use the term "business model" I do not necessarily mean a money-driven setup: it includes those things which drive open source projects, like Linux kernel or Apache development.)

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/