[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] SSH host key fingerprint - through HTTPS

To: Stephanie Daugherty <sdaugherty@xxxxxxxxx>
Subject: Re: [FD] SSH host key fingerprint - through HTTPS
From: John Leo <johnleo@xxxxxxxxxxxx>
Date: Tue, 02 Sep 2014 19:06:49 +0800

Good to hear from you!

"marginally better"
We never said this is perfect. checkssh.com stops LOCAL bad boys. That's all.

"both myself and that site are BOTH falling victim"
Ah, here is the source code...
https://checkssh.com/result/indexdotphp.txt
It's extremely short and easy to read. You can set up your own Check SSH(where 
you trust).

"more robust alternatives"
Trust me - HTTPS is more mature. And our code is more simple.

Best Wishes,

On 2014-9-1 16:43, Stephanie Daugherty wrote:

Sure it shows me the fingerprint, but it doesn't tell me for sure if that's the 
RIGHT fingerprint or the fingerprint of an imposter,

It's entirely possible that both myself and that site are BOTH falling victim 
to a MITM attack.(routing attacks, DNS attacks, etc)

Proper host key verification (which nobody does) ideally means one or more of:
* Verification that the SSH host key is connected via certificate chain to a 
trusted certificate,
* Comparison to a fingerprint being posted on the organization's OWN https site
* Comparison to a fingerprint provided with a GPG or S/MIME signature from the 
administrator of the machine.
* Voice verification of the host public key or its fingerprint with the 
administrator of the machine.
* Obtaining a printed copy of the host public key or its fingerprint directly 
from the administrator.


Although this might be marginally better than trust on first contact (TOFC), 
the danger of a false sense of security likely outweigh any potential security 
gains over TOFC, particularly when more robust alternatives (MonkeySphere, 
signed host keys, use of an organization's own HTTPS site) exist and are 
clearly superior.



On Mon, Sep 1, 2014 at 12:41 AM, John Leo <johnleo@xxxxxxxxxxxx 
<mailto:johnleo@xxxxxxxxxxxx>> wrote:

    This tool displays SSH host key fingerprint - through HTTPS.

    SSH is about security; host key matters a lot here; and you can know for 
sure by using this tool. It means you know precisely how to answer this 
question:
    The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be 
established.
    RSA key fingerprint is 
a4:d9:a4:d9:a4:d9a4:d9:a4:__d9a4:d9a4:d9a4:d9a4:d9a4:d9.
    Are you sure you want to continue connecting (yes/no)?

    https://checkssh.com/

    We hackers don't want to get hacked. :-) SSH rocks - when host key is 
right. Enjoy!

    Best Wishes,


    _________________________________________________
    Sent through the Full Disclosure mailing list
    http://nmap.org/mailman/__listinfo/fulldisclosure 
<http://nmap.org/mailman/listinfo/fulldisclosure>
    Web Archives & RSS: http://seclists.org/__fulldisclosure/ 
<http://seclists.org/fulldisclosure/>



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] SSH host key fingerprint - through HTTPS
  - From: John Leo
- Re: [FD] SSH host key fingerprint - through HTTPS
  - From: Stephanie Daugherty

Prev by Date: [FD] Reflected XSS Attacks vulnerabilities used MIME Sniffing in Facebook Messenger and Facebook App for iOS.
Next by Date: Re: [FD] SSH host key fingerprint - through HTTPS
Previous by thread: Re: [FD] SSH host key fingerprint - through HTTPS
Next by thread: Re: [FD] SSH host key fingerprint - through HTTPS
Index(es):
- Date
- Thread