tomasino
/
gemspace
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

grammar

This commit is contained in:
James Tomasino 2021-03-31 11:41:14 +00:00
parent a53e0139a6
commit 3e70fa4031
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
journal/20210331-sshfp-and-the-tofu-issue.gmi
View File

@ -1,6 +1,6 @@
# SSHFP and the TOFU Issue
When a user connects to an unknown ssh server for the first time they are presented with the host key fingerprint for that server and recommended to confirm that this host key is correct. The expectation is that a user will look out-of-bounds for that, by making a phone call, sending an email, looking something up online, etc. It's often ignored, but for that do it often results in looking on a website for the fingerprint in a footer or about page.
When a user connects to an unknown ssh server for the first time they are presented with the host key fingerprint for that server and recommended to confirm that this host key is correct. The expectation is that a user will look out-of-bounds for that, by making a phone call, sending an email, looking something up online, etc. It's often ignored, but those who do it often end up looking on a website for the fingerprint in a footer or about page.
A few months back I speculated that it would be better to store this fingerprint in a DNS txt record than on a website that's most likely hosted on the same server you're logging into. If that server were compromised or hijacked it would be trivial for the bad actor to update the fingerprint on the website since they now control that too. It would be much harder, though, to compromise the DNS entries at the same time as the server.