arccy 4 days ago

ssh server certificates should not be TOFU; the point of SSH certs is so you can trust the signing key.

TOFU on ssh server keys... it's still bad, but fewer people are interested in intercepting ssh vs tls.

tptacek 4 days ago

Intercepting and exploiting first-contact SSH sessions is a security conference sport. People definitely do it.

jchw 4 days ago

I just typed the wrong thing, full stop. I meant to say server keys; fixed now.

Also, I agree that TOFU on its own is certainly worse than having robust verification via the CA system. OTOH, SSH-style TOFU has some advantages over the CA system, too, at least without additional measures like HSTS and certificate pinning. If you are administering machines that you yourself set up, there is little reason to bother with anything more than TOFU because you'll cache the key shortly after the machine is set up and then get warned if a MITM is attempted. That, IMO, is the exact sort of argument in favor of having an "insecure but encrypted" sort of option for the web; small scale cases where you can just verify the key manually if you need to.
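
An added example, not part of any comment in this thread: a minimal Python model of the TOFU decision the comments argue about, showing that the first contact is the only unprotected step and how a fingerprint obtained out of band closes it. The function names, host name and key bytes are constructed for illustration; the dictionary stands in for `known_hosts`.

```python
import base64
import hashlib
import struct


def sample_pubkey(raw32: bytes, comment: str = "constructed") -> str:
    """Build a constructed ssh-ed25519 public key line (not a real host key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """Fingerprint in the SHA256:<unpadded base64> form OpenSSH displays."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def tofu_check(known_hosts: dict, host: str, offered_line: str, expected_fp=None) -> str:
    """Decide what to do with the key a server offers.

    known_hosts maps host -> pinned fingerprint (stand-in for ~/.ssh/known_hosts).
    expected_fp is a fingerprint read out of band, e.g. from the machine's
    console at setup time; None means plain TOFU.
    """
    offered = fingerprint(offered_line)
    pinned = known_hosts.get(host)
    if pinned is not None:
        # Every later contact is protected: a different key is flagged.
        return "ok" if pinned == offered else "changed"
    if expected_fp is None:
        # Plain TOFU: whoever answers first gets pinned, interceptor included.
        known_hosts[host] = offered
        return "pinned-unverified"
    if offered != expected_fp:
        return "reject"  # first contact intercepted or wrong host; pin nothing
    known_hosts[host] = offered
    return "pinned-verified"


if __name__ == "__main__":
    real = sample_pubkey(b"\x01" * 32)       # constructed "real" host key
    other = sample_pubkey(b"\x02" * 32)      # constructed key from another party
    hosts = {}
    print(tofu_check(hosts, "db1.example", other, fingerprint(real)))
    print(tofu_check(hosts, "db1.example", real, fingerprint(real)))
    print(tofu_check(hosts, "db1.example", other))
```
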