hedora 4 days ago

TOFU is not less secure than using a certificate authority.

Both defend against attackers the other cannot. In particular, the number of machines, companies and government agencies you have to trust in order to use a CA is much higher.

tptacek 4 days ago | parent

TOFU is less secure than using a trust anchor.

hedora 4 days ago | parent

That’s only true if you operate the trust anchor (possible) and it’s not an attack vector (impossible).

For example, TOFU where “first use” is a loopback ethernet cable between the two machines is stronger than a trust anchor.

Alternatively, you could manually verify + pin certs after first use.

tptacek 4 days ago | parent

There are a couple of these concepts --- TOFU (key continuity) is one, PAKEs are another, pinning a third --- that sort of float around and captivate people because they seem easy to reason about, but are (with the exception of Magic Wormhole) not all that useful in the real world. It'd be interesting to flesh out the complete list of them.

The thing to think about in comparing SSH to TLS is how frequent counterparty introductions are. New counterparties in SSH are relatively rare. Key continuity still needlessly exposes you to a grave attack in SSH, but really all cryptographic protocol attacks are rare compared to the simpler, more effective stuff like phishing, so it doesn't matter. New counterparties in TLS happen all the time; continuity doesn't make any sense there.

hedora 3 days ago | parent

There are ~ 200 entries in my password manager. Maybe 25 are important. Pinning their certs would meaningfully reduce the transport layer attack surface for those accounts.
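An added example, not from any commenter in this thread, showing the three trust models being argued over (TOFU / key continuity, a manually verified pin that overrides first-use trust, and the "verify then pin after first use" step from hedora's earlier comment) as a known_hosts-style store. The host names and key bytes are constructed stand-ins, not real keys.

```python
import hashlib

# Constructed sample public keys (placeholders for raw key bytes, not real keys).
KEY_A = b"ssh-ed25519 constructed-sample-key-for-host-A"
KEY_B = b"ssh-ed25519 constructed-sample-key-for-host-B"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a public key, the value an operator compares by hand."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()


class KeyContinuityStore:
    """known_hosts-style trust store.

    seen:   fingerprint recorded on first contact (TOFU); later contacts must match.
    pinned: fingerprints verified out of band (e.g. over a loopback cable); when a
            pin exists it is checked instead of whatever was first seen.
    """

    def __init__(self, pinned=None):
        self.seen = {}
        self.pinned = dict(pinned or {})

    def check(self, host: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        if host in self.pinned:
            # Out-of-band verification wins over first-use memory.
            return "pinned-ok" if self.pinned[host] == fp else "PIN-MISMATCH"
        if host not in self.seen:
            # The TOFU window: whoever answers first is trusted from now on.
            self.seen[host] = fp
            return "tofu-first-use"
        return "continuity-ok" if self.seen[host] == fp else "KEY-CHANGED"

    def pin_after_verification(self, host: str) -> str:
        """Promote the first-seen key to a pin once its fingerprint has been
        confirmed manually; returns the fingerprint that was pinned."""
        fp = self.seen[host]
        self.pinned[host] = fp
        return fp
```

A "KEY-CHANGED" or "PIN-MISMATCH" result is the event to alert on; the store deliberately never overwrites a remembered key on its own.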

tptacek 3 days ago | parent

Yes, these ideas bubble around because they all seem reasonable on their face. I was a major fan of pinning!