
Re: [FD] SSH host key fingerprint - through HTTPS

"source code"
It's here:
Extremely short and easy to read.

"trust the service operators"
Hey, trust your own eyes. :-) Feel free to audit/use our code.

"a better solution is to use Monkeysphere"
Professional "certificate authority" vs "OpenPGP web of trust"
Personally I feel more comfortable with CA.

Best Wishes,

On 2014-9-2 02:48, maxigas wrote:
From: John Leo <johnleo@xxxxxxxxxxxx>
Subject: [FD] SSH host key fingerprint - through HTTPS
Date: Mon, 01 Sep 2014 12:41:17 +0800

This tool displays SSH host key fingerprint - through HTTPS.

SSH is about security; host key matters a lot here; and you can know
for sure by using this tool. It means you know precisely how to answer
this question:
The authenticity of host 'blah.blah.blah (' can't be
RSA key fingerprint is
Are you sure you want to continue connecting (yes/no)?


We hackers don't want to get hacked. :-) SSH rocks - when host key is
right. Enjoy!

Excellent point and thanks for the tool! Indeed, fingerprint
verification is the absolute weak point of SSH. Here the problem
is that you have to trust the service operators when you use
checkssh or set up your own. Is the source code available

Also, a better solution is to use Monkeysphere which uses the
public key infrastructure of PGP. It can not just check your SSH
fingerprints automatically but do a whole lot of other things:


maxigas, kiberpunk
FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166

People the switches!