On 08-09-2014 19:14, Nicolai wrote:
> Lots of people use CVS over SSH to update their systems, and thus
> already have fingerprints saved in their known_hosts file.

But how do you trust the initial fingerprint exchange? That's my point.

> In addition
> to checking multiple TLS-protected sites, which I previously mentioned,
> this is about as good as it gets. One can't ask for more.

Where are these TLS-enabled sites for getting the fingerprints? As far as I know, the only (official) page where you can get the SSH fingerprints of all the anoncvs servers is:

http://www.openbsd.org/anoncvs.html

> This thread is about verifying signify pubkeys, not DNSSEC.
>
> DNSSEC is an unencrypted protocol that relies on RSA-1024 and
> governments. It's horribly complex, and I can't tell if it's a
> make-work program (incompetent) or Project Bullrun (malicious). Maybe
> both, which is why the US govt likes it so much.

I mentioned DNSSEC because SSHFP records with it do seem better for getting the fingerprints than an unencrypted web page. But it won't happen, at least in any foreseeable future. Perhaps, if OpenBSD implemented a DNSCurve-enabled DNS server with the SSH fingerprints, it would be better. But the problem is money and manpower to implement it and keep it running.

>
> Anyway, in my previous post I shared several good methods for
> verifying the 5.5 base key, as well as the key itself, and any one of
> the thousands of people on this mailing list can pipe up to say, "That's
> not the key I have!" That could be a hugely compelling and important
> moment -- and if it happens then perhaps there's more to say on the
> issue.

If you are being directly targeted, forget it. I'm not saying that you should just give up. I'm just saying that your attackers have much, much more resources than you'd possibly have. You might avoid getting compromised for some time, but eventually you'll be.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
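An added example (not code from this thread or from OpenBSD) of the SSHFP check the reply above has in mind: it computes the SSHFP RDATA that `ssh-keygen -r` would publish for a host key, then matches the key a server offers against the records returned for its name. The DNS lookup and the DNSSEC validation (only answers with the AD bit set are worth trusting) are assumed to happen outside this snippet, and the key used is a constructed placeholder, not a real host key.

```python
import base64
import hashlib
import struct

# SSHFP code points: RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3, SHA-256=2),
# RFC 7479 (Ed25519=4).
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def sshfp_rdata(pubkey_line: str, fptype: str = "sha256") -> str:
    """Return the SSHFP RDATA "<algo> <fptype> <hex>" for one OpenSSH public-key
    line (a known_hosts or ssh_host_*_key.pub entry), as `ssh-keygen -r` prints it.
    The digest is over the decoded key blob, not over the base64 text."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    digest = hashlib.new(fptype, blob).hexdigest()
    return f"{SSHFP_ALGO[keytype]} {SSHFP_FPTYPE[fptype]} {digest}"


def host_key_matches_sshfp(pubkey_line: str, rdatas) -> bool:
    """True if the key a server offered matches at least one SSHFP record.
    `rdatas` are the RDATA strings returned for the host name; compare them
    only after the resolver has validated the answer with DNSSEC."""
    published = {" ".join(r.split()).lower() for r in rdatas}
    if pubkey_line.split()[0] not in SSHFP_ALGO:
        return False  # no SSHFP code point for this key type, so nothing can match
    return any(sshfp_rdata(pubkey_line, fp) in published for fp in SSHFP_FPTYPE)


def constructed_ed25519_pubkey(raw32: bytes) -> str:
    """Wrap 32 placeholder bytes in OpenSSH wire format so the example runs offline.
    This is NOT a real key and has no private half."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_ed25519_pubkey(bytes(range(32)))
    record = sshfp_rdata(key)  # what the zone operator would publish for the host
    print(record)
    print(host_key_matches_sshfp(key, [record]))    # same key offered: accept
    other = constructed_ed25519_pubkey(bytes(range(32))[:-1] + b"\xff")
    print(host_key_matches_sshfp(other, [record]))  # one byte differs: reject
```

OpenSSH performs the same comparison itself when `VerifyHostKeyDNS` is enabled in ssh_config, which is the practical way to use SSHFP for the first connection to an anoncvs server.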

