On Wed, 2007-03-14 at 11:09 -0600, Michael L Torrie wrote:
> On Wed, 2007-03-14 at 10:07 -0700, Nicholas Leippe wrote:
> > As for man-in-the-middle, playing with ARP can cause disruption of
> > services, and could intercept insecure protocols. Which is why for
> > critical data, ssl or other secure mechanism should be used.
>
> Additionally this is why SSL uses certificates that should be verified
> to prove that the host is who it says it is. Also ssh key fingerprints
> should always be verified. How often do we ssh into a box and just
> automatically type "yes" to the fingerprint authorization?
That's true, but how practical is it to verify an SSH fingerprint? All you have to do is log in and check the host key. Oh, wait...

With SSL certs, at least you have a CA infrastructure for verification (which often doesn't get used). Around here it's enough if I can get people to use SSH instead of telnet. Asking them to verify against a list of SSH fingerprints would go over like a lead balloon.

Corey

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
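One way to make "verify against a list of SSH fingerprints" a mechanical check instead of something users type "yes" past, as an added example that is not from the thread or any project mentioned in it: it parses a known_hosts line, computes the SHA256 fingerprint the way ssh-keygen -l prints it, and compares it with a fingerprint pinned for that host. The host name, the 32 key bytes and the pinned list are constructed for the demo; a real pinned list would come from an out-of-band source.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint of a base64 public key blob: "SHA256:" followed
    by the base64 digest with its "=" padding stripped (what ssh-keygen -l prints)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line):
    """Split "host keytype base64" and reject a line whose declared key type
    differs from the type string embedded at the start of the blob."""
    host, keytype, key_b64 = line.split()[:3]
    embedded, _ = _read_string(base64.b64decode(key_b64), 0)
    if embedded.decode() != keytype:
        raise ValueError(f"declared {keytype} but blob says {embedded!r}")
    return host, keytype, key_b64


def verify_host_key(line, pinned):
    """True only if the key on the line matches the fingerprint pinned for its host."""
    host, _, key_b64 = parse_known_hosts_line(line)
    expected = pinned.get(host)
    return expected is not None and sha256_fingerprint(key_b64) == expected


def make_blob(keytype, raw_key):
    """Build a base64 public-key blob (type string + key string) for the demo."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode()
    blob += struct.pack(">I", len(raw_key)) + raw_key
    return base64.b64encode(blob).decode()


# Constructed sample data: not a real host and not a real key.
SAMPLE_KEY = make_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_LINE = f"example.internal ssh-ed25519 {SAMPLE_KEY}"
# In practice this dict is distributed out of band; here it is derived for the demo.
PINNED = {"example.internal": sha256_fingerprint(SAMPLE_KEY)}

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_KEY), verify_host_key(SAMPLE_LINE, PINNED))
```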
