26.03.2018 21:36, Matus UHLAR - fantomas writes:
> On 26.03.18 19:16, Yuri wrote:
>> Disagree.
>>
>> My point about TLS is quite different.
>>
>> SSH, by design, assumes end-to-end encryption and does not assume any
>> third party is treated as trusted, like TLS does.
>
> actually, the ssh DOES support certificate authorities that sign client or
> host keys, so you don't need to transfer it over SSH server - it's just not
> widely used.
>
> https://www.ssh.com/ssh/keygen/#sec-Using-X-509-Certificates-for-Host-Authentication

I know such an obvious thing. But the functionality you described was not
initially designed into SSH and was added later.

>> SSH immediately notifies you
>> when the server key surprisingly changes.
>
> only when you already have the host key installed in your client. If there's
> a MITM attack before you get the key, you will not notice that, unless you
> get the key by some other (secure) way.

By analogy with TLS - let's imagine I've already been on the site. With SSH,
the client notifies me - "Hey, man, you're trying to connect to a server with
.... fingerprint. Add it? Yes/No"

Instead of this, TLS never notifies me if the third-party CA is known to the
client.

> unlike SSL, SSH was not designed to be used globally between everyone, more
> within one or more "friend" organizations, so it didn't specify how host
> keys are verified (the SSHFP DNS record just transfers trust to DNS, which
> can be hijacked too).

To be honest, a weak argument. A secure connection should always be encrypted
end-to-end and should not "trust" third parties as well. Never. Otherwise it
is an insecure connection. IMHO.

>> Yes, users are involved in both cases. However the difference is still here.
>> SSH is end-to-end always by design (we're not talking about things like
>> Kerberos here), TLS is not.
>
> TLS was designed to be end-to-end encryption and the certificate authority

As Stanislavsky said, "I do not believe it!" End-to-end encryption and the
(/trusted third-party/) certificate authority are antonyms.

> system was built to fulfil this. The bumping proxies, antiviruses, and
> application firewalls just break this.

With this I cannot argue.

--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
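The thread above argues about what an SSH client actually checks: it only warns when a key it already has on file changes, first contact is trust-on-first-use, and an SSHFP DNS record merely moves the trust question to DNS. The script below is an added example written for this page, not code from the Squid project or from either poster; it reproduces those three outcomes over a known_hosts file and computes the OpenSSH-style fingerprint and the SSHFP RDATA for a key. The host names, the key bytes and the known_hosts line are constructed for the example, and the parser deliberately handles only plain (unhashed, non-@cert-authority) entries.

```python
"""Host-key verification as an SSH client does it (trust on first use),
plus the SSHFP DNS fingerprint used as an out-of-band check.
Added example for this thread; not code from the Squid project or the posters.
All keys and host names below are constructed, not real."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in known_hosts."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def openssh_fingerprint(blob: bytes) -> str:
    """Fingerprint in the form ssh prints in its 'Are you sure...' prompt."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def sshfp_record(blob: bytes) -> str:
    """SSHFP RDATA (RFC 4255/6594/7479): algorithm 4 = Ed25519, fptype 2 = SHA-256."""
    return "4 2 " + hashlib.sha256(blob).hexdigest()


def parse_known_hosts(text: str) -> dict:
    """Map each host name/address to (keytype, blob). Plain entries only."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            known[host] = (keytype, base64.b64decode(b64))
    return known


def check_host_key(known: dict, host: str, keytype: str, blob: bytes) -> str:
    """'ok' if the stored key matches, 'unknown' on first contact (the client
    can only ask the user), 'changed' if the stored key differs (possible MITM,
    the client refuses to continue)."""
    stored = known.get(host)
    if stored is None:
        return "unknown"
    if stored == (keytype, blob):
        return "ok"
    return "changed"


def verify_against_sshfp(blob: bytes, dns_rdata: str) -> bool:
    """Compare the presented key with an SSHFP record obtained out of band.
    This is only as trustworthy as the DNS answer itself (DNSSEC or nothing)."""
    return sshfp_record(blob) == dns_rdata.strip()


# Constructed sample key material (not a real server key).
REAL_KEY = bytes(range(32))
MITM_KEY = bytes(range(32, 64))
REAL_BLOB = ed25519_blob(REAL_KEY)
MITM_BLOB = ed25519_blob(MITM_KEY)

# Constructed known_hosts content: one host already trusted under two names.
KNOWN_HOSTS = "example.net,192.0.2.10 ssh-ed25519 " + base64.b64encode(REAL_BLOB).decode()


def demo() -> dict:
    """Run the three known_hosts cases and the SSHFP comparison."""
    known = parse_known_hosts(KNOWN_HOSTS)
    return {
        "first_contact": check_host_key(known, "other.example.net", "ssh-ed25519", REAL_BLOB),
        "known_good": check_host_key(known, "example.net", "ssh-ed25519", REAL_BLOB),
        "key_changed": check_host_key(known, "example.net", "ssh-ed25519", MITM_BLOB),
        "sshfp_ok": verify_against_sshfp(REAL_BLOB, sshfp_record(REAL_BLOB)),
        "sshfp_mitm": verify_against_sshfp(MITM_BLOB, sshfp_record(REAL_BLOB)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    print("fingerprint:", openssh_fingerprint(REAL_BLOB))
    print("SSHFP:", sshfp_record(REAL_BLOB))
```

The "first_contact" case is the one the thread is about: with nothing on file the client can only show the fingerprint and ask, so whether the answer is right depends on the user having the fingerprint from somewhere else (a CA-signed host key, an SSHFP record under DNSSEC, or a human channel).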