Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread John Leo 

"source code"
It's here:
https://checkssh.com/result/indexdotphp.txt
Extremely short and easy to read.

"trust the service operators"
Hey, trust your own eyes. :-) Feel free to audit/use our code.

"a better solution is to use Monkeysphere"
Professional "certificate authority" vs "OpenPGP web of trust"
Personally I feel more comfortable with CA.

Best Wishes,

On 2014-9-2 02:48, maxigas wrote:

From: John Leo 
Subject: [FD] SSH host key fingerprint - through HTTPS
Date: Mon, 01 Sep 2014 12:41:17 +0800


This tool displays SSH host key fingerprint - through HTTPS.

SSH is about security; host key matters a lot here; and you can know
for sure by using this tool. It means you know precisely how to answer
this question:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
established.
RSA key fingerprint is
a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?

https://checkssh.com/

We hackers don't want to get hacked. :-) SSH rocks - when host key is
right. Enjoy!


Excellent point and thanks for the tool! Indeed, fingerprint
verification is the absolute weak point of SSH. Here the problem
is that you have to trust the service operators when you use
checkssh or set up your own. Is the source code available
somewhere?

Also, a better solution is to use Monkeysphere which uses the
public key infrastructure of PGP. It can not just check your SSH
fingerprints automatically but do a whole lot of other things:

http://web.monkeysphere.info/

--
maxigas, kiberpunk
FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
http://research.metatron.ai/

People the switches!

Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread John Leo 

Nice to hear from you!

I can only wish your suggestion is widely implemented. And don't forget those 
machines without domain.

Best Wishes,

On 2014-9-2 04:21, Jeroen van der Ham wrote:

Hi,

On 1 Sep 2014, at 10:43, Stephanie Daugherty  wrote:


Sure it shows me the fingerprint, but it doesn't tell me for sure if that's
the RIGHT fingerprint or the fingerprint of an imposter,

It's entirely possible that both myself and that site are BOTH falling
victim to a MITM attack.(routing attacks, DNS attacks, etc)

Proper host key verification (which nobody does) ideally means one or more
of:
* Verification that the SSH host key is connected via certificate chain to
a trusted certificate,
* Comparison to a fingerprint being posted on the organization's OWN https
site
* Comparison to a fingerprint provided with a GPG or S/MIME signature from
the administrator of the machine.
* Voice verification of the host public key or its fingerprint with the
administrator of the machine.
* Obtaining a printed copy of the host public key or its fingerprint
directly from the administrator.




There is a way now, using the “magic” of DNSSEC and SSHFP records: 
http://tools.ietf.org/html/rfc4255

You use the DNSSEC hierarchy to create a trust chain. You can then securely 
publish a signed fingerprint of your SSH host key for that specific machine.

Jeroen.

Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread John Leo 

Good to hear from you!

"marginally better"
We never said this is perfect. checkssh.com stops LOCAL bad boys. That's all.

"both myself and that site are BOTH falling victim"
Ah, here is the source code...
https://checkssh.com/result/indexdotphp.txt
It's extremely short and easy to read. You can set up your own Check SSH(where 
you trust).

"more robust alternatives"
Trust me - HTTPS is more mature. And our code is more simple.

Best Wishes,

On 2014-9-1 16:43, Stephanie Daugherty wrote:

Sure it shows me the fingerprint, but it doesn't tell me for sure if that's the 
RIGHT fingerprint or the fingerprint of an imposter,

It's entirely possible that both myself and that site are BOTH falling victim 
to a MITM attack.(routing attacks, DNS attacks, etc)

Proper host key verification (which nobody does) ideally means one or more of:
* Verification that the SSH host key is connected via certificate chain to a 
trusted certificate,
* Comparison to a fingerprint being posted on the organization's OWN https site
* Comparison to a fingerprint provided with a GPG or S/MIME signature from the 
administrator of the machine.
* Voice verification of the host public key or its fingerprint with the 
administrator of the machine.
* Obtaining a printed copy of the host public key or its fingerprint directly 
from the administrator.


Although this might be marginally better than trust on first contact (TOFC), 
the danger of a false sense of security likely outweigh any potential security 
gains over TOFC, particularly when more robust alternatives (MonkeySphere, 
signed host keys, use of an organization's own HTTPS site) exist and are 
clearly superior.



On Mon, Sep 1, 2014 at 12:41 AM, John Leo mailto:john...@checkssh.com>> wrote:

This tool displays SSH host key fingerprint - through HTTPS.

SSH is about security; host key matters a lot here; and you can know for 
sure by using this tool. It means you know precisely how to answer this 
question:
The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be 
established.
RSA key fingerprint is 
a4:d9:a4:d9:a4:d9a4:d9:a4:__d9a4:d9a4:d9a4:d9a4:d9a4:d9.
Are you sure you want to continue connecting (yes/no)?

https://checkssh.com/

We hackers don't want to get hacked. :-) SSH rocks - when host key is 
right. Enjoy!

Best Wishes,


_
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/__listinfo/fulldisclosure 

Web Archives & RSS: http://seclists.org/__fulldisclosure/

Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread john 
On 01/09/14 10:43, Stephanie Daugherty wrote:
> Sure it shows me the fingerprint, but it doesn't tell me for sure if that's
> the RIGHT fingerprint or the fingerprint of an imposter,
> 
> It's entirely possible that both myself and that site are BOTH falling
> victim to a MITM attack.(routing attacks, DNS attacks, etc)
> 
> Proper host key verification (which nobody does) ideally means one or more
> of:
> * Verification that the SSH host key is connected via certificate chain to
> a trusted certificate,
> * Comparison to a fingerprint being posted on the organization's OWN https
> site
> * Comparison to a fingerprint provided with a GPG or S/MIME signature from
> the administrator of the machine.
> * Voice verification of the host public key or its fingerprint with the
> administrator of the machine.
> * Obtaining a printed copy of the host public key or its fingerprint
> directly from the administrator.
Or just use an SSHFP record in a signed zone

Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread Jeroen van der Ham 
Hi,

On 1 Sep 2014, at 10:43, Stephanie Daugherty  wrote:

> Sure it shows me the fingerprint, but it doesn't tell me for sure if that's
> the RIGHT fingerprint or the fingerprint of an imposter,
> 
> It's entirely possible that both myself and that site are BOTH falling
> victim to a MITM attack.(routing attacks, DNS attacks, etc)
> 
> Proper host key verification (which nobody does) ideally means one or more
> of:
> * Verification that the SSH host key is connected via certificate chain to
> a trusted certificate,
> * Comparison to a fingerprint being posted on the organization's OWN https
> site
> * Comparison to a fingerprint provided with a GPG or S/MIME signature from
> the administrator of the machine.
> * Voice verification of the host public key or its fingerprint with the
> administrator of the machine.
> * Obtaining a printed copy of the host public key or its fingerprint
> directly from the administrator.
> 


There is a way now, using the “magic” of DNSSEC and SSHFP records: 
http://tools.ietf.org/html/rfc4255

You use the DNSSEC hierarchy to create a trust chain. You can then securely 
publish a signed fingerprint of your SSH host key for that specific machine.

Jeroen.

Re: [FD] SSH host key fingerprint - through HTTPS

2014-09-02 Thread maxigas 
From: John Leo 
Subject: [FD] SSH host key fingerprint - through HTTPS
Date: Mon, 01 Sep 2014 12:41:17 +0800

> This tool displays SSH host key fingerprint - through HTTPS.
> 
> SSH is about security; host key matters a lot here; and you can know
> for sure by using this tool. It means you know precisely how to answer
> this question:
> The authenticity of host 'blah.blah.blah (10.10.10.10)' can't be
> established.
> RSA key fingerprint is
> a4:d9:a4:d9:a4:d9a4:d9:a4:d9a4:d9a4:d9a4:d9a4:d9a4:d9.
> Are you sure you want to continue connecting (yes/no)?
> 
> https://checkssh.com/
> 
> We hackers don't want to get hacked. :-) SSH rocks - when host key is
> right. Enjoy!

Excellent point and thanks for the tool! Indeed, fingerprint
verification is the absolute weak point of SSH. Here the problem
is that you have to trust the service operators when you use
checkssh or set up your own. Is the source code available
somewhere?

Also, a better solution is to use Monkeysphere which uses the
public key infrastructure of PGP. It can not just check your SSH
fingerprints automatically but do a whole lot of other things:

http://web.monkeysphere.info/

--
maxigas, kiberpunk
FA00 8129 13E9 2617 C614 0901 7879 63BC 287E D166
http://research.metatron.ai/

People the switches!