Garrett: We need better support for SSH host certificates Garrett: We need better support for SSH host certificates

Matthew Garrett looks at the recent disclosure of GitHub's private host key, how it probably came about, and what a better approach to key management might look like.
The main problem is that client tooling just doesn't handle this well. OpenSSH has no way to do TOFU for CAs, just the keys themselves. This means there's no way to do a git clone ssh://git@github.com/whatever and get a prompt asking you to trust Github's CA. Instead, you need to add a @cert-authority github.com (key) line to your known_hosts file by hand, and since approximately nobody's going to do that there's only marginal benefit in going to the effort to implement this infrastructure. The most important thing we can do to improve the security of the SSH ecosystem is to make it easier to use certificates, and that means improving the behaviour of the clients.





from LWN.net https://ift.tt/IcZk5GW

via IFTTT

Comments

Post a Comment

Popular posts from this blog

Intentional dark pattern by Coinbase or just terrible UI?

Intentional dark pattern by Coinbase or just terrible UI? 2 by jjeaff | 0 comments on Hacker News. I recently needed to check a past transfer to confirm that I was sending some crypto to the same wallet address. In the past, the last few transactions showed up on the "Pay" page. They have since renamed "Pay" to Transfers or something like that. They no longer show past transactions, so I went down a rabbit hole of searching through the app, couldn't find it, then had to google it and found a help page for Coinbase. There is a link in the article to coinbase.com/reports (I can find no way to get to it from the web app except by following the link from the help article.) Once there, you can select the date ranges you want and generate a transaction report in PDF or CSV and then you have to wait a bit while it generates the report for you to download. What kind of UI craziness is this? A user's transaction history is such a basic feature, I can't imagine c...
Read more