Re: [c2k8]: Developer Blog: grunk@ - SSH Fingerprint Visualization Support (mod -11/57)
by Anonymous Coward (126.96.36.199) on Sat May 16 01:33:45 2009 (GMT)
> Am I the only one who does not like it? Numbers are cumbersome, but they are precise.
> Pictures can confuse the viewer. I think it should be possible to write a small program that generates thousands of keys, trying to create one where the fingerprint picture is close to the original picture. Assuming that the user has no picture reference, it seems likely that he will accept the false key as his own. The brain is great in recognizing things even if they are not 100% the same.
> This looks like a security facade to me, weakening the security.
Well, on the other hand it's actually much easier to generate thousands of keys and find one that has a hex fingerprint that starts and ends with the same couple of bytes as the fingerprint on the machine you are attacking, so in that respect it's no more or less secure than the existing method of asking a user to verify the hex key. Either they will identify it exactly, byte by byte, or they will choose an approximation. The fingerprint is a more easily recognized approximation, but obviously it's still not a substitute for out-of-band validation.
IMO they really need to add the capability for ssh to validate keys through a CA.
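The comparison the comment is about, as an added example that is not part of the original post or of OpenSSH's own code: a Python rendering of the drunken-bishop randomart that OpenSSH draws for a hex fingerprint, next to the two ways a user might compare fingerprints, a glance at the first and last bytes versus an exact byte-by-byte check. The 17x9 field, the walk rules and the glyph table follow the OpenSSH algorithm as I understand it; the "RSA 2048" header and the two fingerprints are constructed samples, not real host keys.

```python
"""Added example for this thread (not code from the original post or from
OpenSSH): the drunken-bishop randomart OpenSSH draws for a fingerprint, next
to the two ways a user might compare fingerprints.  Field size, walk rules
and glyph table follow the OpenSSH algorithm as understood by the author of
this example; the fingerprints below are constructed samples, not real keys."""
import hmac

FLD_X, FLD_Y = 17, 9                      # field width and height
GLYPHS = " .o+=*BOX@%&#/^"                # glyph = number of visits, capped at '^'
START_MARK, END_MARK = "S", "E"


def parse_fingerprint(fp):
    """Turn 'fc:94:b0:...' (or bare hex) into the raw digest bytes."""
    return bytes.fromhex(fp.replace(":", "").strip())


def randomart(fp, key_type="RSA", key_bits=2048):
    """Return the framed randomart lines (11 of them) for a hex fingerprint."""
    field = [[0] * FLD_X for _ in range(FLD_Y)]
    x, y = FLD_X // 2, FLD_Y // 2          # the bishop starts in the centre
    sx, sy = x, y
    for byte in parse_fingerprint(fp):
        for _ in range(4):                 # four 2-bit moves per byte, LSB first
            x += 1 if byte & 0x1 else -1   # bit 0: left or right
            y += 1 if byte & 0x2 else -1   # bit 1: up or down
            x = min(max(x, 0), FLD_X - 1)  # the walls stop the bishop
            y = min(max(y, 0), FLD_Y - 1)
            if field[y][x] < len(GLYPHS) - 1:
                field[y][x] += 1           # count visits, capped at the last glyph
            byte >>= 2
    grid = [[GLYPHS[v] for v in row] for row in field]
    grid[sy][sx] = START_MARK              # where the walk began
    grid[y][x] = END_MARK                  # where it ended
    header = "+--[{:>4} {:>4}]".format(key_type, key_bits).ljust(FLD_X + 1, "-") + "+"
    footer = "+" + "-" * FLD_X + "+"
    return [header] + ["|" + "".join(row) + "|" for row in grid] + [footer]


def fingerprints_match(seen, reference):
    """The only check that means anything: every byte, compared in constant time."""
    return hmac.compare_digest(parse_fingerprint(seen), parse_fingerprint(reference))


def glance_match(seen, reference, n=2):
    """Model of the hurried comparison the comment describes: only the first
    and last n bytes are looked at.  Two keys can agree there and still differ."""
    a, b = parse_fingerprint(seen), parse_fingerprint(reference)
    return a[:n] == b[:n] and a[-n:] == b[-n:]


# Constructed sample fingerprints (not real keys).  The second shares the first
# and last two bytes with the first, which is all a quick glance would check.
REFERENCE = "fc:94:b0:c1:e5:b0:98:7c:58:43:99:76:97:ee:9f:b7"
LOOKALIKE = "fc:94:3a:7d:01:e2:c5:88:6b:10:4f:d9:2e:a7:9f:b7"

if __name__ == "__main__":
    for fp in (REFERENCE, LOOKALIKE):
        print(fp)
        print("\n".join(randomart(fp)))
    print("glance:", glance_match(LOOKALIKE, REFERENCE))
    print("exact: ", fingerprints_match(LOOKALIKE, REFERENCE))
```

Run it and the two pictures differ while the glance check passes; only `fingerprints_match` rejects the look-alike. That is the point of the comment in code: whether the user looks at hex or at a picture, anything short of the full digest is an approximation, and the picture only makes the approximation easier to remember, not stronger.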