mor grammer fixs
This commit is contained in:
parent
ebaf348dd3
commit
7a904114c3
@ -109,8 +109,8 @@
|
|||||||
steal tons of credit card numbers and passwords.
|
steal tons of credit card numbers and passwords.
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
In order to enable this, a new sub-protocol called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created.
|
In order to enable this, a new standard called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created.
|
||||||
X.509 is a standard related to the data format of certificates and keys (public keys and private keys), but it also defines
|
X.509 dictates the data format of certificates and keys (public keys and private keys), and it also defines
|
||||||
a simple and easy way to determine whether a given certificate (public key) is authentic.
|
a simple and easy way to determine whether a given certificate (public key) is authentic.
|
||||||
X.509 introduced the concept of a Certificate Authority, or CA.
|
X.509 introduced the concept of a Certificate Authority, or CA.
|
||||||
These CAs were supposed to be bank-like public institutions of power which everyone could trust.
|
These CAs were supposed to be bank-like public institutions of power which everyone could trust.
|
||||||
@ -143,7 +143,7 @@
|
|||||||
<li>
|
<li>
|
||||||
Does the certificate contain a valid CA signature?
|
Does the certificate contain a valid CA signature?
|
||||||
(can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?)
|
(can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?)
|
||||||
If not, display a <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>.
|
If not, display an <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>.
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
@ -178,7 +178,7 @@
|
|||||||
allow themselves to be subjugated by so-called "Certificate Authorities".
|
allow themselves to be subjugated by so-called "Certificate Authorities".
|
||||||
So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy —
|
So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy —
|
||||||
a very minimal defense was enough to deter attackers.
|
a very minimal defense was enough to deter attackers.
|
||||||
In order to help prevent these MITM attacks, instead of something like X.509, SSH uses a policy called
|
In order to help prevent these MITM attacks, instead of something like X.509, SSH employs a policy called
|
||||||
<a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a>.
|
<a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a>.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
@ -207,7 +207,8 @@
|
|||||||
Here, the SSH client is displaying the fingerprint (<a href="https://en.wikipedia.org/wiki/SHA-2">SHA256 hash</a>)
|
Here, the SSH client is displaying the fingerprint (<a href="https://en.wikipedia.org/wiki/SHA-2">SHA256 hash</a>)
|
||||||
of the public key provided by the server at <span class="code">fooserver.com</span>.
|
of the public key provided by the server at <span class="code">fooserver.com</span>.
|
||||||
Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand.
|
Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand.
|
||||||
So it would have been perfectly reasonable to call the person installing the server
|
So it would have been perfectly reasonable to call the person installing the server on thier
|
||||||
|
<a href="https://nokiamuseum.info/nokia-909/">Nokia 909</a>
|
||||||
and ask them to log into it & read off the host key fingerprint over the phone.
|
and ask them to log into it & read off the host key fingerprint over the phone.
|
||||||
After verifing that the fingerprints match in the phone call, the user would type <span class="code">yes</span>
|
After verifing that the fingerprints match in the phone call, the user would type <span class="code">yes</span>
|
||||||
to continue.
|
to continue.
|
||||||
@ -255,8 +256,8 @@ Host key verification failed.
|
|||||||
If you type <span class="code">yes</span> here without checking the server's host key somehow, you could add an attackers public key to the trusted
|
If you type <span class="code">yes</span> here without checking the server's host key somehow, you could add an attackers public key to the trusted
|
||||||
list in your <span class="code">~/.ssh/known_hosts</span> file; if you type <span class="code">yes</span> blindly, you are
|
list in your <span class="code">~/.ssh/known_hosts</span> file; if you type <span class="code">yes</span> blindly, you are
|
||||||
<b>completely disabling all security of the SSH connection</b>.
|
<b>completely disabling all security of the SSH connection</b>.
|
||||||
It can be fully man-in-the-middle attacked & you are vulnerable to spying, command injection, result-falsification,
|
It can be fully man-in-the-middle attacked & you are
|
||||||
the whole nine yards.
|
vulnerable to surveillance, command injection, even emulation/falsification of the entire stream.
|
||||||
</p>
|
</p>
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
|
Loading…
Reference in New Issue
Block a user