mor grammer fixs

This commit is contained in:
forest 2021-01-31 00:57:33 -06:00
parent ebaf348dd3
commit 7a904114c3

View File

@ -109,8 +109,8 @@
steal tons of credit card numbers and passwords. steal tons of credit card numbers and passwords.
</p> </p>
<p> <p>
In order to enable this, a new sub-protocol called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created. In order to enable this, a new standard called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created.
X.509 is a standard related to the data format of certificates and keys (public keys and private keys), but it also defines X.509 dictates the data format of certificates and keys (public keys and private keys), and it also defines
a simple and easy way to determine whether a given certificate (public key) is authentic. a simple and easy way to determine whether a given certificate (public key) is authentic.
X.509 introduced the concept of a Certificate Authority, or CA. X.509 introduced the concept of a Certificate Authority, or CA.
These CAs were supposed to be bank-like public institutions of power which everyone could trust. These CAs were supposed to be bank-like public institutions of power which everyone could trust.
@ -143,7 +143,7 @@
<li> <li>
Does the certificate contain a valid CA signature? Does the certificate contain a valid CA signature?
(can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?) (can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?)
If not, display a <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>. If not, display an <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>.
</li> </li>
</ul> </ul>
</li> </li>
@ -178,7 +178,7 @@
allow themselves to be subjugated by so-called "Certificate Authorities". allow themselves to be subjugated by so-called "Certificate Authorities".
So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy — So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy —
a very minimal defense was enough to deter attackers. a very minimal defense was enough to deter attackers.
In order to help prevent these MITM attacks, instead of something like X.509, SSH uses a policy called In order to help prevent these MITM attacks, instead of something like X.509, SSH employs a policy called
<a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a>. <a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a>.
</p> </p>
@ -207,7 +207,8 @@
Here, the SSH client is displaying the fingerprint (<a href="https://en.wikipedia.org/wiki/SHA-2">SHA256 hash</a>) Here, the SSH client is displaying the fingerprint (<a href="https://en.wikipedia.org/wiki/SHA-2">SHA256 hash</a>)
of the public key provided by the server at <span class="code">fooserver.com</span>. of the public key provided by the server at <span class="code">fooserver.com</span>.
Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand. Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand.
So it would have been perfectly reasonable to call the person installing the server So it would have been perfectly reasonable to call the person installing the server on thier
<a href="https://nokiamuseum.info/nokia-909/">Nokia 909</a>
and ask them to log into it & read off the host key fingerprint over the phone. and ask them to log into it & read off the host key fingerprint over the phone.
After verifing that the fingerprints match in the phone call, the user would type <span class="code">yes</span> After verifing that the fingerprints match in the phone call, the user would type <span class="code">yes</span>
to continue. to continue.
@ -255,8 +256,8 @@ Host key verification failed.
If you type <span class="code">yes</span> here without checking the server's host key somehow, you could add an attackers public key to the trusted If you type <span class="code">yes</span> here without checking the server's host key somehow, you could add an attackers public key to the trusted
list in your <span class="code">~/.ssh/known_hosts</span> file; if you type <span class="code">yes</span> blindly, you are list in your <span class="code">~/.ssh/known_hosts</span> file; if you type <span class="code">yes</span> blindly, you are
<b>completely disabling all security of the SSH connection</b>. <b>completely disabling all security of the SSH connection</b>.
It can be fully man-in-the-middle attacked & you are vulnerable to spying, command injection, result-falsification, It can be fully man-in-the-middle attacked & you are
the whole nine yards. vulnerable to surveillance, command injection, even emulation/falsification of the entire stream.
</p> </p>
<p> <p>