forked from 3wordchant/capsul-flask
mor grammer fixs
This commit is contained in:
parent
ebaf348dd3
commit
7a904114c3
@ -109,8 +109,8 @@
|
||||
steal tons of credit card numbers and passwords.
|
||||
</p>
|
||||
<p>
|
||||
In order to enable this, a new sub-protocol called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created.
|
||||
X.509 is a standard related to the data format of certificates and keys (public keys and private keys), but it also defines
|
||||
In order to enable this, a new standard called <a href="https://en.wikipedia.org/wiki/X.509">X.509</a> was created.
|
||||
X.509 dictates the data format of certificates and keys (public keys and private keys), and it also defines
|
||||
a simple and easy way to determine whether a given certificate (public key) is authentic.
|
||||
X.509 introduced the concept of a Certificate Authority, or CA.
|
||||
These CAs were supposed to be bank-like public institutions of power which everyone could trust.
|
||||
@ -143,7 +143,7 @@
|
||||
<li>
|
||||
Does the certificate contain a valid CA signature?
|
||||
(can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?)
|
||||
If not, display a <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>.
|
||||
If not, display an <a href="https://untrusted-root.badssl.com/">UNKNOWN_ISSUER error</a>.
|
||||
</li>
|
||||
</ul>
|
||||
</li>
|
||||
@ -178,7 +178,7 @@
|
||||
allow themselves to be subjugated by so-called "Certificate Authorities".
|
||||
So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy —
|
||||
a very minimal defense was enough to deter attackers.
|
||||
In order to help prevent these MITM attacks, instead of something like X.509, SSH uses a policy called
|
||||
In order to help prevent these MITM attacks, instead of something like X.509, SSH employs a policy called
|
||||
<a href="https://en.wikipedia.org/wiki/Trust_on_first_use">Trust On First Use (TOFU)</a>.
|
||||
</p>
|
||||
|
||||
@ -207,7 +207,8 @@
|
||||
Here, the SSH client is displaying the fingerprint (<a href="https://en.wikipedia.org/wiki/SHA-2">SHA256 hash</a>)
|
||||
of the public key provided by the server at <span class="code">fooserver.com</span>.
|
||||
Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand.
|
||||
So it would have been perfectly reasonable to call the person installing the server
|
||||
So it would have been perfectly reasonable to call the person installing the server on thier
|
||||
<a href="https://nokiamuseum.info/nokia-909/">Nokia 909</a>
|
||||
and ask them to log into it & read off the host key fingerprint over the phone.
|
||||
After verifing that the fingerprints match in the phone call, the user would type <span class="code">yes</span>
|
||||
to continue.
|
||||
@ -255,8 +256,8 @@ Host key verification failed.
|
||||
If you type <span class="code">yes</span> here without checking the server's host key somehow, you could add an attackers public key to the trusted
|
||||
list in your <span class="code">~/.ssh/known_hosts</span> file; if you type <span class="code">yes</span> blindly, you are
|
||||
<b>completely disabling all security of the SSH connection</b>.
|
||||
It can be fully man-in-the-middle attacked & you are vulnerable to spying, command injection, result-falsification,
|
||||
the whole nine yards.
|
||||
It can be fully man-in-the-middle attacked & you are
|
||||
vulnerable to surveillance, command injection, even emulation/falsification of the entire stream.
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
Loading…
Reference in New Issue
Block a user