diff --git a/capsulflask/templates/about-ssh.html b/capsulflask/templates/about-ssh.html
index 28caae3..d1bc749 100644
--- a/capsulflask/templates/about-ssh.html
+++ b/capsulflask/templates/about-ssh.html
@@ -109,8 +109,8 @@
steal tons of credit card numbers and passwords.
- In order to enable this, a new sub-protocol called X.509 was created.
- X.509 is a standard related to the data format of certificates and keys (public keys and private keys), but it also defines
+ In order to enable this, a new standard called X.509 was created.
+ X.509 dictates the data format of certificates and keys (public keys and private keys), and it also defines
a simple and easy way to determine whether a given certificate (public key) is authentic.
X.509 introduced the concept of a Certificate Authority, or CA.
These CAs were supposed to be bank-like public institutions of power which everyone could trust.
@@ -143,7 +143,7 @@
Does the certificate contain a valid CA signature?
(can the signature on the certificate be decrypted by one of the CA Certificates included with the operating system?)
- If not, display a UNKNOWN_ISSUER error.
+ If not, display an UNKNOWN_ISSUER error.
@@ -178,7 +178,7 @@
allow themselves to be subjugated by so-called "Certificate Authorities".
So, what are they doing instead? Where is SSH at? Well, back when it was created, computer security was easy —
a very minimal defense was enough to deter attackers.
- In order to help prevent these MITM attacks, instead of something like X.509, SSH uses a policy called
+ In order to help prevent these MITM attacks, instead of something like X.509, SSH employs a policy called
Trust On First Use (TOFU).
@@ -207,7 +207,8 @@
Here, the SSH client is displaying the fingerprint (SHA256 hash)
of the public key provided by the server at fooserver.com.
Back in the day, when SSH was created, servers lived for months to years, not minutes, and they were installed by hand.
- So it would have been perfectly reasonable to call the person installing the server
+ So it would have been perfectly reasonable to call the person installing the server on thier
+ Nokia 909
and ask them to log into it & read off the host key fingerprint over the phone.
After verifing that the fingerprints match in the phone call, the user would type yes
to continue.
@@ -255,8 +256,8 @@ Host key verification failed.
If you type yes here without checking the server's host key somehow, you could add an attackers public key to the trusted
list in your ~/.ssh/known_hosts file; if you type yes blindly, you are
completely disabling all security of the SSH connection.
- It can be fully man-in-the-middle attacked & you are vulnerable to spying, command injection, result-falsification,
- the whole nine yards.
+ It can be fully man-in-the-middle attacked & you are
+ vulnerable to surveillance, command injection, even emulation/falsification of the entire stream.