Hacker News new | ask | show | jobs
by OrpheanBeholder 3611 days ago
> A bit ironic openssh.com doesn't have HTTPS

You can however access the release notes (or any other file/page from the website for that matter) over SSH using CVS

    $ cvs -d anoncvs@anoncvs.ca.openbsd.org:/cvs get www/openssh/txt/release-7.3
1 comments
schmichael 3611 days ago
Unless you've gotten anoncvs.ca.openbsd.org's host key fingerprint through some secure mechanism (say... HTTPS), SSH only encrypts the transport. It does nothing to stop a MITM (eg a malware injecting proxy).
link
OrpheanBeholder 3611 days ago
Get the host fingerprints over TLS then?

https://www.openbsd.org/anoncvs.html

link
jlgaddis 3611 days ago
In which case ISTM that they could have just enabled HTTPS on www.openssh.com and saved us a few steps.
link