[MichaelGG]

> I know that when I go to news.ycombinator.com, I'm getting Hacker News.

How do you know that? That's the whole point of SSL - knowing that you've traded private keys with the right party.

SSL for "encryption only" only works to defend against attackers that can listen to your network, but cannot write to it. So, sure, it defends against some passive collection system, and perhaps against some tools that are designed to just listen.

But, if browsers stopped displaying warnings, so that using a "bad" certificate worked just fine, then I'd bet the tools would just switch to allow cert injection and we'd all be worse off.

[SomeCallMeTim]

There was a story I read a while back about a support ticket filed with Mozilla for FireFox complaining about all of these "security warnings" that would pop up at every HTTPS site the user visited.

She was apparently someone who should have known better, but instead was willing to believe that FireFox was just warning her spuriously about valid HTTPS certs -- yes, someone had hacked her computer, and was collecting every bank, credit card, and online shopping password as she fell for an MITM attack over and over.

[martey]

I believe that this is the bug: https://bugzilla.mozilla.org/show_bug.cgi?id=460374

[runningdogx]

In that case, Mallory was a fool. Mallory should have installed the MITM cert in the browser's certificate store, to prevent warnings. How many people routinely audit their browser's SSL cert list?

[gergles]

No, the point of SSL is encryption. SSH seems to handle key exchange just fine.

(Hint: https should have been implemented the same way. CAs are fundamentally broken.)

[kgo]

No, SSH does not. Have you ever actually verified a host fingerprint? Of course not, no one does.

That's the way it's supposed to work. You know the first time you logon to a server and it asks if you trust it? You're supposed to call up the server admin and get them to read off the fingerprint, or have them email it to you, or get it from some other out-of-band channel.

And no-one, nowhere actually verifies host fingerprints. Even security conscious people. And what do people do when they get that warning about a modified fingerprint? Just delete the entry from authorized_hosts and re-connect.

So ssh actually does a really shitty job handling key exchange.

Anyway, the closest thing to a real alternative to https and CAs is monkeysphere (OpenPGP WoT for servers), but no-one uses that.

[pyre]

If I got an error about a modified footprint I wouldn't "just delete the entry" and re-connect... unless I know why it's complaining. If there's a reasonable explanation for why the keys are different then I might do that.

While 'security conscious people' might not verify the fingerprint out-of-band when adding it the first time, I'm sure most of them wouldn't just remove the authorized_hosts entry...

[gaius]

Yes, I often see this and it's almost always that a VIP has moved physical hosts for whatever reason (e.g. planned maintenance on the original box). Occasionally it's that someone's re-JumpStart'd the box. That's sufficient to create a false sense of security, if it ever happened "for real" I would likely dismiss it.

[riffraff]

but that is the case in which yoiu _already have_ the footprint. Parent^2 is talking about the first connection, which is when you validate the fingerprint the first time.

[apotheon]

Why don't people validate?

That doesn't make any sense to me. There are even free services that can perform the validation for you based on a "crowdsourced" approach to verification, like Perspectives:

http://www.techrepublic.com/blog/security/perspectives-provi...

[bmcc]

Several ssh implementations also support using certificates as hostkeys. Of course the ssh client will still need to be configured to trust the issuer but it can help with the 'first-connection-hostkey-fingerprint-verification' problem. In my experience most users will never verify the fingerprint.