China, GitHub and the man-in-the-middle (Greatfire) [LWN.net]

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 30, 2013 22:46 UTC (Wed) by avsej (guest, #72462)
Parent article: China, GitHub and the man-in-the-middle (Greatfire)

they could choose to use ssh protocol to interact with github it doesn't rely on SSL certificates

to post comments

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 0:03 UTC (Thu) by robert_s (subscriber, #42402) [Link] (3 responses)

Yes, but it does that by more or less _ignoring_ the problem of key distribution (leaving the user to manually verify a host's fingerprint). SSL at least tries that by using a PKI (public key infrastructure) - however such things aren't always perfect, which is what the article is trying to point out.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Jan 31, 2013 8:19 UTC (Thu) by pabs (subscriber, #43278) [Link]

There is a PKI for SSH too:

http://web.monkeysphere.info/

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 1, 2013 8:59 UTC (Fri) by job (guest, #670) [Link] (1 responses)

Any modern OpenSSH will look up SSHFP in DNS. Provided you turn on DNSSEC (and github actually publishes this), that's as good as it gets. The root key trustees are few and very closely guarded.

China, GitHub and the man-in-the-middle (Greatfire)

Posted Feb 5, 2013 8:51 UTC (Tue) by Lennie (subscriber, #49641) [Link]

DNS in China ? Really ? That is the first thing they mess with. If you are behind the Chinese Firewall, DNSSEC isn't gonna work.