Garrett: We need better support for SSH host certificates
Posted Mar 28, 2023 9:39 UTC (Tue)
by Vipketsh (guest, #134480)
In reply to: Garrett: We need better support for SSH host certificates by NYKevin
Parent article: Garrett: We need better support for SSH host certificates
> 1. The key got changed for a legitimate reason.
So there is no problem and the warning is useless and the right thing to do is just bypass it.
> 2. The key got changed because someone is MitM'ing you.
Great, so as per your assessment this can be:
> ISP
Easy! I'll get the CEO replaced tomorrow. How hard could this ever be?
> IT department
Support desks are known to be very responsive, to the point, give detailed explanations, and fix things immediately. Especially when it comes to security. A support desk brick-walling people? Never heard of it! Very easy to solve, clearly.
> government
No problem! I'll just get a new government installed tomorrow, make the appropriate law changes, issue the right directives and problem solved. It would take me a whole day? I must be slow.
In summary: it's great that you know you are the target of a MitM attack, but reasonably you have two choices: (i) disconnect from the internet and go live in a cave or (ii) just suck it up and hope for the best. Option (i) isn't reasonable in today's world so that leaves one with (ii) and blindly ignoring warnings.
I'm not saying that this problem is immaterial to talk about or to try to solve, but it is also quite disingenuous to wave it away with "it's [the user's] social problem" and blame users when they end up ignoring warnings. If anything, the social problem is more on the service providers' side, who often don't inform users of problems/changes, put those explanations in places you have to hunt for them and/or try as hard as they can to build a wall between them and those "pesky lusers".
Posted Mar 28, 2023 15:59 UTC (Tue)
by NYKevin (subscriber, #129325)
Yes, I did. I told you to go read the organization's website, which would have worked in the GitHub case.
> In summary: it's great that you know you are the target of a MitM attack, but reasonably you have two choices: (i) disconnect from the internet and go live in a cave or (ii) just suck it up and hope for the best. Option (i) isn't reasonable in today's world so that leaves one with (ii) and blindly ignoring warnings.
There is also (iii) stop trying to use the service and go do something else instead, or (iv) use it and accept that you don't have any security guarantees.
> blame users when they end up ignoring warnings.
Nowhere in my comment did I blame the user. Please do not put words in my mouth. My position is that this is not a problem the technology is capable of solving. That doesn't make it the user's fault.
Posted Mar 28, 2023 17:49 UTC (Tue)
by geert (subscriber, #98403)
You are accessing github at work, so clearly this must be related to your work. So you are interacting with github projects to create products for your customers, or for use in your internal infrastructure. I guess at least someone at a higher level in your company must care if your product or internal infrastructure would become compromised?