[Security] S2S Leap of faith w/ SASL EXTERNAL

Peter Saint-Andre stpeter at stpeter.im
Fri Nov 19 09:16:57 CST 2010

On 11/19/10 7:42 AM, Jonathan Schleifer wrote:
> Am 19.11.2010 um 00:22 schrieb Matthew Wild:
>> In SSH at least you get notified (quite loudly) that the server 
>> fingerprint has changed.
> Not only that: You have to type "yes" to confirm you verified the
> fingerprint on the first connection attempt. This is not really leap
> of faith, it's verifying the fingerprint. It's only leap of faith if
> the user is too lazy / dumb / uninformed to verify the fingerprint.
> It was never designed as leap of faith, it's just what many users
> made out of it. And it fails if some government wants to read your
> traffic and just MITMs every SSH connection you try to establish.

Yes, and there are even some people out there who check the fingerprints
on the first connection attempt. :)


Peter Saint-Andre
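
The distinction drawn in the quoted exchange, verified first contact versus pure leap of faith, can be made concrete with a small pin store that behaves like SSH's known_hosts but keys on certificate fingerprints, as an XMPP server would for S2S peers. This is an added illustration, not code from this thread, from the XMPP project or from any SSH implementation; the domain `jabber.example` and the certificate byte strings are constructed stand-ins (they are not DER certificates, only bytes to hash), and the `PinStore` API is hypothetical. It shows why the two policies differ only on the very first connection, and why that is exactly the connection an interposer who is present from the start gets to win under leap of faith.

```python
import hashlib
from enum import Enum

# Constructed stand-ins for DER-encoded certificates; not real certificates.
CERT_LEGIT = b"constructed-cert: jabber.example (legitimate server)"
CERT_MITM = b"constructed-cert: jabber.example (interposed by attacker)"


class Verdict(Enum):
    NEEDS_VERIFICATION = "first contact: operator must verify the fingerprint"
    PINNED_AFTER_VERIFY = "first contact: fingerprint verified and pinned"
    PINNED_BLINDLY = "first contact: pinned without verification (leap of faith)"
    MATCH = "fingerprint matches the stored pin"
    MISMATCH = "REJECTED: fingerprint differs from the stored pin"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, colon-separated as SSH and XMPP tools print it."""
    return ":".join(f"{b:02x}" for b in hashlib.sha256(cert_der).digest())


class PinStore:
    """Per-domain certificate pins, analogous to SSH's known_hosts (hypothetical API)."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, domain: str, cert_der: bytes, *,
              operator_confirmed: bool = False,
              leap_of_faith: bool = False) -> Verdict:
        fp = fingerprint(cert_der)
        stored = self._pins.get(domain)
        if stored is None:
            # First contact. Verified TOFU refuses to pin until a human has
            # compared the fingerprint out of band (the "type yes" step);
            # leap of faith pins whatever it sees, which is all a
            # first-connection interposer needs.
            if operator_confirmed:
                self._pins[domain] = fp
                return Verdict.PINNED_AFTER_VERIFY
            if leap_of_faith:
                self._pins[domain] = fp
                return Verdict.PINNED_BLINDLY
            return Verdict.NEEDS_VERIFICATION
        # Every later contact is a plain comparison; a change is loud.
        return Verdict.MATCH if stored == fp else Verdict.MISMATCH


def verified_tofu_scenario() -> list[Verdict]:
    """Operator verifies on first contact; a later substituted cert is rejected."""
    store = PinStore()
    return [
        store.check("jabber.example", CERT_LEGIT),                           # refuses to pin
        store.check("jabber.example", CERT_LEGIT, operator_confirmed=True),  # pinned
        store.check("jabber.example", CERT_LEGIT),                           # match
        store.check("jabber.example", CERT_MITM),                            # mismatch
    ]


def leap_of_faith_scenario() -> list[Verdict]:
    """Interposer present from the first connection; nothing is ever flagged."""
    store = PinStore()
    return [
        store.check("jabber.example", CERT_MITM, leap_of_faith=True),  # attacker cert pinned
        store.check("jabber.example", CERT_MITM),                      # match, silently
        store.check("jabber.example", CERT_LEGIT),                     # real server now "mismatches"
    ]
```

The second scenario is the failure mode named in the quoted message: once the wrong fingerprint is pinned on first contact, every subsequent check passes and it is the genuine server that later trips the mismatch alarm. Any detection built on top of such a store therefore has to treat the first-contact event itself as the thing worth logging and reviewing, not only later changes.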
