[Cryptography] WireGuard

Howard Chu hyc at symas.com
Sat Sep 1 03:28:05 EDT 2018

Stephan Neuhaus wrote:
> On 30.08.18 17:56, Howard Chu wrote:
>> ssh's default key model is "convenient" but less secure than the certificate authority model, as
>> soon as you have more than one computer in an administrative domain. How many people actually
>> stop and phone up a remote collaborator to verify a host key the first time they connect to a
>> new machine?
> I am not a fan of the "certificate authority model", for reasons we don't need to go into here,
> and I would contest your assertion that it is "less secure" than SSH's model,

You misread. The words I wrote above explicitly state that the certificate authority model
is more secure than ssh's default key model.

> but in answer to your question, I refer you to the abstract of Peter Gutmann, Do Users Verify SSH Keys? Usenix :login; August 2011. 
> https://www.usenix.org/system/files/login/articles/105484-Gutmann.pdf

Thanks for confirming that nobody checks host keys, which was exactly my point.

Most people will skip past unknown TLS certificates too, at least in web browsers. But it's
so much rarer to encounter them that you can train a user population to be suspicious of
them. Particularly in the case of authenticating ssh logins. Then you're no longer talking
about random users and random hosts. With a custom self-signed CA you can tell all of your
users "this is the only valid CA cert" and your entire network of hosts is unambiguously

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
