submitted 2 months ago by t0mri@lemmy.ml to c/security@lemmy.ml

28 comments fedilink hide all child comments

There’s a server, a client, and a hacker in a network. For encryption, the client and the server need to share their private keys. Wouldn’t the hacker be able to grab those during their transmission and decrypt further messages as they please?

you are viewing a single comment's thread
view the rest of the comments

[-] Turun@feddit.de 2 points 2 months ago

Yes, that's why https needs certificates (and sometimes shows a broken lock) and why you need to accept the fingerprint when first connecting to a server via ssh.

[-] mitchty 3 points 2 months ago* (last edited 2 months ago)

Accepting ssh key fingerprints on first ssh is a bad practice. Ssh ca’s and or sshfp are around and have been for decades. Accepting random host keys is like trusting random self signed ssl certificates.

Use ssh ca’s for user and host keys so you can revoke and rekey hosts without having to update authorized keys. And then you can revoke access to hosts for users as well and much more.

this post was submitted on 28 Apr 2024

32 points (79.6% liked)

Security

4838 readers

2 users here now

Confidentiality Integrity Availability

founded 4 years ago

MODERATORS

gary_host_laptop@lemmy.ml