What you describe is exactly the behavior the author calls "Firefox' war on self-signed certificates". The actual proposal calls for a browser that does NOT prompt the user all the time. It would just prompt when something extraordinary happens (such as the server's already known certificate changing).
> After a few days of this, you'll see why the SSH model hasn't seen widespread adoption for HTTPS
That's not really true. It has simply never been done for browsers, because many people think it's an abomination and, to paraphrase well-known HNers from previous discussions, supposedly useless and little more than obfuscation instead of encryption.
It's not the first time TOFU/POP has been suggested on HN, too. I find it curious this proposal got so many upvotes here today. I don't remember that many people coming to mine and other people's defenses when we suggested the exact same thing a few months back and crypto gurus were rending their hair like we had committed the most stupidly blasphemous act conceivable to modern computer science.
The first time you connect to an SSH server, your client will display that server's key, and prompt for instructions.
Notably, SSH will not automatically connect. It asks first. That's why it's useful. Additionally, SSH is such a niche tool that its users can be expected to be security-minded -- for example, by checking that the fingerprint matches the expected string instead of just clicking through.
If browsers automatically trusted a page the first time they hit, attackers can just redirect the user to http://paypa1.com/ and feed them a fancy, green-url certificate.
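The SSH behaviour described in this comment (show the key on first contact and ask, connect silently on a match, and refuse on a change) is easy to state as code. The following is an added example written for this thread, not code from any commenter, Firefox or OpenSSH. It keeps a known_hosts-style pin file keyed by host:port, uses the SHA-256 fingerprint of the DER-encoded certificate (the same digest `openssl x509 -fingerprint -sha256` prints), and separates the three outcomes a TOFU client has to handle. The hostnames and the byte strings standing in for DER certificates are constructed for the demo; the `accept_unknown` callback is a stand-in for the "(yes/no)?" prompt.

```python
import hashlib
import os
import tempfile
from enum import Enum


class TofuResult(Enum):
    FIRST_SEEN = "first-seen"  # no pin for this host: show fingerprint, ask, then pin
    KNOWN = "known"            # pin matches: connect without prompting
    MISMATCH = "mismatch"      # pin differs: warn and refuse, never auto-accept


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class TofuStore:
    """known_hosts-style pin store: one 'host:port fingerprint' line per pin."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                for line in f:
                    line = line.strip()
                    if not line or line.startswith("#"):
                        continue
                    key, fp = line.split(None, 1)
                    self.pins[key] = fp

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Pins are per hostname, so paypa1.com and paypal.com are unrelated
        # entries: TOFU says nothing about whether a name is the one you meant.
        return f"{host.lower()}:{port}"

    def _save(self) -> None:
        with open(self.path, "w") as f:
            f.write("# host:port sha256-fingerprint\n")
            for key, fp in sorted(self.pins.items()):
                f.write(f"{key} {fp}\n")

    def check(self, host: str, port: int, cert_der: bytes):
        """Classify the presented certificate against the pin store."""
        fp = cert_fingerprint(cert_der)
        pinned = self.pins.get(self._key(host, port))
        if pinned is None:
            return TofuResult.FIRST_SEEN, fp
        if pinned == fp:
            return TofuResult.KNOWN, fp
        return TofuResult.MISMATCH, fp

    def pin(self, host: str, port: int, cert_der: bytes) -> None:
        self.pins[self._key(host, port)] = cert_fingerprint(cert_der)
        self._save()


def connect_decision(store: TofuStore, host: str, port: int,
                     cert_der: bytes, accept_unknown) -> bool:
    """Mirror the SSH flow. accept_unknown(host, port, fp) -> bool stands in
    for the interactive first-contact prompt. A changed fingerprint is never
    accepted here; clearing the pin must be a separate, deliberate act."""
    result, fp = store.check(host, port, cert_der)
    if result is TofuResult.KNOWN:
        return True
    if result is TofuResult.FIRST_SEEN:
        if accept_unknown(host, port, fp):
            store.pin(host, port, cert_der)
            return True
        return False
    print(f"WARNING: certificate for {host}:{port} has changed "
          f"(pinned {store.pins[store._key(host, port)]}, got {fp}); refusing.")
    return False


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates; real code would pass the
    # bytes returned by ssl.SSLSocket.getpeercert(binary_form=True).
    cert_a = b"\x30\x82constructed-cert-A"
    cert_b = b"\x30\x82constructed-cert-B"
    store = TofuStore(os.path.join(tempfile.mkdtemp(), "known_hosts"))
    say_yes = lambda h, p, fp: print(f"first contact with {h}:{p}, fingerprint {fp}") or True
    print(connect_decision(store, "example.com", 443, cert_a, say_yes))  # prompt, pin, True
    print(connect_decision(store, "example.com", 443, cert_a, say_yes))  # silent, True
    print(connect_decision(store, "example.com", 443, cert_b, say_yes))  # warning, False
```

The mismatch branch deliberately has no "accept anyway" path: the comment's point is that the value of the model lies in asking on first contact and refusing on change, and an automatic override on change would reduce it to the always-prompt behaviour the thread is arguing about.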
> Notably, SSH will not automatically connect. It asks first. That's why it's useful.
How many sysadmins really do check their newly installed server's fingerprint? They just type "yes" on first connect and grab the server's certificate. I believe very few people actually do manual lookups when SSH pops the first-connection warning.
Most hosting providers will send you cleartext passwords for your server by email. When you log onto that server for the first time, there is no easy way to tell if you're the victim of an elaborate MITM attack. So that's happening right now.
> If browsers automatically trusted a page the first time they hit, attackers can just redirect the user to http://paypa1.com/ and feed them a fancy, green-url certificate.
Indeed they can. Nobody's suggesting otherwise. By the way, I can do that today, by registering a cert for paypa1.com, just to see how many people actually take a second look at the content of the certificate.
You really need to start looking more carefully at those SSH messages. In particular, the fact that you get an SSH warning when a site's key suddenly changes is 99% of the security value of SSH.
It was an old Usenix conference trick --- I think it's Dug Song's, but I'm not really sure --- to snarf people's SSH logins by capitalizing on their lack of interest in those messages. It's a trivial attack.
I wasn't talking about ignoring any SSH warnings that occur when a site's key suddenly changes. Really, look at my comments, that's not at all what I said, is it?
You are misrepresenting my position and then attacking me for it.
There is not a difference between your fingerprint changing, and you not having existing knowledge to compare it to. Your action in either case should be the same.
I disagree. If I get a warning out of the blue, yeah, I take it seriously: something unexpected is going on, and I'm not going to trust the server until I know what it is. But if I know there's going to be a server upgrade overnight and I get an SSH warning in the morning, I figure odds are good that it's because of the new server rather than a coincidentally timed MITM attack. That's not perfect security, certainly, but as long as MITM attacks are rare it doesn't cost you that much of SSH's value.
(All bets are off if someone is targeting your organization specifically, of course: they'd presumably have heard about the server changes in advance and take that opportunity to attack. If I considered that a serious concern in my circumstances then I'd ramp up my security level across the board.)
I have had security conscious hosting providers who have done a proper fingerprint validation over the phone, half each way, for ssh fingerprints. It's rare though. Sign of a good provider...