
> Meaning that a lot of users will blindly accept whatever new key (even when it might be the one owned by an attacker doing MITM)

This is less likely because, unlike for TOFU, the SSH client just rejects the mismatch and insists you take manual action, and the likely manual action will be "Paste this stuff from the announcement".

So an adversary needs to either subvert whatever messaging you see (which is tricky, likely impossible for a random user visiting the GitHub website wondering what's wrong) or hope that you just try to muddle along and do TOFU again, putting you in the same spot as a whole bunch of users every day at GitHub.
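The three outcomes the comment above contrasts (unknown host, which gets a TOFU prompt; a matching entry, accepted silently; a changed key, hard-rejected with the "REMOTE HOST IDENTIFICATION HAS CHANGED" banner) can be made concrete with a small simulation of the client's known_hosts check, followed by the "manual action" of replacing the stale entry only when the presented key's fingerprint matches the one from the out-of-band announcement. This is an added illustration, not code from the comment or from OpenSSH; the known_hosts text and key blobs are constructed sample data, not GitHub's real keys, and the parser deliberately ignores hashed (`|1|...`) entries and `@cert-authority` / `@revoked` markers that a real file may contain.

```python
"""Simulate an OpenSSH client's known_hosts decision and the safe rotation step.

Added example (not OpenSSH code, not from the thread). Sample keys are constructed.
"""
import base64
import hashlib

# Constructed sample data: base64 blobs standing in for real key material.
OLD_KEY = base64.b64encode(b"constructed old host key blob").decode()
NEW_KEY = base64.b64encode(b"constructed new host key blob").decode()
KNOWN_HOSTS = (
    f"github.com ssh-rsa {OLD_KEY}\n"
    f"example.org ssh-ed25519 {OLD_KEY}\n"
)


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the raw key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host, keytype, key_b64) for plain entries; skip markers/hashed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@", "|1|")):
            continue
        hosts, keytype, key_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):
            yield host, keytype, key_b64


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str):
    """Return (decision, fingerprint) where decision is one of:
    'unknown'  - no entry of this key type for the host (TOFU prompt),
    'match'    - entry present with the same key (accepted silently),
    'mismatch' - entry present with a different key (hard reject; the
                 'REMOTE HOST IDENTIFICATION HAS CHANGED' case).
    Comparing per key type is a simplification of OpenSSH's real logic."""
    fp = fingerprint(key_b64)
    recorded = [k for h, t, k in parse_known_hosts(known_hosts)
                if h == host and t == keytype]
    if not recorded:
        return "unknown", fp
    if key_b64 in recorded:
        return "match", fp
    return "mismatch", fp


def rotate_host_key(known_hosts: str, host: str, keytype: str,
                    new_key_b64: str, announced_fp: str) -> str:
    """The manual action after a mismatch. Replace the stale entry only if the
    presented key's fingerprint equals the one published out of band; a
    MITM key would fail this check instead of being accepted TOFU-style."""
    if fingerprint(new_key_b64) != announced_fp:
        raise ValueError("presented key does not match the announced fingerprint")
    kept = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host in parts[0].split(",") and parts[1] == keytype:
            continue  # drop the stale entry (what `ssh-keygen -R host` does)
        kept.append(line)
    kept.append(f"{host} {keytype} {new_key_b64}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for label, key in (("old key", OLD_KEY), ("new key", NEW_KEY)):
        print(label, check_host_key(KNOWN_HOSTS, "github.com", "ssh-rsa", key))
    announced = fingerprint(NEW_KEY)  # stands in for the fingerprint in the announcement
    updated = rotate_host_key(KNOWN_HOSTS, "github.com", "ssh-rsa", NEW_KEY, announced)
    print("after rotation", check_host_key(updated, "github.com", "ssh-rsa", NEW_KEY))
```

In practice the same check is `ssh-keygen -lf` on the key you fetched (or the fingerprint printed in the mismatch banner) compared by eye against the announced one, then `ssh-keygen -R github.com` before reconnecting; pasting the announced line into known_hosts directly skips the comparison step entirely, which is why the comment treats the announcement channel as the thing an attacker would have to subvert.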



