[cfarm-users] SSH key fingerprints for gcc farm machine

Jonathan Wakely jwakely.gcc at gmail.com
Mon May 6 14:36:15 CEST 2019


On Mon, 6 May 2019, 06:11 Martin Guy via cfarm-users, <cfarm-users at lists.tetaneutral.net> wrote:

> On 05/05/2019, Jeffrey Walton via cfarm-users
> <cfarm-users at lists.tetaneutral.net> wrote:
> > On Sun, May 5, 2019 at 2:55 PM Olly Betts via cfarm-users
> > <cfarm-users at lists.tetaneutral.net> wrote:
> >> But even a list on an https protected web page seems better than just
> >> having to trust on first use.
> >
> > +1, trusted distribution channels.
>
> Just a technical mini-point: https is cracked. There are hundreds of
> "trusted" certificate issuers, including, for example, the Library of
> Budapest. To man-in-the-middle an https transaction, you only need to
> corrupt one of the "trusted" CIs, issue falsies. With hundreds to
> choose from it's a doddle, and the NSA has millions in budget for
> exactly that purpose!
>


If you're worried about that, using shared servers that almost anybody can
get a local account on is probably a bad idea anyway :-)

Verifying you're connecting to the right host doesn't help much if bad
actors have a login to the host.



> I was always worried about the "certificate issuer" thing. And it
> turns out I was right!



