[SSL Observatory] SSL CA compromise in the wild
Matt McCutchen
matt at mattmccutchen.net
Wed Mar 23 11:11:42 PDT 2011

On Wed, 2011-03-23 at 13:55 -0400, Steve Schultze wrote:
> On Mar 23, 2011, at 1:49 PM, Daniel Kahn Gillmor wrote:
> > Unless you use OpenSSH's new self-designed certificates;
>
> reference? I'm not sure what this means.

See the CERTIFICATES section of the ssh-keygen(1) man page.

One other method is to import known_hosts files from an external
integrity-protected source. Of course, they should be constrained to
the appropriate domain. I have written a tool to do this and am using
it for myself, but have not published it yet.
--
Matt
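
One way the domain constraint described in the message above could be enforced on imported known_hosts entries. This is an added example, not part of the original message and not the unpublished tool it mentions; the function name, the policy choices (drop out-of-domain patterns, refuse hashed names) and the sample entries are assumptions.

```python
ALLOWED_MARKERS = {"@cert-authority", "@revoked"}

# Constructed sample input; the key blobs are placeholders, not real keys.
SAMPLE = """\
# fetched from an integrity-protected source (constructed example)
git.example.org,192.0.2.10 ssh-ed25519 AAAAPLACEHOLDER1
[build.example.org]:2222 ssh-rsa AAAAPLACEHOLDER2 build box
@cert-authority *.example.org,!test.example.org ssh-ed25519 AAAAPLACEHOLDER3
* ssh-ed25519 AAAAPLACEHOLDER4
*example.org ssh-ed25519 AAAAPLACEHOLDER5
|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAPLACEHOLDER6
"""

def constrain_known_hosts(text, domain):
    """Return (kept_lines, rejected) with host patterns limited to `domain`."""
    domain = domain.lower().strip(".")
    kept, rejected = [], []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = []
        if fields[0].startswith("@"):
            if fields[0] not in ALLOWED_MARKERS:
                rejected.append((raw, "unknown marker"))
                continue
            marker, fields = fields[:1], fields[1:]
        if len(fields) < 3:
            rejected.append((raw, "malformed"))
            continue
        if fields[0].startswith("|"):
            # A hashed name cannot be checked against the domain.
            rejected.append((raw, "hashed hostname"))
            continue
        positive, negated = [], []
        for pat in fields[0].split(","):
            if pat.startswith("!"):
                negated.append(pat)  # a negation only narrows what matches
                continue
            # Reduce the [host]:port form to its host part before comparing.
            host = (pat[1:].split("]", 1)[0] if pat.startswith("[") else pat).lower()
            # The suffix is literal, so *.example.org stays inside the domain.
            if host == domain or host.endswith("." + domain):
                positive.append(pat)
        if not positive:
            rejected.append((raw, "no host pattern inside domain"))
            continue
        kept.append(" ".join(marker + [",".join(positive + negated)] + fields[1:]))
    return kept, rejected
```

The `*example.org` entry is refused because it would also match a name such as `evilexample.org`, which lies outside the domain.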