
Re: HashKnownHosts



Wouter Verhelst wrote:

> and
> relying on other people's security to increase your own isn't pretty
> clever, actually.

Well, it increases your own security too: It makes it harder to use your
machine, were it to be compromised, as an attacker. This increases your
security in two ways:

1. Generally, you log into (and thus have public keys for) boxes you
care about. The worm won't be able to auto-propagate to those machines.
[Remember, there have been root exploits in sshd before. And worms that
exploited them.]

2. You won't have to convince law enforcement, your employer, etc. that
no, really, you didn't attack that machine, it was a worm, because the
attack won't happen (at least from your machine).


And, in general, turning this on by default increases the general
security of the Internet. That is a good thing, really. It's unfortunate,
but when you share a network with a billion other people, you have to
rely somewhat on the security of their machines.
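
An added example, not part of the original message: what a reader of known_hosts learns with and without HashKnownHosts, using the `|1|salt|hash` host field (base64 salt, base64 HMAC-SHA1 of the host name) that OpenSSH writes when the option is on. The function names, host names and key material are constructed for illustration.

```python
import base64, hashlib, hmac, os

def hash_host(hostname, salt=None):
    """Build a hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def entry_matches(host_field, candidate):
    """True if candidate is a host named by host_field (hashed or plaintext)."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, candidate.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return candidate in host_field.split(",")

def readable_hosts(known_hosts_text):
    """Host names that anyone who can read the file gets directly from it."""
    names = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and not fields[0].startswith("|1|"):
            names.extend(fields[0].split(","))
    return names

# Constructed sample data (not real hosts or keys).
KEY = "ssh-ed25519 AAAA-constructed-key-material"
HOSTS = ("build.example.org", "192.0.2.10", "mail.example.org")
PLAIN = "build.example.org,192.0.2.10 %s\nmail.example.org %s\n" % (KEY, KEY)
HASHED = "".join("%s %s\n" % (hash_host(h), KEY) for h in HOSTS)

if __name__ == "__main__":
    print("plaintext file exposes:", readable_hosts(PLAIN))
    print("hashed file exposes:   ", readable_hosts(HASHED))
    first = HASHED.split()[0]
    print("lookup of a known host still works:",
          entry_matches(first, "build.example.org"))
```

The ssh client can still verify a host it is asked to connect to, because it already has the name to test; the file itself no longer lists where the user logs in.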


