Description
In 2006, RFC 4255 [0] introduced a DNS resource record that holds SSH host key verification fingerprints, named SSHFP. To prevent man-in-the-middle attacks, an SSH server's host key fingerprint should be verified by the client [1]. While the manual verification process is prone to errors or to being ignored by the user, SSHFP records eliminate any manual interaction. However, SSHFP records must securely reach the client and provide the correct host key verification fingerprint.
In our paper "Oh SSH-it, what's my fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS" (accepted at CANS 2022, preprint [2]) we conduct a large-scale internet study (Tranco 1M and 500 million domain names from Certificate Transparency logs). The results show that only about 1 in 10,000 domains has SSHFP records. Further, more than half of them are deployed without DNSSEC, which drastically reduces their security benefit.
The presentation aims to remind the audience of this (niche) SSHFP record and to present the paper's methodology and results. To end on a positive note, we will show a proper deployment and possible improvements for current tools (i.e. openssh-client).
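As an added illustration (not part of the abstract or of the paper's tooling), the following Python builds the SSHFP RDATA from an OpenSSH host key line and models the client-side decision described above: a matching record replaces the manual fingerprint check only when the DNS answer was DNSSEC-validated (AD flag). The sample key, owner name and the three result labels are constructed for this example.

```python
import base64
import hashlib
import struct

# SSHFP code points: algorithm (RFC 4255 plus later ECDSA/Ed25519 registrations)
# and fingerprint type (1 = SHA-1 from RFC 4255, 2 = SHA-256).
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_rdata(pubkey_line, fptype=2):
    """Return (algorithm, fptype, hex fingerprint) for an OpenSSH public key line.
    The fingerprint is the digest over the decoded key blob, as in RFC 4255."""
    keytype, b64blob = pubkey_line.split()[:2]
    digest = SSHFP_FPTYPES[fptype](base64.b64decode(b64blob)).hexdigest()
    return SSHFP_ALGORITHMS[keytype], fptype, digest


def zone_record(owner, pubkey_line, fptype=2):
    """Zone-file line a server operator would publish for its host key."""
    alg, fpt, fp = sshfp_rdata(pubkey_line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


def check_host_key(pubkey_line, records, ad_flag):
    """Model of the client decision: records is a list of (alg, fptype, hex fp)
    tuples from DNS; ad_flag says whether the resolver validated them with DNSSEC.
    Without AD a match must not silence the manual check (the client still asks)."""
    matched = any(sshfp_rdata(pubkey_line, fpt) == (alg, fpt, fp.lower())
                  for alg, fpt, fp in records if fpt in SSHFP_FPTYPES)
    if not matched:
        return "mismatch"          # DNS carries no record for the presented key
    return "trusted" if ad_flag else "insecure-match"


# Constructed sample: an ed25519 key blob whose 32-byte public point is arbitrary.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " host.example.com"

if __name__ == "__main__":
    print(zone_record("host.example.com.", SAMPLE_KEY))
    published = [sshfp_rdata(SAMPLE_KEY)]
    print(check_host_key(SAMPLE_KEY, published, ad_flag=True))   # trusted
    print(check_host_key(SAMPLE_KEY, published, ad_flag=False))  # insecure-match
```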
[0] https://www.rfc-editor.org/rfc/rfc4255.html
[1] https://www.rfc-editor.org/rfc/rfc4251.html
[2] https://arxiv.org/abs/2208.08846
Conflict of Interest: Nils Wisiol
Presentation delivery: In-person at the workshop venue