ssh browser? where?
thomas at jollybox.de
Sun Sep 5 16:31:49 CEST 2010
On Sunday 05 September 2010, it occurred to alex goretoy to exclaim:
> why not ssh browser traffic? why use SSL certificate authorities which
> can't be trusted in the first place?
> Is SSH not proven to be secure?
> To this day I have not seen ssh module for say Apache web server, why not?
> I understand this maybe wrong list to ask this question, but I love you
> guys so much at python and I think your smart... :)
Umn. Yes, wrong list. Still,
SSH is "secure shell". Shell ≠ WWW.
TLS/SSL is secure. Once you have an encrypted connection to the correct party,
the information you send over that connection is just as illegible to the
outsider as it'd be over an SSH connection. If you're connected to someone
other than you think you are connected to, then all the encryption in the
world won't help you. (man-in-the-middle attack)
With SSH, this isn't that big a problem: you only connect to a machine over
SSH if you have an account there. Since this tends to be a relatively small
number of machines, it's relatively easy to manually check the server's key
fingerprint. The authenticity of the server's key must be checked to prevent
an attack, and the status quo with SSH is that the user does it, which is
arguably the most secure model anyway.
On the web, you might connect to any number of servers. Manually checking
every single key would be a gargantuan and certainly not very rewarding task.
THAT's where certificate authorities come in. They're a reasonable way to
automatically check the validity of a server's key, so you don't have to. Now,
in theory, you should verify the integrity of the certificate authorities
yourself before trusting their judgement, but in practice, you leave that
daunting task to your operating system and/or web browser vendor. There are a
number of weak spots, but there are also rather strict audits going on all
over the place.
If we were to use SSH on the web, which is certainly not the point of SSH,
we'd still need some kind of certificate authority to make the whole system
More information about the Python-list