Why Key Fingerprints are Important


I admit it: I seldom verify the key fingerprint of a host I connect to against a fingerprint I have obtained through secure means. As things stand today, I consider it unlikely that somebody will stage a man-in-the-middle attack at the time I first connect to an unknown host. Today, however, I almost got bitten.

This is an excerpt from a session I tried to initiate to the sourceforge.net compile farm.

$ ssh cf.soruceforge.net
The authenticity of host 'cf.soruceforge.net (64.20.45.46)' can't be established.
DSA key fingerprint is 50:ae:45:a6:d7:d8:a8:85:3d:a9:63:53:63:e4:46:49.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'cf.soruceforge.net' (DSA) to the list of known hosts.
dds@cf.soruceforge.net's password:

Can you spot the problem? Look at the site's name carefully again. As you see, I was quick to answer "yes" to the fingerprint question, and only hesitated when I was asked for a password. I typically use key-based authentication, so I did not expect to have to give a password.

Was this a phishing attempt? The soruceforge.net domain is advertised as being for sale, registered by "Domains, Internet" (GetNameNow). The machine hosting it runs an ssh daemon that could conceivably be used to collect passwords. On the other hand, it doesn't run telnet or other daemons that could also be used to collect passwords. Therefore, either somebody is very picky about the perpetrated phishing attack, or simply (and most probably) the ssh port is actually used for administering the machine. In any case, I would not have felt comfortable divulging my password on that site.
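The check the post says it skipped, verifying the presented host key against a fingerprint obtained out of band and refusing hosts with no fingerprint on record, is shown below as an added example; it is not code from the post or from OpenSSH. It computes both fingerprint formats OpenSSH prints for a public key blob (the legacy colon-separated MD5 shown in the session above, and the modern SHA256 base64 form), compares them in constant time, and applies a policy that rejects any hostname not in the trusted table, which is exactly what would have stopped the typo'd "soruceforge" connection before a password prompt appeared. The key material and the .example hostnames are constructed placeholders, not real keys or hosts.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(b)) + b


def _make_key_line(pubkey_bytes: bytes, comment: str) -> str:
    """Build an OpenSSH public key line (type, base64 blob, comment)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample keys: made-up 32-byte values, not real ed25519 keys.
SAMPLE_KEY_LINE = _make_key_line(bytes(range(32)), "constructed-genuine")
IMPOSTOR_KEY_LINE = _make_key_line(bytes(reversed(range(32))), "constructed-impostor")


def key_blob(key_line: str) -> bytes:
    """Return the raw wire-format blob that OpenSSH hashes for a fingerprint."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(fields[1])


def md5_fingerprint(key_line: str) -> str:
    """Legacy colon-separated MD5 fingerprint, e.g. 50:ae:45:...:46:49."""
    digest = hashlib.md5(key_blob(key_line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(key_line: str) -> str:
    """Modern OpenSSH fingerprint: SHA256:<unpadded base64 of the digest>."""
    digest = hashlib.sha256(key_blob(key_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize_fingerprint(fp: str) -> str:
    """Accept 'MD5:aa:bb...', 'AA:BB:...' or 'SHA256:...' as users paste them."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    if fp.upper().startswith("SHA256:"):
        return "SHA256:" + fp[7:]
    return fp.lower()


def fingerprint_matches(key_line: str, expected: str) -> bool:
    """Compare the presented key against an out-of-band fingerprint (either format)."""
    expected_n = normalize_fingerprint(expected)
    if expected_n.startswith("SHA256:"):
        actual = sha256_fingerprint(key_line)
    else:
        actual = md5_fingerprint(key_line)
    # Constant-time comparison; returns False on length mismatch without raising.
    return hmac.compare_digest(actual.encode(), expected_n.encode())


# Stand-in for fingerprints obtained through a secure channel (constructed).
TRUSTED_HOSTS = {
    "cf.sourceforge.example": sha256_fingerprint(SAMPLE_KEY_LINE),
}


def should_connect(hostname: str, presented_key_line: str) -> Tuple[bool, str]:
    """Policy: unknown hostnames are refused (a typo never gets a 'yes/no' prompt),
    and a known hostname whose key does not match the record is refused too."""
    expected = TRUSTED_HOSTS.get(hostname)
    if expected is None:
        return False, f"{hostname}: no trusted fingerprint on record; refusing"
    if not fingerprint_matches(presented_key_line, expected):
        return False, f"{hostname}: presented key does not match trusted fingerprint"
    return True, f"{hostname}: host key verified"


if __name__ == "__main__":
    for host, key in [("cf.sourceforge.example", SAMPLE_KEY_LINE),
                      ("cf.soruceforge.example", SAMPLE_KEY_LINE),
                      ("cf.sourceforge.example", IMPOSTOR_KEY_LINE)]:
        print(should_connect(host, key)[1])
```

The same blob-hashing is what `ssh-keygen -lf` does on a public key file, so a value printed by that tool on the trusted side can be pasted straight into the table; the equivalent client-side setting is `StrictHostKeyChecking yes`, which makes ssh refuse rather than prompt for hosts absent from `known_hosts`.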



Last modified: Monday, January 8, 2007 1:35 pm


Unless otherwise expressly stated, all original material on this page created by Diomidis Spinellis is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.