Changes between Version 18 and Version 19 of faq/security/fingerprints


Timestamp: Feb 20, 2017, 2:41:44 PM
Author: Jamie McClelland
  • faq/security/fingerprints

    v18 v19  
    66With the ssh protocol, servers are identified by "fingerprints." Fingerprints are extremely difficult to forge, so if your program reports that the server you are connecting to has a fingerprint that matches the true fingerprint of the server, you can safely connect.
    77
    8 Coming Soon ... directions for verifying MFPL server fingerprints.
     8There are several approaches to confirming a fingerprint.
     9
     10== TOFU ==
     11
     12TOFO stands for Trust on First Use. It is the most commonly used method for checking fingerprints. It means that you blindly accept the fingerprint offered the first time you connect. Then, you rely on your ssh/sftp program to warn you if the fingerprint ever changes (all ssh/sftp programs will provide you this warning).
     13
     14This method assumes that your communications are not being tampered with the first time you connect, but may be tampered with later. It is reasonably secure, but does run a risk if your initial connection to a server is compromised.
     15
     16== Request Confirmation ==
     17
     18If you want to be more sure that you are connecting to the right server, you can take the following steps:
     19
     20 * Do not enter your web site's domain name as the server name. Only connect to the mayfirst domain name of the server, e.g. `marx.mayfirst.org` or `june.mayfirst.org`. Sometimes we move sites from one server to another. By using the real server name, you can more easily keep track of key changes.
     21 * Before connecting for the first time, [/new open a ticket] requesting the fingerprint of the server in question.
     22
     23== Use the Monkeysphere ==
     24
     25If you are a Linux user, you can [https://monkeysphere.info install the monkeysphere] to use OpenPGP to verify the key fingerprints. All May First/People Link servers have been signed by an MF/PL administrator.
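Review bot: the "Request Confirmation" steps (new lines 18-21) stop at "open a ticket requesting the fingerprint" and never say what to do with the answer, so the procedure is incomplete: add a final step stating that the fingerprint in the ticket reply is compared, character for character, with the one the client prints in its first-connection prompt, and say which hash format the reply will use (MD5 hex or SHA256 base64), because a reader whose client prints the other format will see two strings that cannot match and will not be able to confirm anything. Line 12: "TOFO stands for Trust on First Use" should read "TOFU stands for Trust on First Use"; in the same line, "(all ssh/sftp programs will provide you this warning)" is stronger than the page supports and is safer as "OpenSSH and most sftp clients warn you". Line 20 correctly tells the reader to connect to the server's own name such as `marx.mayfirst.org` rather than the site's domain, but line 21 should then say the fingerprint is requested for that same server name, since "the server in question" is ambiguous once a site has been moved. Line 25 says every server "has been signed by an MF/PL administrator" but not by which OpenPGP key or how the reader obtains and verifies that signer key; without that, the Monkeysphere path reduces to TOFU on the administrator's key.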