undefined | Better HN

0 pointscsours6y ago0 comments

OT: Why can't I put ssh://nethack@alt.org in my browser? Why isn't the browser a ssh client?

I'm sure there's an extension or some such, and I know there are a lot of admin portals that have ssh accessible from the browser.

edit: for instance here's is one such extension: https://chrome.google.com/webstore/detail/secure-shell-app/p...

0 comments

Cyberdog6y ago

The browser is already a browser, mail client, download manager, office suite, multimedia player, game console, chat client, videoconferencing system…

I'm okay with the browser being allowed to not do things sometimes, even if that thing is basically encrypted Telnet.

csoursOP6y ago

I can't edit anymore, but I've thought about this all day, and I think it comes back to trust. It is easy to configure weak keys or keys without passphrases or all sorts of things that you don't want exposed to the internet. Or your server may have poor config so you don't even want people to know that your server exists.

I do wonder, though if it is possible to do use whitelisted features of ssh, like strong keys with strong passphrases, good crypto libraries, etc.

I mean people already type their passwords into a browser.

somacert6y ago

Personally I would like to see shttp:// (http over ssh) as a valid protocol.

Realistically, I know this would end up being just as bad and broken as every other web tech.

However due to the superb openssh implementation I tend to view ssh as the superior transport technology vs tls

tialaramex6y ago

Different audiences mean very different constraints, policy and technology for success between TLS and SSH.

Most obviously for trust. TOFU is simple and while not fool-proof it's at least easy to think about the consequences. Using SSH with certificates (which somebody is bound to mention) is an afterthought and it shows.

There's also a very different default thinking about who is authenticating to who and why. In TLS the server must authenticate and clients largely do not. In SSH the server's "authentication" is often limited to just proving possession of some private key corresponding to a public key, but the client must provide a username and state up front how they're planning to authenticate before proceeding.

This is why that FIDO OpenSSH integration results in a file on your laptop (or whatever client) with local information whereas WebAuthn (FIDO integration for HTTPS) doesn't do anything like that.

As you'd expect although the underlying primitives aren't dissimilar (Diffie-Hellman style key agreement, AES encrypt everything, bind identity to encrypted session using public key signatures) the details are tailored to their application. TLS isn't a better SSH and SSH isn't a better TLS.

ta9999991716y ago

It doesn't have to be. Mail the keys.

bmn__6y ago

> Why can't I put ssh://nethack@alt.org in my browser?

Try KDE Konqueror, see http://enwp.org/KIO

j / k navigate · click thread line to collapse