undefined | Better HN

0 pointsloeg5y ago0 comments

The mechanism SSH uses is called Trust on First Use ("TOFU") and is closer to what used to be HTTPS certificate pinning. In this scheme, certificates never expire, and if they do, clients warn about the unexpected change in certificate.

It is different from the CA PKI system, where the client trusts any certificate signed by a trusted CA without prompting the user at all, and doesn't prompt the user if the certificate for a site changes.

0 comments

zozbot2345y ago

Self-signed certificates give you basically this. It's a bit of a hassle to mark them as trusted, but you only have to do it once.

loegOP5y ago

That has not been my experience with current versions of Chrome.

j / k navigate · click thread line to collapse

0 comments

zozbot2345y ago

Self-signed certificates give you basically this. It's a bit of a hassle to mark them as trusted, but you only have to do it once.

loegOP5y ago

That has not been my experience with current versions of Chrome.

j / k navigate · click thread line to collapse