SSH suggested key verification


#1

On the control panel, under users->ssh keys (https://panel.dreamhost.com/index.cgi?tree=users.sshkeys&), I think the suggested way to verify connection authenticity, is wrong.

There’s there posted the ssh keys presented by two of dreamhost’s servers (traffic.dreamhost.com, and one more), and the user is expected to verify connection integrity by means of requesting the ssh keys for those servers and expect to match the ones provided on the mentioned website page.

Problem is, if the connection isn’t authentic and there’s actual someone in between, it is pretty straight forward to swap the keys on your website to some kept stored in a dictionary against those domains. And the user is lead to believe (very confident) that the wrong keys are actually correct.

I highly suggest using network perspective to be confident about connection authenticity.


#2

That’s not as straightforward as you’re imagining. Your connection to the DreamHost Panel is protected by SSL, so the identity of the server is confirmed by your browser when you connect. So long as you don’t connect to another web site and mistake it for the DreamHost Panel, or accept an invalid certificate in your browser when you connect, there is no way for a man-in-the-middle to substitute content into the Panel.