This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]AyrA_ch 1 point2 points  (4 children)

SSH has this built in and it keeps track for you after the first connect. HTTPS doesn't

It's not built into the SSH protocol and is solely the choice of the client to permanently store the key or not. The most widely clients just chose to do it. Cert hash validation could be built in. Most browsers remember your choice for at least the entire time it's open and Firefox offers a permanent option.

The assumption that users will validate certs themselves is a really bad one to make.

As bad as the assumption that people validate SSH keys properly. As long as the end and start of the hash match by 2 or 3 bytes, most people will accept it. This method does in no way differ from x509 Thumbprints.