
Before a bunch of you run off and make more of these “because it’s cool”: they’ll likely lose access to Stripe once Stripe’s security team pays attention and realizes that this can be trivially man-in-the-middled and doesn’t actually offer protection equivalent to HTTPS.

I wrote up a little demo and explainer at

    https://mitm.terminal.shop.rag.pub

    ssh mitm.terminal.shop.rag.pub


> I wrote up a little demo and explainer at

They give you the ed25519 host key to insert into your known_hosts file on their homepage, which itself is served over TLS with all of the protections you describe in your article. They could go into more detail on being careful not to fall into the TOFU trap, perhaps, but I don't see that there's an inherent PCI-critical problem here. ssh tells you who, cryptographically, you're connecting to.

If I mess with my DNS and point it at your "little demo", this happens:

    $ ssh foo@terminal.shop
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

Anyone ignoring a big scary warning like that probably isn't going to brew the coffee properly anyway.

And guess what? My browser lets me bypass HTTPS warnings too! Yes, even when HSTS is enabled I can take steps to bypass the warning.
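The point above is that pinning the published host key means the first connection is not TOFU. The following is an added example (not code from this thread, from terminal.shop, or from OpenSSH) of checking a known_hosts entry against a fingerprint published out of band, e.g. on the TLS-served homepage; the hostname is taken from the thread, and the key bytes are a constructed placeholder, not any real host key.

```python
import base64
import hashlib
import struct

# Constructed sample key: 32 arbitrary bytes standing in for an ed25519
# public key. This is a placeholder, not a real host key for any host.
SAMPLE_PUBKEY = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(pubkey: bytes) -> bytes:
    """Public-key blob as OpenSSH base64-encodes it: type string, then the key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh prints: base64 with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def make_known_hosts_line(host: str, pubkey: bytes) -> str:
    """Build the known_hosts line a site could publish next to its fingerprint."""
    return f"{host} ssh-ed25519 {base64.b64encode(ed25519_blob(pubkey)).decode()}"


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, blob); reject a blob whose type tag disagrees."""
    host_field, key_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match declared type")
    return host_field.split(","), key_type, blob


def host_key_matches(line: str, published_fp: str) -> bool:
    """True only if the pinned key's fingerprint equals the one published over TLS."""
    _, _, blob = parse_known_hosts_line(line)
    return fingerprint(blob) == published_fp


if __name__ == "__main__":
    line = make_known_hosts_line("terminal.shop", SAMPLE_PUBKEY)
    print(line)
    print(fingerprint(ed25519_blob(SAMPLE_PUBKEY)))
```

A mismatch is exactly what a substituted host key would produce: the entry should only be written to known_hosts when the fingerprint compares equal.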


Except in their marketing materials they just say `ssh terminal.shop`

Users will fall into the TOFU trap, most users who've sent them cash certainly did.

Most users won't put their credit card credentials into a page that they've had to bypass a cert warning on.


Hmm, I'm having trouble finding that site. Sick sunset at rag.pub though!


It’s available via SSH and HTTPS.

That shot’s from my parents’ balcony in Bermuda.
