
First time you connect to sshd, the server has no idea who you are.

That's not a problem if you sign up by first connecting to the sshd and getting a custom signup URL.




How do you know that the sshd you connect to is authentic and not a MITM? More importantly, how does the sshd know that the incoming connection is you and not a MITM?


How do you know that the sshd you connect to is authentic and not a MITM?

You'd need the server fingerprint on the site (served over https, of course).

More importantly, how does the sshd know that the incoming connection is you and not a MITM?

But that's the point, there is no "you" to authenticate, since you're signing up for a new account. The sshd generates a token URL and then stores your fingerprint with that token. Then you can use that token to log in to the actual site and fill in your information.

If you're MITMing someone, the server shouldn't care; it's the client's job to make sure it's talking to the right server. See above.
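The flow described in this thread, as an added example that is not part of the original comments: the client-side half is the host key check against the fingerprint published on the HTTPS site, and the server-side half is binding the client's key fingerprint to a fresh single-use token that becomes the signup URL. The fingerprint routine follows the OpenSSH `SHA256:` format; the key material, the `SignupTokenStore` class, the `example.invalid` URL and the 10-minute expiry are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple


def ssh_fingerprint(public_key_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of an authorized_keys-format key line
    ("ssh-ed25519 AAAA... comment"): base64 of SHA256 over the raw key blob,
    padding stripped, prefixed with "SHA256:" (what ssh-keygen -lf prints)."""
    key_type, b64_blob = public_key_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    # The blob starts with a length-prefixed string naming the key type.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type in blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(published_fingerprint: str, observed_key_line: str) -> bool:
    """Client-side check: does the host key the server presented match the
    fingerprint published out of band (on the HTTPS site)?"""
    return hmac.compare_digest(published_fingerprint, ssh_fingerprint(observed_key_line))


class SignupTokenStore:
    """Server-side: on first connection, bind the client's key fingerprint to a
    fresh token and return the signup URL. Tokens are stored hashed (a leaked
    table cannot be redeemed), expire after ttl_seconds, and are single-use."""

    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry
        self._pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (fingerprint, issued_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, client_public_key_line: str,
              base_url: str = "https://example.invalid/signup/") -> str:
        fp = ssh_fingerprint(client_public_key_line)
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: the URL is the credential
        self._pending[self._hash(token)] = (fp, self.clock())
        return base_url + token

    def redeem(self, token: str) -> Optional[str]:
        """Web side calls this when the URL is opened. Returns the bound
        fingerprint, or None if the token is unknown, expired or already used."""
        entry = self._pending.pop(self._hash(token), None)  # pop makes it single-use
        if entry is None:
            return None
        fp, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None
        return fp


def constructed_key_line(seed: bytes, comment: str = "constructed") -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 bytes.
    Constructed sample data for this example only; not a real key."""
    assert len(seed) == 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    client_key = constructed_key_line(bytes(range(32)), "alice@laptop")
    store = SignupTokenStore()
    url = store.issue(client_key)
    token = url.rsplit("/", 1)[1]
    print("signup URL:", url)
    print("first redeem matches fingerprint:", store.redeem(token) == ssh_fingerprint(client_key))
    print("second redeem:", store.redeem(token))
```

The server never learns anything about the person behind the key at this stage; it only records "whoever holds this private key also holds this token", which is exactly the binding the comment describes. Hashing the token at rest and popping it on redeem are the two details that keep a database read or a replayed URL from turning into someone else's account.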




