This is a discussion on Re: RSA fingerprint list for anoncvs servers within the mailing.openbsd.tech forums, part of the OpenBSD category.
On Tue, Jun 22, 2004 at 03:18:42PM -0400, Will Backman wrote:

> http://www.openbsd.org/anoncvs.html#CVSROOT lists anoncvs servers.
> When I connect, cvs uses ssh as the RSH (thanks), but it gives me the
> RSA fingerprint and asks me if I want to continue. I'd love to know if
> I should, as this is the most vulnerable portion of a ssh connection.
> Would it be helpful to have the RSA fingerprints included in the list of
> information for the servers?

As I run a mirror myself, I feel obliged to answer, although you should have used misc@ or openbsd-mirrors@list.rt.fm for your question.

The point is that if an attacker has the possibility to impersonate an official CVS mirror (thereby having a different ssh fingerprint), he would most likely also be able to impersonate a web mirror or the main site where the fingerprints are served, e. g. via anoncvs.html. This way, he could assure you that the false fingerprint you get is the official one, thus making you use his trojaned mirror.

If you say now that we have HTTPS, then do not overlook that having a secure connection does not mean to have the connection to the genuine OpenBSD mirror resp. master server. For this, we should distribute some certificates or RSA fingerprints on the official CD sets, for example. (But hey, how do you know that your CDs haven't been tampered with?)

Honestly, I agree that a list of fingerprints on anoncvs.html could be helpful, but nonetheless no guarantee for not being tricked.

Perhaps your question could be subject to further discussion on openbsd-mirrors@list.rt.fm. I will cc it to that list, as that is the right place for the topic.

Greets,

--
Alexander "grunk" von Gernler
PGP-Key 0xEBC27515
https://openbsd.informatik.uni-erlangen.de - Free, functional, secure.