And it's just not true: ever wondered what those fingerprints are that nobody cares about and blindly goes for "yes" in SSH? The vast majority of SSH users would have no idea if they got MitM-ed.
WebAuthn helps prevent just that.
And it's just not true: ever wondered what those fingerprints are that nobody cares about and blindly goes for "yes" in SSH? The vast majority of SSH users would have no idea if they got MitM-ed.
WebAuthn helps prevent just that.
WebAuthn won't help you if you are signing-up on a phishing site.
Well if you sign up on a phishing site, they won't be able to access the legit site with your credentials...
Niеther an ssh MITM can use your private key on a legit server. A middleman doesn't need it in most cases, however. My point was that the situation with ssh is basically the same as with webauthn.
> Niеther an ssh MITM can use your private key on a legit server
Of course they can: that's precisely the meaning of MITM.
They don't get direct access to your private key (because they wouldn't need to stay in the middle anymore at that point), but they will ask you to sign the challenge sent by the legit server, which you will happily do if you don't realise that you are not talking to the legit server.
WebAuthn prevents that MitM part.
I guess you're saying that a challenge is tightly packed with a server ID and processed by the webauthn client lib, so a middleman cannot separate and forward the same challenge from its own server. I don't know the exact details of the ssh protocol, but I see no reason why ssh can't do the same.
If we are simply talking about ssh users ignoring fingerprint warnings then I don't see how this is an ssh weakness. A fingerprint change warning is basically saying "you're connecting to a phishing site" as I see it.
> If we are simply talking about ssh users ignoring fingerprint warnings then I don't see how this is an ssh weakness.
I didn't say it was an SSH weakness. I said that it was not "solved" problem in that most users I have seen completely ignore those warnings from SSH. So the problem persists even though SSH does it right.
With WebAuthn, the problem disappears. So that's an improvement for the users.
Don't get me wrong: I love SSH. I just think it's wrong to say that WebAuthn doesn't bring any kind of security to users.