#tchh22 | SSH host key verification fingerprints in the DNS – A large-scale analysis of an unknown feature and its implications.
Talk | Security | 50 min | English
Thu | 11:15 | Bahnhof Pauli
Developers often interact with SSH servers. When establishing a connection, the server's host key is verified against the local database (e.g. known_hosts) or displayed to the user for manual verification. Since this process is prone to human error or ignorance on the part of the user, the connection's security is at risk, e.g. from man-in-the-middle attacks. In 2006, RFC 4255 introduced a DNS resource record that holds SSH host key verification fingerprints, named SSHFP, which eliminates the need for manual interaction. However, SSHFP records must reach the client securely and must carry the correct host key fingerprint. In our paper "Oh SSH-it, what's my fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS" (to be published at CANS 2022; a preprint is available) we conduct a large-scale internet study (Tranco 1M and 500 million domain names from Certificate Transparency logs). The results show that only about 1 in 10,000 domains has SSHFP records. Further, more than half of them are deployed without DNSSEC, which drastically reduces the security benefit.
In this session we introduce SSHFP DNS records and DNSSEC and motivate their use to improve the overall security of SSH host key verification.
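The mechanism the abstract describes, as an added example (not code from the paper, the talk, or OpenSSH): the Python below computes SSHFP record data for an OpenSSH host key line the way `ssh-keygen -r` does, shows that the SHA-256 SSHFP fingerprint (type 2) is the same hash `ssh-keygen -lf` prints in base64, and models the trust decision an OpenSSH client with `VerifyHostKeyDNS` makes, where a matching record only counts when the DNS answer was DNSSEC-validated. The key bytes, the host name `host.example` and the function names are constructed for the illustration.

```python
"""SSHFP records as described in RFC 4255 (SHA-256 fingerprint type added by RFC 6594,
Ed25519 algorithm number by RFC 7479).

Added illustration for this talk abstract; not code from the paper or from OpenSSH.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (IANA registry "SSHFP RR Types for public key algorithms")
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
HASHERS = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def parse_pubkey_line(line: str):
    """Split an OpenSSH public-key line (.pub or known_hosts style) into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():  # the blob repeats the key type; both must agree
        raise ValueError("key type in text field does not match key blob")
    return keytype, blob


def sshfp_rdata(line: str, fptypes=(2,)):
    """Return (algorithm, fptype, hex fingerprint) tuples, the RDATA of one SSHFP record each.
    The fingerprint is the hash of the raw key blob, exactly the bytes ssh-keygen hashes."""
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[keytype]
    return [(alg, t, HASHERS[t](blob).hexdigest()) for t in fptypes]


def zone_lines(owner: str, rdata) -> list:
    """Presentation format, as printed by `ssh-keygen -r <host>`."""
    return [f"{owner} IN SSHFP {alg} {fpt} {fp}" for alg, fpt, fp in rdata]


def openssh_fingerprint(blob: bytes) -> str:
    """The `SHA256:...` form shown by `ssh-keygen -lf` and in the interactive prompt:
    the same SHA-256 as SSHFP type 2, but base64 without padding instead of hex."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(line: str, rdata, dnssec_validated: bool) -> str:
    """Decide what a client may conclude from SSHFP records it received.

    'trusted' only when a record matches AND the DNS answer was DNSSEC-validated (AD bit
    from a trusted resolver). A match from an unvalidated answer is 'match-unverified':
    whoever can spoof the DNS answer can also spoof the SSHFP record, so OpenSSH treats
    it as informational and still falls back to the interactive prompt.
    """
    keytype, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM.get(keytype)
    matched = any(
        r_alg == alg and r_fpt in HASHERS and HASHERS[r_fpt](blob).hexdigest() == r_fp.lower()
        for r_alg, r_fpt, r_fp in rdata
    )
    if not matched:
        return "mismatch"
    return "trusted" if dnssec_validated else "match-unverified"


# Constructed sample key: an arbitrary 32-byte value, not a real Ed25519 point (the
# fingerprint procedure does not care), plus a tampered variant an attacker might present.
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
CONSTRUCTED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode() + " host.example"
TAMPERED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
TAMPERED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(TAMPERED_BLOB).decode() + " host.example"

if __name__ == "__main__":
    records = sshfp_rdata(CONSTRUCTED_KEY_LINE, fptypes=(1, 2))
    print("\n".join(zone_lines("host.example.", records)))
    print("ssh-keygen -lf form:", openssh_fingerprint(CONSTRUCTED_BLOB))
    for line, ad in [(CONSTRUCTED_KEY_LINE, True), (CONSTRUCTED_KEY_LINE, False), (TAMPERED_KEY_LINE, True)]:
        print("dnssec_validated =", ad, "->", check_host_key(line, records, dnssec_validated=ad))
```

On a real host, `ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub` prints the same zone lines for your own key; on the client, `VerifyHostKeyDNS yes` in ssh_config makes OpenSSH trust a matching record automatically, but only if the resolver returned a DNSSEC-validated (AD) answer, otherwise it behaves as `ask`. That is why the abstract's finding that more than half of the deployed SSHFP records lack DNSSEC matters: those records never reach the "trusted" branch above.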
Sebastian Neef is a PhD candidate at the Security in Telecommunications chair at TU Berlin. His interest in IT security was sparked at the age of 16, and by the end of his A-levels he was a freelancer doing IT (security) contract work and bug bounties. Since his computer science studies he has organized the "AG Rechnersicherheit" meetup at the university, and he plays and organizes CTFs as part of ENOFLAG.