Security and TOFU
Giedrius
iksius at gmail.com
Mon Nov 14 15:07:28 UTC 2016
What I am thinking about is not security of SSL or encryption
algorithms but rather trust-on-first-use method. As I understand this
method mostly relies on users ability to check and validate
certificate fingerprints. It might be ok for SSH where users can be
expected to be IT and security savvy, but in my opinion it is not ok
for a regular user. First of all certificate validation is not
enforced in any way, so the average user most often would just ignore
this step. Also, certificate fingerprints are quite complicated and
can make validation error prone or may discourage the validation step
altogether (I am not sure how feasable it is, but an attacker could
try to generate its own certificates which would produce similar
fingerprints). Are such my wories invalid?
As I said, I am not security expert and I would be very glad if
someone corrected me :)
Giedrius
> Nothing in this life is completely fail- or hack-proof, but I think KDE
> Connect security is, at this point, pretty decent :)
>
> Since the recent version 1.0, it uses SSL and trust-on-first-use, like SSH
> (which you could say is not hack-proof either, nothing is). Of course, SSH
> has likely been audited way more than kdeconnect, so if you are a security
> specialist and want to check kdeconnect for implementation errors or other
> security flaws, it would be of great help!
>
> Albert
>
> On Sun, Nov 13, 2016 at 6:50 PM, ixius ixius <iksius at gmail.com> wrote:
>
> > Hello,
> >
> > I am concerned about security aspect of the kde-connect pairing procedure.
> > I am no expert in security but as I understand the pairing of the devices
> > currently is not completely fail-(or hack-)proof. Am I right or am I
> > missing something? And if I am not wrong, I wonder if there are any plans
> > to solve the issues?
> >
More information about the KDEConnect
mailing list