Hi NANOG, Our research group at Carnegie Mellon has created a new tool called Perspectives to help authenticate remote hosts without requiring a full-blown PKI. Given the increased vulnerability to "man-in-the-middle" attacks due to the recent DNS issue, this tool seems relevant to anyone using SSH or HTTPS with self-signed certificates (It also can help clients avoid the annoying security error page Firefox 3 now shows for all sites using self-signed SSL certificates). http://www.cs.cmu.edu/~perspectives/ How it works: Perspectives uses network probes from multiple network locations and over time to get a better idea if the unauthenticated key your SSH client or browser received from the network is in fact the server's valid key. We have a few such probing servers, which we call "network notaries", scattered through the Internet, meaning that you can easily check if a key is likely to be valid even if it has not been signed by a certificate authority. The first time a notary is queried for a particular destination, they probe "on-demand" and return information about the key currently used by that sever. Once they know about a server, the notary will contact it daily to build up a history of the keys that server has used over time. Subsequent client queries can take advantage of historical key information as well. You can play with this approach using one of three "clients" we've created: * a web interface which shows a graphical timeline of the keys used by a server ( http://moo.cmcl.cs.cmu.edu/perspectives/ ) * a modified version of openSSH that contacts notaries and reports the results when the key received from the remove server differs from the cached key (http://www.cs.cmu.edu/~perspectives/openssh.html ) * a firefox extension (version 3+ only) that queries notaries and can override the annoying security error page firefox gives you for any self-signed certificate. ( http://www.cs.cmu.edu/~perspectives/firefox.html ) An academic paper and more general information is available at: http://www.cs.cmu.edu/~perspectives/ All the code is open-source and we welcome feedback. Thanks for your time, Dan Wendlandt & the Perspectives Team -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dan Wendlandt 650-906-2650 http://www.cs.cmu.edu/~dwendlan/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~