It feels like just yesterday I was paying for certs, or worst, just running without.
Can't believe its been ten years.
replies(1):
Can't believe its been ten years.
They usually counter with “but SSH uses TOFU” because they don't see, and can't be convinced of, the problem of not verifying the server key signature⁰. I can be fairly sure that I'm talking to the daemon that I've just setup myself without explicitly checking the signature¹, but that particular side-channel assurance doesn't apply to, for example, a client connecting to our SFTP endpoint for the first time² to send us sensitive data.
--
[0] Basically, they get away with doing SSH wrong, and want to get away with doing HTTPS wrong the same way.
[1] Though I still should, really, and actually do in DayJob.
[2] Surprisingly few banks' tech teams bother to verify SSH server signatures on first connection, I know because the ones in our documentation were wrong for a time and no one queried the matter before I noticed it when reviewing that documentation while adding further details. I doubt they'd even notice the signature changing unexpectedly even though that could mean something very serious is going on.