Open viraptor opened 6 months ago
This sentence is probably not clear enough, it is targeted to a good part of SSH users that rely on self-generated SSH host heys that require manually checking the host key on first use, otherwise machine-in-the-middle attacks could occur. Many people usually do not check that fingerprint upon first use. (We have a lot of students at university simply skipping that prompt)
I wrote "more secure" for this scenario, in the sense that CA-signed certificates are not subject to this. But you if you use OpenSSH certificates of similar mechanism, you can get comparable security guarantees. The README was aimed to a large audience and is expected to be relatively short. If you have better wordings that are less ambiguous and concise, it would be a great help. That claim was probably a bit strong because a lot of people are picking on this sentence. I can rephrase it myself, but I'll work on a few other issues before.
The readme states:
but that's very vague. In what scenarios is it more secure / why? Does the comparison include SSHFP? Why is it more secure than CA signed host keys? etc.