+6
Under review
Alexander Blach (Developer) 4 years ago in General • updated 4 years ago 2

To detect man-in-the-middle attacks, SSH clients are supposed to check the host key of the server, for example by comparing it with a known good key. Should the client neglect to check the server key (or an attacker manage to steal the private key of the server), the connection becomes vulnerable to active man-in-the-middle attacks when using password-based authentication.


Add host key checking to Textastic.
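The check the request asks for, written out as an added example in Python (this is illustrative code, not Textastic's implementation): before any credentials are sent, the key the server presents is compared with what a local known_hosts file stores for that host, and the client distinguishes three outcomes: the stored key matches, the host has never been seen, or the host is known but the key differs. It goes a little beyond the post by also handling OpenSSH's hashed host entries (`|1|salt|hmac`) and comma-separated host aliases. All key blobs, hostnames and the salt below are constructed for the example and are not real keys or servers.

```python
import base64
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    TRUSTED = "trusted"    # presented key is byte-for-byte the stored key: proceed
    UNKNOWN = "unknown"    # no entry for this host: stop and let the user confirm the fingerprint
    MISMATCH = "mismatch"  # an entry exists but differs: abort, possible man-in-the-middle


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: '|1|<b64 salt>|<b64 HMAC-SHA1(salt, hostname)>'."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names hostname."""
    if field.startswith("|1|"):
        parts = field.split("|")  # ['', '1', salt, mac]
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, expected)
    return hostname in field.split(",")


def parse_known_hosts(text: str):
    """Yield (host_field, key_type, key_blob) for each well-formed known_hosts line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            yield fields[0], fields[1], base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # a malformed entry is ignored, never treated as a match


def verify_host_key(known_hosts: str, hostname: str, key_type: str, presented: bytes) -> Verdict:
    """Compare the key the server presented with what known_hosts stores for hostname."""
    seen_host = False
    for host_field, stored_type, stored_blob in parse_known_hosts(known_hosts):
        if not host_field_matches(host_field, hostname):
            continue
        seen_host = True
        # Only an identical (type, blob) pair is trusted. A different key type for a known
        # host is deliberately MISMATCH rather than UNKNOWN, so the stored key cannot be
        # sidestepped by presenting a key of another algorithm.
        if stored_type == key_type and hmac.compare_digest(stored_blob, presented):
            return Verdict.TRUSTED
    return Verdict.MISMATCH if seen_host else Verdict.UNKNOWN


# Constructed sample data (not real keys): two byte strings stand in for raw
# ssh-ed25519 key blobs, and known_hosts holds one plain and one hashed entry.
GOOD_KEY = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))
ROGUE_KEY = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32, 64))
SALT = b"\x01" * 20  # fixed for reproducibility; OpenSSH uses a random salt per entry

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "dev.example.test,10.0.0.5 ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode(),
    hashed_host_field("git.example.test", SALT) + " ssh-ed25519 " + base64.b64encode(GOOD_KEY).decode(),
])


def demo():
    """The cases a client must tell apart; returns the verdicts for inspection."""
    return {
        "known host, right key": verify_host_key(KNOWN_HOSTS, "dev.example.test", "ssh-ed25519", GOOD_KEY),
        "hashed entry, right key": verify_host_key(KNOWN_HOSTS, "git.example.test", "ssh-ed25519", GOOD_KEY),
        "known host, different key": verify_host_key(KNOWN_HOSTS, "10.0.0.5", "ssh-ed25519", ROGUE_KEY),
        "never seen before": verify_host_key(KNOWN_HOSTS, "new.example.test", "ssh-ed25519", GOOD_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} -> {verdict.value}")
    print("fingerprint of GOOD_KEY:", fingerprint(GOOD_KEY))
```

The important design choice is what happens on MISMATCH: the connection is refused outright rather than prompting, because at that point the client cannot tell a rotated server key from an interception. UNKNOWN is where a client shows the fingerprint and asks the user to confirm it out of band; only after that confirmation should the entry be written to known_hosts.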

Yes please. IMO, encryption without verification is as good as no encryption at all. 


Also, note that even if we grant the assertion that MITM is impossible when using public key auth, you still can't trust data you obtain without checking the host key. That is, even if an attacker cannot steal your credentials and log in to the real server as you, they can pretend to be the server you wish to connect to and feed you bad data.


There are iOS apps that do this - iSSH and iTeleport both do, for instance. 


Thanks for your consideration. 

Panic's Prompt also checks host keys, but Textastic is far from alone in the not-checking camp. It would make a great app stand out even more, if this was added.