sshkeygen.com: A web-based ssh key generator

This is so very, very, wrong — enough so that my first thought was, “this web site brought to you by China and the letters ‘M’, ‘S’, and ‘S’”.

I’m curious how many people were stupid enough to use this to generate keys that they actually use in production, but I’m afraid the answer would seriously depress me.

7 thoughts on “sshkeygen.com: A web-based ssh key generator”

  1. It’s not even using HTTPS!! The first thing on their todo list apparently is:
    “buy a SSL certificate or self-sign so key transfer is not in the clear”

    You’d think they’d mention that the site should not be used for serious work in BIG BOLD LETTERS on the front page.
    LOL!

  2. Hi, thanks for providing the link. I found it extremely useful and I’ve used it on a number of occasions…

    …to make other people giggle.

    Sorry, I just had the overwhelming urge to do a Triumph, the Insult Comic Dog impression.

  3. I blogged about this nearly two years ago, and at the time I mailed the site’s maintainer explaining that it’s a bad idea, in the hope that it was essentially naïveté. As far as I can see, I never got a response. At this point I am making the assumption that it’s malicious.

    Here’s the text of the mail I sent, so that people can judge for themselves whether it was reasonable.

    Hi, I’m the maintainer of the OpenSSH packages in Debian GNU/Linux. I’m also personal friends with a number of people on the PuTTY team, and am confident they’d say much the same thing as I do here.

    I saw http://www.sshkeygen.com/ today – I do hope this is a joke? Nobody should ever use an SSH key that they haven’t generated themselves. There is no way that any individual or organisation should ever trust somebody else to generate keys for them, no matter how carefully and honestly the private keys are escrowed; this is why every SSH implementation I’m aware of that supports public key authentication comes with its own key generation utility.

    If it’s a joke, I encourage you to rethink whether you want to be responsible for the consequences. While on some levels I can see the Schadenfreude in having inexperienced people think that generating a key on a remote system via the web is somehow best practice, SSH keys are used for very serious purposes and I don’t think they should be taken lightly.

    If this is serious, I would be happy to explain to you at more length why this is a Really Bad Idea. I recently spent hundreds of hours cleaning up after the Debian OpenSSL random number generation vulnerability, and would hate for more people to have to clean up after compromised keys!

    Since apparently this (unintentionally or otherwise) dangerous site has been linked to from a few places already, I suggest that this web site be entirely replaced with instructions on how to generate and install SSH keys on a variety of platforms, and a notice that keys previously generated using this site should be considered compromised and should be regenerated locally.

    I have no commercial interest in this – you aren’t taking away any of my business or anything. However, I don’t want innocent people to have their systems compromised as a result.

  4. Interesting, the guy asks for company name, IP…

    My theory is that he is trying to fish strongly clueless admins, in order to add bots to his botnet.

    o.O

    A way to test this would be, of course, putting there a honeypot, and waiting a few days :)

  5. It’s not accessible anymore. However, other sites exist that propose to give you access to your ssh server through an ajax interface (like serfish.com), and this is no better…
