One of the machines that I am using is a vhost hosted at a German hosting provider called "1und1". Clearly, I am accessing this machine using ssh. So a few weeks ago, to my surprise, my ssh warned me about the host key having changed.
Honored by the thought that someone might take the effort to mount a man-in-the-middle attack for this particular box, my rational brain told me that I should call the tech support of the hosting provider first and ask if any event might have led to a change in keys.
After a rather lengthy interaction with the tech support (who first tried to brush me off by telling me to "just accept the new key"), I finally got them to tell me that they upgraded the OS and that the key had changed. After about 20 minutes of discussion, I finally got them to read the new key to me over the phone, and all was good.
Then, today, the warning cropped up again. I called tech support, a bit annoyed by these frequent changes. My experience was less than stellar - the advice I received was:
- "Just accept the new key"
- "The key is likely going to change all the time due to frequent relocations of the vhost so you should always accept it"
- "No, there is no way that they can notify me over the phone or in a signed email when the key changes"
- "It is highly unlikely that any change that would notify you would be implemented"
- "If I am concerned about security, I should really buy an SSL certificate from them" (wtf ??)
- "No, it is not possible to read me the key fingerprint over the phone"
I started becoming slightly agitated at this point. I will speak with them again tomorrow; perhaps I'll be lucky enough to get to 3rd-level support instead of 2nd level. Hrm. As if "customer service" is a computer game, with increasingly difficult levels.
So. Summary: 1und1 seems to think crypto is useless and we should all use telnet. Excellent :-/