Fix it - If you Can! Towards Understanding the Impact of Tool Support and Domain Owners’ Reactions to SSHFP Misconfigurations

Misconfigured SSHFP records might lead to SSH users not carefully verifying host key fingerprints, making SSH connections vulnerable to Man-in-the-Middle attacks. To warn domain owners about SSHFP misconfigurations and the potential security implications, we conducted a 2 × 3 randomized controlled notification experiment. We sent notifications to n = 518 domain owners with misconfigured SSHFP records. Following up on contradictory results from related work, we investigated the effects of tool support. While we see that the sender of the notification itself has no effect, our results suggest that tool support might increase remediation when the sender of the notification is different than the institution providing the tool. ... mehrFurthermore, we analyzed domain owners’ responses
to our notification to identify reasons for (non-) remediation. While only 27% remediated the misconfiguration after our notification, we identified valuable explanations for individual remediation behavior in the responses we received (n = 52), supporting the argument that remediation rate should not be considered a success measure for a notification campaign but instead individual challenges faced by domain owners should be taken into account.

Misconfigured SSHFP records might lead to SSH users not carefully verifying host key fingerprints, making SSH connections vulnerable to Man-in-the-Middle attacks. To warn domain owners about SSHFP misconfigurations and the
potential security implications, we conducted a 2 × 3 randomized controlled notification experiment. We sent notifications to n = 518 domain owners with misconfigured SSHFP records. Following up on contradictory results from related work, we investigated the effects of tool support. While we see that the sender of the notification itself has no effect, our results suggest that tool support might increase remediation when the sender of the notification is different than the institution providing the tool. ... mehrFurthermore, we analyzed domain owners’ responses
to our notification to identify reasons for (non-) remediation. While only 27% remediated the misconfiguration after our notification, we identified valuable explanations for individual remediation behavior in the responses we received (n = 52), supporting the argument that remediation rate should not be considered a success measure for a notification campaign but instead individual challenges faced by domain owners should be taken into account.