If you are reading this blog, odds are you are an System Administrator or at very least someone with technical skill and Linux knowledge. Following this train of thought, giving our connected world, leads us to the fact that you have used ssh at some point. And chances are you seen this prompt:
The authenticity of host 'mx1.alpha-labs.net (18.104.22.168)' can't be established.
RSA key fingerprint is 50:88:9e:56:e9:2a:2f:d7:7f:e7:a9:3d:0f:23:9e:52.
Are you sure you want to continue connecting (yes/no)?
Be honest: Did you ever really read this passage? I wager you typed “yes” to get on with the job at hand. This however, is a major security concern. You see, encryption is only awesome if you talk to the right person. What use is the most sophisticated encryption if you encrypt with your enemy?
You need to be sure you talk to the right guy, or in this case the right server. The fingerprint printed above should be checked against a trusted source, be it written, given in person or phone call. No one does this, period. So everyone is just typing yes — or even worse: Disabling this check altogether (please don’t).
Do you know DNSSEC? With a fully trusted path coming from the root name servers “.” across the tld registries (.net) all the way down to the local system administrator on fqdn level (alpha-labs.net) or even lower (mx1.alpha-labs.net).