-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Trust On First Use. It's a key-exchange method where you trust the first time you grab a key, and use that, instead of a cert-authority or anything like that. It's used for SSH iirc, though I could be wrong. The idea behind it is that unless the MITM performs a MITM the first time and every time thereafter, you'll at least notice the attack, and likely prevent it. I was going to provide a Wikipedia link, but I couldn't seem to find one, other than this one hidden in a user page. [1]https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use On 07/26/2013 09:06 AM, tz wrote: > Sorry for being slow, but what is TOFUing? > > On Fri, Jul 26, 2013 at 8:27 AM, Andy Isaacson <[2]adi@hexapodia.org [3]> wrote: > > > I've run my primary browser with no trusted CAs, manually TOFUing > certificates for sites, for months on end. It's slightly easier than > "view source" to use control-shift-K (in Firefox) and reload the page, > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with undefined - [4]http://www.enigmail.net/ iQIcBAEBAgAGBQJR8rjVAAoJED2aKxR1HF9BsDkQAOiqrPvw6ClM5mZ3zdMgzZQ1 jsyKmZMCOEUJtrlJA2LGN6ybhQ0ESCubrBD9izHOt80fTqpYoDkd27ziwGeEUw/m h3+VATV0zr0Pr569e71sIhsRs3rlGXJfDeoyDDJrb/t+fbSDXccecIpz8uQiByb6 hAAIqFGjFSozikAtdRfbeiXGBQQD6nlzzT6/FWZ5jygX4XElRvcF/ElEfsFJ2N6+ 4oRMt6irhirDzPSCFuXtbSrNXZ+GQ7k3YRt2uC6uLzHEjpatbdVw420AQlm3fEZs IN20NTIRHlJl81sB1a37d30JjqLI35f1HbUHBBuFO25ArUnTRQoN973D6vnSAZLj v8/LFCYM+rhpabpZ21e2kBywJoo+t1iy9506VbGNyfZV4xxxVPaBVpwmANfoK0SO MeHXfz8sTR7wjiMc/m735GLRCZMonYcejZ0BY9wDTBC9iCjaGB+6bFgcV4cop4vt WakfqQKp1j+qrly5sZcRZG8AWQzCGlUbEkfXuknmEVSxED0zEE6DZlnEbYOftvoG 8M1Z8hMAI+sO4mhbyDEBbsY3y+GbfyShLFmyxR82HXh7Vw/NyYjkE4Px9uoGGwPl hTgXOTxB/teA0jpVVO96SFG1YrhCt+98LlcCAKwM/xuv5jPVp9ipz0QuyF9C3AE3 EJfQHrhI/qyfoBCklYt+ =iakG -----END PGP SIGNATURE----- References 1. https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use 2. mailto:adi@hexapodia.org 3. mailto:adi@hexapodia.org 4. http://www.enigmail.net/