[Security threat] Host ECDSA key fingerprint mismatch on gitlab.gnome.org

Dear administrators,

When cloning repositories from git@git.gitlab.gnome.org, a warning is printed that the authenticity of the host cannot be established (as is usual for the first connection), and a manual fingerprint check must be performed to establish authenticity to prevent a man-in-the-middle attack. The returned ECDSA key fingerprint is SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw.

However, the fingerprint displayed on https://gitlab.gnome.org/help/instance_configuration reads SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms, which clearly doesn’t match.

This means that there is either a misconfiguration/out-of-date webpage, or a MITM attack, and as such this mismatch may pose a security threat. Could you verify if this issue occurs on your machines as well?

Example log with ssh on gitlab.gnome.org:

$ ssh ssh.gitlab.gnome.org
The authenticity of host 'ssh.gitlab.gnome.org (8.43.85.27)' can't be established.
ECDSA key fingerprint is SHA256:TiA9po6nO6jFso7wQNy4xLlth10lIfjv1dxuDabVIqw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _

https://gitlab.gnome.org/help/instance_configuration: SHA256:c3uvVfoSe4/y5pbBfU7ntdUNliGTa2mDmqjcu2C+8ms < Does not match.

Example with gitlab.com, which does not have this issue:

$ ssh gitlab.com
The authenticity of host 'gitlab.com (172.65.251.78)' can't be established.
ECDSA key fingerprint is SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw.
Are you sure you want to continue connecting (yes/no/[fingerprint])? _

https://gitlab.com/help/instance_configuration: SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw < Matches.

Thanks,
Anashe

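The check the post performs by hand (compare the fingerprint the SSH client prints against the one published out-of-band) can be scripted so it is repeatable and covers every key type a host offers. The following is an added example, not code from the original post or from GitLab/GNOME: it parses `ssh-keyscan`-style lines, computes OpenSSH's SHA256 fingerprint (base64 of SHA-256 over the raw key blob, with `=` padding stripped) and compares it with a table of published fingerprints. The host name `git.example.test`, the two 32-byte "keys" and the keyscan lines are constructed for the example and are not real keys; the published table is derived from the "genuine" key to stand in for what a help page would list.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """OpenSSH wire blob for an ssh-ed25519 key: string "ssh-ed25519" + string <32-byte key>."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64(SHA-256(blob)) with trailing '=' removed, as ssh/ssh-keygen -l print it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan_line(line: str):
    """Parse one `ssh-keyscan` line ('host type base64blob'); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed keyscan line: {line!r}")
    host, key_type, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    # The blob's leading string names the algorithm; it must agree with the declared type,
    # otherwise we would fingerprint one key type while believing we checked another.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError(f"key type in blob does not match declared type {key_type} for {host}")
    return host, key_type, blob


def check_hosts(keyscan_output: str, published: dict) -> dict:
    """
    Compare every scanned key against the fingerprint published out-of-band for that (host, key type).
    Returns {(host, key_type): (observed_fingerprint, status)} with status "match", "MISMATCH" or
    "unpublished". "unpublished" is itself a finding: a key nobody published cannot be verified.
    """
    results = {}
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, key_type, blob = parsed
        observed = sha256_fingerprint(blob)
        expected = published.get((host, key_type))
        if expected is None:
            status = "unpublished"
        elif observed == expected:
            status = "match"
        else:
            status = "MITM or stale page: MISMATCH".split(": ")[1]  # "MISMATCH"
        results[(host, key_type)] = (observed, status)
    return results


# Constructed sample data (NOT real keys): a 32-byte "public key" for the genuine host and one for an impostor.
GENUINE_KEY = bytes(range(1, 33))
IMPOSTOR_KEY = bytes(range(100, 132))

# What the help page would publish: the fingerprint of the genuine key, per host and key type.
PUBLISHED = {
    ("git.example.test", "ssh-ed25519"): sha256_fingerprint(build_ed25519_blob(GENUINE_KEY)),
}


def keyscan_line(host: str, blob: bytes) -> str:
    """Format a blob the way `ssh-keyscan` prints it."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode('ascii')}"


# Two constructed scans: the clean case and the case where an on-path attacker presents its own key.
SCAN_OK = keyscan_line("git.example.test", build_ed25519_blob(GENUINE_KEY))
SCAN_MITM = keyscan_line("git.example.test", build_ed25519_blob(IMPOSTOR_KEY))

if __name__ == "__main__":
    for label, scan in (("clean scan", SCAN_OK), ("tampered scan", SCAN_MITM)):
        for (host, key_type), (fp, status) in check_hosts(scan, PUBLISHED).items():
            print(f"{label}: {host} {key_type} {fp} -> {status}")
```

The real-world equivalent of the input is `ssh-keyscan -t ecdsa ssh.gitlab.gnome.org > scan.txt` followed by `ssh-keygen -lf scan.txt`, which prints the same SHA256 fingerprint the client shows at first connection. Two caveats matter when reading the result: compare like with like (an ECDSA fingerprint on the help page says nothing about the Ed25519 or RSA key the server may also offer, and `ssh` shows the fingerprint of whichever type it negotiated), and a scan from the same network path as the original observation cannot distinguish a stale web page from an on-path attacker, since the attacker would answer the scan too; the value must come out-of-band, from a page you reached over a verified TLS connection or from a second vantage point.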

This was already discussed at "Publish fingerprint for OpenShift?".
