mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-07-16 02:27:32 -05:00
08f1e2a506
This mitigates CVE-2020-14002: if you're in the habit of clicking OK to unknown host keys (the TOFU policy - trust on first use), then an active attacker looking to exploit that policy to substitute their own host key in your first connection to a server can use the host key algorithm order in your KEXINIT to (not wholly reliably) detect whether you have a key already stored for this host, and if so, abort their attack to avoid giving themself away. However, for users who _don't_ use the TOFU policy and instead check new host keys out of band, the dynamic policy is more useful. So it's provided as a configurable option.