The first time SSH connects to a server, it may not know the server’s key. It shows a fingerprint, asks for a decision and records the result. On later connections, a changed key produces a warning.

This is trust on first use, or TOFU. It is not perfect identification. It is a small, honest mechanism for detecting change.

The weakness is in the name. The first use is trusted. An attacker who controls that first encounter can be remembered as the legitimate host. Users also learn to click through warnings, especially when servers are rebuilt and keys change for harmless reasons.

Yet TOFU has survived because it chooses a tractable problem. It does not attempt to build one global authority able to pre-certify every server. It creates local memory: this is the key I saw for this name before.

Detection instead of omniscience

Many trustworthy systems work this way. They cannot prevent every bad state, so they make important changes observable. Certificate Transparency logs issued web certificates. Signal lets people compare safety numbers. File-integrity tools remember hashes.

The design pattern is modest:

  1. establish a local reference;
  2. preserve it;
  3. warn clearly when it changes;
  4. give the user a way to verify the new state;
  5. do not make routine maintenance indistinguishable from attack.

TOFU’s lesson is not to trust first encounters casually. It is that local continuity can sometimes outperform a grand certification system whose authority nobody understands.

Further reading