Glossary of Security Terms: TOFU

Trust On First Use (TOFU) is a security model in which a client needs to create a trust relationship with an unknown server. To do that, clients will look for identifiers (for example public keys) stored locally. If an identifier
is found, the client can establish the connection. If no identifier is found, the client can prompt the user to determine if the client should trust the identifier.

TOFU is used in the SSH protocol, in HTTP Public Key Pinning (HPKP) where the browsers will accept the first public key returned by the server, and in

Strict-Transport-Security

Learn more

• HTTP Public Key Pinning (HPKP)

• Public-Key-Pins

• Wikipedia: TOFU

View Previous Terms:

• Block cipher mode of operation
• Certificate authority
• Challenge-response authentication
• Cipher
• Cipher suite
• Ciphertext
• CORS
• CORS-safelisted request header
• CORS-safelisted response header
• Cross-site scripting
• Cryptanalysis
• Cryptographic hash function
• Cryptography
• CSP
• CSRF
• Decryption
• Digital certificate
• DTLS (Datagram Transport Layer Security)
• Encryption
• Forbidden header name
• Forbidden response header name
• Hash
• HMAC
• HPKP
• HSTS
• HTTPS
• Key
• MitM
• OWASP
• Preflight request
• Public-key cryptography
• Reporting directive
• Robots.txt
• Same-origin policy
• Session Hijacking
• SQL Injection
• Symmetric-key cryptography
• Transport Layer Security (TLS)

Credits

• Source: https://developer.mozilla.org/en-US/docs/Glossary/TOFU
• Published under Open CC Attribution ShareAlike 3.0 license