Trust On First Use

Trust On First Use (TOFU) is a security model in which a system automatically trusts an entity, such as a server or device, the first time it encounters it, without prior verification. That trust is then persisted for future interactions, often based on the initial authentication or key exchange. It is commonly used where establishing trust beforehand is impractical, such as with SSH connections or self-signed certificates.

Also known as: TOFU, Trust on First Use, Trust Upon First Use, Trust at First Use, First-Use Trust

Why learn Trust On First Use?

Developers should learn TOFU when working with systems that require secure initial connections but lack a pre-established trust infrastructure, such as IoT devices, peer-to-peer networks, or development environments. It simplifies deployment by avoiding complex certificate authorities or manual verification steps. However, it introduces risk if the first interaction is compromised, so it is best used in controlled or low-risk settings.
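
The trust-then-persist behaviour described above, sketched as a small pin store. This is an added example, not code from the original page; the `TofuStore` class, the peer name and the key bytes are hypothetical, constructed values.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


class TofuStore:
    """Hypothetical pin store: peer name -> fingerprint of the first key seen."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, peer: str, public_key: bytes) -> str:
        """Return 'pinned' on first contact, 'match' or 'mismatch' afterwards."""
        seen = fingerprint(public_key)
        pinned = self.pins.get(peer)
        if pinned is None:
            # First use: nothing to compare against, so the key is accepted as-is.
            # An out-of-band fingerprint check belongs here when one is available.
            self.pins[peer] = seen
            self.path.write_text(json.dumps(self.pins, indent=2))
            return "pinned"
        # Later use: the stored pin is never silently replaced on a change.
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


def demo(store_path):
    store = TofuStore(store_path)
    # Constructed sample values, not real keys.
    key_a, key_b = b"constructed-sample-key-A", b"constructed-sample-key-B"
    results = [
        store.check("device-01.example", key_a),  # first contact
        store.check("device-01.example", key_a),  # same key again
        store.check("device-01.example", key_b),  # key changed
    ]
    # A fresh process reloading the file still enforces the original pin.
    results.append(TofuStore(store_path).check("device-01.example", key_b))
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(Path(d) / "pins.json"))
```

A `mismatch` result should stop the connection and go to an operator for review, since the store cannot tell a legitimate key rotation from an impersonated peer.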
