On Tue, May 3, 2011 at 10:22 AM, Mark Moellering <m...@msen.com> wrote:
> Everyone,
> I am looking into setting up a web server to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing any
> web connections to be done using an SSH tunnel or forcing SSL.
> I have not been able to figure out if one is definitively much more secure
> than another or if they are close to the same. I would have initially
> thought the SSH tunnel was more secure, but knowing that SSL can use AES-256,
> I am now wondering if that isn't adding complexity for little extra
> security.
>
> Thanks in advance
>
> Mark Moellering
I don't think there is any extra security in tunneling an HTTP connection over SSH. User authentication is a different matter, but the encryption algorithms are the same. Most web servers have an option for configuring which ciphers are allowed (same as OpenSSH, by the way), so you can easily restrict HTTPS connections to just AES-256 or any other cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you have to make sure that the clients have the correct public key ahead of time, or provide a way to verify the key during the first connection. With HTTPS you can get a certificate from an existing CA, which allows clients to verify the server identity without any extra work on your part. As an alternative, you can create your own CA and distribute its public key to the clients, which is pretty similar to SSH, except that it's much easier to change the server certificate later on.

- Max

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
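The three points in Max's reply (restrict the server to an AES-256 suite, hand clients only your own CA certificate so a rogue server is refused, and rotate the server certificate without touching the clients) can be exercised end to end in a single self-contained program. The following is an added example written for this page, not code from the thread or from any web server; it uses Go's crypto/tls over an in-memory pipe instead of a real web server, and the host name `secure.example.internal` is an assumption. On a real server the cipher restriction is the cipher-list option Max mentions (for example Apache's `SSLCipherSuite`, or `Ciphers` in sshd_config on the SSH side); TLS 1.2 is pinned here only because Go does not let you configure TLS 1.3 suites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error; in this demo a key-generation or signing failure is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate for cn. With parent == nil it is a self-signed CA (the
// "create your own CA" option); otherwise it is a server leaf signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// handshake runs one TLS 1.2 handshake over an in-memory pipe. The server is limited
// to a single AES-256 suite, as a web server's cipher list would be; the client trusts
// only the CAs in roots. It returns the negotiated suite name or the client's error.
func handshake(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, roots *x509.CertPool, host string) (string, error) {
	serverConf := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // Go's TLS 1.3 suites are not configurable; pin 1.2 so CipherSuites applies
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	clientConf := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
	cConn, sConn := net.Pipe()
	defer cConn.Close() // also unblocks the server goroutine if the client bails out
	go func() { _ = tls.Server(sConn, serverConf).Handshake() }()
	client := tls.Client(cConn, clientConf)
	if err := client.Handshake(); err != nil {
		return "", err
	}
	return tls.CipherSuiteName(client.ConnectionState().CipherSuite), nil
}

// Result records what Demo observed.
type Result struct {
	Cipher       string // suite negotiated when the client trusts the right CA
	Reissued     bool   // a replacement server cert from the same CA worked with no client change
	MITMRejected bool   // a cert for the same host from an unknown CA was refused
}

// Demo builds a private CA, gives the client only the CA certificate, and checks the
// three properties above against an assumed host name.
func Demo() (Result, error) {
	const host = "secure.example.internal" // assumed name, not from the thread
	ca, caKey := newCert("Internal Root CA", nil, nil)
	roots := x509.NewCertPool() // the CA certificate is all a client needs to be given
	roots.AddCert(ca)
	leaf, leafKey := newCert(host, ca, caKey)
	cipher, err := handshake(leaf, leafKey, roots, host)
	if err != nil {
		return Result{}, err
	}
	leaf2, leafKey2 := newCert(host, ca, caKey) // rotate the server cert under the same CA
	_, reissueErr := handshake(leaf2, leafKey2, roots, host)
	rogueCA, rogueKey := newCert("Rogue CA", nil, nil) // an interceptor who never had our CA key
	rogue, rogueLeafKey := newCert(host, rogueCA, rogueKey)
	_, mitmErr := handshake(rogue, rogueLeafKey, roots, host)
	return Result{Cipher: cipher, Reissued: reissueErr == nil, MITMRejected: mitmErr != nil}, nil
}
```

Calling `Demo()` yields `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` for the trusted path, a successful handshake with the reissued certificate, and a verification failure for the rogue one. The design point is that the client holds nothing but the CA certificate: the server key can be replaced at will, while a server that presents a correctly named certificate from any other issuer is refused, which is exactly the property an SSH client gets only by having the right host key pinned in advance.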