On Sun, Mar 28, 2010 at 7:16 PM, Michael Richardson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> >>>>> "Chris" == Chris Travers <[email protected]> writes:
>     >> As far as I'm concerned, SSH tunnels (from Windows, using
>     >> passwords), SSL (HTTPS), IPsec (using PSK), and OpenVPN (often
>     >> using PSK) are all pretty much equivalent in security. HTTPS is
>     >> the simplest to support.
>
>     Chris> Properly configured, I would generally agree with this. The
>     Chris> only thing I would add is that I would only put HTTPS in that
>     Chris> category for access to LedgerSMB if client-side certificates
>     Chris> are verified. HTTPS otherwise is nothing more than an
>     Chris> anti-eavesdropping measure and fails to provide the
>     Chris> additional level of protection that requiring a pre-shared
>     Chris> key in the other options provides.
>
> I disagree.

I don't think you do, actually ;-) We probably just are talking past each other.

> If you are using passwords with SSH, IPsec (PSK), or OpenVPN, then it is
> equivalent to HTTPS using passwords. Sure there are some minor
> differences in terms of resistance to SYN attacks, and stuff like that,
> but I think that is minor.
>
> What I'm implying is that if you are not using client-side
> certificates/RSA-keys for your SSH, IPsec or OpenVPN security (on top of
> your port-80 ledgersmb), then it's not really very secure at all. You
> might as well stick with HTTPS using passwords.

I wouldn't suggest using client cert validation instead of passwords. However, what client cert validation buys you is the fact that only authorized terminals are supposed to even get to the password prompt. This drastically reduces the security exposure that the application has.

IOW: HTTPS along with client certs to get a connection, plus passwords at the application level.

Best Wishes,
Chris Travers
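The layering Chris describes (a verified client certificate required to reach the application at all, with LedgerSMB's own password login still in place behind it) expressed as an Apache mod_ssl virtual host. This is an added example, not configuration from the thread or from the LedgerSMB project; hostnames, certificate paths and the organisation name are placeholders.

```apache
# Added example (not from the thread). Placeholder hostnames and paths.
<VirtualHost *:443>
    ServerName ledgersmb.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ledgersmb.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/ledgersmb.example.com.key

    # Private CA that issued the client certificates. Only certificates
    # chaining to this CA are accepted; a public CA bundle does not belong here.
    SSLCACertificateFile  /etc/ssl/certs/internal-client-ca.crt

    # The setting the thread warns about: no client verification, so HTTPS
    # is only an anti-eavesdropping measure and anyone can reach the login form.
    # SSLVerifyClient none

    # Hardened setting: the TLS handshake itself fails unless the client presents
    # a certificate signed by the CA above, so unauthorized terminals never see
    # the LedgerSMB password prompt. Passwords remain enforced by the application.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Optional: also pin the issuer organisation, so a certificate from any other
    # CA that might later be added to the bundle is still rejected for this path.
    <Location /ledgersmb>
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Corp"
    </Location>
</VirtualHost>

# Close the plain-HTTP path (the "port-80 ledgersmb" case in the quoted mail):
# nothing is served there, only a redirect to the certificate-gated vhost.
<VirtualHost *:80>
    ServerName ledgersmb.example.com
    Redirect permanent / https://ledgersmb.example.com/
</VirtualHost>
```

Client certificates are issued only to the authorized terminals, and revoking one (via SSLCARevocationFile or a CA rebuild) removes that terminal's access without touching any application passwords.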
