> From: owner-openssl-us...@openssl.org On Behalf Of greenelephant
> Sent: Sunday, 05 June, 2011 05:20

> Thanks for the reply Dave. I am grateful for your advice. I
> am a novice as you have probably gathered.
> If I am not wrong in my judgement you seem to have some expertise on
> cryptology.

Some, not a whole lot.

> I have stated SSL in my first post that I would like help
> with as you know.
> But with your expertise is there a better solution to use
> except SSL in
> terms of security using openssl?

SSL/TLS (preferably the newest version supported, today usually TLS 1.1 or maybe 1.2) is a good general solution for security of Internet endpoint communication (particularly, but not only, web traffic using HTTPS). OpenSSL is a good implementation of SSL/TLS, plus some related (crypto) functionality, but not the only one; any other conforming and well-tested implementation available to you should be fine. For example, Java includes its own SSL/TLS implementation (for Java), and I understand dot-NET does (for C#, VB, etc.).

There are other protocols that may be better in specific situations (e.g. SSH as below) or necessary (e.g. IPsec and DNSsec are done at a level below where SSL can work).

> Also is SSL an ideal security solution for secured FTP
> transmissions using
> the openssl module to enable me to subvert any efforts to
> sabotage or breach
> security perpetrated by intruders or hackers using the
> methods of attacks
> (side channeling for instance) previously mentioned?

FTP over SSL (FTPS) is a secure means of file transfer, if supported by both your server(s) and your client(s), which in my experience is not very common. When it is supported, the server and client code determines what module is used; it might be OpenSSL or something else.

Another good and in my experience more common method of securing file transfer is SFTP, part of the SSH protocol suite. The crypto used in SSH is generally similar (though not identical) to SSL/TLS, and in fact the most widespread implementation, OpenSSH, uses libcrypto from OpenSSL, but the trust model is different (simpler). Instead of creating and verifying certificates, SSH requires you to manually verify a key fingerprint on the first connection between a given client and server (or else manually pre-transfer the encoded public key). This isn't very good for communications with strangers (like sites you found on Google), but works okay for people who already have some contact (like your friends, customers of your company, etc.).

Another approach is to secure the files themselves, rather than just the transfer. That is, encrypt and perhaps sign the files when (or before) they are placed on the sending system(s), transfer them using plain FTP or HTTP or other, and decrypt and perhaps verify them on the receiving system(s).

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
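The reply above contrasts the certificate model of SSL/TLS with the SSH model, where the client records a server's key fingerprint on first contact and compares it on every later connection. The following Python example is added here to illustrate that trust-on-first-use check; it is not code from the original thread, from OpenSSL or from OpenSSH. It assumes a hypothetical `KnownHosts` store keyed by host name, computes fingerprints in the `SHA256:` base64 format that OpenSSH prints, and uses constructed sample key bytes in place of real server public keys.

```python
import base64
import hashlib
import json
from pathlib import Path
from typing import Callable, Dict, Optional


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyRejected(Exception):
    """User declined to trust an unknown host key on first contact."""


class HostKeyMismatch(Exception):
    """Host presented a key different from the one recorded earlier."""


class KnownHosts:
    """Minimal known_hosts-like store (hypothetical; JSON file or in-memory)."""

    def __init__(self, path: Optional[str] = None) -> None:
        self.path = Path(path) if path else None
        self.entries: Dict[str, str] = {}
        if self.path and self.path.exists():
            self.entries = json.loads(self.path.read_text())

    def save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.entries, indent=2))

    def check(self, host: str, pubkey_blob: bytes,
              confirm: Callable[[str, str], bool]) -> str:
        """Return 'first-use' or 'known'; raise on mismatch or rejection.

        `confirm(host, fingerprint)` stands in for the manual out-of-band
        verification step the reply describes (phone call, pre-shared key).
        """
        fp = fingerprint(pubkey_blob)
        recorded = self.entries.get(host)
        if recorded is None:
            # First contact: nothing to compare against, so the human must
            # verify the fingerprint before it is pinned for this host.
            if not confirm(host, fp):
                raise HostKeyRejected(f"{host}: fingerprint {fp} not accepted")
            self.entries[host] = fp
            self.save()
            return "first-use"
        if recorded != fp:
            # Every later connection is checked against the pinned value;
            # a change here is exactly the condition a client must refuse.
            raise HostKeyMismatch(
                f"{host}: expected {recorded}, got {fp}")
        return "known"


def demo() -> Dict[str, str]:
    """Walk through first contact, repeat contact and a changed key."""
    store = KnownHosts()  # in-memory; pass a path to persist as JSON
    key_a = b"constructed-sample-host-key-A"  # not a real SSH key blob
    key_b = b"constructed-sample-host-key-B"
    results = {}
    results["first"] = store.check("files.example", key_a, lambda h, f: True)
    results["repeat"] = store.check("files.example", key_a, lambda h, f: True)
    try:
        store.check("files.example", key_b, lambda h, f: True)
        results["changed"] = "accepted"
    except HostKeyMismatch:
        results["changed"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The `confirm` callback is where the out-of-band step lives; a real client would print the fingerprint and ask the user, or consult a pre-distributed list of keys, which is the "manually pre-transfer the encoded public key" option from the reply.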