OT: Security question (openssl vs openssh)
Everyone,

I am looking into setting up a webserver to hold some very sensitive information. I am trying to figure out which is more secure, forcing any web connections to be done using an ssh tunnel or forcing ssl. I have not been able to figure out if one is definitively much more secure than another or if they are close to the same. I would have initially thought the ssh tunnel was more secure but knowing that ssl can use AES-256, I am now wondering if that isn't adding a complexity for little extra security.

Thanks in advance

Mark Moellering

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: OT: Security question (openssl vs openssh)
On Tue, May 3, 2011 at 10:22 AM, Mark Moellering m...@msen.com wrote:

> Everyone,
>
> I am looking into setting up a webserver to hold some very sensitive information. I am trying to figure out which is more secure, forcing any web connections to be done using an ssh tunnel or forcing ssl. I have not been able to figure out if one is definitively much more secure than another or if they are close to the same. I would have initially thought the ssh tunnel was more secure but knowing that ssl can use AES-256, I am now wondering if that isn't adding a complexity for little extra security.
>
> Thanks in advance
>
> Mark Moellering

I don't think there is any extra security in tunneling an HTTP connection over SSH. User authentication is a different matter, but the encryption algorithms are the same. Most web servers have an option of configuring what ciphers are allowed (same as OpenSSH, by the way), so you can easily restrict HTTPS connections to just AES-256 or any other cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you have to make sure that the clients have the correct public key ahead of time or provide a way to verify the key during the first connection. With HTTPS you can get a certificate from an existing CA, which allows clients to verify the server identity without any extra work on your part. As an alternative, you can create your own CA and distribute the public key to the clients, which is pretty similar to SSH, except that it's much easier to change the server certificate later on.

- Max
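The private-CA arrangement Max describes, worked through as an added shell example (not from the thread): the CA's public certificate is the one thing clients receive, the server certificate chains to it, and reissuing the server certificate does not disturb the clients. It assumes the openssl command-line tool is installed; the hostname and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA whose public cert is handed to
# clients, a server cert issued under it, and the client-side check. Names and
# paths are constructed; the only tool assumed is the openssl command line.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create the private CA: a self-signed certificate plus its private key.
# Only ca.crt is distributed; ca.key stays with whoever issues server certs.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $1 (writes server.key and server.crt).
# Running it again with a fresh key is the "change the server certificate later" case.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$WORK/server.crt" 2>/dev/null
}

# A self-signed certificate for the same hostname that our CA never signed,
# standing in for a server that is not ours.
make_unrelated_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# The client-side check: does certificate $2 chain to the distributed CA cert $1?
# Exit status 0 means the chain verifies; anything else means the client must refuse.
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate. It changes on every reissue, which is
# what a pinned key (the SSH known_hosts model) would trip over and a CA check does not.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}
```

A client holding only ca.crt keeps accepting the server across a certificate change, while a client that had pinned the old certificate's fingerprint would have to be updated, which is the contrast Max draws with distributing an SSH host key.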
Re: OT: Security question (openssl vs openssh)
On 5/3/11 10:22 AM, Mark Moellering wrote:

> Everyone,
>
> I am looking into setting up a webserver to hold some very sensitive information. I am trying to figure out which is more secure, forcing any web connections to be done using an ssh tunnel or forcing ssl. I have not been able to figure out if one is definitively much more secure than another or if they are close to the same. I would have initially thought the ssh tunnel was more secure but knowing that ssl can use AES-256, I am now wondering if that isn't adding a complexity for little extra security.
>
> Thanks in advance
>
> Mark Moellering

I'd say that that's a really hard problem to answer definitively, but my gut reaction is that the less complex solution is less likely to involve configuration screw-ups which compromise security. Particularly if other administrators are or will be involved, that which is too clever just begs for innocent, even if clueless, changes that compromise assumptions upon which the security depends.

In any case, I'd worry more about how I handle user authentication and authorization than squeezing the last little drop of warm fuzzies out of the encryption setup. To the extent that if you already have a fully trusted infrastructure in place for ssh keys, you might want to consider using ssh tunnels for that reason alone.

Or, to put it another way, if your security is going to fall, it's much more likely that it's going to involve a poor configuration choice, a user that screws up big time, or a back door to the data, than a successful technical attack against TLS or SSH.

--Jon Radel
j...@radel.com
Re: OT: Security question (openssl vs openssh)
On Tue, May 03, 2011, Mark Moellering wrote:

> Everyone,
>
> I am looking into setting up a webserver to hold some very sensitive information. I am trying to figure out which is more secure, forcing any web connections to be done using an ssh tunnel or forcing ssl. I have not been able to figure out if one is definitively much more secure than another or if they are close to the same. I would have initially thought the ssh tunnel was more secure but knowing that ssl can use AES-256, I am now wondering if that isn't adding a complexity for little extra security.

Our solution for critical services like this is to run the service only on a private LAN segment which is available from the outside world only through an OpenVPN connection. The OpenVPN connection requires unique keys for each client which are easily revoked if a laptop is lost or stolen or on employee termination.

It also isolates the web service from other external attacks via insecure PHP scripts and such.

Bill
-- 
INTERNET: b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676  Mercer Island, WA 98040-0820
Fax: (206) 232-9186  Skype: jwccsllc (206) 855-5792

If the personal freedoms guaranteed by the Constitution inhibit the government's ability to govern the people, we should look to limit those guarantees.
-- President Bill Clinton, August 12, 1993