Date: Tue, 3 May 2011 10:57:01 -0400
From: Maxim Khitrov <max@mxcrypt.com>
To: Mark Moellering <mark@msen.com>
Cc: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: OT: Security question (openssl vs openssh)
Message-ID: <BANLkTimPzDLUXez+ZyB10pxDRzmfYvvHOA@mail.gmail.com>
In-Reply-To: <4DC00FB5.7080306@msen.com>
References: <4DC00FB5.7080306@msen.com>
On Tue, May 3, 2011 at 10:22 AM, Mark Moellering <mark@msen.com> wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information.  I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more secure
> than another or if they are close to the same.  I would have initially
> thought the ssh tunnel was more secure but knowing that ssl can use AES-256,
> I am now wondering if that isn't adding a complexity for little extra
> security.
>
> Thanks in advance
>
> Mark Moellering

I don't think there is any extra security in tunneling an HTTP connection
over SSH. User authentication is a different matter, but the encryption
algorithms are the same. Most web servers have an option of configuring
what ciphers are allowed (same as OpenSSH, by the way), so you can easily
restrict HTTPS connections to just AES-256 or any other cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you have to
make sure that the clients have the correct public key ahead of time or
provide a way to verify the key during the first connection. With HTTPS you
can get a certificate from an existing CA, which allows clients to verify
the server identity without any extra work on your part. As an alternative,
you can create your own CA and distribute the public key to the clients,
which is pretty similar to SSH, except that it's much easier to change the
server certificate later on.

- Max
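[Editor's added example; this is not part of Max's reply nor code from FreeBSD or OpenSSH.]
The two points above that actually decide the outcome are (1) restricting the
cipher list and (2) making the client refuse a server it cannot authenticate,
whether that is a certificate chained to a CA (public or your own) or an SSH
host key pinned in known_hosts. The Python below shows both on the client side
using only the standard library: a TLS client context that offers only AES-256
TLS 1.2 suites and requires a verified certificate (system CA bundle, or a
private CA file), next to the permissive context that makes MITM trivial; and a
known_hosts checker that tells "ok" (pinned key matches), "changed" (known host,
different key: the MITM case) and "unknown" (first contact, the trust-on-first-use
gap Max refers to) apart, handling both plain and HashKnownHosts entries. The
host key, the known_hosts lines, the host names and the salt are constructed
dummies, not real keys or hosts; the cipher names are OpenSSL's.

```python
"""Client-side server authentication for the two options in the thread.

Added example, not code from the original message, FreeBSD or OpenSSH.
Standard library only. SAMPLE_KEY and KNOWN_HOSTS are constructed dummies.
"""
import base64
import hashlib
import hmac
import ssl
import struct

# ---- HTTPS: AES-256-only TLS 1.2 suites plus a verified certificate ------

# OpenSSL cipher names; both are AES-256-GCM with ephemeral ECDHE key exchange.
AES256_ONLY = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def tls_client_context(ca_file=None):
    """ca_file=None: trust the system CA bundle (cert from an existing CA).
    ca_file="my-ca.pem": trust only your own CA (the private-CA alternative)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # no valid chain -> handshake fails
    ctx.check_hostname = True             # chain must also name this host
    if ca_file is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_file)
    # Applies to TLS 1.2 suites; TLS 1.3 suites are fixed by OpenSSL and the
    # stdlib has no setter for them (all are AEAD; TLS_AES_256_GCM_SHA384 is one).
    ctx.set_ciphers(AES256_ONLY)
    return ctx


def permissive_client_context():
    """The weak setting: encrypts, but accepts any server (MITM-able)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """True if the context verifies the peer and offers only AES-256 TLS 1.2 suites."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(tls12) and all("AES256" in n for n in tls12))


# ---- SSH: the host key must be pinned before the first connection --------

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


# Constructed dummy blob in OpenSSH wire format (ssh-ed25519 + 32 key bytes).
# NOT a real key: the "public key" bytes are simply 0..31.
SAMPLE_KEY = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))


def openssh_fingerprint(blob):
    """SHA256:<unpadded base64>, the form ssh-keygen -l and ssh print."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_entry(hostname, salt):
    """known_hosts hostname field in HashKnownHosts form: |1|salt|hmac-sha1."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def _host_matches(field, hostname):
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            expect = hmac.new(base64.b64decode(salt_b64), hostname.encode(),
                              hashlib.sha1).digest()
            if hmac.compare_digest(expect, base64.b64decode(mac_b64)):
                return True
        elif pattern == hostname:   # wildcards and [host]:port not handled here
            return True
    return False


def check_host_key(known_hosts_text, hostname, key_type, blob):
    """'ok' = pinned key matches; 'changed' = known host, other key (possible
    MITM); 'unknown' = no entry, i.e. nothing to verify against on first use."""
    known = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue   # blank, comment, or @cert-authority/@revoked marker lines
        hosts, ktype, key_b64 = fields[:3]
        if ktype != key_type or not _host_matches(hosts, hostname):
            continue
        known = True
        if hmac.compare_digest(base64.b64decode(key_b64), blob):
            return "ok"
    return "changed" if known else "unknown"


# Constructed known_hosts: one plain entry, one hashed entry, same dummy key.
_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real known_hosts file",
    "web.internal,10.0.0.5 ssh-ed25519 " + _KEY_B64,
    hashed_host_entry("backup.internal", b"0123456789abcdefghij")
    + " ssh-ed25519 " + _KEY_B64,
])
```

To use the TLS half against a real server, wrap a socket with
`tls_client_context("my-ca.pem").wrap_socket(sock, server_hostname="web.internal")`;
a forged or self-signed certificate then fails the handshake instead of being
silently accepted. The known_hosts half is what ssh does before it lets a tunnel
carry any traffic: a "changed" result is the signal to stop, not to re-accept.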
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BANLkTimPzDLUXez%2BZyB10pxDRzmfYvvHOA>