From: Maxim Khitrov
To: Mark Moellering
Cc: FreeBSD <freebsd-questions@freebsd.org>
Date: Tue, 3 May 2011 10:57:01 -0400
Subject: Re: OT: Security question (openssl vs openssh)
In-Reply-To: <4DC00FB5.7080306@msen.com>

On Tue, May 3, 2011 at 10:22 AM, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more secure
> than another or if they are close to the same. I would have initially
> thought the ssh tunnel was more secure but knowing that ssl can use AES-256,
> I am now wondering if that isn't adding a complexity for little extra
> security.
>
> Thanks in advance
>
> Mark Moellering

I don't think there is any extra security in tunneling an HTTP connection over SSH. User authentication is a different matter, but the encryption algorithms are the same. Most web servers have an option of configuring what ciphers are allowed (same as OpenSSH, by the way), so you can easily restrict HTTPS connections to just AES-256 or any other cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you have to make sure that the clients have the correct public key ahead of time or provide a way to verify the key during the first connection. With HTTPS you can get a certificate from an existing CA, which allows clients to verify the server identity without any extra work on your part. As an alternative, you can create your own CA and distribute the public key to the clients, which is pretty similar to SSH, except that it's much easier to change the server certificate later on.

- Max
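The private-CA alternative Max describes, as an added example that is not part of the original thread: a self-signed CA issues the web server's certificate, clients install only the CA certificate, the server certificate can then be rotated without touching the clients, and a certificate signed by any other CA (what a man-in-the-middle would have to present) fails the client's check. The CA name, hostname, directory layout and the use of the openssl command-line tool are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI is
# installed; all names, hostnames and paths below are made up for the demo.
set -eu

WORK=$(mktemp -d)

# Create a self-signed CA. ca.crt is the only thing clients need to install.
make_ca() {            # $1 = output dir, $2 = CA display name
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate signed by the given CA. A short lifetime is
# fine here because rotating it needs no change on the clients.
issue_server_cert() {  # $1 = CA dir, $2 = output dir, $3 = server hostname
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$2/server.key" -out "$2/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 90 -in "$2/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$2/server.crt" >/dev/null 2>&1
}

# The client-side check: does the presented certificate chain to the CA the
# client trusts? Returns 0 if it does, non-zero if anyone else signed it.
verify_server_cert() { # $1 = trusted CA cert, $2 = presented server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mkdir -p "$WORK/ca" "$WORK/srv1" "$WORK/srv2" "$WORK/rogue-ca" "$WORK/rogue"
make_ca "$WORK/ca" "Example Private CA"
issue_server_cert "$WORK/ca" "$WORK/srv1" secure.example.test
# Rotation: new key and certificate, same CA, so the client trust store is
# unchanged. This is the "much easier to change the server certificate" point.
issue_server_cert "$WORK/ca" "$WORK/srv2" secure.example.test
# A certificate for the same hostname from some other CA: clients reject it.
make_ca "$WORK/rogue-ca" "Someone Else"
issue_server_cert "$WORK/rogue-ca" "$WORK/rogue" secure.example.test

for d in srv1 srv2 rogue; do
    if verify_server_cert "$WORK/ca/ca.crt" "$WORK/$d/server.crt"; then
        echo "$d: accepted by clients trusting Example Private CA"
    else
        echo "$d: rejected (not signed by the trusted CA)"
    fi
done
```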