OT: Security question (openssl vs openssh)

Maxim Khitrov max at mxcrypt.com
Tue May 3 14:57:33 UTC 2011

On Tue, May 3, 2011 at 10:22 AM, Mark Moellering <mark at msen.com> wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information.  I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more secure
> than another or if they are close to the same.  I would have initially
> thought the ssh tunnel was more secure but knowing that ssl can use AES-256,
> I am now wondering if that isn't adding a complexity for little extra
> security.
> Thanks in advance
> Mark Moellering

I don't think there is any extra security in tunneling an HTTP
connection over SSH. Use authentication is a different matter, but the
encryption algorithms are the same. Most web servers have an option of
configuring what ciphers are allowed (same as OpenSSH, by the way), so
you can easily restrict HTTPS connections to just AES-256 or any other
cipher you prefer.

The bigger issue will be how to prevent MITM attacks. With SSH, you
have to make sure that the clients have the correct public key ahead
of time or provide a way to verify the key during the first

With HTTPS you can get a certificate from an existing CA, which allows
clients to verify the server identity without any extra work on your
part. As an alternative, you can create your own CA and distribute the
public key to the clients, which is pretty similar to SSH, except that
it's much easier to change the server certificate later on.

- Max

More information about the freebsd-questions mailing list