OT: Security question (openssl vs openssh)
jon at radel.com
Tue May 3 15:01:33 UTC 2011
On 5/3/11 10:22 AM, Mark Moellering wrote:
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more
> secure than another or if they are close to the same. I would have
> initially thought the ssh tunnel was more secure but knowing that ssl
> can use AES-256, I am now wondering if that isn't adding a complexity
> for little extra security.
> Thanks in advance
> Mark Moellering
I'd say that that's a really hard problem to answer definitively, but my
gut reaction is that the less complex solution is less likely to involve
configuration screw-ups which compromise security. Particularly if
other administrators are or will be involved, that which is too clever
just begs for innocent, even if clueless, changes that compromise
assumptions upon which the security depends.
In any case, I'd worry more about how I handle user authentication and
authorization than squeezing the last little drop of warm fuzzies out of
the encryption setup. To the extent that if you already have a fully
trusted infrastructure in place for ssh keys, you might want to consider
using ssh tunnels for that reason alone.
Or, to put it another way, if your security is going to fall, it's much
more likely that it's going to involve a poor configuration choice, a
user that screws up big time, or a "back door" to the data, than a
successful "technical" attack against TSL or SSH.
jon at radel.com
More information about the freebsd-questions