OT: Security question (openssl vs openssh)

Jon Radel jon at radel.com
Tue May 3 15:01:33 UTC 2011

On 5/3/11 10:22 AM, Mark Moellering wrote:
> Everyone,
> I am looking into setting up a webserver to hold some very sensitive
> information. I am trying to figure out which is more secure, forcing any
> web connections to be done using an ssh tunnel or forcing ssl.
> I have not been able to figure out if one is definitively much more
> secure than another or if they are close to the same. I would have
> initially thought the ssh tunnel was more secure but knowing that ssl
> can use AES-256, I am now wondering if that isn't adding a complexity
> for little extra security.
> Thanks in advance
> Mark Moellering

I'd say that that's a really hard problem to answer definitively, but my 
gut reaction is that the less complex solution is less likely to involve 
configuration screw-ups which compromise security.  Particularly if 
other administrators are or will be involved, that which is too clever 
just begs for innocent, even if clueless, changes that compromise 
assumptions upon which the security depends.

In any case, I'd worry more about how I handle user authentication and 
authorization than squeezing the last little drop of warm fuzzies out of 
the encryption setup.  To the extent that if you already have a fully 
trusted infrastructure in place for ssh keys, you might want to consider 
using ssh tunnels for that reason alone.

Or, to put it another way, if your security is going to fall, it's much 
more likely that it's going to involve a poor configuration choice, a 
user that screws up big time, or a "back door" to the data, than a 
successful "technical" attack against TSL or SSH.

--Jon Radel
jon at radel.com

More information about the freebsd-questions mailing list