Date: Tue, 03 May 2011 11:01:25 -0400 From: Jon Radel <jon@radel.com> To: freebsd-questions@freebsd.org Subject: Re: OT: Security question (openssl vs openssh) Message-ID: <4DC018C5.6000102@radel.com> In-Reply-To: <4DC00FB5.7080306@msen.com> References: <4DC00FB5.7080306@msen.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 5/3/11 10:22 AM, Mark Moellering wrote: > > Everyone, > I am looking into setting up a webserver to hold some very sensitive > information. I am trying to figure out which is more secure, forcing any > web connections to be done using an ssh tunnel or forcing ssl. > I have not been able to figure out if one is definitively much more > secure than another or if they are close to the same. I would have > initially thought the ssh tunnel was more secure but knowing that ssl > can use AES-256, I am now wondering if that isn't adding a complexity > for little extra security. > > Thanks in advance > > Mark Moellering I'd say that that's a really hard problem to answer definitively, but my gut reaction is that the less complex solution is less likely to involve configuration screw-ups which compromise security. Particularly if other administrators are or will be involved, that which is too clever just begs for innocent, even if clueless, changes that compromise assumptions upon which the security depends. In any case, I'd worry more about how I handle user authentication and authorization than squeezing the last little drop of warm fuzzies out of the encryption setup. To the extent that if you already have a fully trusted infrastructure in place for ssh keys, you might want to consider using ssh tunnels for that reason alone. Or, to put it another way, if your security is going to fall, it's much more likely that it's going to involve a poor configuration choice, a user that screws up big time, or a "back door" to the data, than a successful "technical" attack against TSL or SSH. --Jon Radel jon@radel.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4DC018C5.6000102>