[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ProgSoc] ssh vs SSL
On Fri, Jan 19, 2001 at 12:39:56PM +1100, vik wrote:
> in terms of security, is there any difference between SSL and ssh?
> what about efficiency?
This is my understanding of the issue:
* There are two public-key encryption algorithms known to be known to
humanity at this point in time -- RSA and Diffie-Helman. Both SSL and
ssh are based on RSA but I believe that Diffie-Helman can be selected
* There are bucketloads of private-key encryption algorithms, 3Des and
blowfish seem popular, normal ssh uses 3des but you can select blowfish.
I think SSL is once again fairly similar.
* Dunno about key sizes, most of them are big these days (other than
software crippled by US export regs, keep away from anything made in USA).
* SSL uses certificates, the certificates depend on someone certifying
someone else and so on back to a central certification agency.
This seems like a foobar scheme to me, most people just sign their own
certificates. Certificates have time-outs and a heap of complexity that
no one uses nor understands, the certification agencies just use it as
an excuse to print money.
* ssh uses the host key which it will save in a local file the first time
you connect to a host and will grump out in a major way if it ever
sees that host key change. It doesn't check for integrity of the host
but does check for consistency (a much smarter idea which everyone
understands and which works reliably).
* Most people find ssh easier to setup and use than telnet-ssl,
generally SSL web servers are a pain because of the certificates.
* ssh version 1 had a bug which allowed insertion of bogus packets under
just the right circumstances. ssh version 2 is badly supported but
fixes this problem. I think that some of the ssh programs tried to do
everything via public-key encryption which showed that the degigners
had some flaws in their understanding -- it is generally accepted that
you should perform key exchange via public key then switch to a private
(symmetric) key system which is much faster. I'm fairly sure most modern
ssh clients do this so that should fix the ``bogus packet'' problem
In short, neither is perfect but ssh is getting there faster than SSL.
You are subscribed to the progsoc mailing list. To unsubscribe, send a
message containing "unsubscribe" to firstname.lastname@example.org.
If you are having trouble, ask email@example.com for help.