
Re: [ProgSoc] ssh vs SSL
On Fri, Jan 19, 2001 at 12:39:56PM +1100, vik wrote:
> in terms of security, is there any difference between SSL and ssh?
> what about efficiency?

This is my understanding of the issue:

* There are two public-key encryption algorithms known to humanity at
  this point in time -- RSA and Diffie-Hellman. Both SSL and ssh are
  based on RSA but I believe that Diffie-Hellman can be selected
  somehow.

* There are bucketloads of private-key encryption algorithms; 3DES and
  Blowfish seem popular. Normal ssh uses 3DES but you can select Blowfish.
  I think SSL is once again fairly similar.

* Dunno about key sizes, most of them are big these days (other than
  software crippled by US export regs, keep away from anything made in USA).

* SSL uses certificates, the certificates depend on someone certifying
  someone else and so on back to a central certification agency.
  This seems like a foobar scheme to me, most people just sign their own
  certificates. Certificates have time-outs and a heap of complexity that
  no one uses nor understands, the certification agencies just use it as
  an excuse to print money.

* ssh uses the host key which it will save in a local file the first time
  you connect to a host and will grump out in a major way if it ever
  sees that host key change. It doesn't check for integrity of the host
  but does check for consistency (a much smarter idea which everyone
  understands and which works reliably).

* Most people find ssh easier to setup and use than telnet-ssl,
  generally SSL web servers are a pain because of the certificates.

* ssh version 1 had a bug which allowed insertion of bogus packets under
  just the right circumstances. ssh version 2 is badly supported but
  fixes this problem. I think that some of the ssh programs tried to do
  everything via public-key encryption, which showed that the designers
  had some flaws in their understanding -- it is generally accepted that
  you should perform key exchange via public key, then switch to a private
  (symmetric) key system, which is much faster. I'm fairly sure most modern
  ssh clients do this, so that should fix the ``bogus packet'' problem
  (I think).

In short, neither is perfect but ssh is getting there faster than SSL.

	- Tel
-
You are subscribed to the progsoc mailing list. To unsubscribe, send a
message containing "unsubscribe" to progsoc-request@nospam.progsoc.uts.edu.au.
If you are having trouble, ask owner-progsoc@nospam.progsoc.uts.edu.au for help.
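The host-key "consistency" check Tel describes (ssh remembers the key it saw the first time and refuses to talk to a host that later presents a different one) is easy to show in code. The block below is an added example written for this page; it is not code from OpenSSH or from anyone in the thread. It assumes the OpenSSH known_hosts line layout (`host keytype base64-blob`, optionally with the hostname hashed as `|1|salt|hmac-sha1`), compares the key blob verbatim, and uses constructed key blobs rather than real keys. Matching is done per (host, key type) pair, which is a simplification of what real clients do.

```python
"""Trust-on-first-use host-key check, in the spirit of ssh's known_hosts.

Added example for this thread; not OpenSSH code.  Assumptions: the
known_hosts line format `host keytype base64blob`, hashed hostnames
in the `|1|base64(salt)|base64(HMAC-SHA1(salt, host))` form, and the
SHA256 fingerprint convention (base64 of SHA-256 over the raw blob,
padding stripped).  Key blobs in demo() are constructed, not real keys.
"""
import base64
import hashlib
import hmac
import os


class HostKeyChanged(Exception):
    """The host is known, but presented a different key than the one on record."""


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256:... fingerprint of a base64 key blob, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def hashed_entry(host: str, key_type: str, key_b64: str, salt: bytes = b"") -> str:
    """Build a known_hosts line with the hostname hashed (HashKnownHosts yes)."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(mac)} {key_type} {key_b64}"


def _host_matches(entry_host: str, host: str) -> bool:
    """Match a known_hosts host field (plain, comma-separated, or hashed) against host."""
    if entry_host.startswith("|1|"):
        _, _, salt_b64, mac_b64 = entry_host.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in entry_host.split(",")


def check_host_key(known_hosts: list, host: str, key_type: str, key_b64: str) -> str:
    """Return 'match' or 'first-use', or raise HostKeyChanged.

    known_hosts is a mutable list of lines; on first use the new key is
    appended, which is what the client does when you answer "yes".
    """
    for line in known_hosts:
        parts = line.strip().split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entry_host, entry_type, entry_key = parts[0], parts[1], parts[2]
        if entry_type != key_type or not _host_matches(entry_host, host):
            continue
        if hmac.compare_digest(entry_key, key_b64):
            return "match"
        # Same host, same key type, different key: this is the case ssh
        # "grumps out" about, because it looks exactly like a man-in-the-middle.
        raise HostKeyChanged(
            f"{host}: recorded {fingerprint(entry_key)}, offered {fingerprint(key_b64)}"
        )
    known_hosts.append(f"{host} {key_type} {key_b64}")
    return "first-use"


def demo() -> list:
    """Walk through the three outcomes on constructed data; returns their labels."""
    key_a = _b64(b"constructed key blob for bastion")      # constructed, not a real key
    key_b = _b64(b"constructed replacement key blob")      # constructed, not a real key
    known = [hashed_entry("bastion.example", "ssh-ed25519", key_a, salt=b"\x01" * 20)]
    results = [check_host_key(known, "bastion.example", "ssh-ed25519", key_a)]
    results.append(check_host_key(known, "newbox.example", "ssh-ed25519", key_b))
    try:
        check_host_key(known, "bastion.example", "ssh-ed25519", key_b)
        results.append("accepted")
    except HostKeyChanged:
        results.append("changed")
    return results


if __name__ == "__main__":
    print(demo())  # ['match', 'first-use', 'changed']
```

Note what this does and does not check: it never verifies that the key on first contact belongs to the host (that is the "integrity" Tel says ssh skips), only that it stays the same afterwards. That first connection is the window an attacker has to work in, which is why fingerprints are still worth confirming out of band.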