
Re: Remote login



On Sun, Mar 28, 2010 at 7:16 PM, Michael Richardson <..hidden..> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>>>>>> "Chris" == Chris Travers <..hidden..> writes:
>    >> As far as I'm concerned, SSH tunnels (from windows, using
>    >> passwords), SSL (HTTPS), IPsec (using PSK), and OpenVPN (often
>    >> using PSK) are all pretty much equivalent in security.  HTTPS is
>    >> the simplest to support.
>
>    Chris> Properly configured, I would generally agree with this.  The
>    Chris> only thing I would add is that I would only put HTTPS in that
>    Chris> category for access to LedgerSMB if client-side certificates
>    Chris> are verified.  HTTPS otherwise is nothing more than an
>    Chris> anti-eavesdropping measure and fails to provide the
>    Chris> additional level of protection that requiring a pre-shared
>    Chris> key in the other options provides.
>
> I disagree.

I don't think you do, actually ;-)  We probably just are talking past each other.
>
> If you are using passwords with SSH, IPsec (PSK), or OpenVPN, then it is
> equivalent to HTTPS using passwords.  Sure there are some minor
> differences in terms of resistance to SYN attacks, and stuff like that,
> but I think that is minor.
>
> What I'm implying is that if you are not using client-side
> certificates/RSA-keys for your SSH, IPsec or OpenVPN security (on top of
> your port-80 ledgersmb), then it's not really very secure at all.  You
> might as well stick with HTTPS using passwords.

I wouldn't suggest using client cert validation instead of passwords.
However, what client cert validation buys you is the fact that only
authorized terminals are supposed to even get to the password prompt.
This drastically reduces the security exposure that the application
has.  IOW: HTTPS along with client certs to get a connection, plus
passwords at the application level.

Best Wishes,
Chris Travers
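The layering Chris describes (the TLS layer admits only terminals holding a certificate from your own CA, and LedgerSMB's own password login still applies behind it) can be expressed as an Apache mod_ssl configuration. The fragment below is an added illustration, not configuration from the thread or from the LedgerSMB project; the hostname, file paths, CA organisation name and the `/ledgersmb` location are assumed placeholders, and the second virtual host is included only to show the weaker "encryption only" setting the thread contrasts it with.

```apache
# Added example (not from the thread or the LedgerSMB project).
# Hardened setting: a client certificate from our private CA is required
# before the request ever reaches the application's login form.

# Force everything off plain port 80 onto HTTPS.
<VirtualHost *:80>
    ServerName ledgersmb.example.com          # assumed hostname
    Redirect permanent / https://ledgersmb.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName ledgersmb.example.com          # assumed hostname
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ledgersmb.crt      # assumed path
    SSLCertificateKeyFile /etc/ssl/private/ledgersmb.key    # assumed path

    # The private CA that issues certificates to authorized terminals.
    # Do NOT point this at a public CA bundle: any purchasable cert would pass.
    SSLCACertificateFile  /etc/ssl/certs/ledgersmb-client-ca.crt   # assumed path
    SSLCARevocationFile   /etc/ssl/crl/ledgersmb-client-ca.crl     # assumed path
    SSLCARevocationCheck  chain

    # Connection is refused at the TLS handshake without a valid client cert.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location /ledgersmb>                     # assumed application path
        SSLRequireSSL
        # Belt and braces: only certs issued by our CA's organisation.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Co"   # assumed CA O= field
        # LedgerSMB's own username/password login still runs behind this gate.
    </Location>
</VirtualHost>

# Weaker counterpart, shown for contrast only: HTTPS encrypts the session
# but anyone on the network can reach the password prompt.
#
# <VirtualHost *:443>
#     ServerName ledgersmb.example.com
#     SSLEngine on
#     SSLVerifyClient none      # the default; anti-eavesdropping only
# </VirtualHost>
```

Two points worth checking after enabling this: `SSLVerifyClient require` belongs in the virtual host (or at least covers the login URL), because a failed handshake there is what keeps unauthorized terminals away from the password prompt; and the CA file must contain only your issuing CA, since mod_ssl accepts any client certificate that chains to anything in that file. Revocation is what lets you retire a lost or stolen terminal certificate without reissuing everything else.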