The problem: we simply have a web application running that we are trying to provide encryption and authentication for. An idea was pitched of a proxy of sorts that would allow not just http traffic, but other traffic as well, through this tunnel securely. It was pitched specifically as ssh over ssl, and the customer bit. The goal was security and ease of firewall traversal. The server side was thought to be some form of Twisted (a Python server of sorts) on port 443. I'm just trying to make sure whether ssh over ssl is sane, or if anyone else has already done this.
Anyway: when it comes to efficiency, I don't think wrapping ssh into http (httptunnel) would be better than just digging into an ssh implementation and inserting ssl at the transport level. What do you think? Correct me if I'm wrong; if there are some issues I'm not seeing, let me know. Isn't the MITM risk quite avoidable, just by being sure not to use the same encryption keys or algorithm?

Thanks,
David

----- Original Message ----
From: Michael Sierchio <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Monday, July 2, 2007 11:14:58 AM
Subject: Re: use ssl for ssh transport layer (not proxy bypassing)

David Latil wrote:
> I have a somewhat bizarre project on my plate. I have been tasked to come up
> with a secure proxy of sorts that uses SSH over SSL (I mean to actually
> encrypt SSH with SSL, not just tunnel through a proxy). In the end, we would
> be using port forwarding over SSH for HTTP traffic.
>
> SSH being an application-level protocol, I don't see why I could not
> replace the standard TCP connection that it uses with SSL. Why, you ask? The
> theory is that if encryption via SSL is secure, then if you doubly encrypt using
> SSH you are doubly secure; supposedly there is some form of data
> compression built into SSH that may be beneficial; you could go through the
> firewall-friendly port 443; and you could use other higher-level protocols
> through the SSH port forwarding feature.
>
> I'm not very experienced programming with SSL, but I'm heavily researching
> the concepts at this stage. I'm a bit skeptical, to say the least, of the
> cost/benefits of this.
>
> I sure would appreciate it if someone could tell me if this is a bad idea and
> why; the more I know now, at this time, the better.

It would only be a bad idea if you were actually to implement it. ;-)

What's the problem you're trying to solve? What set of requirements is driving this (e.g. firewall traversal where SSH is not permitted, even on port 443, but HTTPS is)?
Double encryption isn't always like belt-plus-suspenders -- sometimes it's like pulling your zipper up, then down. Google MITM (Meet in the Middle) Attack.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
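Added example (not part of the thread above, and not code from OpenSSL or any project mentioned in it): the attack Michael points at, run against double encryption with two independent keys. The cipher is a made-up 4-round Feistel toy with a 32-bit block and a 16-bit key, chosen so the attack finishes in a second or two; the keys, plaintexts, key schedule and every function name below are constructed for the demo. It shows why picking two different keys is not a defence: the meet-in-the-middle attack assumes the two keys are independent, and with a few known plaintext/ciphertext pairs it recovers both with about 2 * 2^16 single-cipher operations plus a 2^16-entry table, rather than the 2^32 trials that "doubly secure" would suggest. The same arithmetic holds at real key sizes: two independent 128-bit keys cost an attacker with 2^128 memory roughly 2^129 work, not 2^256, although that is of course still far out of reach.

```python
"""Meet-in-the-middle (MITM) against double encryption, on a toy cipher.

Added example for the thread above; not code from the thread or from OpenSSL.
The block cipher is a deliberately tiny 4-round Feistel network with a 32-bit
block and a 16-bit key, so that the whole attack runs in about a second.  It
is an illustrative toy, not a real cipher, and its key schedule is made up.
"""

HALF_MASK = 0xFFFF
KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS
ROUNDS = 4


def _round_fn(half, subkey):
    """Toy round function: key xor, odd multiplier, xorshift (bijective on 16 bits)."""
    x = (half ^ subkey) & HALF_MASK
    x = (x * 0x9E37 + 0x5C3) & HALF_MASK
    x ^= x >> 7
    return x & HALF_MASK


def _subkeys(key):
    """Trivial constructed key schedule; round 0 uses the key itself."""
    return [((key * (i + 1) + 0x1234 * i) & HALF_MASK) for i in range(ROUNDS)]


def encrypt(block, key):
    """Feistel encryption of one 32-bit block; (L, R) -> (R, L ^ F(R, k_i))."""
    left, right = block >> 16, block & HALF_MASK
    for sk in _subkeys(key):
        left, right = right, left ^ _round_fn(right, sk)
    return (left << 16) | right


def decrypt(block, key):
    """Inverse of encrypt: apply the round subkeys in reverse order."""
    left, right = block >> 16, block & HALF_MASK
    for sk in reversed(_subkeys(key)):
        left, right = right ^ _round_fn(left, sk), left
    return (left << 16) | right


def double_encrypt(block, k1, k2):
    """The 'belt plus suspenders' construction: E_k2(E_k1(p)) with independent keys."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs of double_encrypt.

    Returns (candidates, work): every key pair consistent with all pairs, and
    the number of single-cipher operations spent on the two half-searches.
    """
    (p0, c0), *rest = pairs
    work = 0
    # Forward half: table of E_k1(p0) -> [k1] over the whole k1 space (2^16 entries).
    forward = {}
    for k1 in range(KEY_SPACE):
        forward.setdefault(encrypt(p0, k1), []).append(k1)
        work += 1
    # Backward half: D_k2(c0) over the whole k2 space; a table hit means the two
    # halves meet in the middle and (k1, k2) explains the first pair.
    candidates = []
    for k2 in range(KEY_SPACE):
        mid = decrypt(c0, k2)
        work += 1
        for k1 in forward.get(mid, ()):
            # A 32-bit block admits ~1 chance coincidence per 2^32 key pairs,
            # so confirm each hit on the remaining known pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, work


def demo():
    """Attack a constructed victim: two independent keys, three known plaintexts."""
    k1, k2 = 0xBEEF, 0x1337                           # constructed victim keys
    plaintexts = [0xDEADBEEF, 0x01234567, 0x89ABCDEF]  # constructed known plaintexts
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    cands, work = demo()
    print("recovered key pairs:", [(hex(a), hex(b)) for a, b in cands])
    print(f"cipher operations: {work} (= 2 * 2^{KEY_BITS}); "
          f"naive search of both keys: 2^{2 * KEY_BITS} = {1 << (2 * KEY_BITS)}")
```

The trade is time for memory: the forward table costs 2^16 entries here, and 2^k in general, which is exactly why doubling a cipher buys about one extra bit of security rather than doubling the key length. Note that nothing in the attack depends on the two layers using the same algorithm; swap `encrypt` in the outer layer for any other cipher with a 16-bit key and the same two loops still work.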