I suppose it depends on what you consider authentication.  The way I see it, 
a certificate can prove the transmission is from the correct source, but 
that doesn't mean it's the correct sender.  (Just like those old WWII movies 
where the Allied guys take out the sentries then speak German into the radio 
to fool the guys on the other end.)  I can think of a number of situations 
where the individual could have the correct certificate but not be the 
correct person.  (Though admittedly, this is quite unlikely; I was trying to 
give a simplified explanation in my original post by emphasizing that SSL 
is a tunneling protocol, while SSH is a remote login one.)

>From: "Shawn Nunley" <[EMAIL PROTECTED]>
>Reply-To: <[EMAIL PROTECTED]>
>To: "'Chris Berry'" <[EMAIL PROTECTED]>
>Subject: RE: RE: Telnet/SSL v SSH
>Date: Wed, 25 Sep 2002 15:14:27 -0700
>
>Chris,
>
>I'm perplexed that you don't think SSL has authentication... what makes
>you think it does not?  The most important part of an SSL handshake is
>in fact the authentication.  Verifying certificates is a pretty darn
>good way to identify each end of a connection.  It's not your classic
>user-authentication, but in the sense it provides assurance to the
>client that he is talking to Amazon.com instead of some imposter (IE
>bugs notwithstanding) it is extremely secure.  For organizations that
>want to use client authentication, it is very secure for that too.
>Either or both ends of an SSL session can be authenticated by their
>certificate (if they have one).  Granted, very few people make use of
>the client-authentication part of SSL, but that makes sense for
>e-commerce because it's the store trying to prove who they are, not the
>customer.
>
>What did I miss?
>
>-Shawn
>
>
>-----Original Message-----
>From: Chris Berry [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, September 24, 2002 3:24 PM
>To: [EMAIL PROTECTED]
>Subject: Re: RE: Telnet/SSL v SSH
>
>I tend to agree that this has already been answered, but I'll say it in
>another way so we can get past this.
>
>SSL-Secure Sockets Layer:  Basically an add-on, band-aid type approach to
>make inherently insecure connections like telnet and ftp more secure by
>encrypting transmissions at the SOCKET level.  This system does not have
>nearly the same robustness as SSH from the perspective of authentication
>and secure design.
>     Advantages: You can use this with all the legacy apps out there; it's
>widely supported and implemented.
>     Disadvantages: Poor authentication system. (Your conversation is sort of
>safe, but are you sure you're talking to who you think you are talking
>to?)
>
>SSH-Secure Shell:  This approach is basically a complete rewrite of all
>the old remote control software (telnet, ftp, rpc, etc.) in a secure way
>that provides built-in encryption and authentication.
>     Advantages: Security from the ground up, not an add-on after the
>fact.
>     Disadvantages:  Although it's been out for quite some time, it's not
>nearly as pervasive or widely supported by applications.
>
>I hope that helps.  If it's still not enough check the following:
>
>www.openssl.org
>www.openssh.com
>
>If you want a better answer ask a more specific question.
>
> >From: voguemaster <[EMAIL PROTECTED]>
> >Reply-To: [EMAIL PROTECTED]
> >To: [EMAIL PROTECTED], netsec novice <[EMAIL PROTECTED]>, Brad Arlt
> ><[EMAIL PROTECTED]>, Daniel Miessler <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: RE: Telnet/SSL v SSH
> >Date: Tue, 24 Sep 2002 11:54:17 +0200
> >
> >Pardon me, but when have people given me that information ??
> >
> >The only hint I have about the diff between SSH and SSL is the message
> >I replied to. When I was talking about elaborating on tunneling I was
> >basically asking what I can do with tunneling. Neither the SSL nor the SSH
> >websites give any real hint to this, not that I have found.
> >
> >Just one example: can I code a client/server application and encrypt and
> >do authentication with SSL/SSH tunneling? I've no idea, not from the
> >things I've read about those two. Yeah, SSH is a secure login and shell
> >for a remote system. That I know. It's more than that, isn't it ??
> >
> >I'm sorry if you're impatient about my post, but I don't recall people
> >answering me and me being a nag about it all over again.. Maybe it's just
> >my memory, but who knows..
> >
> >E
> >
> >23/09/02 22:52:12, Daniel Miessler <[EMAIL PROTECTED]> wrote:
> >
> > >> Can you elaborate more on SSL tunneling vs. SSH tunneling ?
> > >> What are they used for and what can I do with them, and maybe
> > >> point to some good resources ?
> > >
> > >Friend, like 10 people have all given you the basics on the differences,
> > >and now you ask to be told what they are used for and what you can do
> > >with them?
> > >
> > >You asked for a resource - I give you Google.
> > >
> > >http://www.google.com
> > >
> > >If you put both of your terms into Google you will get more than enough
> > >information to help you out.  Just as a friendly piece of advice though,
> > >don't ask a question on a newsgroup, have people answer you very nicely,
> > >and then come back and basically say, "That's nice, tell me again - this
> > >time in more detail."  It's rude.
> > >
> > >Good luck on your search, man.
> > >
> > >--danielrm26
> > >
> > >
> > >> -----Original Message-----
> > >> From: voguemaster [mailto:[EMAIL PROTECTED]]
> > >> Sent: Saturday, September 21, 2002 5:16 PM
> > >> To: netsec novice; Brad Arlt
> > >> Cc: [EMAIL PROTECTED]
> > >> Subject: Re: Telnet/SSL v SSH
> > >>
> > >> Question:
> > >>
> > >>
> > >> Thanks
> > >> Eli
> > >>
> > >> 20/09/02 18:47:23, Brad Arlt <[EMAIL PROTECTED]> wrote:
> > >>
> > >> >On Thu, Sep 19, 2002 at 10:02:49PM +0000, netsec novice wrote:
> > >> >> Can someone help me understand the difference between SSH and Telnet over
> > >> >> SSL?
> > >> >
> > >> >I will only talk about SSH v2 (and Telnet/SSL).
> > >> >
> > >> >On the most basic level there is little difference.  SSH is a remote
> > >> >tty encryption standard.  Telnet/SSL is a remote tty encryption
> > >> >standard.  At this level the only real difference is one can find SSH
> > >> >clients and servers.  I don't think I have *ever* spotted a Telnet/SSL
> > >> >server.  Telnet client/servers using SSL wrappers on each side, yes;
> > >> >but never a real implementation.
> > >> >
> > >> >Now I am a bit of an SSH snob, so my differences list is pretty much
> > >> >SSH can do this and Telnet/SSL can't.
> > >> >
> > >> > - SSH is an encryption framework with special provisions specifically
> > >> >        for remote logins
> > >> >   + a mechanism to protect against statistical analysis of the initial
> > >> >        password
> > >> >   + an authentication layer to allow for multiple tty sessions with
> > >> >        only one sign on
> > >> >   + multiple authentication methods and extensible authentication
> > >> >        methods that allow you to pick what is right for you
> > >> >
> > >> >- SSH (as implied above) is more than a single tunnel for a data stream;
> > >> >        it provides TCP tunneling, X11 proxying, and TTY connections
> > >> >        through a *single* connection
> > >> >
> > >> >- SSH doesn't need to use PKI for it to work (some commercial
> > >> >        versions can if you like); this is nice if you don't want
> > >> >        to set up a PKI framework for remote logins
> > >> >
> > >> >- SSH provides a file transfer framework
> > >> >
> > >> >- Telnet/SSL uses, well, SSL.  So if you are lucky and have hardware
> > >> >        SSL encoding/decoding, Telnet/SSL will be way more efficient.
> > >> >
> > >> >The one saving grace of Telnet/SSL IMHO would be if you have hardware
> > >> >SSL accelerators; its performance will scream compared to SSH.  Crypto
> > >> >accelerators might level the playing field a bit, but hardware SSL
> > >> >(those network appliances that are designed to free up your web servers
> > >> >from the burden of SSL) would still make Telnet/SSL appealing.
> > >> >
> > >> >This speed is only a concern, in practice, if you are transferring large
> > >> >amounts of data.  This would include file transfers, and a large number
> > >> >of connections to a single machine.
> > >> >
> > >> >We have several compute servers that routinely handle 30 - 50
> > >> >connections without problem.  Any more connections than that and the
> > >> >server resources are strained, not from ssh, but from all the things
> > >> >people are doing on the server (compiling, simulating the universe,
> > >> >etc).  The servers are Sun Ultra 2, with a very modest processor and
> > >> >an OK amount of RAM.
> > >>
> > >> >----------------------------------------------------------------------
> > >> >   __o          Bradley Arlt                    Security Team Lead
> > >> > _ \<_          [EMAIL PROTECTED]           University Of Calgary
> > >> >(_)/(_)         I should be biking right now.   Computer Science
> > >> >
> > >> >
> > >> "There's so many different worlds
> > >>  So many different suns
> > >>  And we have just one world
> > >>  But we live in different ones.."
> > >>
> > >>  - Dire Straits
> > >
> >"There's so many different worlds
> >  So many different suns
> >  And we have just one world
> >  But we live in different ones.."
> >
> >  - Dire Straits
>
>
>
>
>Chris Berry
>[EMAIL PROTECTED]
>Systems Administrator
>JM Associates
>
>"I have found the way, and the way is Perl."
>
>
>_________________________________________________________________
>Join the world's largest e-mail service with MSN Hotmail.
>http://www.hotmail.com




Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."


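The disagreement in this thread (Chris: a certificate proves the source, but the wrapper may not check who holds it; Shawn: the handshake's certificate check is the authentication) comes down to whether the client verifies the server's certificate at all. The Go program below is an added example, not code from any of the posters: it constructs two self-signed certificates for the same name in memory (no real CA), runs TLS handshakes on loopback, and shows that a client configured as a bare tunnel accepts either certificate, while a client that trusts one certificate and expects one name rejects the impostor. The name telnet.example and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds an in-memory self-signed certificate for name (constructed for this example; no real CA).
func selfSigned(name string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

var tunnelOnly = &tls.Config{InsecureSkipVerify: true} // "SSL as a band-aid": encrypt, verify nothing about the peer

// verifying returns a client config that accepts only a server presenting the trusted cert for the expected name.
func verifying(trusted tls.Certificate, expected string) *tls.Config {
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(trusted.Certificate[0])
	pool.AddCert(leaf)
	return &tls.Config{RootCAs: pool, ServerName: expected}
}

// accepted runs one TLS handshake on loopback and reports whether the client accepted the server's identity.
func accepted(serverCert tls.Certificate, clientCfg *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	go func() { c, _ := ln.Accept(); ln.Close(); c.(*tls.Conn).Handshake(); c.Close() }() // server side of one connection
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { // chain not trusted, or certificate issued for a different name
		return false
	}
	cli.Close()
	return true
}

func main() { // prints "true true false": the tunnel accepts anyone, verification rejects the impostor
	genuine, impostor := selfSigned("telnet.example"), selfSigned("telnet.example")
	fmt.Println(accepted(impostor, tunnelOnly), accepted(genuine, verifying(genuine, "telnet.example")), accepted(impostor, verifying(genuine, "telnet.example")))
}
```

Both certificates are equally valid cryptographically; only the verifying client's trust store and expected name distinguish the genuine server from the impostor, which is the authentication step a bare encrypting wrapper skips.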
