[mdlug] General questions on internet security

Carl T. Miller millerc at cantonpl.org
Sun Aug 19 16:27:47 EDT 2007


Drew wrote:
> I'm looking for a knowledgeable answer on the following: Does ssh
> (and sftp) encrypt the entire session, or just the username-password
> info? Also, do "secure" webpages that get username-password info from
> the user (e.g., Monster, Gmail, etc.) encrypt both username and
> password, or just the password? (Or neither?) How strong is the
> encryption in either case?

Ssh and sftp encrypt the entire session.  Of course this
doesn't mean that it hides the protocol, the source or the
destination.  It just encrypts the stuff being transferred.

Secure webpages encrypt in the same way.  The only catch
is that a webpage may have a mix of secured and unsecured
items.  If you see a padlock locked in your browser, it means
all is well.  If the padlock is open, nothing is encrypted.
If you see anything else with the padlock, it means something
isn't right.

The strength of the encryption depends on how the server
is configured.  Almost all websites use 128 bit encryption
these days (click on the padlock and read up if you want to
know about a particular website).  Ssh version 2 is considered
safe, while version 1 isn't.  I don't know of a way to verify
the encryption strength of ssh, other than to ask the server
operator.

c
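
The "mix of secured and unsecured items" case mentioned in the reply can be checked from a page's HTML. The following is an added example, not part of the original message: a small scanner that lists the items an https page would fetch or submit over plain http. The function and class names and the example.test hosts are hypothetical, and the sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that can make the browser fetch or submit something.
# "active" can alter the page, "passive" is only displayed, "form" is where
# typed data is sent. Every <link href> is counted, whatever its rel.
KIND = {("script", "src"): "active", ("iframe", "src"): "active",
        ("link", "href"): "active", ("form", "action"): "form",
        ("img", "src"): "passive", ("video", "src"): "passive"}


class MixedContentScanner(HTMLParser):
    """Collect items an HTTPS page would load or submit over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            kind = KIND.get((tag, name))
            if not kind or not value:
                continue
            # Relative and scheme-relative URLs inherit the page's https scheme.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; the example.test hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
<form action="http://login.example.test/submit"><input name="password"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://shop.example.test/login", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```
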




