[mdlug] General questions on internet security

Robert Meier eaglecoach at wwnet.com
Sun Aug 19 16:58:59 EDT 2007


Drew,

> ... Does ssh (and sftp) encrypt the entire session,
> or just the username-password info?

The username/password/host authentication as well as the entire session
is encrypted using a host and/or user public key.
See sshd(8) and RFC 2228 for details.

> ... Also, do "secure" webpages that get username-password info from
> the user (eg, Monster, Gmail, etc.) encrypt both username
> and password, or just the password? (Or neither?).

https uses Diffie-Hellman secret key agreement to protect negotiation of
subsequent protocols.  In most cases the negotiated agreement is to
continue using the same secret key.  The entire page request and reply
is protected.  Protection of subsequent requests/replies requires
key/protocol persistence at a higher level.  See RFC 2660 for details.

Your browser should inform you when you are using https (e.g. by a lock
icon in the lower right corner of the Firefox display).  Most browsers also
include further details in a "Page Info" dialog (e.g. under the Tools
menu in Firefox).

> How strong is the encryption in either case?

See the page info reported by your browser for details on that page.
In most cases, the default, Diffie-Hellman X9.42 algorithm is used.
IIRC, the secret key is 128 bits by default.



Be aware that some sites calling themselves "secure"
will protect the login page but then pass the data in the clear,
or will pass the login/password in the clear,
and only encrypt the subsequent data,
or may claim "security" without protecting either.
Note your browser's report (e.g. icon) of whether or not https is in use.

Hopefully helpful,
-- 
Robert Meier

Did Schroedinger and Heisenberg collide? or not?


