[mdlug] General questions on internet security

Daud Lee Lambert as4109 at wayne.edu
Sun Aug 19 22:02:45 EDT 2007


----- Original Message ----- 
From: "Carl T. Miller" <millerc at cantonpl.org>
To: "MDLUG's Main discussion list" <mdlug at mdlug.org>


> Drew wrote:
> >      I'm looking for a knowledgeable answer on the following: Does
> > ssh (and sftp) encrypt the
> > entire session, or just the username-password info?

Entire session,  including any tunneled TCP streams and X windows traffic.

> > Also, do "secure" webpages that get
> > username-password info from the user (eg, Monster, Gmail, etc.)
> > encrypt both username
> > and password, or just the password? (Or neither?) How strong is the
> > encryption in either case?

Generally the username and password are sent together,  along with other
data,  in a single SSL-encrypted request.  For actual high-security websites
(my bank, my church, the Wayne State and Michigan State student-services and
student-email websites, etc.) the entire session is encrypted.  For other
websites (Slashdot, SourceForge, most of Yahoo!, parts of Google, parts of
eBay) the sign-in itself is encrypted,  but then the website returns a cookie
and/or hidden form variables and/or URL components that temporarily identify
the user's session and are passed unencrypted.  Someone snooping on your
connection in real time could probably hijack your Google searches,  but not
much else.

If you want to force an ssh client to use only protocol 2,  pass the "-2"
command-line option.  PuTTY also has such an option in the GUI.  Ubuntu's
SSH server's default configuration only accepts protocol 2 connections.

Data in non-initial packets of SSH should be indistinguishable from data in
non-initial packets of HTTPS.  However, the connection can be distinguished
by examining the first few packets (in SSH the server sends its
version-string first,  while in HTTPS the client sends a hello message
first).  Both are secure if used properly.

--
DLL
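
The first-packet distinction described in the message above, as an added
example that is not part of the original post: it labels a TCP flow as SSH or
TLS from the first payload in each direction and reads the protocol version
out of the SSH banner. The function names and the sample bytes are constructed
for illustration.

```python
import struct

def parse_ssh_banner(data: bytes):
    """Return (protoversion, softwareversion) from an SSH identification
    string, or None. A server may send other lines before it."""
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            # Format: SSH-protoversion-softwareversion SP comments
            parts = line.split(b" ", 1)[0].split(b"-", 2)
            if len(parts) == 3:
                return (parts[1].decode("ascii", "replace"),
                        parts[2].decode("ascii", "replace"))
    return None

def is_tls_client_hello(data: bytes) -> bool:
    """True if data starts with an SSLv3/TLS handshake record carrying a
    ClientHello. The older SSLv2-style hello is not covered here."""
    if len(data) < 6:
        return False
    ctype, major, _minor, _length = struct.unpack("!BBBH", data[:5])
    return ctype == 0x16 and major == 0x03 and data[5] == 0x01

def classify_flow(client_first: bytes, server_first: bytes) -> str:
    """Label a flow from the first payload sent in each direction."""
    banner = parse_ssh_banner(server_first)
    if banner:
        proto, software = banner
        if proto == "2.0":
            note = "protocol 2 only"
        elif proto == "1.99":
            note = "protocol 2, still accepts protocol 1"
        else:
            note = "protocol 1"
        return f"ssh ({note}; {software})"
    if is_tls_client_hello(client_first):
        return "tls"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    hello = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])
    print(classify_flow(b"", b"SSH-2.0-OpenSSH_4.6p1 Debian-5\r\n"))
    print(classify_flow(b"", b"SSH-1.99-OpenSSH_4.3\r\n"))
    print(classify_flow(hello, b""))
```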



