SSH versus SSL (ftp)

SagaLore

Elite Member
Dec 18, 2001
24,037
21
81
I'm looking for a way to secure data transfer from our clients into our network. Currently we just have an ftp server, I set it up so it has a read-only directory and a write-only directory (blind put). No password authentication since it's all in plaintext anyway.

I've looked at https solutions but they're very very slow and unreliable.

So I'm researching sftp, which uses the SSH protocol. But then I keep running into some kind of FTP over SSL. Not sure which direction to go.

Anybody know which is faster? Which is more secure? Which is easier for the client-end?
 

eigen

Diamond Member
Nov 19, 2003
4,000
1
0
If going with SSL make sure you go with ver2. Not sure which/how many vendors are still using ver1.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.
 

buleyb

Golden Member
Aug 12, 2002
1,301
0
0
Originally posted by: Nothinman
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.

I agree with everything but the OpenSSH 'known-secure' stuff. They have security patches all the time to problems that don't exist in many commercial products. But they're free, so I use them too

Setting up SSH/SFTP is a good solution because they're so tightly bound. You can also tunnel FTP through some SSH clients that have modifications to allow FTP tunnels. SSL solutions work, but I haven't found any that were as easy to set up as SSH packages.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: buleyb
Originally posted by: Nothinman
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.

I agree with everything but the OpenSSH 'known-secure' stuff. They have security patches all the time to problems that don't exist in many commercial products. But they're free, so I use them too

While I don't disagree with the statement 100%, you might notice that commercial SSH clients and servers also have patches that do not affect OpenSSH.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Nothinman
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.

If I remember what I read on misc@openbsd previously, the compression can actually slow things down. It is also a big part of the encryption.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
If I remember what I read on misc@openbsd previously, the compression can actually slow things down. It is also a big part of the encryption.

There's a lot of variables. But for me it feels faster when I tunnel IMAP through SSH if I use blowfish encryption and compression, but for all I know it could just be the faster cipher that's causing the speedups.

I agree with everything but the OpenSSH 'known-secure' stuff. They have security patches all the time to problems that don't exist in many commercial products. But they're free, so I use them too

known-secure was probably the wrong term, but I still trust OpenSSH more than the commercial variants.
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
SFTP or FTP over SSL are both pretty much equal in terms of security. Certainly close enough that anyone but the NSA shouldn't care. I would make the decision based on who your users are, and how much of a pain in the ass it's going to be to get them to download/setup/get used to new client software.
 

SagaLore

Elite Member
Dec 18, 2001
24,037
21
81
Originally posted by: Buddha Bart
SFTP or FTP over SSL are both pretty much equal in terms of security. Certainly close enough that anyone but the NSA shouldn't care. I would make the decision based on who your users are, and how much of a pain in the ass it's going to be to get them to download/setup/get used to new client software.

The decision maker is going to be which solution has a free, fully-contained agent. I don't mind if the client downloads the agent file to run the sftp or ftp/ssl, but they can't install any software.
 

buleyb

Golden Member
Aug 12, 2002
1,301
0
0
Originally posted by: n0cmonkey
Originally posted by: buleyb
Originally posted by: Nothinman
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.

I agree with everything but the OpenSSH 'known-secure' stuff. They have security patches all the time to problems that don't exist in many commercial products. But they're free, so I use them too

While I don't disagree with the statement 100%, you might notice that commercial SSH clients and servers also have patches that do not affect OpenSSH.

A very true statement, and one that I won't argue with.

And above all else, I trust SSH Communications versions, but I'm no student anymore, and they aren't free anymore
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
The decision maker is going to be which solution has a free, fully-contained agent. I don't mind if the client downloads the agent file to run the sftp or ftp/ssl, but they can't install any software.

If that's all you want you can just use scp (part of ssh) and give them a copy of WinSCP. It's a decently written GUI tool that should be no harder for them to use than an FTP client.
 

Intelman07

Senior member
Jul 18, 2002
969
0
0
A few good servers I know of are RaidenFTPD and Secure-FTP. Both support lots of security options and ssl.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: buleyb
Originally posted by: n0cmonkey
Originally posted by: buleyb
Originally posted by: Nothinman
They're different ideas to the same problem, both have advantages and disadvantages. For me sftp would be better because it's already there and it runs from a known-secure daemon, OpenSSH. There's also the possible benefit of compression, I'm not sure about ftp-ssl but I know OpenSSH supports stream compression that can help performance on slow connections.

I agree with everything but the OpenSSH 'known-secure' stuff. They have security patches all the time to problems that don't exist in many commercial products. But they're free, so I use them too

While I don't disagree with the statement 100%, you might notice that commercial SSH clients and servers also have patches that do not affect OpenSSH.

A very true statement, and one that I won't argue with.

And above all else, I trust SSH Communications versions, but I'm no student anymore, and they aren't free anymore

I'll take open source OpenSSH over the alternatives.
 