Help me understand SSL vs SSH, OpenSSH, MacFUSE, etc.?


jiclark
09-13-2007, 11:29 AM
I'm trying to get a better understanding of the whole Secure Sockets world. I've read that you can use these tools to create much more secure connections for using open wireless networks (internet cafes, etc.), and to securely and directly connect to other computers over the internet (to your home or work computer, for instance).

If you're conversant in all of this, could you try and give me a concise explanation of how it all works, and what tools do what? It's not that I want anyone to do my research for me, it's that I really don't know where to start, and don't want to waste time just trying to figure out where to start... The problem is (as in a couple of the places linked below), I don't know enough to understand what a lot of the various web sites are telling me; their "explanations" assume an underlying knowledge that I just don't have...

Links:

A recent hint here at Mac OS X Hints.com regarding MacFUSE:
[www.macosxhints.com]

Direct link to MacFusion page (GUI for MacFUSE):
[www.sccs.swarthmore.edu]

Gideon Softworks' "Secure Shell Helper":
[www.gideonsoftworks.com]

Another more recent Mac OS X Hints.com hint on SSH keys that left me totally confused:
[www.macosxhints.com]

Questions:

1) What tool is best/easiest for creating a secure connection on an open wireless network, say at an internet cafe?

2) Does MacFUSE/MacFusion look like a worthwhile (safe?) system to use to create a SSH tunnel to a remote machine? [Am I even using the correct terminology here?]

3) On a side note, there's a comment in that first Mac OS X Hints.com thread that mentions slow file transfers using AFP over TCP. I've been puzzled for years now about why this is. I can create an AFP connection to a remote server in a client's office, but the damn thing is glacial using the Finder. DotMac/iDisk is the same. Using an FTP program (or something like Goliath for iDisk), it's much more usable... Is there a tool in the SSL/SSH shed that would get around the slowness of WAN AFP access, with the added benefit of better security?

Of course, I very much appreciate any and all input on this. Even if it's just to point me in the direction of a resource that would be a good place to begin furthering my education about all of this ...

Many, many thanks in advance for your help!
John

Alex Yeh
09-13-2007, 12:52 PM
SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) is mostly used to secure web communications. A url that starts with https uses SSL. SSL relies upon a “certificate authority” to vouch for the identity of the entities involved in a secure session. Some well-known CAs include Verisign, Thawte, and GoDaddy. Unlike SSH, SSL only encrypts the connection to another computer; it does not include tools for doing anything on that computer.
SSH (http://en.wikipedia.org/wiki/Ssh) is used to connect to another computer in a network, LAN or WAN, and either use it as if it were your own computer, or transfer files to and from it, like FTP. Unlike SSL, SSH does not have a central authority to vouch for each entity. Instead, you have to know or trust that the key fingerprint for a remote entity is correct.


As far as I understand, FUSE is like WebDav, but for SSH. If you don’t know what WebDav is, then think back to the days of AppleTalk - you could mount AppleTalk sharepoints on your desktop and copy files to and from them as if they were actually on your computer. Same idea.
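Added example (not from the thread): the "know or trust the key fingerprint" model above, as the check an SSH client performs against ~/.ssh/known_hosts. With no certificate authority, the client pins the key it saw the first time and compares on every later connection; the three outcomes below are the ones OpenSSH reports. Host names and the base64 key blobs are constructed placeholders, and the known_hosts format is simplified (real files may also carry hashed host names and comma-separated aliases).

```shell
#!/bin/sh
# Added example, not the thread's own code. Demonstrates the SSH trust model:
# no CA, just a pinned key per host. Constructed data throughout.

# Constructed known_hosts with two pinned hosts (the blobs are placeholders).
KNOWN_HOSTS='home.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOMEKEYPLACEHOLDER000000000000000000000
work.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQWORKKEYPLACEHOLDER00000000000000'

# check_host_key HOST KEYTYPE KEYBLOB
# Prints MATCH, NEW or MISMATCH; exit status is 0 only for MATCH.
check_host_key() {
    host=$1; ktype=$2; blob=$3
    # Look up the pinned blob for this host and key type.
    pinned=$(printf '%s\n' "$KNOWN_HOSTS" | awk -v h="$host" -v t="$ktype" \
        '$1 == h && $2 == t { print $3; exit }')
    if [ -z "$pinned" ]; then
        # Nothing pinned yet: trust-on-first-use. Confirm the fingerprint
        # with whoever runs the host before answering "yes" at the prompt.
        echo NEW; return 2
    elif [ "$pinned" = "$blob" ]; then
        echo MATCH; return 0
    else
        # Same name, different key: the host was reinstalled or rekeyed, or
        # something between you and it is answering in its place.
        echo MISMATCH; return 1
    fi
}
```

The fingerprint people read out to each other is just a digest of the blob compared here; `ssh-keygen -l -f <publickeyfile>` prints it for a key you hold, and the server's administrator can run the same command on the host key to give you a value to check against. (Later OpenSSH releases also support a CA-signed host-certificate model, but the thread predates that and the pinned-key check is still the default.)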

trythis
09-13-2007, 02:06 PM
OpenSSH is an open source implementation of SSH.

If you are worried about secure connections for general internet activity from cafés, etc., you may be thinking of VPNs (Virtual Private Networks) and tunneling. If you don't have VPN access through your work (easiest way), you can create a home-based VPN with open source tools using your own router and home computers and internet connection....but it can get tricky...but it's doable.

jiclark
09-13-2007, 02:14 PM
Thanks guys. Lots more reading to do!

trythis, doesn't tunneling usually happen via SSH? Seems I've read of a way to use some other online source to create a tunnel for surfing on an open wireless network, but I don't remember details (obviously)...

I'll keep studying!
John

trythis
09-13-2007, 02:14 PM
Speaking of GUIs, one option is FUGU

http://www.versiontracker.com/dyn/moreinfo/macosx/15693

It is a GUI for SFTP and SCP (drawback - I don't think it is UB, so will run under Rosetta on Intel). SFTP requires that the machine you're connecting to is an FTP server. SCP requires enabling SSH access on the remote machine. Either of these would likely be faster than AFP over TCP, and more secure.

P.S. dotmac/iDisk uses WebDAV and has ALWAYS been, in my personal estimation, intolerably slow.

tlarkin
09-13-2007, 02:17 PM
a really good source for technology terminology and description of what it is and how it is used

www.wikipedia.org

jiclark
09-13-2007, 02:18 PM
P.S. dotmac/iDisk uses WebDAV and has ALWAYS been, in my personal estimation, intolerably slow.

And why the heck is that?? It seems so stupid for Apple to keep putting their money behind technologies that just don't stack up! Really makes one wonder about who's running the show there sometimes, eh?

Thanks for the reply; I'll check out FUGU, and it won't be a problem that it's not a UB, since I'm still running a PowerBook G4...

John

trythis
09-13-2007, 02:33 PM
Thanks guys. Lots more reading to do!

trythis, doesn't tunneling usually happen via SSH? Seems I've read of a way to use some other online source to create a tunnel for surfing on an open wireless network, but I don't remember details (obviously)...

I'll keep studying!
John

There are all kinds of intersections with these technologies and the rabbit hole goes very, very deep, so I tread lightly when I say that, yes, SSH can be used for tunneling, but it is not necessarily used for VPNs, but for SSH tunnels which have their own set of uses. VPNs can use numerous other protocols, including SSL and TLS, IPSec, TCP, PPTP for their connections.

OpenVPN might be a good place to start your research.

http://openvpn.net/

I will say, though, that if increased security at open networks is your concern for general internet use and moderate file exchange with your home network, SSH, SSL, SCP and SFTP, etc., and their associated GUI applications might be a much easier and possibly suitable solution for you. You can quickly get in way over your head with this networking security stuff.:eek:

trevor
09-13-2007, 02:40 PM
SFTP requires that the machine you're connecting to is an FTP server.

This is not true. sftp only requires ssh, and does not require ftp, nor is it even related in any way to ftp other than its name and the general style of the way it operates.

Trevor

Quantumstate
09-13-2007, 03:05 PM
John, there's not much limit to what you can network with SSH, as long as you have control over the remote end. I prefer SSH whenever possible because there's no chance of a corporate/govt backdoor. (open source)

But in many cases you do not have control over the other end, so SSL is still very secure. When a web URL is https, you are reaching the other end through an encrypted SSL tunnel. When you set Mail to sPOP and sSMTP, you are getting/sending your email through an encrypted SSL tunnel. Only catch with getting your email through SSL is OS X can never darned remember that it's OK for it to accept the remote mailserver's certificate, no matter how many times you say it's OK. Nuisance.

But if you have control over the remote computer you can do everything via SSH, including mounting a remote drive locally through an SSH tunnel (sshfs), and extending every remote service to your local machine as if it was being provided locally. For example, my remote Debian machine runs dnsmasq, a DNS caching nameserver. I use reverse tunneling to bring port 53 on that machine to port 2253 on my local machine. So I set my local DNS IP to 127.0.0.1:2253 and whenever I have a DNS request my machine reaches into its own bellybutton, tunnels out to the remote machine, and the remote DNS server executes the request.

Also I bring VNC from the remote machine to my local one, port 5900 there to 2259 here. Very secure, and I just set my RealVNC client on the Mac to 127.0.0.1:2259 to get my remote Debian desktop through a reverse SSH tunnel. (And that is on Desktop 3 of VirtueWindows)

The remote server does not have to listen to 53 or any other port, on an external interface (enhancing security), only localhost. None of my remote services have to listen to the public interface (Squid, Apache, NTP, VNC). The only public port listening on the remote machine is 22 (SSH, whose code is constantly combed over by the most security-fanatical and mathematically-ingenious crowd you can imagine). And no public ports are open on the local machine. Having no services listening to the public interface greatly increases security. The only vulnerability then is when you actually invite someone in, by clicking on a malicious link.

I've explained these things in detail in other threads here over the past few weeks, and frankly I think that's where gruffell got the idea for his hint.
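Added example (not from the thread): the layout Quantumstate describes, written out as OpenSSH commands plus a check that the remote box really has nothing but port 22 on its public interface. OpenSSH calls the direction used here (a remote port appearing on the local machine) local forwarding, option -L; -R is the opposite direction. The user name, host name and the sample listener table are constructed, and the port numbers (53 -> 2253, 5900 -> 2259) are the ones from the post. One caveat the post does not mention: an SSH port forward carries TCP only, so a forwarded port 53 serves DNS over TCP, not the UDP queries most resolvers send by default.

```shell
#!/bin/sh
# Added example, not the thread's own code. Constructed names and data.

REMOTE='john@home.example.net'   # assumption: an SSH login on the remote box

# Bring the remote DNS cache and VNC server to the local loopback address.
# Binding the local end to 127.0.0.1 keeps the forwarded ports off the
# cafe's wireless network; -N means "no shell, just the forwards".
start_tunnels() {
    ssh -N \
        -L 127.0.0.1:2253:127.0.0.1:53 \
        -L 127.0.0.1:2259:127.0.0.1:5900 \
        "$REMOTE"
}

# public_listeners "ALLOWED PORTS"   (reads `netstat -ltn` style lines on stdin)
# Prints every listening TCP socket bound to a non-loopback address whose port
# is not in the space-separated allow list; prints nothing when the box is
# clean. Assumes the Linux netstat format (address:port); macOS uses a dot.
public_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr !~ /^127\./ && addr != "::1" && !(port in ok)) print $4
        }'
}

# Constructed sample of what `netstat -ltn` might show on the remote machine:
# DNS and VNC on loopback only, sshd public, and one proxy that was left
# listening on all interfaces by mistake.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:80                  :::*                    LISTEN'

# Run the check over the sample with only port 22 allowed.
audit_sample() { printf '%s\n' "$SAMPLE" | public_listeners "22"; }
```

On the real remote machine the check is `netstat -ltn | public_listeners "22"`; anything it prints is a service that should be moved to a loopback bind address and reached through a forward instead. The sshfs mount the post mentions is the same idea for files: `sshfs john@home.example.net:/home/john ~/home-mount` rides the SSH connection and needs nothing else open on the remote side.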

trevor
09-13-2007, 04:42 PM
I prefer SSH whenever possible because there's no chance of a corporate/govt backdoor. (open source)

But in many cases you do not have control over the other end, so SSL is still very secure.

That's an interesting statement. Surely OpenSSL (http://www.openssl.org/)'s open source credentials are unassailable? OpenSSL source code can be freely downloaded (http://www.openssl.org/source/) and verified anytime you would like. Or where could the corporate/ government backdoor be installed, if we're both thinking in our most paranoid ways?

Trevor

Quantumstate
09-13-2007, 05:44 PM
True, OpenSSL's open-source, but OpenSSL is not the primary app used. More in the minority, in fact. Further, any generally-recognized cert will be issued by a corporate certificate authority, also of whom I am suspicious.

That said, I use Thawte's Freemail Cert for functions where I need a random person to be able to rely on my signed/encrypted email. But I use SSH & GPG wherever possible.

trevor
09-13-2007, 06:19 PM
This is a very interesting subject to me, I hope nobody minds if we are wandering slightly off-topic.

Hmmmm. Checking what Netcraft (http://www.netcraft.com/) says now...

Well, I certainly wouldn't completely trust IIS servers whether or not running SSL, that's very true. But Apache-SSL (http://www.apache-ssl.org/) is open source, mod_ssl (http://www.modssl.org/) is open source, and Stronghold may or may not have started as open source but now that Red Hat owns it, it is also open source (cite: Red Hat (http://www.redhat.com/about/presscenter/2002/press_stronghold.html)). So I *think* that all of the main Apache-based SSL implementations are open source, right?

http://news.netcraft.com/archives/images/ssl-dev-share-timeline.gif

...and it looks like back in 2006, Apache overtook IIS in the number of SSL servers. (Cite: Netcraft: Apache Now the Leader in SSL Servers (http://news.netcraft.com/archives/2006/04/26/apache_now_the_leader_in_ssl_servers.html))

Trevor

Quantumstate
09-13-2007, 08:02 PM
Wow, Apache has really taken off. And Novell isn't even on the map anymore. I am a bit out of date. (Been at this since 1980)

Sure, I agree that Apache and mod_ssl are not corporo-compromised. But what about the certificate authorities? All it takes is one connexion into their database of generated certs, to have every private key they've provided for customers. And thanks to Republicans, this is now legal without a warrant! Fsck that.

I don't know what's wrong with the grid on that chart, but it looks like IIS is around 45%, and that is 45% too much for me. I just expect every M$ app and every bit of M$ workproduct (.doc, .xls, .ppt, etc, etc) to have hooks and breadcrumbs and timebombs and backdoors. NeoOffice for me.

And the same goes for G00gle and their atrocious privacy practices. I have never used G00gle for searches. Clusty is every bit as thorough, and it categorizes hits. You guys can let G00gle and Carnivore data-mine your every search until they know how many fillings you have, but I'll go start a hippie commune in the forest when they knock on the door asking for a DNA sample.

Quantumstate
09-13-2007, 08:13 PM
(And YAY, I'm over 300 posts!)