
If we establish the connection between two peers using two-way SSL with a strict configuration (TLS 1.3, strict ciphers, etc.) and disable client-initiated renegotiation, and likewise establish an SSH connection, then which connection will be considered more secure?

Can a two-way SSL connection be as secure as SSH?

yeah_well

  • This depends on a lot of different things... We'd need to know the _exact_ configuration you're using for TLS as well as for SSH, as well as your precise threat model. – forest Jul 30 '19 at 05:32
  • AES256+EDH, TLS1.3 only, strong dhparam configured – Jayesh Sahu Jul 30 '19 at 05:44
  • You need to provide more detail than that, and a threat model. This still isn't nearly enough to answer such a broad question. I mean, neither TLS nor SSH is "insecure" if used correctly... – forest Jul 30 '19 at 05:46
  • I am doing some research and have not done any specific threat modeling for this. But data on the wire should be secure, and the threat can be considered to come from outside only (assuming no internal threat). – Jayesh Sahu Jul 30 '19 at 06:49
  • If you force TLS 1.3 you don't have to worry about renegotiation, because it no longer exists; also 1.3 no longer allows configurable DH groups so 'dhparam configured' is ignored and useless. If you mean "AES256+EDH" as an OpenSSL cipherlist, that identifies old (<=1.2) ciphersuites that are ignored and useless in 1.3; if you mean it as a generic description, it is (1) incomplete and (2) very weird, because only OpenSSL ever used the spelling EDH (plus now all upstream-supported versions consider it obsolete). – dave_thompson_085 Jul 31 '19 at 06:41
  • Thanks Dave, your comments clear up many doubts. I am analyzing the security aspects of two-way SSL and I will correct the EDH cipher thing. My description is not clear because I was just trying to find out the risk and could not find an exact comparison on Google. – Jayesh Sahu Aug 01 '19 at 03:04
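To make the points in dave_thompson_085's comment concrete, here is an added example (not code from the question or the comments) using Python's `ssl` module. It builds a server context of the kind the question describes: TLS 1.3 as the minimum version, renegotiation switched off for the older protocol versions where it still exists, a client certificate required (two-way TLS), and an OpenSSL cipher string applied. It then reports which enabled suites are TLS 1.3 suites and which belong to TLS 1.2 and earlier, which shows that a string such as `AES256+EDH` only ever selects pre-1.3 suites that a TLS 1.3-only connection can never negotiate. The function names and the optional certificate-file parameters are this example's own assumptions; no certificate files are loaded unless paths are supplied.

```python
import ssl

# Added example, not from the question or comments. Builds the kind of context
# the question describes and shows what an OpenSSL cipher string does (and does
# not) govern once TLS 1.3 is forced.

HAS_TLS13 = ssl.HAS_TLSv1_3  # False when the linked OpenSSL has no TLS 1.3 support


def build_mutual_tls_server_context(cipher_string, cert_file=None, key_file=None, ca_file=None):
    """Return a server SSLContext: TLS 1.3 only, client certificate required.

    cert_file/key_file/ca_file are assumed file paths (placeholders for a real
    deployment); they are loaded only when given so the function runs without
    any certificates on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if HAS_TLS13:
        # Forcing TLS 1.3 removes renegotiation and configurable DH groups entirely.
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    # OP_NO_RENEGOTIATION only affects TLS 1.2 and earlier; it is harmless (and
    # redundant) when TLS 1.3 is the floor, but protects a fallback to 1.2.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    # Two-way (mutual) TLS: the server demands and verifies a client certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The OpenSSL cipher string governs only the TLS 1.2-and-earlier list; the
    # TLS 1.3 suites live in a separate list that this call does not touch.
    ctx.set_ciphers(cipher_string)
    if cert_file and key_file:
        ctx.load_cert_chain(cert_file, key_file)
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def classify_suites(ctx):
    """Split the context's enabled suites into TLS 1.3 names and pre-1.3 names."""
    tls13, pre13 = [], []
    for suite in ctx.get_ciphers():
        (tls13 if suite["protocol"] == "TLSv1.3" else pre13).append(suite["name"])
    return {"tls13": tls13, "pre13": pre13}


def cipher_string_report(cipher_string):
    """Build the context and summarise what the cipher string actually selected."""
    ctx = build_mutual_tls_server_context(cipher_string)
    report = classify_suites(ctx)
    report["min_version_is_tls13"] = bool(HAS_TLS13) and ctx.minimum_version == ssl.TLSVersion.TLSv1_3
    report["mutual_auth"] = ctx.verify_mode == ssl.CERT_REQUIRED
    return report


if __name__ == "__main__":
    r = cipher_string_report("AES256+EDH")
    print("TLS 1.3 suites (not governed by the cipher string):", r["tls13"])
    print("Pre-1.3 suites selected by 'AES256+EDH' (never negotiated once 1.3 is forced):", r["pre13"])
```

Running it shows the TLS 1.3 suites at OpenSSL's defaults regardless of the cipher string (Python's `ssl` exposes no setter for that list), while `AES256+EDH` yields only `DHE-*-AES256-*` suites, all of which belong to TLS 1.2 and earlier. With the version floor at TLS 1.3 the whole pre-1.3 list is dead configuration, which is exactly the comment's point; the string only matters if the floor is ever lowered.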

1 Answer


Unless you have a specific threat model, they both provide equally secure cryptography. There are some differences in how they are used and what threats apply to them, such as TLS typically using the web PKI (Public Key Infrastructure) for authentication whereas SSH relies on TOFU (Trust-On-First-Use). The former trusts Certificate Authorities, whereas the latter relies on an initial connection that is not compromised. So yes, TLS can be just as secure as SSH.

forest