How secure is secure? 128bit vs 1024bit webhosting services

[logicalconfusion]

Earlier today I realized that my domain service uses plain old FTP to transfer data. So, after watching an old hak5 ep I called their office to see if they offer SSH shells or third party discounted VPN access. I was schocked when the lady on the other end said "Please hold. I'll look into it for you." She didn't know the difference btw SSH and VPN! I was advised to log in using IE when I told her that I'm a road warrior.

She couldn't answer any of my questions regarding pub wifi security. I immediately demanded to talk to a tech in tier III who speaks ENGLISH. She placed the call on hold for five mins and transferred the call to Joe. Joe had no clue wtf I was talking about. He thought I was trying to setup a plain old webpage to share cupcake and purne juice recipes. He told me to think of my website as house in cyber space.

Joe for some strange reason avoided using words like encryption. To pat Joe on the back I asked him how I can send strippers to my house in cyber space without all the jeahovah's witnesses in the neighborhood knocking down the front door. He scrathed his head and then recommended establishing a secure SSL connection to their corporate network, which according to him implements 128bit SSL.

To make a long story short, Joe ended up recommending a premium 400$ per yr VPS service that implements SSL and recommended developing custom scripts to run on their server. According to Joe, its possible to host a proprietary script/application on their server that encrypts info on the fly off a SSL tunnel. Imagine hak5.org stored on an encrypted server that only allows certain key holders to view info. My question here is two fold.

How secure is 128bit? Most cc companies use 1024bit authentication. Secondly, Whats the best way to encrypt info stored on a hosting service using a key - like Truecypt volumes?

[Jason Cooper]

O.K. this can be a bit confusing until you understand the difference between symmetric encryption and asymmetric encryption. Key length for asymmetric need to be a lot bigger than those used in symmetric encryption (if you want to read more about it check out the wikipedia page on Key Sizes [ http://en.wikipedia.org/wiki/Key_size ]).

Now SSL/TLS uses both asymmetric and symmetric, asymmetric at the establish the tunnel and symmetrical for data flowing through the tunnel. So sometime you will see recommendations that you should be using at least 2048bit encryption and others that you should be using at least 128bit. Really you need to follow both bits of advice, but it is quite easy.

1) When generating your public/private key pair for your server (usually done as part of getting the SSL certificate sorted) make sure it is at least 2048bits in length.

2) When configuring your SSL server make sure that it is configured to only use strong symmetrical ciphers. [ http://httpd.apache.org/docs/2.4/ssl/ssl_howto.html ]

Encrypting information stored on a hosted service really comes down to what are you trying to protect it from? If you are trying to protect it from other users on the hosted service then Truecrypt volumes won't work as once mounted their contents is only really protected by the OS's file permissions. If you are wanting to protect it from other users then a virtual server would be a better way to go (provided you have the skill to configure and maintain one) as then you don't have any other users.

One thing I can tell you is that 400$ per yr for a VPS sounds far too much unless it is going to be really heavily used.

Out of interest have you tried connecting to your hosted service via sftp? I find that while sometimes the phone support staff don't know what sftp is but the people responsible for the server have it running as a side effect of having SSH on the machine.

[digininja]

Earlier today I realized that my domain service uses plain old FTP to transfer data. So, after watching an old hak5 ep I called their office to see if they offer SSH shells or third party discounted VPN access. I was schocked when the lady on the other end said "Please hold. I'll look into it for you." She didn't know the difference btw SSH and VPN! I was advised to log in using IE when I told her that I'm a road warrior.

You are lucky if the initial person who answers the phone at a hosting company knows what either of those are, they are generally there to help with really basic stuff like forgotten passwords. Most hosting companies unfortunately still rely on FTP, a lot give the reason that it is a well known tool with lots of advice on how to use it and lots of supported apps.

She couldn't answer any of my questions regarding pub wifi security. I immediately demanded to talk to a tech in tier III who speaks ENGLISH. She placed the call on hold for five mins and transferred the call to Joe. Joe had no clue wtf I was talking about. He thought I was trying to setup a plain old webpage to share cupcake and purne juice recipes. He told me to think of my website as house in cyber space.

I wouldn't expect a hosting company support person to help with wifi security, it isn't really their job. My advice, don't admin your server on any network you don't trust. If you need to log in via the web to use the site then either do it from home or the office. If you need to do it from the road look at getting a VPN provider which would allow you to have an encrypted tunnel between you and them so basically block anyone on the local network from seeing what you are doing. Enabling HTTPS correctly would protect your traffic as well as you make sure that it hasn't been stripped in any way.

I wouldn't do FTP from any network you don't trust, always do that from a trusted network.

Joe for some strange reason avoided using words like encryption. To pat Joe on the back I asked him how I can send strippers to my house in cyber space without all the jeahovah's witnesses in the neighborhood knocking down the front door. He scrathed his head and then recommended establishing a secure SSL connection to their corporate network, which according to him implements 128bit SSL.

What bits of your site are you trying to protect? Is there really a difference between your content and a site about cupcakes? Is what you are putting up there public anyway or is it all going to be behind some kind of login system? If it is public any way then it doesn't need to be protected.

To make a long story short, Joe ended up recommending a premium 400$ per yr VPS service that implements SSL and recommended developing custom scripts to run on their server. According to Joe, its possible to host a proprietary script/application on their server that encrypts info on the fly off a SSL tunnel. Imagine hak5.org stored on an encrypted server that only allows certain key holders to view info. My question here is two fold.

That is the way I host my sites, I have a dedicated server that only a couple of people have access to. The only remote access is through SSH and I make sure I keep it patched to keep up security levels.

If you want something similar have a look at Linode or Amazon EC2, both of these give you a dedicated VPS that you can set up however you want and they come by default with SSH enabled. They should be less than $400/year.

How secure is 128bit? Most cc companies use 1024bit authentication. Secondly, Whats the best way to encrypt info stored on a hosting service using a key - like Truecypt volumes?

On a basic hosting platform you aren't going to be able to encrypt your data while at rest and most of the time there isn't really much point in doing so. The web server needs access to the pages so any encrypted storage needs to be unlocked while in use which means anyone who has access to the filesystem has access to your files.

Truecrypt wouldn't help as you would have an encrypted lump that the web server couldn't see inside.

The only real option is to use full disk encryption which you can't do on shared hosting. Also that only protects once the power has been pulled, again, while the power is on anyone can see the files as they are unlocked.

The bit lengths are all dependent on what you are doing with them, you are probably talking about the size of keys used for the SSL certificate, in which case the current recommended length is at least 2096bits.

[Jason Cooper]

The bit lengths are all dependent on what you are doing with them, you are probably talking about the size of keys used for the SSL certificate, in which case the current recommended length is at least 2096bits.

Why 2096 instead of the more common 2048? Are some attack tools out there coded to work with only standard key sizes?

[digininja]

Sorry, typo 2048. Didn't seem right when I typed it.

[logicalconfusion]

The only real option is to use full disk encryption which you can't do on shared hosting. Also that only protects once the power has been pulled, again, while the power is on anyone can see the files as they are unlocked.

The bit lengths are all dependent on what you are doing with them, you are probably talking about the size of keys used for the SSL certificate, in which case the current recommended length is at least 2048bits.

@Jason Cooper I'm confused! You mentioned symmetry and asymmetry. The technology is really based on factorization of large like, 2300000^23, prime numbers, based on my research. The wiki page you referenced outlines the procedure for implementing keys based on RSA's standards. So, it appears that a third party is in charge of the initial transfer of encrypted, authenticated, info. Now before I discuss this here any further I want to know if the RSA algorithms are up for public scrutiny.

[Jason Cooper]

Symmetrical encryption is where the same key is used to both encode and decode the message.

Asymmetrical encryption is where there are two keys, a public and a private key. Any thing encrypted with one of the keys can't be decrypted with the same key, but it can be decrypted with the other key. Asymmetrical encryption is sometimes referred to as public key encryption.

AES, RC4, DES, etc are all Symmetrical ciphers. They are very fast to encrypt/decrypt but all parties involved require the same key, which makes key distribution a major concern.

RSA, ELGamal, Elliptic curves are all Asymmetrical. Key distribution is easier as you just need to pass public keys about (proving that a public key is your public key can get a bit tricky though). Times to encrypt/decrypt though is slow compared to symmetrical ciphers.

SSL/TLS uses a combination of the two, using asymmetrical encryption to secure and verify the host (and possibly the client as well) before deciding on a key and symmetrical cipher to use for the rest of the communication.

All the ciphers and protocols used in SSL/TLS are publicly available for you to read through, just Google for whichever bit it is you want to learn about, and if you want a good introduction to encryption then try The Code Book by Simon Singh.