#1

I want to do remote backups and need opinions whether this is secure enough? Not looking for bomber proof security but at least a decent security level so the weekend hacker can't open my files.

1. Backup file is 256-bit encrypted
2. Transfer via regular ftp
3. Store on the server used for my web hosting in a password protected folder

Some of the options I've considered

1. Transfer via SSL ftp transfer: but if the file transferred is already encrypted, does a SSL transfer add any value?
2. I suspect a password protected web folder can rather easily be cracked, however, the backup file being 256-bit encrypted, how likely / easily can this be cracked?

Thanks for your feedback!

S
goglorieux@hotmail.com

#2

writes:

> I want to do remote backups and need opinions whether this is secure
> enough? Not looking for bomber proof security but at least a decent
> security level so the weekend hacker can't open my files.
>
> 1. Backup file is 256-bit encrypted

Excellent.

> 2. Transfer via regular ftp

Ironic.

> 3. Store on the server used for my web hosting in a password protected
> folder

Reasonable.

> Some of the options I've considered
>
> 1. Transfer via SSL ftp transfer: but if the file transferred is
> already encrypted, does a SSL transfer add any value?

It does as the login credentials to get to the file are not transmitted in sniffable plain text, which makes it harder for someone to get their hands on your encrypted file to begin with.

> 2. I suspect a password protected web folder can rather easily be
> cracked, however, the backup file being 256-bit encrypted, how likely /
> easily can this be cracked?

What algorithm? Assuming it's a decent one, it'd take a very determined attacker with a shitload of compute power, and more years than he's likely to be alive to crack it.

--
Todd H.
http://www.toddh.net/

#3

Todd H. wrote:

> > Some of the options I've considered
> >
> > 1. Transfer via SSL ftp transfer: but if the file transferred is
> > already encrypted, does a SSL transfer add any value?
>
> It does as the login credentials to get to the file are not
> transmitted in sniffable plain text, which makes it harder for someone
> to get their hands on your encrypted file to begin with.

If someone has the ability to sniff credentials in this manner, they already have the file anyway.

It's not a wise thing to use unencrypted auth in general, but the real threat here is something more along the lines of a DoS attack than data theft.

#4

Nomen Nescio <> writes:

> Todd H. wrote:
>
> > > Some of the options I've considered
> > >
> > > 1. Transfer via SSL ftp transfer: but if the file transferred is
> > > already encrypted, does a SSL transfer add any value?
> >
> > It does as the login credentials to get to the file are not
> > transmitted in sniffable plain text, which makes it harder for someone
> > to get their hands on your encrypted file to begin with.
>
> If someone has the ability to sniff credentials in this manner, they
> already have the file anyway.

But with SSL ftp, you can make them break 2 pieces of strong encryption (the SSL first, then the encryption of the file) rather than just one (the file's encryption).

> It's not a wise thing to use unencrypted auth in general, but the
> real threat here is something more along the lines of a DoS attack
> than data theft.

????

--
Todd H.
http://www.toddh.net/

#5

Todd H. wrote:

> Nomen Nescio <> writes:
>
> > Todd H. wrote:
> >
> > > > Some of the options I've considered
> > > >
> > > > 1. Transfer via SSL ftp transfer: but if the file transferred is
> > > > already encrypted, does a SSL transfer add any value?
> > >
> > > It does as the login credentials to get to the file are not
> > > transmitted in sniffable plain text, which makes it harder for someone
> > > to get their hands on your encrypted file to begin with.
> >
> > If someone has the ability to sniff credentials in this manner, they
> > already have the file anyway.
>
> But with SSL ftp, you can make them break 2 pieces of strong
> encryption (the SSL first, then the encryption of the file) rather
> than just one (the file's encryption).

It's assumed they can't break either one. But the SSL encrypted ftp session can be circumvented almost trivially by substituting certificates (MITM) especially with typical FTP clients that don't check/warn users about odd certificates. Or "valid" certificates with easily obtained CA signatures.

The data content itself should be secure either way. SSL really isn't adding anything at all to the mix outside obscuring authorization, and that's easy enough for an attacker to compromise if they're in a position with enough authority to mishandle your traffic at all. It's a little more involved than just sniffing/logging of course, but not that much.

> > It's not a wise thing to use unencrypted auth in general, but the
> > real threat here is something more along the lines of a DoS attack
> > than data theft.
>
> ????

I'm thinking along the lines of an attacker using your login information to change passwords, delete data, etc. Things that don't compromise the data itself, just make it inaccessible. That's the real threat that's addressed by SSL in this scenario, not encrypting and securing the already secured data itself.

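Post #5's point about FTP clients that do not check certificates, shown from the client side as an added example (not code from any poster in this thread): a Python `ftplib` upload that passes an explicit verifying TLS context and can additionally pin the server certificate's fingerprint, which covers the "valid but unexpected certificate" case. The function names, host, credentials, file names and pin value are placeholders the caller supplies.

```python
import ftplib
import hashlib
import hmac
import ssl


def verifying_context(ca_file=None):
    """TLS context that rejects unknown CAs and hostname mismatches."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already enables both checks; they are stated
    # explicitly because they are what stops a substituted certificate.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pin_matches(der_cert, pinned_sha256_hex):
    """Compare the certificate's SHA-256 with a fingerprint recorded earlier."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256_hex.lower())


def upload_backup(host, user, password, path, remote_name, pin=None, ca_file=None):
    """Upload an already-encrypted backup over explicit FTPS (AUTH TLS)."""
    ftps = ftplib.FTP_TLS(context=verifying_context(ca_file), timeout=30)
    ftps.connect(host, 21)
    ftps.auth()  # TLS handshake on the control channel before USER/PASS
    if pin is not None:
        der = ftps.sock.getpeercert(binary_form=True)
        if not pin_matches(der, pin):
            ftps.close()  # no credentials have been sent at this point
            raise ssl.SSLError("certificate does not match pinned fingerprint")
    ftps.login(user, password)
    ftps.prot_p()  # encrypt the data channel as well as the control channel
    with open(path, "rb") as fh:
        ftps.storbinary("STOR " + remote_name, fh)
    ftps.quit()
```

A failed verification raises during `auth()`, before the login is sent, so the credentials are not exposed to whoever presented the certificate.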
#6

Thanks very much for your comments, they have been very useful.

Have a good weekend

S

Anonyma wrote:

> Todd H. wrote:
>
> > Nomen Nescio <> writes:
> >
> > > Todd H. wrote:
> > >
> > > > > Some of the options I've considered
> > > > >
> > > > > 1. Transfer via SSL ftp transfer: but if the file transferred is
> > > > > already encrypted, does a SSL transfer add any value?
> > > >
> > > > It does as the login credentials to get to the file are not
> > > > transmitted in sniffable plain text, which makes it harder for someone
> > > > to get their hands on your encrypted file to begin with.
> > >
> > > If someone has the ability to sniff credentials in this manner, they
> > > already have the file anyway.
> >
> > But with SSL ftp, you can make them break 2 pieces of strong
> > encryption (the SSL first, then the encryption of the file) rather
> > than just one (the file's encryption).
>
> It's assumed they can't break either one. But the SSL encrypted ftp
> session can be circumvented almost trivially by substituting
> certificates (MITM) especially with typical FTP clients that don't
> check/warn users about odd certificates. Or "valid" certificates with
> easily obtained CA signatures.
>
> The data content itself should be secure either way. SSL really isn't
> adding anything at all to the mix outside obscuring authorization, and
> that's easy enough for an attacker to compromise if they're in a
> position with enough authority to mishandle your traffic at all. It's a
> little more involved than just sniffing/logging of course, but not that
> much.
>
> > > It's not a wise thing to use unencrypted auth in general, but the
> > > real threat here is something more along the lines of a DoS attack
> > > than data theft.
> >
> > ????
>
> I'm thinking along the lines of an attacker using your login
> information to change passwords, delete data, etc. Things that don't
> compromise the data itself, just make it inaccessible. That's the real
> threat that's addressed by SSL in this scenario, not encrypting and
> securing the already secured data itself.

#7

wrote:

> I want to do remote backups and need opinions whether this is secure
> enough? Not looking for bomber proof security but at least a decent
> security level so the weekend hacker can't open my files.
>
> 1. Backup file is 256-bit encrypted
> 2. Transfer via regular ftp
> 3. Store on the server used for my web hosting in a password protected
> folder
>
> Some of the options I've considered
>
> 1. Transfer via SSL ftp transfer: but if the file transferred is
> already encrypted, does a SSL transfer add any value?
> 2. I suspect a password protected web folder can rather easily be
> cracked, however, the backup file being 256-bit encrypted, how likely /
> easily can this be cracked?
>
> Thanks for your feedback!
>
> S
>

You've had some excellent and authoritative responses on the web backup, but what about in-house backup? I make a nightly clone backup to an 80 gig external hard drive. If I wanted, I could then put it in a safe. The reason for a clone rather than a matrix is that restoring a clone does not require the specific software that created it, and individual files and folders are available without doing a complete restore.

There are probably many of these systems. Mine is a drive in a nice case from Apricorn. I understand Norton also has something called "Ghost".

--
Remove "-nubby-" to correspond.

#8

On Sat, 09 Sep 2006 10:40:16 -0700, Gualtier Malde wrote:

> wrote:
>> I want to do remote backups and need opinions whether this is secure
>> enough? Not looking for bomber proof security but at least a decent
>> security level so the weekend hacker can't open my files.
>>
>> 1. Backup file is 256-bit encrypted
>> 2. Transfer via regular ftp
>> 3. Store on the server used for my web hosting in a password protected
>> folder
>>
>> Some of the options I've considered
>>
>> 1. Transfer via SSL ftp transfer: but if the file transferred is
>> already encrypted, does a SSL transfer add any value?
>> 2. I suspect a password protected web folder can rather easily be
>> cracked, however, the backup file being 256-bit encrypted, how likely /
>> easily can this be cracked?
>>
>> Thanks for your feedback!
>>
>> S
>>
> You've had some excellent and authoritative responses on the web backup, but what about in-house
> backup? I make a nightly clone backup to an 80 gig external hard drive. If I wanted, I could then
> put it in a safe. The reason for a clone rather than a matrix is that restoring a clone does not
> require the specific software that created it, and individual files and folders are available
> without doing a complete restore.

What kind of software do you use?

>
> There are probably many of these systems. Mine is a drive in a nice case from Apricorn. I
> understand Norton also has something called "Ghost".

I think with Norton you have to restore completely, you can't do just files or folders individually?

#9

traveler 66 wrote:

> I think with Norton you have to restore completely, you can't do just files
> or folders individually?

Completely clueless as usual....

http://www.symantec.com/home_homeoff...r&pvid=ghost10

"Restores individual files or entire hard drive"

Have you EVER managed to post something that DIDN'T make you look like a drooling retard?

I didn't think so.

#10

On Sun, 10 Sep 2006 16:49:35 +0200 (CEST), George Orwell wrote:

> traveler 66 wrote:
>
>> I think with Norton you have to restore completely, you can't do just files
>> or folders individually?
>
> Completely clueless as usual....
>
> http://www.symantec.com/home_homeoff...r&pvid=ghost10
>
> "Restores individual files or entire hard drive"
>
> Have you EVER managed to post something that DIDN'T make you look like
> a drooling retard?
>
> I didn't think so.

Go play trolls somewhere else.