comp.os.linux.networking

David Brown writes:

>Unruh wrote:
>> Jack Snodgrass writes:
>>
>
>>
>>> If you use rsyncd, it's faster ( non-ssh ) and you can do
>>
>> It is faster because it is unencrypted. Not a great idea if you are backing
>> up unless you do not care if everyone can read the stuff being transfered.
>>

>Unencrypted transfers are only faster than encrypted ones if the
>bottleneck is processor speed, rather than link speed (or if you are

No, unencrypted transfers are always faster but the speed difference is
negligible if the link is the slowest item.


>passing compressible data over a link that does transparent compression,
>such as openvpn or ssh -C, since encrypted data is uncompressible). For
>many online backup operations, the link is the bottleneck, so encryption
>is free.

>However, the idea of "always use encryption because everyone can read
>the data being transferred" is basically FUD in most cases. If you've
>got a backup running between two sites, then the data moves from the one
>server, through your switches and gateways on to your ISP, through the
>internet infrastructure, and back out at the other side. At what point
>is it realistic to think that an attacker would be listening in to this

"through your switches and gateways on to your ISP, through the
internet infrastructure, and back out at the other side"



>traffic? It is *very* difficult to compromise the security of a decent
>ISP in order to sniff out traffic like that - hacking into the trunk
>internet exchanges would be even harder. Even if you managed it, with

It depends on who is doing the sniffing. "Reading passport applications" is
even harder.


>rsync you only get bits of changed data - you'd need to monitor the line
>(capturing enormous quantities of data) for months to get anything
>sensible. It is *vastly* easier for an attacker to use other methods

Nonesense. Any file you created today is sent out in its entirety.


>(bribe one of your IT staff, for example, or steal some login passwords)
>if they want to get your data. So unless you are doing a backup of a
>nuclear missile design, encryption on an rsync backup will only make a
>realistic difference if your network topology is such that the traffic
>is accessible by more people (such as the notorious "disgruntled employee").

>Of course, since encryption here is free, it is still worth using even
>for its tiny real-world benefits. If nothing else, it keeps you in the
>habit for when it *does* matter.

Yes. Precisely.



>Security is a process, and it starts with thinking about the situation,
>not with automatic rules that must always be applied at all times.

And as a process it should not be such that it needs to be thought about
each time it is used. It should be robust, even to human forgetfulness.
Making it a habit is part of that process.