3

I just get a Linux server from a third-party. Then I create a SSH tunnel via SecureCRT: https://www.vandyke.com/support/tips/socksproxy.html , where the Linux server is used as the Gateway Server.

However, the Linux server is not 100% safe since it is managed by a third-party. Now if I connect to a HTTPS server via the SSH tunnel, will the password sent to the HTTPS server be stolen by the administrators of the Linux server?

7ochem
  • 280
  • 1
  • 3
  • 12
alancc
  • 141
  • 12

1 Answers1

5

HTTPS over a third-party SSH tunnel is no less secure than SSH over untrusted networks and internet is by definition an untrusted network.

HTTPS encrypts end-to-end and no party in-between can decrypt the message unless they possessed the keys (or downgraded the connection, or tricked the user to trust attacker's certificate, but no attack on HTTPS is facilitated by using an underlying tunneling protocol).

Also you don't send any password to the HTTPS server. A password might be a part of the data transmitted over the secure HTTPS channel, but no password is used for the HTTPS implementation/connection itself.

techraf
  • 4,243
  • 8
  • 29
  • 44
  • HTTPS does not warn when the public key changes (unless it's invalid) but SSH usually does warn when the public (host) key changes. So the "trick the user to trust an altered key" part is the most insecure I guess. – Daniel W. Feb 17 '17 at 16:50
  • True, it is up to the https site owner to do key pinning and hsts. – Aaron Feb 17 '17 at 16:51