3 Tips for Secure Communication
I’ve been using a couple of wireless hotspots the last few days, and while very convenient, it made me think about security. The problem is that every time you check your mail, transfer files with FTP or connect to a server via Telnet, all the data, including your username and passwords, are transferred over the internet in plain text and are therefore in danger of eavesdropping and password sniffing.
Luckily DreamHost provides SFTP, SSH and SSL encrypted POP3/SMTP so you can easily get all your communication encrypted.
Remote Access
Telnet is an internet protocol that allows you to open a shell on the server to interact with the command line. Telnet is a powerful tool that lets you run programs on the server, edit your documents/files directly on the server or configure settings like crontab and procmail. The secure alternative to Telnet is SSH (Secure Shell). The biggest difference between Telnet and SSH is that SSH clients encrypt all the traffic between the user’s machine and the server.
If you want shell access at DreamHost you need to enable it in the Users Area of the Control Panel. If you’re already using Telnet, you don’t need to change anything.
PuTTY seems to be the most popular SSH client (and its codebase is widely used in other software packages), but there exist plenty of alternative clients.
The first time you use SSH to connect to a server, you will see a warning like this:

The server’s host key was not found in the cache. You have no guarantee that the server is the computer you think it is.
This host key check is an extra security feature of PuTTY. It checks the signature of the server every time you connect and compares it with the one from your last connection, in order to verify that you’re really connecting to the same server. The first time you connect to a server, PuTTY has nothing to compare with, and therefore asks you what to do.
More info in the Knowledge Base: How do I use Telnet or SSH to access my site.
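The host key check described above, sketched as an added example (not PuTTY's code and not part of the original post). The SHA-256 fingerprint style, the in-memory cache, the host name shell.example.com and the key blobs are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """SHA-256 fingerprint of a public host key blob (assumed OpenSSH-like style)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyCache:
    """Remembers one fingerprint per (host, port), like a client-side key cache."""

    def __init__(self):
        self._known = {}

    def check(self, host: str, port: int, key_blob: bytes) -> str:
        """Return 'unknown', 'match' or 'changed' for the key the server presented."""
        cached = self._known.get((host.lower(), port))
        if cached is None:
            return "unknown"   # first connection: nothing to compare with
        if hmac.compare_digest(cached, fingerprint(key_blob)):
            return "match"     # same key as on the last connection
        return "changed"       # different key: re-keyed server or interception

    def connect(self, host, port, key_blob, user_accepts) -> bool:
        """Decide whether to proceed; user_accepts(fp) is asked only on first contact."""
        status = self.check(host, port, key_blob)
        if status == "match":
            return True
        if status == "unknown" and user_accepts(fingerprint(key_blob)):
            self._known[(host.lower(), port)] = fingerprint(key_blob)
            return True
        return False           # user declined, or the key changed


# Constructed sample key blobs (not real host keys).
GENUINE_KEY = b"constructed-host-key-A"
OTHER_KEY = b"constructed-host-key-B"


def demo():
    cache = HostKeyCache()
    first = cache.connect("shell.example.com", 22, GENUINE_KEY, lambda fp: True)
    again = cache.connect("shell.example.com", 22, GENUINE_KEY, lambda fp: False)
    spoofed = cache.connect("shell.example.com", 22, OTHER_KEY, lambda fp: True)
    return first, again, spoofed
```

The first connection succeeds only because the user accepts the fingerprint, so that prompt is the moment to compare it with a value obtained from the host through another channel.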
File Transfer
While FTP is the most widely used file transfer protocol, SFTP is the secure alternative. DreamHost supports both SFTP and SCP on all accounts, but it requires you to enable shell access in the Control Panel.
WinSCP and FileZilla are both free Open Source SFTP clients. Alternative clients can be found at freessh.org. WinSCP’s SSH and SCP code is based on PuTTY, so if you’re used to PuTTY, you will recognise similarities in the user interface.

The icons show that the connection is encrypted (using AES and SSL version 2) and that compression is enabled.
More info in the Knowledge Base: SCP / SFTP.
DreamHost supports both SSL IMAP and POP3, and a couple of weeks ago they started to offer secure SMTP. SSL provides endpoint authentication and communications privacy over the internet using cryptography. While SSL is most commonly used with HTTP to form HTTPS (secure webpages for applications such as e-commerce and banking), the same technique can be used to secure your communication with a mail server.
All you have to do is to tell your email program to use SSL. In Microsoft Outlook / Outlook Express you do this by selecting “This server requires a secure connection (SSL)” in the accounts dialog box for both POP (incoming mail) and SMTP (outgoing mail). In Mozilla Thunderbird the setting is called “Use secure connection (SSL)”. The port numbers should automatically be updated, otherwise use port 995 for POP (instead of 110) and 25 for SMTP (no change). If your ISP blocks port 25 you can sometimes use port 465 instead.

Outlook Express settings…

Outlook Express securing the connection, before it logs in to the email account…
The only caveat of using SSL email is an annoying warning since the SSL certificate is registered for mail.dreamhost.com and not for mail.yourdomain.com.

The server you are connected to is using a security certificate that could not be verified.
I will provide a workaround for this annoyance in my next blog post.
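Why the mail client shows that warning, as an added example (not part of the original post and not any mail client's own code): the client compares the host name it was configured with against the names on the certificate. The certificate name list is constructed from the host names given above, and the wildcard rule is a simplified version of common TLS name matching.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """Compare one DNS name from a certificate with the host the client asked for."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # A wildcard covers exactly one non-empty left-most label,
        # never the bare parent domain or a deeper subdomain.
        return (len(cert_labels) >= 3
                and host_labels[0] != ""
                and cert_labels[1:] == host_labels[1:])
    return cert_labels == host_labels


def verify_mail_server(cert_names, configured_host):
    """Return (ok, message), the decision behind the client's warning dialog."""
    for name in cert_names:
        if name_matches(name, configured_host):
            return True, f"{configured_host} matches certificate name {name}"
    return False, (f"certificate is for {', '.join(cert_names)}, "
                   f"not for {configured_host}")


# Constructed certificate name list, using the host names from the post.
SHARED_CERT_NAMES = ["mail.dreamhost.com"]


def demo():
    own_domain = verify_mail_server(SHARED_CERT_NAMES, "mail.yourdomain.com")
    cert_domain = verify_mail_server(SHARED_CERT_NAMES, "mail.dreamhost.com")
    return own_domain, cert_domain
```

The connection is encrypted in both cases; what fails for mail.yourdomain.com is the identity check, which is the part that tells the client it is talking to the intended server.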

February 20th, 2006 at 11:04
Thanks. Interested in hearing your SSL mail warning workaround.
February 20th, 2006 at 11:31
and it’s codebase –> and its codebase
February 20th, 2006 at 11:44
Trevor – Corrected, thanks!
February 20th, 2006 at 11:59
While FTP is the most widely used file transfer protocol, SFTP is the secure alternative. DreamHost supports both SFTP and SCP on all accounts, but it requires you to enable shell access in the Control Panel.
It seems that — unfortunately — a user can’t transfer files securely to DreamHost unless you have enabled shell access to the user.
February 20th, 2006 at 22:17
Ewwwww. Outlook Express?!
Otherwise good tips for those who are unaware, though to be honest, anybody who doesn’t know these things shouldn’t be hosting a website.
February 21st, 2006 at 01:16
“I will provide a workaround for this annoyance in my next blog post.”
Looking forward to it!!
February 26th, 2006 at 03:38
Same here regarding the solution for the certificate verification annoyance.
I have had this dialog box appear on every single mail app I tried – and this includes most clients for Windows, Linux, Mac, and a few cell phones. I even have it show up when I try to log in securely to the webmail, on every browser I tried it on!
So needless to say, I am also looking forward to a solution
March 3rd, 2006 at 15:20
So where’s the SSL workaround?
March 6th, 2006 at 15:52
Where is the SSL workaround?????