Re: Question about rsync



Unruh wrote:
Jack Snodgrass <jacks_temp_id_bf2142@xxxxxxxxxxx> writes:

<snip>

If you use rsyncd, it's faster ( non-ssh ) and you can do

It is faster because it is unencrypted. Not a great idea if you are backing
up unless you do not care if everyone can read the stuff being transferred.


Unencrypted transfers are only faster than encrypted ones if the bottleneck is processor speed, rather than link speed (or if you are passing compressible data over a link that does transparent compression, such as openvpn or ssh -C, since encrypted data is uncompressible). For many online backup operations, the link is the bottleneck, so encryption is free.

However, the idea of "always use encryption because everyone can read the data being transferred" is basically FUD in most cases. If you've got a backup running between two sites, then the data moves from the one server, through your switches and gateways on to your ISP, through the internet infrastructure, and back out at the other side. At what point is it realistic to think that an attacker would be listening in to this traffic? It is *very* difficult to compromise the security of a decent ISP in order to sniff out traffic like that - hacking into the trunk internet exchanges would be even harder. Even if you managed it, with rsync you only get bits of changed data - you'd need to monitor the line (capturing enormous quantities of data) for months to get anything sensible. It is *vastly* easier for an attacker to use other methods (bribe one of your IT staff, for example, or steal some login passwords) if they want to get your data. So unless you are doing a backup of a nuclear missile design, encryption on an rsync backup will only make a realistic difference if your network topology is such that the traffic is accessible by more people (such as the notorious "disgruntled employee").

Of course, since encryption here is free, it is still worth using even for its tiny real-world benefits. If nothing else, it keeps you in the habit for when it *does* matter.

Security is a process, and it starts with thinking about the situation, not with automatic rules that must always be applied at all times.
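
The compressibility point in the reply above, as an added example that is not part of the original post: it measures what a link with transparent compression would put on the wire for plaintext versus already-encrypted data. The toy keystream cipher is an assumed stand-in for a real cipher (used only so the sizes can be measured with the standard library), and the log sample and key are constructed.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Assumed stand-in for a real cipher; for size measurements only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def link_bytes(payload: bytes) -> int:
    """Bytes on the wire after the link's transparent compression (zlib here)."""
    return len(zlib.compress(payload, 6))


def compare(plaintext: bytes, key: bytes) -> dict:
    """Wire sizes for the three orderings discussed in the thread."""
    ciphertext = keystream_xor(key, plaintext)
    compressed = zlib.compress(plaintext, 6)
    return {
        "plain_size": len(plaintext),
        # Unencrypted payload, compression done by the link.
        "plain_over_compressing_link": link_bytes(plaintext),
        # Payload encrypted first, then handed to a compressing link.
        "encrypted_over_compressing_link": link_bytes(ciphertext),
        # Payload compressed first, then encrypted (no link compression).
        "compress_then_encrypt": len(keystream_xor(key, compressed)),
    }


# Constructed sample: repetitive log-like text, typical of compressible data.
SAMPLE = b"".join(
    b"2024-01-%02d host%d backup job finished, %d files changed\n"
    % (d % 28 + 1, d % 5, d * 7)
    for d in range(2000)
)

if __name__ == "__main__":
    for name, size in compare(SAMPLE, b"constructed-demo-key").items():
        print(f"{name:34} {size:8d} bytes")
```

The encrypted payload gains nothing from the link's compression, while compressing before encrypting keeps the full saving.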