RE: Encryption for FTP/MAil/Web

From: Myers Chad (chad.myers@recall.com)
Date: 10/25/01


Message-ID: <ECBFCB3F6E6AD511A30D0008C74546473335AD@mail01.recall.com>
From: Myers Chad <chad.myers@recall.com>
To: 'Rafael 'Dido' Sevilla' <sevillar@team.ph.inter.net>, Christian Mengler <menglerc@synktech.net>
Subject: RE: Encryption for FTP/MAil/Web
Date: Wed, 24 Oct 2001 22:11:33 -0400

Sorry to pop in on this late in the discussion, but I just now started
digging through my mail. I actually spent several days researching
various methods of secure file transfer a month or so ago, and wound
up deciding on ssl-ftp. Primary decision was because I needed an
authentication mechanism besides OS login, and I didn't see anything
in the ssh/sftp arena that provided it. I didn't want to create
customer accounts in the OS.

> On Mon, Oct 22, 2001 at 11:28:41AM +1100, Christian Mengler wrote:
> > Hey,
> > I've been looking into FTP encryption for the last few days, I found
> > that SSH only encrypts the authentication process, but not the
> > transferring of data.

Depends on the version; v1 sftp did this. v2 sftp (f-secure and openssh)
are actually encrypting the entire session. Tunneling ftp through ssh
will depend on how you configure the tunnel.

> Huh? Then why is it when I use SCP to copy files between two machines
> on a crossed Ethernet cable, the speed of the copy is substantially
> less than using HTTP or (unencrypted) FTP? I also see SSH processes on
> both boxes consuming non-negligible CPU cycles. Tcpdump also shows
> gibberish where my files should be.

The gibberish part is to be expected, since it's encrypted data. The
speed issue isn't you alone. I've seen it, as have several others.
Not sure why scp sucks so badly in the speed department compared to
other transfer methods.

> > Although SSL, I read that it encrypts not only the authentication,
> > but also the data. I'm not quite sure on what SSL FTP daemons are out
> > there, there are a few for *nix, e.g. SurgeFTP (www.freshmeat.net),
> > but I'm not sure on the availability for Windows. But it's worth a
> > try looking for FTP clients/servers supporting SSL :)

Yes, ssl-ftp can encrypt the control & data channel; it's not
required to do so, but it is allowed per the RFC, and the few
ssl-ftp servers I found had it as a configurable option.

> If you want a cheaper solution, you can try using Stunnel on a
> standard FTP daemon. It was only by using stunnel I was able to get
> ncftp to connect to an SSL-FTP server... I haven't yet seen any
> standalone FTP-SSL clients yet, not even for Unix.

I'm not sure about unix, but there are at least 2 ssl-ftp clients for
Windows - ws-ftpd pro (v7) and CuteFTP Pro. CuteFTP Pro also has
support for sftp, http, and https as well. Rather nifty it seemed.
As for ssl-ftp servers, I only found one RFC compliant one for Windows;
ws-ftp server (www.ipswitch.com). For Unix, there are at least a handful;
the one that sticks in mind right now is ProFTPd (open source).

One minor detail you need to be aware of with ssl-ftp; because it
runs through the normal ftp ports, some firewalls (FW1 & SecureRemote)
see the encrypted ftp commands going over the ftp ports, can't parse
them because they are encrypted, and then silently drop the packets.
This, even when allow-all is configured. If Secure Remote is even
running on the client system, you won't be able to get a ssl-ftp
connection up until you disable Secure Remote from auto-starting and
then reboot the system (yes, I really mean reboot). Pix does work
properly once you disable the ftp fixup protocol; I haven't tested
with any others.

-Chad
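
Added example, not part of the original message: a short Python audit of FTP server command logs that flags sessions where the control or data channel stayed in clear, which matters because data-channel protection is an optional setting as noted in the message above. The `<session-id> <command>` log format, the sample lines and the function name are assumptions constructed for illustration; only `AUTH TLS` with the RFC 2228 `PBSZ`/`PROT` commands is modelled, and every logged command is assumed to have succeeded.

```python
from collections import defaultdict

# Commands that open a data connection (file transfers and directory listings).
TRANSFER_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST"}

# Constructed sample log: "<session-id> <FTP command> [args]" (assumed format).
SAMPLE_LOG = """\
s1 USER alice
s1 PASS ****
s1 RETR report.csv
s2 AUTH TLS
s2 USER bob
s2 PASS ****
s2 RETR payroll.csv
s3 AUTH TLS
s3 USER carol
s3 PASS ****
s3 PBSZ 0
s3 PROT P
s3 STOR backup.tar
""".splitlines()


def audit_sessions(lines):
    """Map session id -> list of cleartext-exposure findings."""
    # Until AUTH TLS the control channel is clear; until PROT P the data channel is clear.
    state = defaultdict(lambda: {"tls": False, "prot": "C"})
    findings = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        sid, cmd = parts[0], parts[1].upper()
        args = [a.upper() for a in parts[2:]]
        s = state[sid]
        if cmd == "AUTH" and args[:1] == ["TLS"]:
            s["tls"] = True      # control channel protected from here on
        elif cmd == "PROT" and s["tls"] and args[:1] in (["P"], ["C"]):
            s["prot"] = args[0]  # P = private (encrypted), C = clear
        elif cmd == "PASS" and not s["tls"]:
            findings[sid].append("PASS on cleartext control channel")
        elif cmd in TRANSFER_CMDS and s["prot"] != "P":
            findings[sid].append(f"{cmd} with cleartext data channel")
    return dict(findings)


if __name__ == "__main__":
    for sid, issues in sorted(audit_sessions(SAMPLE_LOG).items()):
        print(sid, issues)
```

Session `s2` shows the case the message describes: the login is protected, but without `PROT P` the file itself still crosses the wire unencrypted.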


