Re: is that a good offer for a server installation?

From: Joachim Schipper (jDOTschipper_at_math.uu.nl)
Date: 07/02/05 

Date: 02 Jul 2005 13:37:21 GMT

Moe Trin <ibuprofin@painkiller.example.tld> wrote:
> In the Usenet newsgroup alt.computer.security, in article
> <4ESwe.29182$D7.795471@twister1.libero.it>, Giuseppe wrote:

>>and they told him that ftp is not secure for this and their program is
>>based upon http. "It could be seriously risky for his customer privacy" !!!
>
> FTP is not a secure protocol (everything is sent un-encoded), but neither
> is 'http' unless you say 'https' - notice the 's' for secure on the end.
>
>>1) do you relly think that http is more secure than ftp?
>
> No - but the secure version is.
>
>>2) do you think http is the right solution for uploading so large files?
>
> 500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
> other end of the connection - those customers. Do they know how to use
> anything other than Microsoft Outlook Express? If the customers are the
> common click and drool idiots, https is the correct solution. If they are
> skilled, AND they have the right computer program, then there are other
> alternatives - scp and sftp being only a few of many.

There are a lot of 'secured FTP' (very different from SFTP, confusingly;
we're talking FTP with SSL/TLS support here) implementations out there.
Finding something compatible may be non-trivial, though. (Hint:
vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
Windows and *nix clients; the first offers a free 'light' version, and
the second is open source.)

The proposed security does not sound impressive - MD5 isn't that secure,
especially if you have customers who are likely to choose the most
bloody obvious passwords - and the actual contents are sent in the
clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
command stream, and a good one will encrypt the data stream as well.
[Though you may wish to consider efficiency vs. security for the data
stream.]
In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
(i.e., over SSL/TLS) HTTP or FTP is good.

If we are talking this size of file, you'll want to have support for
resuming uploads. FTP has this; I've never seen it work over HTTP,
mostly because it requires quite a bit of client-side logic. HTTP would
require all sorts of weird, non-portable ActiveX or Javascript mess; any
decent FTP client has this built-in.

Additionally, Apache is less secure than one would like. It's not
insecure by any stretch, but a good FTP daemon like vsftpd is very
difficult to crack.

OTOH, vsftpd does not have all the options you might wish for, many
other major FTP daemons are comparable to Apache in security, and
FTP-over-SSL is a headache (i.e., impossible) to properly firewall.

So, there are valid reasons for not using FTP - but there are valid
reasons to use one as well.

But if we are talking the common 'click and drool idiots', I agree that
being easy may be more important than actually working well. In this
case, go with some ugly web app. Be sure to triple-audit it first.

I've never rendered or received commercial installation services, but
the price seems quite high to me. Shopping around is a good idea.

                Joachim

Relevant Pages

  • Re: How 2 secure PC-PC data transfer
    ... The assumption that you are going to open your machine to attack is one of the worst ideas ... I have no idea what you mean by "not that secure". ... connecting a parallel port cable from PC to PC will work. ... If you have a front-end software that blocks all incoming FTP requests from the WAN (look ...
    (microsoft.public.vc.mfc)
  • Re: is that a good offer for a server installation?
    ... > customers to be downloaded and then worked. ... > and they told him that ftp is not secure for this and their program is ... > 1) do you relly think that http is more secure than ftp? ...
    (alt.computer.security)
  • Re: VBS and TCP port
    ... get,post http = 80 ... ftp = 21 ... secure, there is another ... You are basically thinking of how to ...
    (microsoft.public.scripting.wsh)
  • Re: Fedora Core 2 Update: kernel-2.6.6-1.435
    ... >In fact, I use ftp upload too, only because the client requires it. ... guessing all those options move me to HTTP anyway, ... can stick with HTTPS and get a decently secure connection. ...
    (Fedora)
  • Re: How many CALs do I need?
    ... > FTP Server: Box will have FTP. ... > 1 login name and password that everyone would share. ... > Secure Web Pages: Our website will have a 'secure' section that you must ... > logging in at any given time, but it will all be under the same account ...
    (microsoft.public.windows.server.sbs)