Re: FTP
From: those who know me have no need of my name (not-a-real-address@usa.net)
Date: 01/15/03
- In reply to: chis2k: "FTP"
From: those who know me have no need of my name <not-a-real-address@usa.net> Date: 15 Jan 2003 07:36:34 GMT
in comp.security.misc i read:
>I have a webdesigner who insists it is ok to send data in an Access database
>from a website to my computer VIA ftp. this Access file contains unencrypted
>credit card numbers. I will only be transferring it up and down once a day.
>Is this secure? Should I worry?
depends. often it'll be insecure. if kerberos, srp or ssl/tls are used
then it's fine, but who knows if your ftp server supports any of those
possibilities, because as usual, even with it said dozens or hundreds of
times each day, your query is missing vital information. what platform is
the ftp server, and which server software is used? what platform is the
ftp client, and which software is used? can you influence either?

guesses: 1) anyone using access on a web site is just the sort of person
that doesn't really know much of anything, so your designer is probably an
idiot and the transfer would be insecure even if the systems supported
better. 2) your server is the stock ms windows pos, in which case the ftp
service doesn't have any secure options, meaning the ftp session cannot be
secured. 3) your research should have provided all these details, meaning
that your abilities (or perhaps desires) are meager.

potential solutions: 1) have your designer fetch the database using ssl.
be very careful of this, as improper configuration will allow anyone to
fetch it. 2) run a batch job that encrypts a copy of the file using gnupg.
in this scenario you don't provide access to the database, only the
encrypted copy which can be placed anywhere. scenario (1) requires that
you properly configure a directory to be password and ssl protected, where
(2) is harder to get working so you and your designer find it acceptable.
but (1) is easy to get wrong so if you aren't sure of your abilities do
(2). or provide more info and hope for something else, but if my guesses
are right (even if you hate the way i've phrased them) then there really
aren't any other solutions that are secure.
-- bringing you boring signatures for 17 years
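
Option (2) from the reply above, as an added example that is not part of the original post: a POSIX sh function for the batch job, which publishes only a GnuPG-encrypted copy of the database. It assumes a host with sh and gpg; the function name `encrypt_copy`, the paths and the key id are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and key id are placeholders.
# Only the recipient's PUBLIC key has to exist on the web server; the private
# key stays on the machine that downloads and decrypts the file.

GPG="${GPG:-gpg}"

# encrypt_copy SRC DEST RECIPIENT
# Encrypts SRC to RECIPIENT's public key and atomically installs it as DEST.
# Runs in a subshell so the umask change does not leak to the caller.
# Exit codes: 0 ok, 2 source unreadable, 3 no temp file, 4 gpg failed,
#             5 output empty or identical to the plaintext.
encrypt_copy() (
    src=$1 dest=$2 rcpt=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; exit 2; }
    umask 077                      # temp file is never group/world readable
    tmp=$(mktemp "${dest}.XXXXXX") || exit 3
    # --batch: never prompt (cron has no tty). --trust-model always assumes
    # the recipient key was imported and its fingerprint checked by hand.
    if ! "$GPG" --batch --yes --trust-model always \
            --recipient "$rcpt" --output "$tmp" --encrypt "$src"; then
        rm -f "$tmp"; exit 4
    fi
    # Never publish an empty file or something byte-identical to the plaintext.
    if [ ! -s "$tmp" ] || cmp -s "$src" "$tmp"; then
        rm -f "$tmp"; exit 5
    fi
    # Rename within the same directory, so a download in progress never sees
    # a half-written file.
    mv -f "$tmp" "$dest"
)

# Typical cron usage (placeholder paths and key id):
#   encrypt_copy /path/to/private/orders.mdb /path/to/ftp/orders.mdb.gpg KEYID
```

The plaintext database stays in a directory that neither the web server nor the ftp service exposes; only the `.gpg` output is placed where it can be fetched.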