Re: Does FTP still send cleartext passwords?

From: Alun Jones (alun@texis.com)
Date: 03/07/03


From: alun@texis.com (Alun Jones)
Date: Fri, 07 Mar 2003 15:25:21 GMT

In article <567f0a34.0303070053.a1cddfd@posting.google.com>,
michael.owen@hushmail.com (Mike) wrote:
>Standard FTP implementations are completely unencrypted. The RFC does
>not mention encryption.

"The" RFC? How about RFC 2228, on which the FTP over SSL / TLS draft is
based? Given the large number of existing implementations of FTP over SSL /
TLS, is there any doubt that the draft will become RFC when the IETF finally
moves itself? The draft's author has made a formal request for publication,
which has so far languished in the IETF's internal gears.

>Thus the quote "FTP is still totally
>unencrypted" is accurate. People can write SSL-enabled versions of it,
>but if the encryption isn't part of the FTP rfc, then the protocol
>ain't encrypted. This doesn't mean your server isn't a good idea, just
>that its functionality is not standard.

Are we talking "documented IETF RFC standard", or "destined to be an RFC, and
already so widely implemented that it is a de-facto standard"?

>Just out of curiosity, does your server do anything that an SSH server
>and SFTP bits don't do?

Sure. It acts like an FTP server. It does everything that an FTP server
already does, in a way that FTP users are already familiar with. SFTP is an
entirely new protocol, and doesn't behave the same way. I'm not suggesting
that SFTP is a bad protocol, just that (despite its confusing name), it isn't
based on FTP.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
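An added example, not part of the original post and not WFTPD's code: a small auditor for client-side FTP control-channel logs that reports whether `PASS` was sent before the server accepted an RFC 2228 `AUTH` command with reply 234, including the case where `AUTH` is refused and the client falls back to a plain login. The `C:`/`S:` log format, the `AUTH TLS` mechanism name and all sample sessions are constructed assumptions.

```python
import re

# Constructed session logs: "C:" is a client command, "S:" a server reply.
PLAIN = """S: 220 ready
C: USER demo
S: 331 password required
C: PASS example-password
S: 230 logged in""".splitlines()

TLS = """S: 220 ready
C: AUTH TLS
S: 234 security data exchange complete
C: USER demo
S: 331 password required
C: PASS example-password
S: 230 logged in""".splitlines()

# Server refuses AUTH (504 = mechanism not supported); client logs in anyway.
FALLBACK = """S: 220 ready
C: AUTH TLS
S: 504 mechanism not supported
C: USER demo
S: 331 password required
C: PASS example-password
S: 230 logged in""".splitlines()

def audit_session(lines):
    """Return 'protected', 'cleartext' or 'no-login' for one session log."""
    secured = False        # True once a 234 reply answers an AUTH command
    auth_pending = False   # True while the last client command was AUTH
    for line in lines:
        m = re.match(r"([CS]):\s*(\S+)", line)
        if not m:
            continue
        side, token = m.group(1), m.group(2).upper()
        if side == "C":
            if token == "PASS":
                # The password crosses the wire here; was the channel secured?
                return "protected" if secured else "cleartext"
            auth_pending = (token == "AUTH")
        elif auth_pending and token[:3] == "234":
            secured = True   # only a 234 that follows AUTH counts
    return "no-login"

if __name__ == "__main__":
    for name, log in (("PLAIN", PLAIN), ("TLS", TLS), ("FALLBACK", FALLBACK)):
        print(name, audit_session(log))
```
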

