Re: Secure file transfer



On Dec 16, 8:02 pm, "Sebastian G." <se...@xxxxxxxxx> wrote:
ev...@xxxxxxxxxxxxxxxxxxx wrote:
On Dec 16, 5:04 pm, "Sebastian G." <se...@xxxxxxxxx> wrote:
ev...@xxxxxxxxxxxxxxxxxxx wrote:
In Core FTP, is it better to use AUTH SSL or SSH/SFTP?
SSL. SSH/SFTP only protects the data transfer channel, not the command channel.

I don't know enough about it to understand how that addresses which is
better to use.

SSL encrypts and authenticates both command and data channel, SSH/SFTP only
the latter. The consequence is that authentication credentials on an SFTP
session are transferred in clear text and can be easily sniffed. And since no
authentication takes place, an attacker can insert arbitrary commands or
replies.

Well, are you doing implicit or explicit SSL authentication?

Not being familiar with these terms, and failing to find definitions
that I could understand, I don't know.

Well, it's trivial: Implicit means that you connect to port 990 and start an
SSL/TLS session right away, assuming that the server understands it.
Explicit SSL means that you first connect to port 21, send some clear text
commands telling the server to start an SSL session, and then do further
communication on this new session.

As you can see, in the first case any commands sent to the server asking for
SSL sessions are utterly useless, and since they would mean you're
requesting the explicit SSL mode, they are typically rejected with the 500 -
Not Implemented error (since the server only wants to support implicit SSL).

Ok, thanks. Now, just to make sure I understand this...

Core FTP has three options: AUTH TLS (which does not work in the
host's system), SSL Direct-FTPS (which also does not work) and AUTH
SSL, which does work in terms of allowing a connection, but with the
response to AUTH SSL:

500 This security scheme is not implemented. (Then it proceeds with my
login.)

But it IS implemented, at least in terms of encrypting my login and
any data I transfer?

Thanks.
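The explicit-vs-implicit distinction above, and the "500 ... then it proceeds with my login" situation in the last post, can be demonstrated with a small client. This is an added example, not code from anyone in the thread: it uses Python's standard ftplib to do explicit FTPS (connect to port 21, send AUTH TLS, upgrade the control channel) and, as the security-relevant point, refuses to send USER/PASS when the server answers AUTH with a 5xx reply instead of silently continuing in clear text. The fake server (`run_fake_ftp_server`), the hostnames, ports and credentials are all constructed for the example; the implicit-mode helper reuses ftplib's internal `sock`/`file` attributes and is an assumption about that API rather than a documented entry point.

```python
import socket
import ssl
import threading
import ftplib


def run_fake_ftp_server(host="127.0.0.1"):
    """Constructed stand-in for the server in the thread: it rejects AUTH with
    '500 ... not implemented' but would still accept a plaintext USER/PASS.
    Returns (port, list_of_commands_received_in_clear_text)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # ephemeral port, so the example runs anywhere
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = []                    # every command line the server saw unencrypted

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 fake FTP service ready\r\n")
            for raw in conn.makefile("rb"):
                line = raw.decode("ascii", "replace").strip()
                seen.append(line)
                verb = line.upper()
                if verb.startswith("AUTH"):
                    conn.sendall(b"500 This security scheme is not implemented.\r\n")
                elif verb.startswith("USER"):
                    conn.sendall(b"331 Password required\r\n")
                elif verb.startswith("PASS"):
                    conn.sendall(b"230 Logged in\r\n")
                elif verb.startswith("QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, seen


def explicit_ftps_login(host, port, user, password, timeout=5):
    """Explicit FTPS: plaintext TCP connect (normally port 21), then 'AUTH TLS'
    to upgrade the control channel before any credential is sent.
    Fails closed: a 5xx reply to AUTH aborts instead of logging in unencrypted."""
    ftp = ftplib.FTP_TLS(timeout=timeout)
    ftp.connect(host, port)                 # reads the 220 banner in clear text
    try:
        auth_reply = ftp.auth()             # sends AUTH TLS; wraps the socket on 2xx
    except ftplib.error_perm as exc:        # 5xx: server refused to negotiate TLS
        ftp.close()                         # no fallback, USER/PASS never leave the host
        return {"encrypted": False, "credentials_sent": False,
                "auth_reply": str(exc)}
    ftp.login(user, password)               # now travels inside the TLS session
    ftp.prot_p()                            # PROT P: protect the data channel too
    ftp.quit()
    return {"encrypted": True, "credentials_sent": True, "auth_reply": auth_reply}


def implicit_ftps_connect(host, port=990, timeout=5):
    """Implicit FTPS: the TLS handshake happens first, before any FTP command.
    No AUTH is ever sent, which is why an implicit-only server answers AUTH
    with 500. Assumption: ftplib.FTP's sock/file/host/welcome attributes may be
    set directly; ftplib has no public implicit-mode entry point."""
    ctx = ssl.create_default_context()      # verifies the server certificate
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    ftp = ftplib.FTP_TLS()
    ftp.sock = tls
    ftp.file = tls.makefile("r", encoding=ftp.encoding)
    ftp.host = host
    ftp.welcome = ftp.getresp()             # 220 banner, already encrypted
    return ftp


if __name__ == "__main__":
    port, seen = run_fake_ftp_server()
    print(explicit_ftps_login("127.0.0.1", port, "user", "secret"))
    print("commands the server saw in clear text:", seen)
```

Run against the fake server the result is `encrypted: False, credentials_sent: False` and the server's clear-text log contains only `AUTH TLS`; the behaviour described in the last post (500 to AUTH, then the login goes ahead) is exactly the fallback this client refuses to do.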