Re: What is the difference between ftp encryption types SSL, TLS, SFTP and SSH ?

Ertugrul Soeylemez wrote:

The downside of SFTP is that there is no trusted arbitrator (a CA in
SSL/TLS terminology). This is good for small networks, but very bad for

There's also the lack of control over where the client can see: this is
built into most FTP and HTTP/HTTPS tools, but is most definitely *not*
built into SFTP. The version of SSH from ssh.com may finally support it
well, I haven't had a chance to try that in a while, but the OpenSSH
server does not include anything resembling a real chroot cage. What is
unfortunately labeled as chroot operation is only for a small set of
operations, not general access. So an SFTP client generally has access
to the entire filesystem of any OpenSSH-based SFTP server.

This is a very serious access management problem: there have been
various patches and proposals for years to address it, such as those at
http://sourceforge.net/projects/chrootssh/, but they've never been
accepted into the OpenSSH main code line.

If you want normal upload/download, with client and GUI access built
into most operating systems, it's really hard to beat WebDAV over
HTTPS.

In short: Prefer SFTP for home networks and small companies; prefer
SSL/TLS for large enterprise networks.

Small companies are also notorious for foolishness such as users with
un-password-protected SSH keys on NFS accessible directories, or on
backup tapes that others can restore from. As much as I love SSH as a
remote access tool, the default client behavior of allowing
passphrase-less keys is a very serious problem. Like the tendency of
Subversion clients to store passphrases in local clear-text, I'd love
to see it disabled by default.

Hmm. You know, that's actually a good feature idea to add as an
ssh_config default option....
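The passphrase-less key problem described above, as an added example that is not part of the original thread: a small Python audit script that walks a directory tree (an NFS-exported home directory or a restored backup, say) and reports private keys stored without a passphrase. It classifies each file by its on-disk format (a traditional PEM `Proc-Type: 4,ENCRYPTED` header, a PKCS#8 `ENCRYPTED PRIVATE KEY` header, or the OpenSSH format's embedded cipher name, where `none` means no passphrase); the sample key blobs it builds are constructed test vectors, not real keys, and the function names are my own.

```python
import base64
import os
import struct

OPENSSH_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def classify_key_text(text):
    """Return 'encrypted', 'unencrypted', or None if text is not a private key."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        return None
    header = lines[0]
    if header == OPENSSH_HDR:
        # OpenSSH format: base64(magic || string ciphername || ...); "none" = no passphrase
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return "unencrypted" if blob[off + 4:off + 4 + n] == b"none" else "encrypted"
    if "ENCRYPTED PRIVATE KEY" in header:          # PKCS#8 with a passphrase
        return "encrypted"
    if "PRIVATE KEY" in header:                    # traditional PEM or plain PKCS#8
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:3])
        return "encrypted" if encrypted else "unencrypted"
    return None

def find_unencrypted_keys(root):   # walk root, return keys stored with no passphrase
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    data = fh.read(65536)          # keys are small; cap reads of big files
            except OSError:
                continue
            if classify_key_text(data) == "unencrypted":
                hits.append(path)
    return hits

def _openssh_sample(cipher):   # constructed test vector (not a real key): magic + cipher name
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return "%s\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % (OPENSSH_HDR, base64.b64encode(blob).decode())
```

Run `find_unencrypted_keys(os.path.expanduser("~/.ssh"))` (or the root of a mounted backup) to list keys that should be re-keyed with a passphrase via `ssh-keygen -p`.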
