Just wanted to let everybody know that Scott's concerns were sufficient to get the company to stay with sftp on the new server.

THANK YOU SCOTT!!!!

John McKee

-----Original message-----
From: jmmckee jmmckee@xxxxxxxxxxxxxx
Date: Fri, 03 Sep 2010 13:08:14 -0500
To: "Midrange Systems Technical Discussion" midrange-l@xxxxxxxxxxxx
Subject: Re: FTP-S

Thank you Scott. Your email WILL be sanitized, as requested. I needed another person's opinion to attempt to change a direction, and your opinion will likely outweigh mine at my place of work.

John McKee
-----Original message-----
From: Scott Klement midrange-l@xxxxxxxxxxxxxxxx
Date: Fri, 03 Sep 2010 11:18:20 -0500
To: Midrange Systems Technical Discussion midrange-l@xxxxxxxxxxxx
Subject: Re: FTP-S

Please remove my e-mail address (you can keep my name) and indicate that
this is an opinion. It does not carry a warranty, promise of support,
or guarantee of fitness for a given purpose. (I think people on these
mailing lists generally understand that -- but someone receiving the
e-mail out of context might not.)

Then go ahead and send it if you like.

On 9/3/2010 11:00 AM, jmmckee wrote:
Thank you Scott.

I would like to send your comments to this DP manager, as you put into clear words concepts that would appear to be confusing to some people. I looked at the parameters for the FTP command and wondered why the distinction on data and command encryption.

May I forward your original comments to this manager?

John McKee

-----Original message-----
From: Scott Klement midrange-l@xxxxxxxxxxxxxxxx
Date: Fri, 03 Sep 2010 10:22:07 -0500
To: Midrange Systems Technical Discussion midrange-l@xxxxxxxxxxxx
Subject: Re: FTP-S

IMHO, this is rather misguided.

sftp is a highly-secure protocol, it's always encrypted from end-to-end.

FTPS is also highly-secure, but it has the ability to turn encryption
on/off at different points in the conversation. In theory, FTPS _could_
be as secure as sftp. But in practice, it almost never is.

FTP is a very old protocol. The first standard for it was published in
1971, when the Internet was only a handful of computers, and they all
trusted each other. Some of the things that FTP does are, quite
frankly, a really bad idea in today's world.

It uses a different port for every file transfer, forcing firewalls to
have a whole range of ephemeral ports open. Not a good idea for security.

It calculates the IP address and port number during the conversation,
and sends them over the control channel. In order to make that work
with NAT, the NAT router has to read every packet, and change the data
in the packet. That can't work if the data is encrypted (the NAT router
can no longer read it -- duh, it's encrypted!)

So FTPS typically uses the encryption only for the userid/password, and
then drops back to plain-text mode. That's not nearly as secure as
sftp, which stays encrypted throughout the conversation.

Frankly, the problem with FTPS is they tried to "put lipstick on a pig".
They took a protocol that had some serious flaws already, and tried to
add cryptography to it... and it's just not as good as the totally
re-imagined sftp protocol (which was designed for security from the
ground up.)

To me (someone who has spent a lot of time studying the inner workings
of these protocols) the idea that FTPS is *more* secure than sftp is
absolutely ludicrous.

If your problem is that SSH allows interactive logins as well as file
transfers, then you should change your SSH configuration to disallow the
interactive logins for those users.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
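Scott's closing advice is to keep sftp and simply deny the transfer users an interactive login in the SSH daemon's configuration. The Python script below is an added example for that check; it is not part of the thread and not code from any of its authors or from IBM i. It assumes the file-transfer accounts have been placed in a group named sftponly (a hypothetical name) and verifies that an sshd_config confines that group to the SFTP subsystem: a `Match Group` block with `ForceCommand internal-sftp`, forwarding and TTY allocation turned off, and a `ChrootDirectory`. The two configuration texts are constructed samples, one weak and one hardened.

```python
"""Audit an OpenSSH sshd_config for an sftp-only group (added example)."""
import re

# Directives that must hold inside the Match block for a group that is
# allowed to transfer files but must never get a shell or a tunnel.
REQUIRED = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
    "permittty": "no",
}

# Constructed sample: SFTP subsystem enabled, nothing stops a shell login.
WEAK_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
"""

# Constructed sample: accounts in the hypothetical group 'sftponly' are
# confined to sftp, chrooted to their home directory, no forwarding.
HARDENED_CONFIG = """\
Port 22
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
    PermitTTY no
"""


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).

    sshd_config is 'keyword value' (or 'keyword=value') per line, keywords
    are case-insensitive, '#' starts a comment, and a 'Match' line opens a
    conditional block that runs until the next Match line or end of file.
    Within a section the first occurrence of a keyword wins, as in sshd.
    """
    global_conf = {}
    matches = []
    current = global_conf
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value.lower())
    return global_conf, matches


def audit_sftp_only(text, group):
    """Return a list of findings; an empty list means the group is confined."""
    global_conf, matches = parse_sshd_config(text)
    block = None
    for criteria, directives in matches:
        tokens = criteria.lower().split()
        if "group" in tokens:
            groups = tokens[tokens.index("group") + 1].split(",")
            if group.lower() in groups:
                block = directives
                break
    if block is None:
        return [f"no 'Match Group {group}' block: members get whatever "
                f"the global config allows, including a shell"]
    findings = []
    for key, want in REQUIRED.items():
        # A Match block overrides the global value; fall back to global.
        got = block.get(key, global_conf.get(key))
        if got != want:
            findings.append(f"{key} is {got!r} for group {group}, expected {want!r}")
    if "chrootdirectory" not in block:
        findings.append(f"no ChrootDirectory for group {group}: "
                        f"users can browse the whole filesystem")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_only(cfg, "sftponly") or "OK: confined to sftp")
```

Run it against a copy of the real sshd_config by reading the file into a string and calling `audit_sftp_only(text, "<your group>")`; any finding it prints is a directive the transfer users could still use to get beyond file transfer.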


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].