RE: CRIME FTP

From: Nate McAlmond (NateM@private)
Date: Fri May 09 2003 - 06:29:16 PDT

  • Next message: George Heuston: "CRIME FW: [Information_technology] Daily News 5/09/03"

    If you must use FTP, instead of a VPN, then you should consider encrypting
    your data with something like PGP.
    Nate
    
    -----Original Message-----
    From: Louis Jurgens [mailto:louis@sage-inc.com] 
    Sent: Friday, May 09, 2003 4:09 AM
    To: crime@private
    Subject: Re: CRIME FTP
    
    FTP was originally built 30yrs ago when few worried about passwords
    or data sent in the clear. Another solution for you might be a proprietary
    link designed to move files in a secure manner. Depends on what you're
    trying to do; if you absolutely must use ftp protocol, then you're wedded
    to that.
    
    If all you want to do is move files securely from one point to
    another, there is at least one solution that uses a secure, encrypted
    tunnel (sort of like SSL) to protect data in transit. Authentication is by
    username/password, but p/w is hashed and never appears on the link
    in the clear. It's not ftp, but it could serve your purpose.
    
    Louis
    
    -----Original Message-----
    From: Seth Arnold
    Sent: 5/7/2003 11:03 AM
    To: crime@private
    Subject: Re: CRIME FTP
    
    
    On Wed, May 07, 2003 at 09:49:12AM -0700, Keith Proffitt wrote:
     > Does anyone know if FTP (File Transfer Protocol) can have password
     > protection to prevent inappropriate access?
     > Or is FTP by nature not protected by authentication? Keith Proffitt
    
    FTP only has password-protected access, though by tradition passwords
    are not checked for the user named "anonymous". (Also by tradition,
    people's email addresses are generally used as the password.)
    
    FTP's problem is that the password and data is sent in clear text,
    susceptible to sniffing by intermediaries. (Active or passive.) A VPN is
    one simple solution. Perhaps a better generic solution is to use sftp,
    part of the OpenSSH project. (There are Windows sftp clients.) This will
    prevent the password from being sent in the clear over the wire.
    
    -- 
    Is Shock-and-Awe so different from Terror?
    



    This archive was generated by hypermail 2b30 : Fri May 09 2003 - 06:29:24 PDT