Sunday, March 13, 2005

Don't use FTP. It is insecure.

FTP (File Transfer Protocol) is widely used for transferring files to and from servers.

How FTP works: An FTP client connects to an FTP server (usually denoted by the ftp:// URL scheme) using a username and password. Once connected, the user can download or upload files depending on the permissions set up by the server administrator.

Why is it insecure? Like its HTTP cousin, FTP transfers everything between the server and the client as plain text. All communication is done in the clear, including the username and password that you type in to connect to the server: they are sent over the wire exactly as typed. NO encryption of ANY kind is used anywhere in the session. Anyone who sniffs the FTP username and password off the network can connect to the server as that user and could potentially delete the files.

The solution: Use SFTP (Secure FTP). SFTP is a totally different beast from FTP: it uses SSH as the transport for all communication between the client and the server. Because SSH carries the session, everything exchanged between server and client, credentials included, is encrypted, so the password sniffing described above is not possible. WinSCP is a great SFTP client that provides the same consistent user interface as other popular FTP clients.

Any system administrator worth their salt should disable telnet and FTP on the servers they maintain. I strongly recommend allowing only SSH for terminal access and only SFTP for file transfer.

Comments:
Yes, FTP is insecure, but there's nothing wrong with using it to provide anonymous public downloads. Here's an FTP server that provides no authentication and does not allow uploads:

http://cr.yp.to/publicfile.html
 
You are correct. There is nothing wrong with hosting an FTP site for anonymous downloads or uploads. The problem happens when you need to specify a username and password to authenticate with an FTP site. Now, because FTP usernames and passwords are sent in clear text, they become vulnerable to password sniffing which leads to compromised security.
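As an added example (not from the original post or its comments), this is the check a defender can run over a captured FTP control channel to see the problem the post and the reply above describe: it flags USER/PASS pairs sent in the clear, separates the anonymous case the comments agree is harmless from a real account login, notes whether the server accepted the credential, and records only the password length rather than the password itself. The session lines are constructed, not a real capture.

```python
import re

# RFC 1635 convention: these account names denote anonymous FTP access.
ANONYMOUS_USERS = {"anonymous", "ftp"}

# Constructed sample capture of one FTP control channel ("C" = client->server,
# "S" = server->client): an anonymous download, then a real account login.
SAMPLE_SESSION = [
    ("S", "220 ftp.example.test FTP server ready"),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send your email address as password"),
    ("C", "PASS guest@example.test"),
    ("S", "230 Guest login ok, access restrictions apply"),
    ("C", "RETR README"),
    ("S", "226 Transfer complete"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in"),
    ("C", "QUIT"),
]

_AUTH_CMD = re.compile(r"^(USER|PASS)\s+(\S.*)$", re.IGNORECASE)


def find_cleartext_logins(session):
    """One finding per USER/PASS pair; the password value is never stored."""
    findings, pending_user, awaiting_reply = [], None, None
    for direction, line in session:
        if direction == "S" and awaiting_reply is not None:
            # First server reply after PASS: 2xx means the sniffable
            # credential was actually accepted, anything else means not.
            awaiting_reply["accepted"] = line.startswith("2")
            awaiting_reply = None
            continue
        m = _AUTH_CMD.match(line) if direction == "C" else None
        if not m:
            continue  # RETR, QUIT and server replies carry no credential
        verb, arg = m.group(1).upper(), m.group(2).strip()
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS" and pending_user is not None:
            finding = {"user": pending_user, "password_len": len(arg),
                       "anonymous": pending_user.lower() in ANONYMOUS_USERS,
                       "accepted": None}
            findings.append(finding)
            awaiting_reply, pending_user = finding, None
    return findings


def credential_exposures(session):
    """Only accepted, non-anonymous logins: the case the post warns about."""
    return [f for f in find_cleartext_logins(session)
            if not f["anonymous"] and f["accepted"]]
```

Running `credential_exposures(SAMPLE_SESSION)` reports the alice login only; the anonymous session and any rejected password are left out.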
 

Copyright Anand Jain 2004, 2005. All rights reserved.