Sunday, March 13, 2005
Don't use FTP. It is insecure.
How FTP works: An FTP client connects to an FTP server (usually denoted by the ftp:// URL scheme), using a username and password. Once the user is connected, s/he can download or upload files depending upon the permissions set up by the server administrator.
Why is it insecure? Like its HTTP cousin, the FTP protocol also uses plain text to transfer data back and forth between the server and the client. All communication is done in clear text. Even the username and password that you type in to connect to the server are sent over the wire in plain text. NO encryption of ANY kind is used in the entire communication. If someone sniffs the FTP username and password, s/he could easily connect to the server and could potentially delete the files.
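To make the clear-text point concrete, here is an added example (not part of the original post) that an administrator could use to find machines still logging in over FTP: it reassembles client-to-server payloads on port 21 and reports every flow whose USER and PASS commands were readable, recording only the password length. The addresses, account names, passwords and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: client-to-server TCP payloads, in capture order, as
# (src, sport, dst, dport, payload). The second FTP flow has its PASS
# command split across two segments; the last flow is SSH and is ignored.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "192.0.2.10", 21, b"USER alice\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 21, b"PASS s3cret-example\r\n"),
    ("10.0.0.7", 40002, "192.0.2.10", 21, b"USER bob\r\nPA"),
    ("10.0.0.7", 40002, "192.0.2.10", 21, b"SS another-example\r\nPWD\r\n"),
    ("10.0.0.9", 40003, "192.0.2.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

# FTP control-channel commands are ASCII lines terminated by CRLF.
COMMAND = re.compile(rb"^(USER|PASS) (.*)$", re.IGNORECASE)

def find_cleartext_ftp_logins(segments, ftp_port=21):
    """Return one finding per flow whose login was readable on the wire."""
    streams = defaultdict(bytes)
    for src, sport, dst, dport, payload in segments:
        if dport == ftp_port:
            streams[(src, sport, dst, dport)] += payload  # reassemble flow
    findings = []
    for flow, data in streams.items():
        user, pass_len = None, None
        for line in data.split(b"\r\n"):
            m = COMMAND.match(line)
            if not m:
                continue
            if m.group(1).upper() == b"USER":
                user = m.group(2).decode("ascii", "replace")
            else:
                pass_len = len(m.group(2))  # note the exposure, not the secret
        if pass_len is not None:
            findings.append({"client": flow[0], "server": flow[2],
                             "user": user, "password_bytes_exposed": pass_len})
    return findings

if __name__ == "__main__":
    for finding in find_cleartext_ftp_logins(SAMPLE_SEGMENTS):
        print(finding)
```

The SSH flow on port 22 produces no finding because nothing after its version banner is readable as commands.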
The solution: Use SFTP (Secure FTP). SFTP is a totally different beast than FTP. SFTP uses SSH as transport for all communications between the client and the server. Now, because it uses SSH as a means of transport, the entire communication between the server and client is encrypted and totally secure. WinSCP is a great SFTP client that provides the same consistent user interface as other popular FTP clients.
Any system administrator worth their salt should disable telnet and FTP on the servers they maintain. I strongly recommend using SSH logins only for terminal access as well as SFTP.
Copyright Anand Jain 2004, 2005. All rights