Secure Coding mailing list archives
RE: virtual server - security
From: "Alun Jones" <alun () texis com>
Date: Thu, 01 Apr 2004 17:01:24 +0100
[EMAIL PROTECTED] <> wrote on Wednesday, March 31, 2004 11:35 AM:
Sniffing on the LAN isn't my main concern, it's the concentration points in between A and B. Good idea on the SSL wrapper on Telnet, although the original poster said they don't want to offer shell access. I'm not quite sure the security community's consensus would agree that FTP is better than SCP/SFTP. I certainly don't, but I've already made that point. So that leaves us with flaws in implementation *and* plaintext usernames/passwords. That doesn't give me warm fuzzies.
Could I interrupt this rather unenlightening exchange for just a moment to point out that you can have your cake _and_ secure it?

There's a good couple of dozen implementations of the draft standard for FTP over SSL / TLS listed at http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html, not to mention any of a number of other FTP schemes that avoid passing usernames and passwords around in plaintext (S/Key, SASL, etc).

You can have the comfort of FTP, the protocol you've come to love, at the same time as using a secure communications protocol that has become trusted by millions (although, with the number of "didn't read the instructions" mistakes made by some of the implementations, goodness only knows why).

Okay, if I go on with this much longer, it'll turn into an advert, so I'll leave it at that.

Alun.
~~~~
--
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | [EMAIL PROTECTED]
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.