From: "Antoine Beaupre (LMC)"
To: Jamie Norwood
Cc: "Antoine Beaupre (LMC)", freebsd-security@FreeBSD.ORG
Date: Tue, 12 Jun 2001 17:09:00 -0400
Organization: LMC, Ericsson Research Canada
Message-ID: <3B2684EC.2010205@lmc.ericsson.se>
Subject: Re: OT: yet another discussion FTP vs HTTP (was: IPFW almost works now.)

Jamie Norwood wrote:

>>>No, it has a host of limitations all its own, not the least of which is
>>>that it is actually less efficient at transferring files,
>>>
>>I heard a few things regarding that, all contradictory. :) Could you
>>give me a few examples/explanations/references as to why it is less
>>efficient? I'd be curious.
>
> I have to admit I have nothing on hand, so will concede that battle for lack
> of ammunition. I could easily be wrong.

Yay! ;)

>>>and that it has limited CLI tools.
>>>
>>I think that would be the biggest limitation. HTTP could technically
>>override FTP's functionalities using the PUT and DELETE actions, but the
>>only clients actually implementing this functionality are either dead
>>(netscape 3) or forgotten (amaya). :)
>
> The question is why bother? If, as you say above, there is no difference
> between the two other than interface, what makes HTTP better than FTP?
> FTP has suited well for CLI work for many years. (Continued below)

One less data connection. :) Actually, I think I agree with you on a few
points, see below.

>>>Remember, not every computer has a monitor, mouse, and
>>>web browser!
>>>
>>Yeah... but every computer should at least have something like
>>lynx/links/w3m/wget/fetch/whatever...
>>
>>You don't need a fully featured web browser to download/upload files to
>>a webserver. Only to display them. Same for ftp.
>
> But they make it unnecessarily convoluted to browse for wanted files.
> HTTP is not, in this case, an adequate substitute for FTP. Yes, these
> methods .work., but are more of a kludge than anything.

Exactly. That is what I was looking for. Browsing of files over HTTP is
"patchy". Some kind of workaround involving HTML. It sucks. :)

>>>I would love to see something quality replace FTP. Maybe SFTP will, but it
>>>is still young, and if SSH is any indication, the only commercial support
>>>for it will be very expensive (IE, SecureCRT/SecureFX at about $100 each).
>>>
>>SFTP is not really an alternative. From what I understand, it is only
>>built over ssh and therefore needs a corresponding shell account (if you
>>exclude the RSA auth).
>
> SFTP is only needed over FTP in circumstances where security is needed, which
> is any time a password is involved.

I think you misunderstood. If you need to allow ftp access, *securely*,
you must use sftp, and then, you must provide the user with a shell
account, which is by definition a higher security risk, unless you
disable the shell account and use only RSA auth. Which is completely
user-unfriendly.

> Anonymous FTP doesn't need SFTP.

Agreed. Anonymous FTP still rocks. But then again... why have a root
process running for anonymous ftp? :)

>>It is surprising we (the internet community) haven't come up with a
>>viable replacement.
>
> No, it isn't, because I don't really think there is a need for an elaborate
> replacement. What is so broken about FTP?

I must admit I do not have pretty strong ammo against ftp. It is a pain
on firewall setups, though.

[snip]

> Jamie

A.

--
Semantics is the gravity of abstraction.