Date: Wed, 13 Jun 2001 17:31:20 +0200 From: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu> To: freebsd-security@FreeBSD.ORG Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) Message-ID: <20010613173119.A24077@petra.hos.u-szeged.hu> In-Reply-To: <3B278030.3020305@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Wed, Jun 13, 2001 at 11:01:04AM -0400 References: <200106131442.f5DEgNB10141@cwsys.cwsent.com> <3B278030.3020305@lmc.ericsson.se>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote: > Cy Schubert - ITSD Open Systems Group wrote: > > On virtually every mailing list I'm on I've been advocating the > > deprecation of FTP, only to get flamed by advocates of FTP. The reason > > FTP is still used is because people want to use it. Until the majority > > can be educated (convinced) it will continue to be used. Code (CGI > > scripts, etc.) to perform uploads would be the start of the demise of > > FTP. > > > Actually, I think that nothing short of: > > > - the (possible?) merge of mod_put in the main distro of Apache coupled with > > - the implementation of PUT and DELETE methods on the client side (Netscape, IE and friends) along with > > - some kind of standardization of the process of renaming, etc > > > would do it. Since this is completly unrealistic, ftp is here to stay. Or to be replace with SFTP. And I think that it is not very sensible to expect that one protocol will go away and replaced by the other since they were designed with different aims in mind and indeed serve different purposes. - HTTP is a "display that page with hyperlinks and with multimedia" protocol, mostly read-only. Just think about it: In today's setups, the web server is simply not expected to write anthing except logs. Hence the "www" user the server runs under, and the requirement that the web server not own any files in the web root. - FTP is simply put a remote shell with some restrictions and better file transfer capabilities than telnet. The two relate to each-other in a similar way than POP and IMAP: the latter is also some sort of remote shell for manipulating mails. That's why securing either FTP or IMAP is a whole lot more difficult, but HTTP would be no better if you had to give it the ability to actually change files. In my book, CGI is not a synonim for security either. The problem here is that *any* protocol that can change files on the system vs simply reading them is potentially a whole lot more dangerous and needs a lot more attention. The fact that ftp sends its passwords in the clear is bad, but IMHO it is much worse, that POP usually does the same thing and most people do not even know that every time they check for mail (like every 5 minutes) they send their pwds in the clear! This happens a whole lot more often than ftping with your personal account IMHO. Also, everyone of us knows that SSL is not only more resource-hungry (same goes for any encrypted connection) but not even as good as it seems since client-side certs are not usual and will not be for quite some time. OTOH in anonymous file serving, where pwds are unimportant, ftp still wins. Not because there is some fundamental difference in the two protocol's handling of TCP, but because ftp servers are optimized for sustained longer downloads, while www servers were optimized for faster response and reload times with smaller files. Reusing http in ftp's role is approx as productive as abusing POP by implementing IMAP-like features in it, *if you need the functionality*. If you don't, then don't use ftp/IMAP. (anyone besides me thinking that the HTTP extensions in newer versions of MS Office are pure bs?) My take: If you already have a home dir that you can ftp to, than it is better to use ssh/scp since it is more secure. (and giving you login privs is not that more dangerous than it is to let you tamper with a daemon running as root.) If you only need to read, go with HTTP. If it is an intranet server, then hide from the Net. If you need anon file serving to the Net at large, use ftp, (or HTTP) and place it outside of your intranet, eg in a DMZ. Simple? No. But doable. And is as good as the alternatives. -- Regards: Szilveszter ADAM Szeged University Szeged Hungary To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010613173119.A24077>