From owner-freebsd-security Wed Jun 13 17:32:40 2001
Message-Id: <200106140031.f5E0VbA12744@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Jamie Norwood
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.)
In-reply-to: Your message of "Wed, 13 Jun 2001 11:14:21 EDT."
             <20010613111421.A777@mushhaven.net>
Date: Wed, 13 Jun 2001 17:31:25 -0700

In message <20010613111421.A777@mushhaven.net>, Jamie Norwood writes:
> On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
> > Cy Schubert - ITSD Open Systems Group wrote:
> > > On virtually every mailing list I'm on I've been advocating the
> > > deprecation of FTP, only to get flamed by advocates of FTP. The reason
> > > FTP is still used is because people want to use it. Until the majority
> > > can be educated (convinced) it will continue to be used. Code (CGI
> > > scripts, etc.) to perform uploads would be the start of the demise of
> > > FTP.
>
> My main issue is that no one has yet given me a good reason WHY FTP should
> be deprecated. All I keep hearing is most people saying 'Because HTTP
> is better, though it needs to be fixed to do what FTP does', and a few
> feeble cries of 'It's more secure to just have one service doing both,
> and since Apache is more secure than FTP (assuming, of course, you use
> it in stock form and don't turn anything special on!), we should drop
> FTP!'.
>
> No one has addressed my concerns at all, and seem to mostly ignore them.
> Just to be inflammatory about it, it is a common tactic when people are
> presented with an argument they don't know how to counter, to just ignore
> it.

Because of its use of a control channel and data channel, FTP requires
firewall proxies. IP Filter provides a good client-side FTP proxy; however,
a server-side FTP proxy is unknown in the open-source community.

Given the exploits of various FTP daemons (FreeBSD has been fortunate to
have such a secure ftpd) and exploits of the FTP protocol itself, e.g. FTP
bounce, running an FTP server behind a firewall is ill advised. Secondly,
FTP doesn't support encryption. The FTP services that do, e.g. Kerberos,
still use the goofy control and data channels, and use the FTP protocol
with its vulnerability to circumvent firewalls, making it difficult to
impossible to firewall and posing a risk to all other servers behind the
firewall. An FTP server sitting in a DMZ, or better yet completely outside
of a firewall (considered a hostile external system), would be acceptable
though.

> My main concern is the fact that, first off, HTTP doesn't, in most of its
> current incarnations (both client and server), have an easy and sane way
> to handle uploading files, securely or otherwise.

Sftp and scp address non-anonymous FTP. HTTP POST and PUT could address
anonymous FTP uploads.

> My secondary concern is ease of use. FTP is extremely easy to use, and
> powerful at the same time. It has many well-written text-based applications
> for its use. HTTP has Lynx and Links, neither of which is adequate. Both
> rely on having high-quality terminal emulation with no quirks, a rare
> thing. I can pull up 'ftp' on any client, anywhere, and not have to worry
> that curses/ncurses/xterm/whatever will not like some of its code. I've
> yet to see Lynx not look bad, and Links isn't much better.

This is why FTP will never go away. In most end users' minds ease of use
is more important than security. In most managers' minds $$$ are more
important than security. Consider why many companies still don't support
HTTPS. It's easier to not support it, and most unsuspecting users don't
know not to transmit their credit card information unencrypted over the
Internet, so they continue to purchase from sites using unsecured
transactions.

I think that the world as we see it today is not concerned about security
issues until the cost of doing business becomes prohibitive, requiring us
to change.

> Tertiarily, there is the concept of statefulness. HTTP is stateless, which
> is well and good for people behind firewalls and such, but FTP is stateful.
> This allows us to be MUCH more interactive with the server.

Applications that use HTTP PUT and POST can be just as interactive and
useful. The reason we don't see any applications like this in widespread
use is that the nail doesn't hurt enough for anyone to do anything about
it yet. Once it does, standards will change and applications will be
built.

It is discussions like this that cause people to think and interact.
After enough of these discussions eventually the light bulb will turn on
in someone's head and we will have a new application based on HTTP or
whatever else to replace FTP.

Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/Alpha Team       Internet: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
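As an added illustration of the control/data-channel problem Cy describes above (this is example code, not anything from the original message or from IP Filter), here is the check an FTP-aware firewall or proxy has to make on every PORT command before it opens a data-channel pinhole; the client address and the sample control-channel lines are constructed.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (four IPv4 octets, port = p1*256 + p2).
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)


def parse_port(cmd):
    """Decode a PORT command into (ip, port); return None if it is malformed."""
    m = _PORT_RE.match(cmd.strip())
    if m is None:
        return None
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def check_port(cmd, peer_ip):
    """Decide, as a proxy must, whether a PORT command may open a data pinhole.

    Returns ("allow", "ip:port") or ("reject", reason). The data connection is
    only permitted back to the host that owns the control connection, which is
    the check that defeats FTP bounce: a request to connect the data channel
    to some third host, or to a privileged port, is refused.
    """
    parsed = parse_port(cmd)
    if parsed is None:
        return ("reject", "malformed PORT")
    ip, port = parsed
    if ip != peer_ip:
        return ("reject", "bounce: data address %s is not control peer %s" % (ip, peer_ip))
    if port < 1024:
        return ("reject", "privileged data port %d" % port)
    return ("allow", "%s:%d" % (ip, port))


def audit_session(lines, peer_ip):
    """Apply check_port to every PORT command seen on one control connection."""
    return [check_port(l, peer_ip) for l in lines if l.upper().startswith("PORT")]


# Constructed control-channel fragment from a client at 192.0.2.10 (sample data).
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",   # legitimate: back to the client, port 1025
    "PORT 10,1,2,3,0,25",    # data address is a third host: bounce, reject
    "PORT 192,0,2,10,0,80",  # own host but privileged port: reject
    "PORT 192,0,2,300,4,1",  # octet out of range: malformed, reject
]

if __name__ == "__main__":
    for decision in audit_session(SAMPLE_SESSION, "192.0.2.10"):
        print(decision)
```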