Date:      Wed, 13 Jun 2001 17:31:25 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Jamie Norwood <mistwolf@mushhaven.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: OT: FTP almost gone now? (was: Re: IPFW almost works now.) 
Message-ID:  <200106140031.f5E0VbA12744@cwsys.cwsent.com>
In-Reply-To: Your message of "Wed, 13 Jun 2001 11:14:21 EDT." <20010613111421.A777@mushhaven.net> 

In message <20010613111421.A777@mushhaven.net>, Jamie Norwood writes:
> On Wed, Jun 13, 2001 at 11:01:04AM -0400, Antoine Beaupre (LMC) wrote:
> > Cy Schubert - ITSD Open Systems Group wrote:
> > > On virtually every mailing list I'm on I've been advocating the 
> > > deprecation of FTP, only to get flamed by advocates of FTP.  The reason 
> > > FTP is still used is because people want to use it.  Until the majority 
> > > can be educated (convinced) it will continue to be used.  Code (CGI 
> > > scripts, etc.) to perform uploads would be the start of the demise of 
> > > FTP.
> 
> My main issue is that no one has yet given me a good reason WHY FTP should
> be deprecated. All I keep hearing is most people saying 'Because HTTP
> is better, though it needs to be fixed to do what FTP does', and a few
> feeble cries of 'It's more secure to just have one service doing both,
> and since Apache is more secure than FTP (Assuming, of course, you use
> it in stock form and don't turn anything special on!), we should drop
> FTP!'.
> 
> No one has addressed my concerns at all, and seem to mostly ignore them.
> Just to be inflammatory about it, it is a common tactic when people are
> presented with an argument they don't know how to counter, to just ignore
> it.

Because of its use of a control channel and data channel, FTP requires 
firewall proxies. IP Filter provides a good client-side FTP proxy; 
however, a server-side FTP proxy is unknown in the open-source community. 
Given the exploits of various FTP daemons, of which FreeBSD has been 
fortunate to have such a secure ftpd, and exploits of the FTP protocol 
itself, e.g. FTP bounce, the wisdom of running an FTP server behind a 
firewall is ill-advised.

Secondly, FTP doesn't support encryption.  The FTP services that do, 
e.g. Kerberos, still use the goofy control and data channels, and use 
the FTP protocol with its vulnerability to circumvent firewalls making 
it difficult to impossible to firewall, posing a risk to all other 
servers behind the firewall.

An FTP server sitting in a DMZ or better yet completely outside of a 
firewall (considered a hostile external system) would be acceptable 
though.

> 
> My main concern is the fact that, first off, HTTP doesn't, in most of its
> current incarnations (Both client, and server), have an easy and sane way 
> to handle uploading files, securely or otherwise. 

Sftp and scp address non-anonymous FTP.  HTTP POST and PUT could 
address anonymous FTP uploads.

> 
> My secondary concern is ease of use. FTP is extremely easy to use, and 
> powerful at the same time. It has many well-written text-based applications
> for its use. HTTP has Lynx and Links, neither of which is adequate. Both
> rely on having high-quality terminal emulation with no quirks, a rare 
> thing. I can pull up 'ftp' on any client, anywhere, and not have to worry
> that curses/ncurses/xterm/whatever will not like some of its code. I've
> yet to see Lynx not look bad, and Links isn't much better. 

This is why FTP will never go away.  In most end users' minds ease of 
use is more important than security.  In most managers' minds $$$ are 
more important than security.  Consider why many companies still don't 
support HTTPS.  It's easier to not support it and most unsuspecting 
users don't know not to transmit their credit card information 
unencrypted over the Internet so they continue to purchase from sites 
using unsecured transactions.  I think that the world as we see it 
today is not concerned about security issues until the cost of doing 
business becomes prohibitive requiring us to change.

> 
> Tertiarily, there is the concept of statefulness. HTTP is stateless, which
> is well and good for people behind firewalls and such, but FTP is stateful.
> This allows us to be MUCH more interactive with the server.

Applications that use HTTP PUT and POST can be just as interactive and 
useful.  The reason we don't see any applications like this in 
widespread use is that the nail doesn't hurt enough for anyone to do 
anything about it yet.  Once it does standards will change and 
applications will be built.  It is discussions like this that cause 
people to think and interact.  After enough of these discussions 
eventually the light bulb will turn on in someone's head and we will 
have a new application based on HTTP or whatever else to replace FTP.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
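As an added illustration (not part of this thread), here is why the split control/data channel described above is a firewall problem: in active mode the client's PORT command names the address the server will connect back to, so a restrictive ftpd or firewall FTP proxy must parse it and refuse any address other than the client's own (the FTP bounce case) and any privileged port. The client address 192.0.2.10 and the sample commands are constructed.

```python
import ipaddress
import re

# Constructed sample: control connection arrives from this client address.
CLIENT_IP = "192.0.2.10"
SAMPLE_COMMANDS = [
    "PORT 192,0,2,10,4,1",     # data port 1025 on the client itself
    "PORT 198,51,100,7,0,25",  # third-party host, port 25: bounce attempt
    "PORT 192,0,2,10,0,80",    # client itself, but privileged port 80
    "PASV",                    # passive mode carries no client address
]

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 (all decimal, 0-255)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(cmd):
    """Return (ip, port) from a PORT command, or None if it is not one."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        return None
    parts = [int(x) for x in m.group(1).split(",")]
    if any(p > 255 for p in parts):
        return None
    ip = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def check_port(cmd, client_ip):
    """Classify a PORT command the way a restrictive ftpd or proxy would."""
    parsed = parse_port(cmd)
    if parsed is None:
        return "ignore"  # not an active-mode data-channel request
    ip, port = parsed
    if ipaddress.ip_address(ip) != ipaddress.ip_address(client_ip):
        return "reject-third-party"  # data channel would go somewhere else
    if port < 1024:
        return "reject-privileged-port"  # e.g. aiming the data channel at SMTP
    return "accept"


def audit(commands, client_ip):
    """Run the check over a captured command list; returns (command, verdict)."""
    return [(c, check_port(c, client_ip)) for c in commands]


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_COMMANDS, CLIENT_IP):
        print(f"{cmd:<28} {verdict}")
```

The same address-match test is what a stateful proxy needs in order to open only the one data-channel hole the client actually asked for, which is the work FTP pushes onto the firewall and HTTP does not.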