ANN: FTP Commander (the ftp browser Frank asked for...)

Andre Garzia soapdog at mac.com
Tue Sep 7 18:20:16 EDT 2004


On Sep 7, 2004, at 6:58 PM, Alejandro Tejada wrote:
> Hi Andre!
>
> You really have the talent to boldly code
> what no programmer has published before.
> (from the "Star Trek" motto ;-)
>
> Andre, I have some questions about FTP,
> now that you are on it:
>


Hi Alejandro,

Thanks for the compliments! I am a fan of Star Trek also :D I'll answer 
your questions below!



> How reliable and safe is the FTP protocol?
> Could it support resume on partial uploads
> or downloads?
>

The protocol is pretty dumb. It can support resume and partial 
uploads, it's pretty easy, I coded an FTP server in Transcript and it 
does support resuming a transfer.

The protocol is not safe, let me explain why. First the client opens a 
connection to the server, this connection is called the control 
connection, through this connection the client will ensure its commands and 
receive responses, all communication will go through this connection 
except listing files and transferring files. When you want to list files 
or transfer files, you'll need a data connection, meaning, depending on 
your use of active FTP or passive FTP, the client or the server will 
open another socket and wait for a connection, when this new connection 
is established, it will send the file list, or the file. Danger: if 
you're using passive connections, and you ask for a file and another 
client connects to that data control port before you do, he will 
receive your file. Using active FTP the reverse situation can happen, 
another client can connect to your data control port before you and 
upload a file saying it's your upload. The only thing that prevents this 
from happening every day is that data ports are dynamic, they are not 
fixed, for example my own FTPd server will start its data port in the 
8059 for the first client and goes incrementing this for the next ones, 
so anyone trying to find an open control port to connect will need to 
sniff all my ports to find an open one. The point is, when you ask for a 
data port, the server answers what is the port and you connect immediately 
so the time window for someone to connect is pretty small, but if it 
happens, there's nothing you can do to prevent the file theft or the 
upload hijack.

See, the security is there only because the client is faster to connect 
than the "hacker" is fast to scan all your ports... I would not trust 
national security files to FTP, I would encrypt them so that user must 
decrypt after download.



> Could anyone (intentionally) sniff the password
> used to connect to a ftp server?

I don't think so. Unless someone launches a bogus server and forces a user 
to log in.


>
> What additional features does RunRev require
> to implement the Secure FTP protocol?

I don't know about SFTP but I think if they expose the SSL functions 
for encryption then we can build the protocol, and that should be safe 
for data flowing from server to client will be encrypted, anyone 
hijacking the data port will not be able to decipher it.



>
> Could I select an encrypted file to
> get the users name and password from it
> and connect to a ftp server to upload files?
>

Yes, you control the connection from the Rev side, you're free to send 
your own login/pass info and to send the commands.


Cheers
Andre


> (In this way the user does not have to write
> their user name and password on the machine.
> Sometimes I had wished that all login screens
> provided an option to get the user id and
> password directly from a file on CD-ROM or floppy)
>
> Thanks a lot Andre,
> Keep up your good work!
>
> al
>
> =====
> Visit my site:
> http://www.geocities.com/capellan2000/
-- 
Andre Alves Garzia - 2004 - BRAZIL
http://studio.soapdog.org
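
An added example, not part of Andre's message or his FTPd: it shows the passive-mode reply that tells the client which data port to use, and a server-side check that turns away a data connection whose source address differs from the control connection's, which is the race the message describes. `PassiveSession`, `first_accepted`, `pick_data_port` and the sample addresses are hypothetical names and constructed values; the 227 reply layout follows RFC 959.

```python
import re
import secrets

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def format_pasv_reply(ip, port):
    """Build the 227 reply: four address bytes, then the port as high,low bytes."""
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        ip.replace(".", ","), port >> 8, port & 0xFF)

def parse_pasv_reply(line):
    """Client side: recover (ip, port) from a 227 reply, rejecting bad octets."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def pick_data_port(low=49152, high=65535):
    """Unpredictable port, instead of counting up from a fixed base."""
    return low + secrets.randbelow(high - low + 1)

class PassiveSession:
    """Server-side state for one pending passive data connection."""
    def __init__(self, control_peer_ip, server_ip):
        self.control_peer_ip = control_peer_ip
        self.port = pick_data_port()
        self.reply = format_pasv_reply(server_ip, self.port)
        self.rejected = []

    def offer(self, peer_ip, peer_port):
        """Return True if this data connection may carry the transfer."""
        if peer_ip != self.control_peer_ip:
            self.rejected.append((peer_ip, peer_port))  # close it, keep listening
            return False
        return True

def first_accepted(session, attempts):
    """Walk connection attempts in arrival order; return the one accepted."""
    for peer in attempts:
        if session.offer(*peer):
            return peer
    return None

# Constructed sample: a stranger reaches the data port before the real client.
ATTEMPTS = [("203.0.113.9", 40001), ("198.51.100.7", 51544)]
```

The address check does not help when the other client shares the legitimate client's address (for example behind the same NAT); encrypting the data, as the message suggests, covers that case.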


