ANN: FTP Commander (the ftp browser Frank asked for...)

Andre Garzia soapdog at mac.com
Wed Sep 8 10:41:34 EDT 2004


On Sep 8, 2004, at 11:24 AM, Frank D. Engel, Jr. wrote:

> This can be a useful feature, though.  You can directly transfer files 
> from one server to another by setting one to active and the other to 
> passive mode, and taking the port number and IP address of one and 
> feeding it to the other in order to have the data connection directly 
> opened between them.  That way, the data is only sent across the 
> network once, rather than being downloaded to your computer, then 
> uploaded to the other server.  It can be even more significant if 
> there is a faster network between the two servers than between the 
> client and either of the servers.
>
> However, for security purposes, the situation is even worse than you 
> seem to think.  Not only could someone else on the network "sniff" the 
> passwords...   they could sniff the port numbers and IP addresses of 
> the connections too.
>
> What's more, they wouldn't have to "hijack" the file by connecting to 
> the port you establish.  Assume someone did -- you might guess that 
> something was wrong, or at least know to check, because your client 
> would fail trying to make the connection, and the server would report 
> back through the control connection that the transfer was complete.
>
> If they just sniff the data connection itself and record the packets, 
> they could reconstruct the file as you receive it yourself, and you 
> might not have a clue that it happened.
>
>
> FTP is *very* insecure, and is really only any good for downloads of 
> public files, or for transfers across "trusted" networks.
>

Irgh!!!!!!! I always thought sniffing packets could do some stunts, but 
reconstructing the whole file from packet data always sounded like a big 
job to me; if this is indeed easy, I am really scared. Tell me, with 
SSL available in the new Rev 2.5, do you think we can implement Secure 
FTP?

cheers
andre

>
> eMail protocols are plaintext too, btw...  often including plaintext 
> passwords, or perhaps no passwords at all in some cases.   VERY scary.
-- 
Andre Alves Garzia © 2004
Soap Dog Studios - BRAZIL
http://studio.soapdog.org
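To make Frank's point concrete from the monitoring side, here is an added example (not code from the thread or from FTP Commander) that audits a constructed FTP control-channel transcript the way an IDS rule on the client's segment would: it flags the cleartext USER/PASS exchange and decodes the IP address and port handed over in PASV replies and PORT commands (RFC 959 h1,h2,h3,h4,p1,p2, port = p1*256 + p2), which is exactly what a sniffer learns. The session text and addresses are constructed sample data.

```python
import re

# Constructed FTP control-channel transcript (sample data, not a real capture).
SAMPLE_SESSION = """\
220 ftp.example.test FTP server ready
USER alice
331 Password required for alice
PASS s3cret-pass
230 User alice logged in
PASV
227 Entering Passive Mode (192,0,2,10,195,80)
RETR report.pdf
150 Opening BINARY mode data connection
226 Transfer complete
PORT 198,51,100,7,4,1
200 PORT command successful
"""

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_hostport(groups):
    """RFC 959 address encoding: four octets, then port = p1*256 + p2."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def audit_ftp_session(text):
    """Report what the control channel exposes in cleartext.

    Passwords are deliberately not stored, only the fact that one was sent,
    so the audit log itself does not become a second copy of the secret.
    """
    findings = {"users": [], "password_seen": False, "data_endpoints": []}
    for line in text.splitlines():
        line = line.strip()
        upper = line.upper()
        if upper.startswith("USER "):
            findings["users"].append(line[5:])
        elif upper.startswith("PASS "):
            findings["password_seen"] = True
        elif (m := PASV_RE.match(line)):
            # Server tells the client where to connect for data: visible to everyone on the path.
            findings["data_endpoints"].append(("server-passive",) + decode_hostport(m.groups()))
        elif (m := PORT_RE.match(line)):
            # Client tells the server where to connect back: equally visible.
            findings["data_endpoints"].append(("client-active",) + decode_hostport(m.groups()))
    return findings
```

Once the control channel is wrapped in TLS (FTPS, AUTH TLS), none of these lines are visible to a passive observer, which is the property Andre is asking about.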
