secure FTP

Bernard Devlin bdrunrev at gmail.com
Wed Sep 3 08:29:25 EDT 2008


Securing FTP looks like it is going to be complex.  I searched the archive
using Nabble and came up with this discussion from 2 years back:
http://www.nabble.com/FTP-with-SSL-TLS-to5932257.html#a5935689

Now, since both Dave Cragg and Dar Scott were involved (and both know more
about networking and security than I will probably ever know), it doesn't
look like there is any simple solution.  In fact, I would think that Dar's
suggestion is probably not going to work with and would require you to
bundle addtional software with your app. (From
http://www.stunnel.org/faq/troubleshooting.html#ToC18 - stunnel is an ssl
wrapper, placed round calls to local ports and forwards them securely to a
remote port:)

>>
FTP over Stunnel won't work I just can't get ftp to work over Stunnel no
matter how hard I try.

*Answer*: Stunnel cannot be used for the FTP daemon because of the nature of
the FTP protocol which utilizes multiple ports for data transfers. There are
SSL aware FTP servers available.

Alternitively you could use a different protocol. All versions of SSH
include a program called scp which works like rcp. Recent versions of
OpenSSH include a program called sftp which has an ftp-like feel.

<<


It looks to me like the options are:
a) using a SSL compatible ftp server, then getting SSL to work with that
(unless there is some reason why Rev's SSL implementation wouldn't work with
that, but I doubt it since SSL applies at the socket level).  This would
only work with some servers, but at least it would be a Rev-only solution
(but requires an enterprise license to get SSL).  On the linux side it looks
like the major ftp servers (vsftpd, proftpd) support ssl.  Of course, if you
are not in charge of the server, then you probably have no control over
which server is used or over whether or not ssl is enabled.

b) switching to using https and posting your data to a webserver.  Requires
you to change how you handle stuff on the server, and would also have
security implications (you don't want people to be able to post files that
would replace e.g. .htaccess), but would also be a Rev-only solution

c) using an external program with your app  (e.g. scp, sftp, curl), and
bundling the executable/libraries if necessary (i.e. they won't be available
with Windows by default - by default Vista even disables the telnet
client!).  The server would obviously have to have compatible server
processes running with appropriate login permissions, and attendant security
issues (i.e. there is going to be a username capable of logging into a shell
on that server, and that will need additional consideration).

d) look into using webdav over https.  Again may require server side
changes, and also has security issues as with b).

Bernard

On Wed, Sep 3, 2008 at 9:46 AM, Jim Sims <sims at ezpzapps.com> wrote:

>
> I am looking for a way to upload files onto a server
> that is secure. I do not want my potential client
> to say "Hey! That will send passwords in the clear!!"
>
> I am looking for a method, using Rev, that can be implemented
> on OS X and Windows.
>
> sims
>
>
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-revolution
>



More information about the use-livecode mailing list