[Info-vax] FTP/SSL from OpenVMS (client) to Unix Filezilla (server) failure
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Aug 8 18:19:43 EDT 2012
On 2012-08-08 21:55:09 +0000, Jose Baars said:
> On Wednesday 8 August 2012 15:28:38 UTC+2, Stephen Hoffman wrote the
> following:
>
>>
>> And yes, you could reasonably infer I'm not fond of ftp.
>>
>
> :-). In FTP's defense, most browsers, and curl too, automatically use
> passive mode to do FTP, getting rid of the server opening a random port.
Which just means the server needs the whole of the ftp port range open
(or the whole of the ephemeral range) from the Internet, or a firewall
that sniffs ftp traffic.
And some browsers intentionally block URL-based credentials on ftp transfers.
ftp needs to die.
But then I've mentioned my distaste for the protocol.
> But why we have FTPS, FTP over SSL (also loosely called FTPS) and more
> than 2 ways to tell how and what to encrypt is really beyond me.
Schadenfreude is about the nicest reason I can come up with.
> SSH and SFTP implement an application protocol on top of TCP/IP. That
> has at least three disadvantages:
> To prevent setup of SSH tunnels a company needs expensive protocol
> sniffing firewalls :-).
Peeking in the encrypted traffic generally means a deliberately weak
implementation, a certificate compromise (as has happened), or a
bastion host.
> The SFTP (or really the SSH) RFC's are extensive and open to (wrong)
> interpretation, as abundantly demonstrated by dozens of servers and
> clients, and file transfer performance is sometimes not even half of an
> HTTPS (to avoid the dreaded F word) download or upload, which can be
> comparably secure. That also is the disadvantage of HTTPS: it can be
> made much more insecure.
(Having been in attendance at various standards meetings over the
years, and having implemented applications based on RFCs on various
occasions...) I'd be surprised if any particular set of non-trivial
RFCs actually did closely approximate reality. That's why some
implementations of the RFCs are variously considered (for better or
worse) reference implementations, and why there are "connectathon"
meetings.
> I don't think I will see something easy, secure and generally accepted
> in my lifetime.
We'll hopefully be done with the classic files-n-directories sooner or
later for all but the developers. Probably later. Ah, well.
--
Pure Personal Opinion | HoffmanLabs LLC
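The "firewall that sniffs ftp traffic" point above is exactly the work an FTP-aware firewall has to do on every PASV reply. As an added example (not from this thread or either poster), here is a small Python check that parses the 227 reply, refuses an advertised host that differs from the control-connection peer, and only admits a data port that falls inside the passive range the operator configured on the server; the addresses, ports and range are constructed sample values.

```python
import ipaddress
import re

# Classic RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, control_peer, pasv_range):
    """Decide whether a firewall should open a pinhole for the data connection.

    control_peer: server address seen on the control connection.
    pasv_range:   (lo, hi) passive port range configured on the server.
    Returns (ok, reason).
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return False, "malformed 227 reply"
    host, port = parsed
    # The advertised host must be the server we are already talking to;
    # anything else would redirect the data connection elsewhere.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, f"advertised host {host} differs from control peer {control_peer}"
    lo, hi = pasv_range
    if not lo <= port <= hi:
        return False, f"port {port} outside configured passive range {lo}-{hi}"
    return True, f"open {host}:{port}"


if __name__ == "__main__":
    # Constructed sample replies; the server is 192.0.2.10, range 50000-50100.
    for reply in (
        "227 Entering Passive Mode (192,0,2,10,195,80).",
        "227 Entering Passive Mode (192,0,2,10,0,21).",
        "227 Entering Passive Mode (198,51,100,7,195,80).",
    ):
        print(reply, "->", check_pasv(reply, "192.0.2.10", (50000, 50100)))
```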