I am certainly not going to try and claim that FTP is secure. I'm not
going to claim to like it. What I am saying is that FTP has its place.
There are sites that run completely open FTP sites where cleartext
usernames and passwords are not a problem. Anonymous access is essential
to the way most public sites operate. FTP can easily be replaced in many
areas. I don't believe in running FTP (or telnet, or rsh, etc.) on
servers that need to be secure, or where shell access is granted. But, I
certainly don't believe in doing away with it. Also, who is to say that
parts of the RFC are useless? Just because we don't use them does not
mean that other people don't. 

For example, I would find it useless to have a 10 year old line printer
connected via the network to a mainframe that is half way across the
country. I find 4Mbit token ring to be out-dated and useless. I find
8086's using PCDOS with 16-port serial cards running optical counters to
be old and crufty. However, all of the above mentioned old and out-dated
technologies have their place in a very large shipping company that I
used to work for. Oh, and their main method of communication is SYSM,
not e-mail. 

Kenny

Tod Hagan wrote:
> 
> On Tue, Feb 27, 2001 at 06:40:48PM -0500, Derek Martin wrote:
> > We should replace [ftp] because it is inherently insecure in that
> > all authentication is passed in the clear, as is all of your data;
> > and because no one seems to be able to implement it without leaving
> > gaping holes in it aside from those already sufficiently damning
> > problems I just named.
> 
> Two words: cleartext passwords.
> 
> Thanks, Derek, for bringing this up. You beat me to it.
> 
> On Tue, Feb 27, 2001 Kenneth E. Lussier wrote:
> > What does age have to do with the usefulness of a protocol?
> > Actually, what does age have to do with *ANYTHING* in the computer
> > industry?
> 
> It depends on the circumstances. Old isn't always bad, but in this
> case the protocol dates from a time when the networking environment
> was quite different. ARPAnet in the 70s was essentially secure, with
> physical access to the network controlled, so sending passwords in the
> clear wasn't a big deal.
> 
> Also, in this case, the age of the protocol means that there's
> obsolete cruft which has nothing to do with transferring files today
> -- there's stuff about advancing the printer carriage in there! (see
> RFC 959 section 3.1.1.5.2 carriage control).
> 
> FTP defenders: Do you ftp over a non-SSL connection to machines where
> you've got shell access? I haven't done this in a couple of years for
> fear of my password being sniffed.
> 
> How easy is it to sniff ftp passwords? 37 lines of perl does it:
> 
> User: hi
> Pass: there
> User: very
> Pass: secure
> 
> Arg! This is too funny -- I leave the ftp sniffer I just wrote running
> for a few minutes and capture some script kiddie in the Netherlands
> trying to get in:
> 
> User: anonymous
> Pass: [EMAIL PROTECTED]
> 
> (The server has never been publicized, has 1 authorized user, and was
> down for 4 months.)
> 
> --
> Tod Hagan
> Campton, NH
> [EMAIL PROTECTED]
