On Sep 7, 2004, at 6:58 PM, Alejandro Tejada wrote:
Hi Andre!
You really have the talent to boldly code what no programmer has published before. (from the "Star Trek" motto ;-)
Andre, I have some questions about FTP, now that you are on it:
Hi Alejandro,
Thanks for the compliments! I am a fan of Star Trek also :D I'll answer your questions below!
How reliable and safe is the FTP protocol? Could it support resume on partial uploads or downloads?
The protocol is pretty dumb. It can support resume and partial uploads, it's pretty easy; I coded an FTP server in Transcript and it does support resuming a transfer.
The protocol is not safe, let me explain why. First the client opens a connection to the server; this connection is called the control connection. Thru this connection the client will ensure its commands and receive responses; all communication will go thru this connection except listing files and transferring files. When you want to list files or transfer files, you'll need a data connection, meaning, depending on your use of active FTP or passive FTP, the client or the server will open another socket and wait for a connection; when this new connection is established, it will send the file list, or the file.
Danger: if you're using passive connections, and you ask for a file and another client connects to that data control port before you do, he will receive your file. Using active FTP the reverse situation can happen: another client can connect to your data control port before you and upload a file saying it's your upload.
The only thing that prevents this from happening every day is that data ports are dynamic, they are not fixed; for example, my own FTPd server will start its data port at 8059 for the first client and goes incrementing this for the next ones, so anyone trying to find an open control port to connect will need to sniff all my ports to find an open one. The point is, when you ask for a data port, the server answers what is the port and you connect immediately, so the time window for someone to connect is pretty small, but if it happens, there's nothing you can do to prevent the file theft or the upload hijack.
See, the security is there only because the client is faster to connect than the "hacker" is fast to scan all your ports... I would not trust national security files to FTP, I would encrypt them so that the user must decrypt after download.
Could anyone (intentionally) sniff the password used to connect to an FTP server?
I don't think so. Unless someone launches a bogus server and forces a user to log in.
What additional features does RunRev require to implement the Secure FTP protocol?
I don't know about SFTP but I think if they expose the SSL functions for encryption then we can build the protocol, and that should be safe, for data flowing from server to client will be encrypted; anyone hijacking the data port will not be able to decipher it.
Could I select an encrypted file to get the user's name and password from it and connect to an FTP server to upload files?
Yes, you control the connection from the Rev side, you're free to send your own login/pass info and to send the commands.
Cheers Andre
(In this way the user does not have to write their user name and password on the machine. Sometimes I had wished that all login screens provided an option to get the user id and password directly from a file on CD-ROM or floppy)
Thanks a lot Andre, Keep up your good work!
al
===== Visit my site: http://www.geocities.com/capellan2000/
_______________________________________________ use-revolution mailing list [EMAIL PROTECTED] http://lists.runrev.com/mailman/listinfo/use-revolution
-- Andre Alves Garzia 2004 BRAZIL http://studio.soapdog.org
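An added example, not code from this thread or from Andre's FTPd: a Python sketch of two server-side checks that narrow the passive data-port race described above. It lets the OS pick the data port instead of incrementing from a fixed start, and it accepts the data connection only from the IP address of the control connection. Function names and addresses are constructed for illustration; a peer on the same host or behind the same NAT still passes the check, and the data itself stays unencrypted.

```python
import socket
import time

def open_pasv_listener(bind_ip="127.0.0.1"):
    """Open a one-shot data listener on an OS-chosen port (port 0),
    rather than a predictable start-and-increment port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_ip, 0))
    srv.listen(4)
    return srv, srv.getsockname()[1]

def accept_data_connection(srv, control_peer_ip, timeout=2.0):
    """Return (conn, rejected): conn is the first data connection whose
    source IP equals the control connection's peer IP, or None if none
    arrived before the deadline. Other peers are closed and recorded."""
    rejected = []
    deadline = time.monotonic() + timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None, rejected
            srv.settimeout(remaining)
            try:
                conn, (peer_ip, _port) = srv.accept()
            except socket.timeout:
                return None, rejected
            if peer_ip == control_peer_ip:
                return conn, rejected
            rejected.append(peer_ip)  # worth logging: someone raced for the port
            conn.close()
    finally:
        srv.close()  # one data connection per PASV reply

def demo(control_peer_ip):
    """Constructed scenario: a loopback client connects to the data port."""
    srv, port = open_pasv_listener()
    client = socket.create_connection(("127.0.0.1", port))
    conn, rejected = accept_data_connection(srv, control_peer_ip, timeout=0.5)
    received = b""
    if conn is not None:
        conn.sendall(b"constructed file contents")
        conn.close()
        received = client.recv(1024)
    client.close()
    return received, rejected

if __name__ == "__main__":
    print(demo("127.0.0.1"), demo("192.0.2.10"))
```

In the first call the control peer matches the loopback client and the file is delivered; in the second the expected peer is a different (constructed) address, so the loopback connection is closed and recorded.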
