Secure file transfer

General Computer Security group. Thread started by evans, 12-16-2007.
Posted by Sebastian G. on December 17, 2007, 1:35 pm
Gerald Vogt wrote:


> Is this a Core FTP specific thing?


No, an SFTP-specific thing.

> That standard sftp client which
> comes with ssh packages like openssh transfers everything (command and
> data) through a SSH link. AFAIK it does not even use the FTP protocol.

Well, then it's SCP, a whole different standard. And more secure than SFTP,
for exactly the mentioned detail.

Posted by Flash Gordon on December 17, 2007, 3:43 pm
Sebastian G. wrote, On 17/12/07 18:35:
> Gerald Vogt wrote:
>
>> Is this a Core FTP specific thing?
>
> No, an SFTP-specific thing.
>
>> That standard sftp client which
>> comes with ssh packages like openssh transfers everything (command and
>> data) through a SSH link. AFAIK it does not even use the FTP protocol.
>
> Well, then it's SCP, a whole different standard. And more secure than
> SFTP, for exactly the mentioned detail.

No, sftp uses a different protocol to scp but it normally runs entirely
over ssh (it can be run over other protocols, but I'm not aware of this
being done). Certainly winscp (which I use) and the sftp provided with
openssh tunnel the sftp protocol over ssh. See
http://winscp.net/eng/docs/protocols#protocol_comparison
or http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1 and
http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&sektion=8

Note from the last of these that it is sshd that actually launches the
sftp-server.

So sftp and scp are exactly as secure as each other.

Also note that ftps is a completely different matter.
--
Flash Gordon

Posted by Gerald Vogt on December 17, 2007, 5:29 pm
Flash Gordon wrote:
> Sebastian G. wrote, On 17/12/07 18:35:
>> Gerald Vogt wrote:
>>
>>> Is this a Core FTP specific thing?
>>
>> No, an SFTP-specific thing.
>>
>>> That standard sftp client which
>>> comes with ssh packages like openssh transfers everything (command and
>>> data) through a SSH link. AFAIK it does not even use the FTP protocol.
>>
>> Well, then it's SCP, a whole different standard. And more secure than
>> SFTP, for exactly the mentioned detail.
>
>...
> Note from the last of these that it is sshd that actually launches the
> sftp-server.
>
> So sftp and scp are exactly as secure as each other.
>
> Also note that ftps is a completely different matter.

So we have to find out what Core FTP does when it connects via "SSH/
SFTP" as mentioned in the OP. For me this "SSH/SFTP" sounds like it
does the normal transfers like the SSH sftp client would do...

Gerald

Posted by on December 16, 2007, 10:49 pm
> ev...@silenceisdefeat.org wrote:
> >> ev...@silenceisdefeat.org wrote:
> >>> In Core FTP, is it better to use AUTH SSL or SSH/SFTP?
> >> SSL. SSH/SFTP only protects the data transfer channel, not the command
> >> channel.
>
> > I don't know enough about it to understand how that addresses which is
> > better to use.
>
> SSL encrypts and authenticates both command and data channel, SSH/SFTP only
> the latter. The consequence is that authentication credentials on an SFTP
> session are transferred in clear text and can be easily sniffed. And since no
> authentication takes place, an attacker can insert arbitrary commands or
> replies.
>
> >> Well, are you doing implicit or explicit SSL authentication?
>
> > Not being familiar with these terms, and failing to find definitions
> > that I could understand, I don't know.
>
> Well, it's trivial: Implicit means that you connect to port 990 and start an
> SSL/TLS session right away, assuming that the server understands it.
> Explicit SSL means that you first connect to port 21, send some clear text
> commands telling the server to start an SSL session, and then do further
> communication on this new session.
>
> As you can see, in the first case any commands sent to the server asking for
> SSL sessions are utterly useless, and since they would mean you're
> requesting the explicit SSL mode, are typically rejected with the 500 -
> Not Implemented error (since the server only wants to support implicit SSL).

Ok, thanks. Now, just to make sure I understand this...

Core FTP has three options: AUTH TLS (which does not work in the
host's system), SSL Direct-FTPS (which also does not work) and AUTH
SSL, which does work in terms of allowing a connection, but with the
response to AUTH SSL:

500 This security scheme is not implemented. (Then it proceeds with my
login.)

But it IS implemented, at least in terms of encrypting my login and
any data I transfer?

Thanks.
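The explicit-FTPS exchange described in the quoted post, as an added example that is not part of the thread and is neither Core FTP's code nor any poster's: the client connects in clear text to port 21, sends AUTH TLS (RFC 4217; AUTH SSL is the older name the thread uses) and may start TLS only after a 234 reply. The scripted server side is a constructed stand-in so both outcomes can be exercised offline; the sample reply strings are constructed, modelled on the "500 This security scheme is not implemented" text quoted above. The check a practitioner wants is the one in `request_explicit_tls`: any reply other than 234 means nothing was negotiated, so the client stops before USER/PASS instead of logging in over the clear control channel.

```python
"""Explicit FTPS (RFC 4217) control-channel negotiation check.

Added example; not code from the thread or from Core FTP.  The server
side below is a constructed stand-in that replies from a script so the
client logic can be exercised offline.
"""
import re
import socket
import threading

# Constructed sample replies, modelled on the 500 text quoted in the thread.
SAMPLE_GREETING = "220 constructed test server ready\r\n"
SAMPLE_AUTH_REPLIES = {
    "accepted":  "234 AUTH TLS successful\r\n",
    "rejected":  "500 This security scheme is not implemented\r\n",
    "multiline": "234-Proceed with negotiation\r\n"
                 " cipher suites listed here\r\n"
                 "234 Go ahead\r\n",
}

_REPLY_HEAD = re.compile(r"^(\d{3})([ -])")


def read_reply(readline):
    """Read one FTP reply (RFC 959 section 4.2) from a callable that
    returns the next line, handling multi-line '<code>-' replies.
    Returns (code, full_text)."""
    first = readline()
    m = _REPLY_HEAD.match(first)
    if not m:
        raise ValueError("malformed FTP reply: %r" % first)
    code, sep = m.group(1), m.group(2)
    lines = [first.rstrip("\r\n")]
    if sep == "-":                        # continues until "<code> ..."
        while True:
            line = readline()
            if not line:
                raise ValueError("connection closed inside multi-line reply")
            lines.append(line.rstrip("\r\n"))
            if line.startswith(code + " "):
                break
    return int(code), "\n".join(lines)


def request_explicit_tls(sock, mechanism="TLS"):
    """Clear-text prelude of explicit FTPS on a connected control socket:
    read the 220 greeting, send AUTH <mechanism>, read the reply.

    Returns (granted, code, text).  granted is True only for reply 234,
    the one case in which the caller may wrap sock in TLS and then log in.
    Any other code means no encryption was negotiated; sending USER/PASS
    at that point would put the password on the wire in clear text."""
    rfile = sock.makefile("rb")
    readline = lambda: rfile.readline().decode("latin-1")
    code, text = read_reply(readline)
    if code != 220:
        raise RuntimeError("unexpected greeting: %s" % text)
    sock.sendall(("AUTH %s\r\n" % mechanism).encode("ascii"))
    code, text = read_reply(readline)
    return code == 234, code, text


def _scripted_server(sock, auth_reply):
    """Constructed server stand-in: greet, answer one AUTH command, close."""
    rfile = sock.makefile("rb")
    sock.sendall(SAMPLE_GREETING.encode("ascii"))
    cmd = rfile.readline()
    if cmd.upper().startswith(b"AUTH "):
        sock.sendall(auth_reply.encode("ascii"))
    else:
        sock.sendall(b"500 Syntax error, command unrecognized\r\n")
    rfile.close()
    sock.close()


def probe(scenario):
    """Run the client against one scripted scenario; returns (granted, code)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=_scripted_server,
                         args=(server, SAMPLE_AUTH_REPLIES[scenario]))
    t.start()
    try:
        granted, code, _ = request_explicit_tls(client)
    finally:
        client.close()
        t.join()
    return granted, code


if __name__ == "__main__":
    for name in SAMPLE_AUTH_REPLIES:
        granted, code = probe(name)
        verdict = "wrap in TLS, then log in" if granted else "STOP: do not send USER/PASS"
        print("%-9s -> %d: %s" % (name, code, verdict))
```

Python's own `ftplib.FTP_TLS` applies the same rule: `login()` with the default `secure=True` calls `auth()` first, which raises `error_perm` on a 5xx reply rather than sending the password in clear, and `prot_p()` must be called afterwards so the data connections are protected as well. A 500 reply to AUTH therefore is not a cosmetic message: on an explicit-FTPS connection it means the login that follows is not encrypted.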

Posted by Unruh on December 17, 2007, 10:50 am

>evans@silenceisdefeat.org wrote:


>> In Core FTP, is it better to use AUTH SSL or SSH/SFTP?


>SSL. SSH/SFTP only protects the data transfer channel, not the command channel.

No idea what you are talking about. ssh encrypts everything passing between
the two computers.


>> This may (or not) have a bearing on it. When I connected using AUTH
>> SSL, the connection script said:
>>
>> ...
>> AUTH SSL
>> 500 This security scheme is not implemented
>> ...
>>
>> It then went on with the connection. I contacted the people who are
>> hosting my account and the first guy said that :
>>
>> "That error message is misleading, it means that the ssl cannot be
>> authenticated but it will still use the encryption layer."


>Well, are you doing implicit or explicit SSL authentication?

>> In Winscp, which only uses SSH (and I have that enabled in my
>> account), One of the fields in the login screen is "Private Key File".
>> Core FTP did not have such a field. In any case, what happens if I
>> leave that field blank?


>Nothing.

>> Is my password and data going out unencrypted if I have not set up a
>> private key?


>No. It just means that the server cannot authenticate you, that is, the
>server doesn't know who he's talking to. A malicious user might insert
>commands on the command channel on your behalf without being detected.

??
