>>>> "Pete" == Pete Turnbull
<pete(a)dunnington.u-net.com> writes:
Pete> I recently had a discussion with our security advisor at work,
Pete> about FTP being replaced by HTTP and SCP. Some people would
Pete> like to replace "insecure" FTP with "modern" services like
SCP
Pete> and HTTP (something along the lines of "we don't do anonymous
Pete> FTP, stick the file on a web page instead"), and argue that
Pete> they're safer and there's no loss of functionality. I'm not so
Pete> sure. For example, FTP understands the difference between a
Pete> unix-style "stream of bytes" file, and a structured one such as
Pete> might be found under VMS (or any of several other OSs) -- and
Pete> can deal with the difference.
http has Mime types, and for things that are sufficiently strange,
wrapping them in a tarball or zip archive is probably a good idea
anyway. Certainly people routinely distribute .tar.gz files with fine
integrity.
I think the security argument (that is, "http is more secure than
ftp") is bogus. Both are anonymous, unless you choose to make them
require authentication. WIth FTP that's easy, with HTTP it can also
be done but may not be as widely understood.
There are probably more http server exploits than ftp server exploits,
partly because http servers can live on Windows while this is harder
(thought not entirely impossible) for FTP.
One security argument that may make sense: you presumably have a web
server anyway, so doing everything via that server and NOT require an
additional server (ftpd) means one fewer application to worry about.
That's quite reasonable.
Pete> I don't have an easy way to test this, so I don't know if web
Pete> browsers or programs like wget can do the right thing, or
Pete> indeed if servers such as Apache can, or what happens with SCP
Pete> -- but it occurs to me that it might matter in the context of
Pete> classic computing.
In general I like http for file access. In many cases it seems to be
faster, though I know of no good reason why that should be so. The
protocol is far more sane -- if you have NAT or firewalls, it's far
less tricky to get things right than with FTP. FTP passive mode helps
some but it is still an amazing mess at the packet level.
If you want security, SCP is an excellent answer. If you want
anonymous file access, I don't know any reason to use that.
wget handles both ftp and http quite nicely.
paul