28 May
2004
28 May
'04
9:35 a.m.
On Thursday 27 May 2004 18:36, Pete Turnbull wrote:
I recently had a discussion with our security advisor
at work, about
FTP being replaced by HTTP and SCP. Some people would like to
replace "insecure" FTP with "modern" services like SCP and HTTP
(something along the lines of "we don't do anonymous FTP, stick the
file on a web page instead"), and argue that they're safer and
there's no loss of functionality. I'm not so sure. For example, FTP
understands the difference between a unix-style "stream of bytes"
file, and a structured one such as might be found under VMS (or any
of several other OSs) -- and can deal with the difference.
Can't you cover that problem with something like an archiver? VMS
BACKUP format, or something else that's designed to store enough info
so that you can send record-mode files over a "generic bitstream"
connection. Not necessarily ideal, but it should be able to work,
assuming you can get an http client (wget) for your platform, or build
a simple one, which shouldn't be all that hard (assuming you have
enough to build an ftp client).
IMHO, just switching to a web server doesn't necessarily make things
more "secure," well, unless you're using wu-ftp. :) But, for thing
that require a password set over a connection that I don't physically
own all the machines on, I really don't like sending that password
unencrypted; that's something that https and ssh/sftp/scp can do and
ftp can't (easily) do, without tunneling over an encrypted VPN
connection or something.
Pat
--
Purdue University ITAP/RCS --- http://www.itap.purdue.edu/rcs/
The Computer Refuge --- http://computer-refuge.org