On Oct 24, 3:24*pm, RayLopez99 <raylope...@gmail.com> wrote:
> From the below it seems FTP transmits id/password in plaintext. *I use
> FTP when "publishing" my Visual Studio apps to my website. *The
> initial handshake of the FTP program has my ID and password in it.
> What I'd like to discuss are two topics: *worse case and best case for
> somebody intercepting my user id and password when I FTP from inside
> of Visual Studio (which has an FTP client built into it).
> I don't know anything about this subject, but here is a guess, along
> the lines of what I'd like to hear from you experts. *My guess is not
> based on knowledge of how 'packet sniffing' is done, just a
> conjecture.
> Worse case: *"Your FTP password and ID can easily be intercepted, not
> just in real time by a packet sniffer such as {INSERT NAME HERE} but
> also because messages are stored on most servers from about 30 minutes
> to up to 24 hours. *A sysop can easily read any plain text stored on
> these servers. *Further, it's well known that many FTP servers are
> buggy and have viruses on them that redirect any text message packets
> received."
> Best case: "While it's true that your FTP password and ID can be
> intercepted in theory, in most cases, between 95% to 99% of the time,
> this is not easy to do, because most FTP servers have firewalls on
> them that will hide all open ports, making it difficult for a packet
> sniffer to attach to a port and intercept any incoming data. *Further,
> since FTP is typically a 'point-to-point' connection, between your
> machine and the server, there are no 'hops' between the two machines,
> which means that there's little opportunity for a 'man-in-the-middle'
> proxy attack. Hence, unless there's a packet sniffer attached to one
> of the open ports, which again is unlikely due to the FTP server
> firewall, in most cases, 95-99% of the time, your ID and password will
> not be read".
> Again, I'm making up this best case/ worse case stuff just to get the
> ball rolling. *I have no idea of what I'm talking about, that's why
> I'm asking you.
> Any comments?
> RL
> http://www.raditha.com/php/ftp/security.php
> Security issues in FTP
> Send your password in clear text
> The biggest problem with FTP is that the server can only handle
> usernames and passwords in plain text. This is one of the reasons why
> the root account cannot be used for FTP access on most servers. The
> same applies for telnet.
> FTP is not the only protocol that sends everything in the clear, POP,
> IMAP, Jabber are some other equally guilty protocols. The difference
> however is that FTP is very commonly used to upload contents to
> various kinds of servers including webservers. Someone who sniffs your
> mail server might read your private mail, but someone who sniffs your
> FTP password can deface your website. Matters have not been helped by
> the fact that some FTP servers are notoriusly buggy.
> For these reasons there are various alternatives including Secure FTP
> (SFTP), which despite the name is quite different from FTP. SFTP
> applies encryption on all messages between the client and the server.
> There is also another alternative FTPS. Losely speaking we can think
> of FTPS being to FTP what HTTPS is to HTTP.
> Usernames and passwords are not the only things that are sent over
> clear text. The files themselves are uploaded or downloaded without
> any encryption at all. That online store you buy your T-shirts from
> might give you an HTTPS page to enter your credit card, and their
> accountants maybe downloading the card details over FTP!
> Having said all that this article is not intended to be an indepth
> study of cryptography, rather it's intended to give you a small amount
> of background information as we work towards building a FTP client
> using PHP.