At 11:21 AM 11/28/2006 -0500, Malcolm Greene wrote:
...
> > FTP insecure because it was so old
>
>FTP *IS* insecure - both passwords and data are transferred unencrypted.
...

Just a quick note. You're falling for the hype. FTP is not 'insecure' - it's all in how you set up the FTP.

1) never have both read/write access to the same FTP folder
2) allow only anonymous connections to FTP
3) all FTP connections are controlled by a specific 'account' on the server (one with very, very few rights)
4) if data transferred needs to be protected, make sure it's encrypted before transfer
5) do not trust any file received - scan it/verify it, etc.

These (specifically 4 & 5) would (or should) apply to anything you also receive via HTTP. You do not know where it came from. You could potentially use client-side certificates for the SSL to try and verify things, but even then you can't be sure. What if that's a disgruntled user? What if someone got on that computer while the user was in the bathroom or their logon was compromised? Or what if the cert info got hijacked (aka MS Passport stuff getting compromised... <g>). The client-side cert files are stored locally, right - available for copy?

And just to give you a warm and fuzzy, some studies have shown lately that various SSL encryptions are getting easier to crack. So my advice is even if you're sending over SSL, you should encrypt your data (assuming it's important to protect it).

-Charlie