On Wed, 20 Jun 2001, Roman Drahtmueller wrote:
I've just read that article. The conclusions he makes are not quite right, if not plain wrong (it's a client problem, not a protocol design bug: What
Well, some of the problems can be alleviated by proper validation and a big portion of paranoia. FTP as it is will never be secure. It would require STARTTLS and in-band transportation of data (in-band == in the same channel that has completed the authentication). FTP is usually wrongly implemented on client and server side; numerous, if not all, FTP clients mess up LIST and NLST: the first is to be presented raw, the second can be dealt with automatically (for mirroring); so FTP effectively is not suited for mirroring, timestamps being the least of the problems. (The MPLF extension will fix this soon.) Servers still offer active mode although the problems cannot possibly be overcome.
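
One form the "proper validation" mentioned above can take, as an added example that is not part of the original message: a check, usable by a server on a PORT argument or by a client on a 227 (PASV) reply, that the advertised data endpoint is acceptable. The policy (same address as the control-connection peer, no port below 1024) and the function names are assumptions chosen for illustration; the sample strings are constructed.

```python
import ipaddress
import re

# RFC 959 host-port field "h1,h2,h3,h4,p1,p2", as carried by PORT arguments
# and by 227 (PASV) replies. The lookarounds stop partial matches in longer digit runs.
_HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def parse_hostport(text):
    """Extract (IPv4Address, port) from a PORT argument or a 227 reply line."""
    match = _HOSTPORT.search(text)
    if match is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    nums = [int(group) for group in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field value above 255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_data_endpoint(text, control_peer, min_port=1024):
    """Return (host, port) if the data endpoint passes the policy, else raise.

    Assumed policy: the data connection must go to the same address the
    control connection is already talking to, and never to a privileged port.
    """
    host, port = parse_hostport(text)
    if host != ipaddress.IPv4Address(control_peer):
        raise ValueError(f"data address {host} differs from control peer {control_peer}")
    if port < min_port:
        raise ValueError(f"data port {port} is below {min_port}")
    return str(host), port


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed: address of the control-connection peer
    samples = [
        "227 Entering Passive Mode (192,0,2,10,19,137)",  # same host, port 5001
        "PORT 198,51,100,7,19,137",                       # third-party address
        "PORT 192,0,2,10,0,25",                           # privileged port
    ]
    for line in samples:
        try:
            print(line, "->", check_data_endpoint(line, peer))
        except ValueError as err:
            print(line, "-> rejected:", err)
```

This narrows what a data connection can be pointed at; it does nothing about the cleartext credentials and separate data channel the message objects to.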