On 20-Jun-01 Roman Drahtmueller wrote:
True, but then again, FTP is not the best choice for sensible data after all, see f. i. http://cr.yp.to/ftp/security.html
I've just read that article. The conclusions he makes are not quite right, if not plain wrong (it's a client problem, not a protocol design bug: What would make a client send a RETR or STOR command if the data connection, be it PASV or PORT, has not been established yet successfully?).
True. The whole article is a little blunt, only covering parts of the ftp problem. What the author correctly has figured out is that implementing ftp should be avoided where possible, but the widespread use of this protocol makes this suggestion quite hard to follow in some circumstances. IMHO the worst problems with ftp grow from a combination of the protocol's clear-text transmission of passwords and weakly/lazily configured authorization schemes (one pw for everything, etc.), together with buggy/misconfigured ftp demons.
I'll write an article of my own about it. Will be on http://portal.suse.de/ .
Delighted to hear that. Perhaps an addition to the SuSE security FAQ would also be a good idea. [...]
Thanks,
Roman.
--
Roman Drahtmüller
SuSE GmbH - Security
Nürnberg, Germany
Phone: +49-911-740530
"Caution: Cape does not enable user to fly." (Batman Costume warning label)
---
Boris Lorenz