Macupdate and I took some of the discussion on this topic offline but I think that some of it may be of interest to some of the readers here. I am including in this post some our offline discussion. By mutual agreement I have edited out certain sensitive information.
[begin offline discussion 1]
Joel Mueller wrote:
>
> Thanks for your posting on MacNN's boards about FTP security with OSX. I
> was wondering why all of the major hosting providers user FTP access for
> their clients to maintain their sites if FTP is so insecure?
Good question! Mainly it is because that is all most client software can
handle. When people use FrontPage, Adobe GoLive, or NS Composer (to name
a few) they are not given the choice to use a more secure channel for
uploading their data to the server. I can only imagine that this is
because most major hosting sites have not caught up with the times.
Using scp is only slightly more difficult than using ftp yet it is a
little different. Customers (users/clients) HATE changes and ANY
difference in what they are used to. Web hosting service providers would
have a very large increase in support costs... due to the changes they
would have to make.
I imagine the simplest thing would be to allow users to upload their
data using SSL. I don't know if any of the popular web page editors
include, or can make use of, this functionality.
If a client uploads their webpage data in an insecure way then their
whole website is insecure... even if they use SSL on their website. All
it takes is an interested cracker to sniff teh userid and password as it
drifts over the internet in cleartext.
[deletia]
There are many things that an admin can do to make a site more secure
for the users. The bare minimum is to totally disable ftp and telnet. In
short, disable anything that allows a user to access the site with a
cleartext userid and password. I think that most web hosting services
really don't care about security all that much... they may pay lip
service to it but they do very little about it. They rely on buzzwords
(firewall, SSL, etc) but none of this will help assure the integrity of
a customers data if they are allowed to use any service that allows
cleartext userid and passwords. I suppose it can get them "off the hook"
in some situations because if they do use all secure channels and then
if they are compromised they may have some explaining to do.
I think we should discuss this on the forum, don't you? With your
permission I will post your email and my reply.
-DU-...etc...
[end offline discussion 1]
[begin offline discussion 2]
[some stuff edited]
David Utidjian wrote:
All of this is a hassle and/or costs something in time/money BUT when
compared to the cost of repairing a compromised system it is trivial. I
work in an academic environment where some of my users have their lifes
work on my servers, some just have a semesters work, some have a weeks
work, some a days... I have to take the integrity of that data
seriously. I have to take it seriously as the admin of the system or
nobody else will... the users certainly don't... until their data goes
missing or is altered. I have, I believe, a very good backup strategy...
the network security helps me avoid having to restore hundreds of
gigabytes of data from backups... which will take some time.
Unfortunately I had to learn the hard way by being cracked a few times.
Those were a very expensive lessons.
I think, for the most part, that Macs are not all that interesting to
crackers except for the occasional student who has nothing better to do.
Not that many major sites are run on it and the data on most Macs is not
all that interesting. Linux on the desktop is the same way. However,
there is a tremendous amount being served from Linux servers, more every
day, for some of the major websites on the internet. The average Linux
box (desktop or server) also makes an excellent platform to launch other
attacks at any kind of system.
[ end of offline discussion 2]
[ 06-04-2001: Message edited by: utidjian ]