
An old discussion revisited: why do people still use FTP?
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 04:45 PM
 
Why are people still using FTP? Turn on your news and you'll hear about botnet attacks. There was just one recently on the Pentagon, I believe. These sorts of scripted attacks most likely work by seeking out clear text password transmissions; this is much lower dangling fruit than trying to hack away at something encrypted.

How is it that in today's day and age straight FTP is acceptable? We have trained people using web browsers to "look for the lock", we flash SSL banners and all of that sort of jazz, but how come people seem perfectly content to use FTP? I know the answer to that, ignorance, but why do service providers support this, putting their own systems at risk? The value of the content you have retained in your FTP account/home directory is completely irrelevant, it's what somebody can do with their tracks covered up under somebody else's name. A murderer never uses their own weapon.

I'm sure many of you will try to blow off the risks and call me paranoid, and in some cases there is some degree of debate to the extent in which we should be paranoid, but to me all of this is a waste of discussion when in most cases all the ISP has to do is allow you to reconfigure your FTP client to access via SFTP instead, as most seem equipped to do by now.

I know there was some sort of crypto export legal dispute a while back, maybe this has something to do with some of this, and I know that the encryption requires a little more overhead, but why don't the benefits of far more security outweigh this?

Are we ever going to reach a day when we can finally can FTP like we have telnet? The FTP goose has been long cooked.
( Last edited by besson3c; Jul 24, 2009 at 05:17 PM. )
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 04:48 PM
 
To be clear, FTP does have some uses just as I suppose POP does. It provides a far simpler way to connect to stuff with less overhead. However, it should only be used in very private and tightly controlled environments. What I'm referring to is connecting to things like web hosts and other stuff over the WAN using FTP.
     
angelmb
Addicted to MacNN
Join Date: Oct 2001
Location: Automatic
Jul 24, 2009, 05:04 PM
 
-------------------------------------------------------------
WARNING: This is a restricted access system. If you do not have explicit
permission to access this system, please disconnect immediately!
-------------------------------------------------------------

That's all I see when using FTP to get access to a well-known computer security app updates, no SFTP there.
So, why are people still using FTP? As you well said, it is simpler and faster. The fact it (the one I use) follows some sort of Honor System is nice too.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 24, 2009, 05:10 PM
 
Easy, quick, supported by lots and lots of free and inexpensive clients sound like biggies for me. Plus not every host supports more secure methods of uploading content.

Considering that most of my uploads are stuff I'm putting on my site to be publicly viewed, it is no big deal whether it's secure or not, so I use CyberDuck. Plus, my hosting package doesn't support SSH access so I'm pretty much stuck with FTP.

This SFTP idea has merit. I'm going to ask my hosting service about it.

Glenn -----OTR/L, MOT, Tx
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jul 24, 2009, 05:15 PM
 
FTP is simple and everyone knows it. It's too bad it hasn't been replaced by SFTP, though, because I always have some concern when FTPing into my web server that someone's possibly sniffing my password.

besson, is it trivial to change over from FTP to SFTP?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 05:19 PM
 
Originally Posted by ghporter:
Considering that most of my uploads are stuff I'm putting on my site to be publicly viewed, it is no big deal whether it's secure or not, so I use CyberDuck. Plus, my hosting package doesn't support SSH access so I'm pretty much stuck with FTP.
Yeah, but like I said, no disrespect intended, the value of your content is irrelevant. What is valuable to others is having access to an account they do not own.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 05:20 PM
 
Originally Posted by angelmb:
-------------------------------------------------------------
WARNING: This is a restricted access system. If you do not have explicit
permission to access this system, please disconnect immediately!
-------------------------------------------------------------

That's all I see when using FTP to get access to a well-known computer security app updates, no SFTP there.
So, why are people still using FTP? As you well said, it is simpler and faster. The fact it (the one I use) follows some sort of Honor System is nice too.

How is the honor system nice? Scripted bots are not honorable.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 05:21 PM
 
Originally Posted by Big Mac:
FTP is simple and everyone knows it. It's too bad it hasn't been replaced by SFTP, though, because I always have some concern when FTPing into my web server that someone's possibly sniffing my password.

besson, is it trivial to change over from FTP to SFTP?
On the server end you get SFTP for free when you enable SSH. On the client end this is simply a matter of changing your connection protocol - couldn't be easier.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 05:25 PM
 
As far as the "lots of clients support FTP" argument, when is that no longer going to be a good argument? At some point transitions need to occur if you are interested in technological progress. There are lots of PowerPC Mac users out there, and there are probably lots of people that are fine with analog TV.
( Last edited by besson3c; Jul 24, 2009 at 05:33 PM. )
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 24, 2009, 05:29 PM
 
Originally Posted by besson3c:
Yeah, but like I said, no disrespect intended, the value of your content is irrelevant. What is valuable to others is having access to an account they do not own.
I had not considered the exposure of the password as well. I've got some thinking to do on this with my own hosting service. In the meantime, I'm implementing a fairly regular password change schedule for my site...
Originally Posted by besson3c:
As far as the "lots of clients support FTP" argument, when is that no longer going to be a good argument? At some point transitions need to occur. There are lots of PowerPC Mac users out there, and there are probably lots of people that are fine with analog TV.
The point is that FTP is something that it's trivial to find tools to use, which is not really the case with other file transfer methods. Since FTP IS a standard, all you need to know is whether or not the host uses the standard port and the rest of the operation goes as expected. With other methods, you need to know if the host supports them AND whether or not the host supports the version and implementation your tools support. That's not trivial. It should be, but it isn't.

Glenn -----OTR/L, MOT, Tx
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 05:59 PM
 
I would argue that SSH/SFTP is an even bigger standard, Glenn... Perhaps not for shuttling files back and forth, but for connectivity in general it sure is.

However, you bring up a good point, but I would question when this migration away from it should occur. You could make that same argument between now and the end of time in terms of moving from one standard to another. Standards do evolve, they aren't static things. I'm just questioning when it will, 'cause I'm really tired of FTP.

In terms of the version and implementation of SSH supported, like I said, we've been using the same version and implementation for a hell of a long time now. It's already a standard, it's just more commonly used in other ways by the lay person for the very reasons I'm trying to get a handle on here.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 24, 2009, 06:43 PM
 
What I have found is that some ISPs are paranoid about enabling SSH, which is necessary for SFTP, and if you do get SSH you often have to show them a scan of your driver's license or something, because they're scared about giving people shell access - they might try to break out of the jail shell, run malicious code on the server, try to guess the sudo password, or something.

A nice alternative is WebDAV with SSL - this is also secure, and can be mounted right on the Desktop in OS X 10.5.7.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
G Barnett
Grizzled Veteran
Join Date: Feb 2001
Location: Minnesota
Jul 24, 2009, 06:45 PM
 
I use FTP to transfer stuff between my winpc and my mac laptop. It's actually easier than trying to wrangle the built-in networking.
Life is like a clay pigeon -- sooner or later, someone is going to shoot you down and even if they miss you'll still wind up shattered and broken in the end.
     
wallinbl
Professional Poster
Join Date: Dec 2001
Location: somewhere
Jul 24, 2009, 07:06 PM
 
It would be nice if it were a bit more consistent. Between different vendors, we deal with both FTP over SSH and FTP w/ SSL. There's also a difference between implicit and explicit when dealing with SFTP. Seems everyone is just a little different about implementation.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jul 24, 2009, 07:11 PM
 
Originally Posted by CharlesS:
What I have found is that some ISPs are paranoid about enabling SSH, which is necessary for SFTP, and if you do get SSH you often have to show them a scan of your driver's license or something, because they're scared about giving people shell access - they might try to break out of the jail shell, run malicious code on the server, try to guess the sudo password, or something.

A nice alternative is WebDAV with SSL - this is also secure, and can be mounted right on the Desktop in OS X 10.5.7.
Good points. ISPs are paranoid about SSH. But what would trying to guess the sudo password do if the would-be hacker's account wasn't in the wheel group? Edit: I just learned that Linux, unlike BSD, doesn't use wheel restrictions by default. That's dumb, but I would think any self-respecting administrator would set wheel up. Also, I seldom hear of hosts providing WebDAV access, and even if one did my experience with iDisk in the Finder doesn't make me very comfortable with relying on it to transfer large files.
( Last edited by Big Mac; Jul 24, 2009 at 07:24 PM. )

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 24, 2009, 07:14 PM
 
WebDAV is becoming more common these days than it was previously. I know that I used to have trouble too when transferring large files under 10.5.6 and below, but 10.5.7 seems to have fixed it, or at least for me it's working great these days.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 24, 2009, 07:21 PM
 
Originally Posted by CharlesS:
What I have found is that some ISPs are paranoid about enabling SSH, which is necessary for SFTP, and if you do get SSH you often have to show them a scan of your driver's license or something, because they're scared about giving people shell access - they might try to break out of the jail shell, run malicious code on the server, try to guess the sudo password, or something.
Whatever, I don't understand why those ISPs are still in business.

I mean, WTF, who would pay for a hoster w/o shell access and SSH?

-t
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 07:28 PM
 
Originally Posted by CharlesS:
What I have found is that some ISPs are paranoid about enabling SSH, which is necessary for SFTP, and if you do get SSH you often have to show them a scan of your driver's license or something, because they're scared about giving people shell access - they might try to break out of the jail shell, run malicious code on the server, try to guess the sudo password, or something.

A nice alternative is WebDAV with SSL - this is also secure, and can be mounted right on the Desktop in OS X 10.5.7.

Then they should not give the user shell access, pretty simple... Just set their shell to /sbin/nologin (or wherever that lives). There are already a number of accounts installed on a Unix system accordingly. The problem with WebDAV with SSL is that some companies want to connect using their own domain name, and a separate SSL cert not only costs money, but also requires a dedicated IP address.
( Last edited by besson3c; Jul 24, 2009 at 07:38 PM. )
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 24, 2009, 07:30 PM
 
Originally Posted by turtle777:
Whatever, I don't understand why those ISPs are still in business.

I mean, WTF, who would pay for a hoster w/o shell access and SSH ?
Not me, that's for sure, but Joe Blow who just wants to put up some really basic website probably doesn't even know what SSH is.

Originally Posted by besson3c:
Then they should not give the user shell access, pretty simple... Just set their shell to /sbin/nologin (or wherever that lives). The problem with WebDAV with SSL is that some companies want to connect using their own domain name, and a separate SSL cert not only costs money, but also requires a dedicated IP address.
You don't need a separate SSL cert, or a dedicated IP address, and you can connect with your own domain name. All you have to do is check the box to always trust this server when the "domain name doesn't match name on certificate" warning comes up.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 07:31 PM
 
Originally Posted by wallinbl:
It would be nice if it were a bit more consistent. Between different vendors, we deal with both FTP over SSH and FTP w/ SSL. There's also a difference between implicit and explicit when dealing with SFTP. Seems everyone is just a little different about implementation.
Speaking of uncommon standards, I'm surprised you've come across somebody that offered FTP + SSL; this, AFAIK, is quite uncommon. It definitely is confusing differentiating between FTP + SSL and SFTP though.

As far as everybody being a little different, I would be surprised if more than 5% of vendors that offered either FTP + SSL or SSH offered FTP + SSL.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 07:32 PM
 
Originally Posted by CharlesS:
You don't need a separate SSL cert, or a dedicated IP address, and you can connect with your own domain name. All you have to do is check the box to always trust this server when the "domain name doesn't match name on certificate" warning comes up.
Even self-signed certs require their own IP address.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 24, 2009, 07:34 PM
 
I'm using it on shared hosting with just the ISP's certificate (which isn't self-signed, but I didn't have to pay for it). It works fine.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 24, 2009, 08:00 PM
 
As it turns out, my hosting service does offer SSH, for business package customers. That would double my now trivial hosting cost. While moving to a business package would give me more features, I don't use all the features I have with a "home" account as it is. I'm not terribly happy with this situation.

Glenn -----OTR/L, MOT, Tx
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Jul 24, 2009, 08:10 PM
 
Why incur the overhead of SFTP when you're allowing anonymous downloads?
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 09:57 PM
 
Originally Posted by CharlesS:
I'm using it on shared hosting with just the ISP's certificate (which isn't self-signed, but I didn't have to pay for it). It works fine.
Indeed it does, but again, some companies demand they connect with their own domain name for some reason. I've had two companies that have gotten me to install their own mail server SSL cert for them, and this is just so that their mail client configuration uses mail.them.com rather than mail.me.com.

I'm not saying that this is completely rational, and I fully acknowledge that WebDAV + SSL makes for a great combo, I'm just adding this as an additional comment.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 10:00 PM
 
Originally Posted by mduell:
Why incur the overhead of SFTP when you're allowing anonymous downloads?
Because, like I said, a killer never uses their own weapon. The value or sensitivity of the data you have in your account you own is irrelevant. If you are totally comfortable with your account being compromised, I guess this is fine, but just out of principle alone I would like to assume that most people would be dead set against this. Maybe I give people too much credit.

If nothing more it is a great inconvenience to have to deal with the damage done to an account, having to learn a new password, troubleshooting noticeable problems, etc.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 10:06 PM
 
Originally Posted by ghporter:
As it turns out, my hosting service does offer SSH-for business package customers. That would double my now trivial hosting cost. While moving to a business package would give me more features, I don't use all the features I have with a "home" account as it is. I'm not terribly happy with this situation.
To me, this is just flat out odd. Why would a company want to jeopardize their customer satisfaction this way by limiting their customers to a less secure protocol this way, not to mention potentially create much more work for themselves?

If you were to use a car analogy, this wouldn't even be like selling a deluxe key entry sort of anti-theft system vs. not, this would be like selling a car with a sign on it that says "please do not break into my car". I'm not trying to spread FUD or make you think that your account being broken into is imminent, but I can guarantee you that the little bot nets would much rather zero in on clear text passwords than not. Most people don't break into cars, but some do if there is something to be gained and it doesn't require too much effort. I don't think this is too dissimilar.

I'm off on a tangent, I know. If this is a retarded analogy, just say so and leave it be, I don't want to fuss over this too much.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Jul 24, 2009, 10:09 PM
 
Originally Posted by besson3c:
Because, like I said, a killer never uses their own weapon. The value or sensitivity of the data you have in your account you own is irrelevant. If you are totally comfortable with your account being compromised, I guess this is fine, but just out of principle alone I would like to assume that most people would be dead set against this. Maybe I give people too much credit.

If nothing more it is a great inconvenience to have to deal with the damage done to an account, having to learn a new password, troubleshooting noticeable problems, etc.
You're ignoring the issue. Why should Apple/Mozilla/Google incur the overhead of ssh (computation, bandwidth, etc) to use SFTP when they're offering free downloads?

SFTP has not replaced FTP for the same reason HTTPS has not replaced HTTP.
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: The deep backwoods of the PNW
Jul 24, 2009, 10:20 PM
 
My previous employer only allowed FTP traffic through the proxy to the Internet, because it's insecure - that way, they could monitor the traffic to ensure people weren't uploading confidential or sensitive data to third parties.
Sell or send me your vintage Mac things if you don't want them.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 10:23 PM
 
Originally Posted by mduell:
You're ignoring the issue. Why should Apple/Mozilla/Google incur the overhead of ssh (computation, bandwidth, etc) to use SFTP when they're offering free downloads?

SFTP has not replaced FTP for the same reason HTTPS has not replaced HTTP.
Oh, I see what you mean. I thought you were referring to the hosting of your website or something, which in a sense offers anonymous downloads of the public part of your site.

Like I said before, FTP still definitely has its uses, including this. I was trying to limit the discussion to hosting of websites and private download areas and such where a password entry is required, and where write access to a share is at stake. Anonymous downloads are read only. If you are able to write to a directory on a website you could do so using either http or https.
( Last edited by besson3c; Jul 24, 2009 at 10:34 PM. )
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 10:28 PM
 
Originally Posted by shifuimam:
My previous employer only allowed FTP traffic through the proxy to the Internet, because it's insecure - that way, they could monitor the traffic to ensure people weren't uploading confidential or sensitive data to third parties.
Yeah, well, Turtle's employer makes him use Lotus Notes!

Turtle, on your last day are you going to tell them to shove their Lotus Notes up their ass?
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 24, 2009, 10:29 PM
 
Originally Posted by shifuimam:
My previous employer only allowed FTP traffic through the proxy to the Internet, because it's insecure - that way, they could monitor the traffic to ensure people weren't uploading confidential or sensitive data to third parties.
Because it's so hard to encrypt data BEFORE sending it via FTP?

You must work for the government...

-t
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 24, 2009, 11:23 PM
 
The question is Turtle, which do you hate more, the government or Lotus Notes?
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 24, 2009, 11:50 PM
 
Originally Posted by besson3c:
The question is Turtle, which do you hate more, the government or Lotus Notes?
Oh, I have enough hate for both of them.

-t
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 25, 2009, 02:39 AM
 
Originally Posted by besson3c:
Indeed it does, but again, some companies demand they connect with their own domain name for some reason.
Like I said, I can connect with my own domain name just fine. All one has to do is, when you get the warning message telling you the domain name you entered and the domain name on the certificate don't match, click the "Always trust www.webhost.com when connecting to www.mydomain.com" check box, and then it works just the same.

Originally Posted by mduell:
Why incur the overhead of SFTP when you're allowing anonymous downloads?
Um, unless you're also doing anonymous uploads, you're going to want to be using SFTP or something else that's encrypted.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
wallinbl
Professional Poster
Join Date: Dec 2001
Location: somewhere
Jul 25, 2009, 07:31 AM
 
Originally Posted by besson3c:
Speaking of uncommon standards, I'm surprised you've come across somebody that offered FTP + SSL; this, AFAIK, is quite uncommon. It definitely is confusing differentiating between FTP + SSL and SFTP though.

As far as everybody being a little different, I would be surprised if more than 5% of vendors that offered either FTP + SSL or SSH offered FTP + SSL.
They're not hosting providers, they're simply vendors of ours that we connect to in order to exchange data. One of them is an obscenely large player in health information.
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: The deep backwoods of the PNW
Jul 25, 2009, 07:49 AM
 
Originally Posted by besson3c:
Yeah, well, Turtle's employer makes him use Lotus Notes!
So did my aforementioned previous employer.

Lotus Notes needs to be taken out back and shot.

Originally Posted by turtle777:
Because it's so hard to encrypt data BEFORE sending it via FTP?

You must work for the government...

-t
Private corp but did government contracts.
Sell or send me your vintage Mac things if you don't want them.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 25, 2009, 02:04 PM
 
Originally Posted by CharlesS:
Like I said, I can connect with my own domain name just fine. All one has to do is, when you get the warning message telling you the domain name you entered and the domain name on the certificate don't match, click the "Always trust www.webhost.com when connecting to www.mydomain.com" check box, and then it works just the same.

Yes, but like I said, Apache cannot offer multiple certificates without each certificate (whether self-signed or not) having its own dedicated IP address.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jul 25, 2009, 05:04 PM
 
So what? Your data is encrypted by the ISP's certificate - the same certificate that's used when you access your web site's control panel via HTTPS in your browser. What's the problem with that?

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Jul 25, 2009, 05:06 PM
 
Originally Posted by shifuimam:
So did my aforementioned previous employer.

Lotus Notes needs to be taken out back and shot.
Amen to that.

-t
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Jul 25, 2009, 05:14 PM
 
… because support is built into Windows Explorer?
I don't suffer from insanity, I enjoy every minute of it.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 25, 2009, 05:33 PM
 
Charles: I see what you are saying. Tell the OS to connect as your domain, receive the ISP's SSL cert, accept it. Sorry, my brain was misinterpreting this somehow.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Jul 25, 2009, 06:15 PM
 
Originally Posted by besson3c:
Originally Posted by ghporter:
As it turns out, my hosting service does offer SSH, for business package customers. That would double my now trivial hosting cost. While moving to a business package would give me more features, I don't use all the features I have with a "home" account as it is. I'm not terribly happy with this situation.
To me, this is just flat out odd. Why would a company want to jeopardize their customer satisfaction this way by limiting their customers to a less secure protocol this way, not to mention potentially create much more work for themselves?
I have to wonder if there is simply no demand for better security on such small-time accounts. And while it's obviously completely insecure to send one's password in the clear, is there ANY evidence that FTP is being targeted by anyone to take over people's accounts? I haven't heard of this happening.

This is not to say that I'm not interested in better security for my account, but just that maybe you're thinking ahead of broad acknowledgment of the existence of a real threat.

Glenn -----OTR/L, MOT, Tx
     
Mac Write
Mac Elite
Join Date: Aug 2000
Location: Vancouver B.C.
Jul 25, 2009, 09:03 PM
 
A web hosting provider is not an ISP (Internet Service Provider). They do not provide you with Internet access to your home or office. The only way my friend does it, and I 100% agree, is to run FTP on a dedicated box when using it for anonymous file download. I run my own VPS and still use FTP, but I so want to kill it off; only allowing root login on XX port while SFTP is on a different port hasn't been successful yet. I also use a bought certificate for IMAP SSL, POP SSL, Webmail SSL, and web site control panel access. Only FTP and normal webpage viewing are not secure on my server at present.
Get busy living or get busy dying
--Stephen King
     
shifuimam
Addicted to MacNN
Join Date: Aug 2006
Location: The deep backwoods of the PNW
Jul 25, 2009, 09:55 PM
 
What I don't get is why shared hosting providers charge extra for SSH/SFTP support (besides the obvious "because they can" reason). It doesn't cost anything extra on their end, at least if they're running Linux servers.
Sell or send me your vintage Mac things if you don't want them.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Jul 25, 2009, 10:44 PM
 
Originally Posted by ghporter:
I have to wonder if there is simply no demand for better security on such small-time accounts. And while it's obviously completely insecure to send one's password in the clear, is there ANY evidence that FTP is being targeted by anyone to take over people's accounts? I haven't heard of this happening.

This is not to say that I'm not interested in better security for my account, but just that maybe you're thinking ahead of broad acknowledgment of the existence of a real threat.
Small-time accounts would be in greater demand than big-time accounts, as they would be able to devote fewer resources to security. However, most scripts just attack whatever they can find. They don't care how big you are, why should they?

Google FTP stolen password, there is all sorts of stuff. Here is one:

http://www.abuse.ch/?p=737

100,000 stolen FTP accounts

Also Google FTP botnet and you'll find more stuff such as this:

http://www.pc1news.com/news/0777/cou...et-zombie.html

These are just quick Google searches, I only skim read these articles. Like I said, security is about providing deterrents. FTP provides the bare minimum.
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jul 25, 2009, 10:49 PM
 
Originally Posted by Mac Write View Post
A web hosting provider is not an ISP (Internet Service Provider). They do not provide you with Internet access to your home or office. The only way my friend does it and I 100% agree is to run FTP on a dedicated box when using it for anonymous file download. I run my own VPS and still use FTP, but so want to kill it off, but only allowing root login on XX port while SFTP on a different port hasn't been successful yet, I also use a bought certificate for IMAP SSL, POP SSL, Webmail SSL, and web site control panel access. Only FTP and normal webpage viewing is none secure on my server at present.

You should disable root login. If you need to log in as root, configure SSH forced commands to restrict what can be done that way, and set up SSH keys. If you want to restrict who has access to a Unix shell, simply set the default shell to be nologin, and set yours to be whatever you want.

My two cents....
     
besson3c  (op)
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Jul 25, 2009, 10:56 PM
 
Originally Posted by shifuimam View Post
What I don't get is why shared hosting providers charge extra for SSH/SFTP support (besides the obvious "because they can" reason). It doesn't cost anything extra on their end, at least if they're running Linux servers.
It does, actually. Encryption requires some CPU overhead. What I don't get though is why SSH stinginess still persists after all these years. The cost of encryption is constant, and CPU improvements allow admins to design their infrastructure to serve much greater scales. Maybe the average user base is increasing at roughly the same speed as CPU improvements and a company's product life cycle, but most companies are moving towards spreading out their load across more CPU cores on more physical nodes/hardware. Surely the tools we have now ought to warrant being a little less conservative here?

Even Dreamhost provides SSH, and they oversell their crap like nobody else.
     
Stogieman
Addicted to MacNN
Join Date: May 2000
Location: Santa Rosa, CA
Status: Offline
Reply With Quote
Jul 25, 2009, 11:23 PM
 
Originally Posted by besson3c View Post
Yeah, well, Turtle's employee makes him use Lotus Notes!

Turtle, on your last day are you going to tell them to shove their Lotus Notes up their ass?
Don't feel bad Turtle, you're not the only one. I'm forced to use Lotus Notes at work too.

Slick shoes?! Are you crazy?!
     
Gavin
Mac Elite
Join Date: Oct 2000
Location: Seattle
Status: Offline
Reply With Quote
Jul 27, 2009, 05:42 AM
 
Properly chrooting sftp is tricky, error-prone and a hassle. Without it users can crawl all over the filesystem.

Many hosts use virtual accounts that are completely separate from system users. These allow access to a particular folder but have no system user privileges at all, no shell access, etc. Relatively easy to do with an FTP server and a database, and the same user record can be used for web based account management, email, billing, etc. There are lots of FTP server packages that will do this out of the box or at least have instructions to set it up, but you're on your own if you want to do this with ssh.

Also it is only recently that you can get an sftp client - at least a decent free one.

It will happen on its own when it's easy for everybody.
You can take the dude out of So Cal, but you can't take the dude outta the dude, dude!
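The two admin-side points in this thread (besson3c's "disable root login, use keys and forced commands, give non-shell users nologin", and Gavin's "properly chrooting sftp is tricky and error-prone") both come down to sshd configuration and the ownership rules OpenSSH enforces on a ChrootDirectory. The script below is an added example written for this page, not code from any poster or from the OpenSSH project; the paths (/srv/sftp, /usr/local/sbin/backup-only), the group name sftponly and the key comment are hypothetical. It prints an sshd_config fragment and an authorized_keys forced-command line, and it checks the rule that usually breaks SFTP chroots: every directory from the chroot up to / must be owned by root and must not be writable by group or others.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical group/paths throughout.

# sshd_config fragment: no root login, key-only auth, and an sftp-only group
# confined to a per-user chroot with no shell, no forwarding.
sshd_hardening_fragment() {
  cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

# Hypothetical group "sftponly": SFTP only, confined below /srv/sftp/<user>.
# Create such a user with a nologin shell, e.g.:
#   useradd -g sftponly -s /usr/sbin/nologin -d /srv/sftp/alice alice
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# authorized_keys line for a root (or service) key that may only run one
# command: the forced-command pattern besson3c refers to. Key material and
# command path are placeholders.
forced_command_key_line() {
  printf '%s\n' \
    'command="/usr/local/sbin/backup-only",no-port-forwarding,no-pty,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER... backup-key'
}

# The rule sshd applies to ChrootDirectory and every ancestor directory:
# owned by root (uid 0) and not writable by group or others.
# Args: owner uid, octal mode (e.g. 755 or 0755). Returns 0 if acceptable.
chroot_component_ok() {
  uid=$1; mode=$2
  [ "$uid" -eq 0 ] || return 1
  case "$mode" in *[2367]?) return 1 ;; esac   # group write bit set
  case "$mode" in *[2367])  return 1 ;; esac   # other write bit set
  return 0
}

# Print "<uid> <octal mode>" for a path; GNU stat first, BSD stat fallback.
stat_uid_mode() {
  stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %OLp' "$1" 2>/dev/null
}

# Walk from the chroot directory up to / and check every component.
# Returns 0 if the whole chain satisfies sshd's rule, 1 otherwise.
chroot_path_ok() {
  p=$1
  while :; do
    out=$(stat_uid_mode "$p") || return 1
    set -- $out
    chroot_component_ok "$1" "$2" || {
      echo "chroot check failed at $p (uid=$1 mode=$2)" >&2
      return 1
    }
    [ "$p" = "/" ] && return 0
    p=$(dirname "$p")
  done
}

# Usage: sh this.sh /srv/sftp/alice   (prints the fragments, then checks the path)
if [ "$#" -gt 0 ]; then
  sshd_hardening_fragment
  echo
  forced_command_key_line
  echo
  chroot_path_ok "$1" && echo "chroot chain for $1 is acceptable"
fi
```

Note that the per-user chroot itself must be root-owned and not writable by the user; give the user a writable subdirectory inside it (for example /srv/sftp/alice/files owned by alice) rather than making the chroot root writable, which is the mistake the checker above flags.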
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.