Firewall Wizards mailing list archives

Re: Our friend FTP, again


From: Chad Schieken <chad.schieken () lexicon ins com>
Date: Thu, 15 Apr 1999 12:38:06 -0400




let's give Marcus the benefit of the doubt and assume he meant https 

But -- he'd like to comment directly...Maybe he didn't. 

At 12:52 PM 4/15/99 +0400, ark () eltex ru wrote:
-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

"Marcus J. Ranum" <mjr () nfr net> said :

Is there any way of seeing the following happen?
1) enhanced servers and clients that multiplex [...]
2) a cryptographic cookie value passed [...]
3) have a passive mode connection always [...]

How about the following:
     1) Deprecate FTP as an Internet protocol; declare it obsolete.

I think we can not. It is too widespread. Too many legacy applications.

     2) Use HTTP for all file downloads

HTTP is no good. A new control connection for every file you download
is an authentication nightmare. HTTP lacks a reliable OTP implementation,
both client and server sides. HTTP causes problems when uploading files.

     3a) Use ssh for all file transfers and build in an anonymous
             "put" capability in the copy utility

I definitely like the idea but..

     -or-
     3b) Use some kind of upload capability built into browsers
             and server POST methods. This one scares me because
             web servers are as insecure/messy as FTP but at least
             the protocol isn't as ugly. By a narrow margin.

It isn't "as ugly", it is just a different kind of ugliness..


There's all kinds of things that can be done to improve FTP
but the single best would be to shoot it and shovel dirt
over it. :(

Maybe..   
I don't think it is SO bad ;) The problem mentioned in the original message
does not seem to be too dangerous ;)
(just checked ftp-gw source to see if it really does compare client IP
addresses for data and control connections ;)

P.S. there are other protocols that behave in an FTP-ish way, say, CVS and CVSup
(if I remember details correctly), BSD r* commands too..

P.P.S. and there are much uglier thingies like H.323 or just brain-dead
like ICQ..
                                    _     _  _  _  _      _  _
{::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
(##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
[||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!




INS Philadelphia
610-313-4100
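The check ark mentions finding in the ftp-gw source (comparing the client's IP address on the data connection with the one on the control connection, in both active and passive mode) written out as a standalone illustration. This is an added example in Python, not ftp-gw's code or anything from the thread; the class and function names and the sample addresses are my own, and the privileged-port refusal is the additional restriction recommended by RFC 2577 rather than something the message describes.

```python
import ipaddress
import re

# RFC 959 "PORT h1,h2,h3,h4,p1,p2"; octet ranges are validated after matching.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line):
    """Return (host, port) from a PORT line, or raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed PORT command")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    host = ".".join(str(o) for o in octets[:4])
    return host, octets[4] * 256 + octets[5]


class FtpDataGuard:
    """Ties every data connection of one FTP session to the control peer's IP.

    Hypothetical helper: a proxy or server would create one per control session.
    """

    def __init__(self, control_peer_ip):
        self.control_peer = ipaddress.ip_address(control_peer_ip)

    def check_active(self, port_line):
        """Active mode: the client names a data endpoint; it must be the client itself."""
        try:
            host, port = parse_port_command(port_line)
        except ValueError as exc:
            return False, str(exc)
        if ipaddress.ip_address(host) != self.control_peer:
            return False, "PORT host %s is not the control peer %s" % (host, self.control_peer)
        if port < 1024:
            # RFC 2577 section 2.2: do not open data connections to privileged ports.
            return False, "PORT targets privileged port %d" % port
        return True, "ok"

    def check_passive(self, data_peer_ip):
        """Passive mode: whoever connects to the data listener must be the control peer."""
        if ipaddress.ip_address(data_peer_ip) != self.control_peer:
            return False, "data connection from %s, control from %s" % (data_peer_ip, self.control_peer)
        return True, "ok"
```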


