On Thursday 27 May 2004 18:36, Pete Turnbull wrote:
> I recently had a discussion with our security advisor at work, about
> FTP being replaced by HTTP and SCP. Some people would like to
> replace "insecure" FTP with "modern" services like SCP and HTTP
> (something along the lines of "we don't do anonymous FTP, stick the
> file on a web page instead"), and argue that they're safer and
> there's no loss of functionality. I'm not so sure. For example, FTP
> understands the difference between a unix-style "stream of bytes"
> file, and a structured one such as might be found under VMS (or any
> of several other OSs) -- and can deal with the difference.
Can't you cover that problem with something like an archiver? VMS
BACKUP format, or something else that's designed to store enough info
so that you can send record-mode files over a "generic bitstream"
connection. Not necessarily ideal, but it should be able to work,
assuming you can get an http client (wget) for your platform, or build
a simple one, which shouldn't be all that hard (assuming you have
enough to build an ftp client).
IMHO, just switching to a web server doesn't necessarily make things
more "secure," well, unless you're using wu-ftp. :) But, for thing
that require a password set over a connection that I don't physically
own all the machines on, I really don't like sending that password
unencrypted; that's something that https and ssh/sftp/scp can do and
ftp can't (easily) do, without tunneling over an encrypted VPN
connection or something.
Pat
--
Purdue University ITAP/RCS --- http://www.itap.purdue.edu/rcs/
The Computer Refuge --- http://computer-refuge.org
Received on Fri May 28 2004 - 08:35:25 BST