ftp vs http vs scp

From: der Mouse <mouse_at_Rodents.Montreal.QC.CA>
Date: Fri May 28 15:33:17 2004

After reading over the last bunch of messages in the thread, I think
it's probably fair to say that

- Both HTTP and FTP have a lot more capabilities than are routinely
  used; each provides the potential to do what the other can, with
  varying degrees of kludgitude. Both, for example, support anonymous
  access, passworded access, more complex authentication/authorization
  mechanisms, and SSL protection.

- Both are fairly heavyweight and bloated; the major difference is
  where the bloat lurks (FTP's wire protocol is significantly more
  complex, but once the wire protocol is dealt with, FTP is basically
  done whereas HTTP's issues are just beginning).

- The commonest clients emphasize different things and thus support
  differently-directed subsets of the protocols (for example, a greater
  proportion of clients support SSL for HTTP than for FTP; but a
  greater proportion of clients support file renaming for FTP than for
  HTTP).

Two individual points (drawn from different messages)

> scp? Never used it. How portable is it to different platforms?

It's reasonably widely implemented across platforms that have a
mostly-Unix view of files (the "file is just a big array of octets"
paradigm). It's a bad match to the sort of more complex file that FTP
record or page structures are designed for.

Its dependence on crypto is not really that bad. If you're willing to
support only a few crypto algorithms, you don't need much code (and I
speak from experience here; I've done an ssh implementation that's not
quite completely ready yet, but is most of the way there, and the
crypto is actually a fairly small fraction of it).

> There are probably more http server exploits than ftp server
> exploits, [...]

I suspect there are more webserver exploits than ftp server exploits
for three reasons:

(1) There are a lot more webservers than FTP servers running out there,
    thus, more cracker attention is paid to them.

(2) $EVERYBODY and $DOG wants a website, but not an FTP site, so a
    greater proportion of websites than ftp sites are run by admins who
    are, ahem, less than tremendously competent.

(3) Culturally, webservers are required to be all-singing-all-dancing,
    whereas FTP servers are not: it's the rare FTP server that computes
    content with perl scripts on demand, but it's the rare webserver
    that doesn't.

None of these have much to do with which protocol is better suited to
any particular task, or which is more secure when locked down to a
given level of functionality.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
 X Against HTML mouse_at_rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Received on Fri May 28 2004 - 15:33:17 BST
