Re: website & ftp downloads update
From: Ivan Vučica
Subject: Re: website & ftp downloads update
Date: Fri, 5 Jan 2024 19:08:20 +0000
+1, FTP is insecure (no validation whatsoever that your connection did not get
intercepted), needlessly forces the requester to distinguish between text
and binary files before initiating a request, and defaults to pushing a file
back by opening a new connection to the requester (which is not useful at a time
when NAT is prevalent, nor is it a security measure given the concern is that
in-flight connections can also get intercepted and manipulated).
FTP is tolerable if users validate hashes and signatures of hashes of received
files, but otherwise isn’t fit for purpose anymore. I’m ok running a read-only
server for those who really want to fetch files over FTP (or need to, for
various reasons), but they need to secure their downloads themselves at that
point.
(This is off topic for the discussion on whether the ftp URL scheme should be
supported, but I’ll also state that I am unwilling to run a read-write FTP
server, as that encourages login attempts where the passphrase is unencrypted
in flight.)
> On 22 Oct 2023, at 15:38, Daniel Boyd <danieljboyd@icloud.com> wrote:
>
> I’m very much in favor of protesting the unnecessary obsolescence of
> perfectly good technologies, but FTP is a pretty terrible protocol. Securing
> an FTP server properly is a bit of a minefield, particularly if you need to
> accommodate active mode. Of course, many tools and methods exist to do that,
> but it’s kind of silly to think how much collective effort the open source
> community has put into working around the flaws and limitations of FTP :)
>
> Sent from my iPhone
>
>> On Oct 22, 2023, at 09:33, Richard Frith-Macdonald
>> <richard@frithmacdonald.me.uk> wrote:
>>
>>
>>
>> On 22 Oct 2023, at 15:16, Riccardo Mottola <riccardo.mottola@libero.it>
>> wrote:
>>
>>> Hi Marco,
>>>
>>> Marco Cawthorne wrote:
>>>> I was wondering about the download links on the page. They still use
>>>> the ftp:// protocol which has regrettably been phased out by every
>>>> major browser.
>>>
>>> well, ftp support is intentional, since it is traditional. Every major
>>> browser... you mean every chrome-clone, since Chrome dropped support for
>>> it? If Google is too ignorant to distinguish between a hyper-text (transfer
>>> protocol) and a file... I don't know...
>>> But I guess it is evil that spreads like URL part and protocol hiding,
>>> https enforcement for pages that don't need it at all, etc, etc.
>>
>> I think ftp is (like telnet) being dropped in most places because of its
>> lack of security, and in general I'm in favour of the trend to always use
>> encrypted communications.
>>
>> What seems regrettable is that browsers have dropped ftp:// without
>> implementing sftp:// as a replacement, though to be fair, support for large
>> file download over https:// is normally fine nowadays.
>> So I guess there's no compelling need for sftp://
>
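The hash-and-signature check Ivan describes, as an added example that is not part of this thread or of the project's own release tooling. It assumes the publisher ships a SHA256SUMS file plus a detached OpenPGP signature over it; the file names, the keyring path and the sample data are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the GNUstep project): verify a file
# fetched over plain FTP against a published SHA256SUMS file, and verify the
# sums file itself against a detached OpenPGP signature. File names, keyring
# path and sample contents are assumptions made for this demo.

# check_sha256 DIR FILE SUMS
#   Exit 0 if DIR/FILE matches the SUMS entry that names FILE, 1 otherwise.
#   Only the entry for FILE is fed to sha256sum, so a sums file that lacks the
#   entry and a file altered in flight both fail; other entries cannot mask it.
check_sha256() {
  dir=$1; file=$2; sums=$3
  (
    cd "$dir" || exit 1
    # sha256sum writes "<hex>  <name>" (or "<hex> *<name>" in binary mode)
    awk -v f="$file" '$2 == f || $2 == "*" f' "$sums" \
      | sha256sum -c --status --strict
  ) 2>/dev/null
}

# check_signature SUMS SIG KEYRING
#   Exit 0 when SIG is a good detached signature over SUMS by a key held in
#   KEYRING. Needs gpg; the keyring must come from a trusted channel, not from
#   the same FTP server the download came from.
check_signature() {
  sums=$1; sig=$2; keyring=$3
  gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" \
    >/dev/null 2>&1
}

# make_fixture: constructed test data. Prints a directory holding
#   good/  the publisher's file and its SHA256SUMS
#   mitm/  the same SHA256SUMS, but the file as an interceptor rewrote it
make_fixture() {
  root=$(mktemp -d)
  mkdir "$root/good" "$root/mitm"
  printf 'stand-in for a release tarball\n' > "$root/good/gnustep-base.tar.gz"
  ( cd "$root/good" && sha256sum gnustep-base.tar.gz > SHA256SUMS )
  cp "$root/good/SHA256SUMS" "$root/mitm/SHA256SUMS"
  printf 'same name, different bytes\n' > "$root/mitm/gnustep-base.tar.gz"
  echo "$root"
}

# Stand-alone run: the check passes on the genuine file and fails on the
# substituted one.
fixture=$(make_fixture)
for d in good mitm; do
  if check_sha256 "$fixture/$d" gnustep-base.tar.gz SHA256SUMS; then
    echo "$d: sha256 OK"
  else
    echo "$d: sha256 MISMATCH or entry missing"
  fi
done
rm -rf "$fixture"
```

The hash check alone only proves the file matches the sums file; if both came over the same unauthenticated FTP connection, an interceptor can rewrite both. The signature over the sums file is what ties them to the publisher, and it is only as good as the channel the public key arrived through, which is why check_signature takes an explicit keyring rather than whatever the FTP site offers.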