Re: OFFLIST Re: TECH: info on ftp
From: Mark J. Reed <markjreed@...>
Date: Wednesday, August 27, 2008, 9:58

1. That wasn't offlist. :)

2. No. The password isn't stored anywhere people can access it on the
site - it's not quite that bad. :)

But whenever you send information over the Internet between two
computers, software running on a third computer that is topologically
"between" the first two can look at that information, too. The fact
that such software (called a "sniffer") has to be running somewhere
between the two computers in question is not a very stringent
requirement if the two computers are far enough apart, especially if
the sniffer is installed on a lot of unsuspecting folks' computers via
a virus.

Sniffers can only capture your password in real time, while you're in
the process of logging in via FTP, but software is patient.

This is why there's ssh and scp and https:// URLs - those extra S's
stand for "secure". Which is perhaps an overstatement, but it's
definitely *more* secure. :) The data "on the wire" in such cases is
encrypted, and someone in between the two computers, even with access
to the complete session, has no way of decrypting the data.

Well, at least not as long as the cryptographic algorithm isn't
broken, quantum computing doesn't get practical, and the sniffer isn't
being run by a government or large corporation with a particular
reason to throw a lot of expensive resources at finding out David J.
Peterson's website password. But in the latter case they could
probably just pay/sue/harass your hosting provider to get what they
need anyway. :)

On Wed, Aug 27, 2008 at 4:20 AM, David J. Peterson <dedalvs@...> wrote:
> Hey Sai,
>
> <<
> One thing to mind is that FTP, unless you're doing something advanced, sends
> passwords and content in the clear over the internet. This means that anyone
> between the two computers involved can read any of that data, including the
> username/password. So don't use it for anything sensitive, and never ever
> use the same password for FTP as you use for anything else... 'cause the
> first thing someone malicious would try would be to reuse that same
> user/pass on other sites (e.g. web mail services).
> >>
>
> So, I read this, and immediately thought: WHAT?! So, take
> my personal website:
>
> http://dedalvs.free.fr/
>
> I use an FTP program to update (upload stuff, etc.). (The program
> is called Transmit, by the way. It's for Mac and wonderful, but
> it costs money to register [but if you don't register it, you can
> still use it for 10 minutes at a time].) But, what exactly does this
> mean? Does this mean, essentially, that anyone that navigates
> to my site or downloads something off it can access my password
> and username? Or is this a different type of FTP transfer that
> you're talking about?
>
> -David
> *******************************************************************
> "A male love inevivi i'ala'i oku i ue pokulu'ume o heki a."
> "No eternal reward will forgive us now for wasting the dawn."
>
> -Jim Morrison
>
> http://dedalvs.free.fr/
>
--
Mark J. Reed <markjreed@...>
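
Added example, not part of the original message: a small audit of an FTP control-channel transcript that reports when a login was readable by anything on the path, and stops once the session upgrades with AUTH TLS (RFC 4217). The transcripts, host name, user name and the function name audit_control_channel are constructed for illustration.

```python
import re

# Constructed FTP control-channel transcripts (client lines prefixed "C:",
# server lines "S:"); host, user and password values are made up.
PLAIN_SESSION = """\
S: 220 ftp.example.net ready
C: USER alice
S: 331 Password required
C: PASS hunter2-constructed
S: 230 Logged in
"""
TLS_SESSION = """\
S: 220 ftp.example.net ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""

CMD = re.compile(r"^C:\s*(\w+)(?:\s+(.*))?$")

def audit_control_channel(transcript):
    """Return findings for credentials visible in a cleartext transcript.

    Anything readable here is readable by an on-path observer as well.
    Once the server accepts AUTH TLS (reply 234) the rest of the channel
    is encrypted, so nothing after that point would be visible.
    """
    findings, user, pending_auth = [], None, False
    for line in transcript.splitlines():
        if line.startswith("S:"):
            if pending_auth and line[2:].strip().startswith("234"):
                break  # channel switches to TLS; no further cleartext
            pending_auth = False
            continue
        m = CMD.match(line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), (m.group(2) or "")
        if verb == "AUTH":
            pending_auth = True
        elif verb == "USER":
            user = arg
        elif verb == "PASS":
            # Report the exposure, never the secret itself.
            findings.append({"user": user, "password_exposed": True,
                             "password_length": len(arg)})
    return findings
```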