Secure FTP
I’ve been hosting a few other sites on my server, for some friends, for quite a while. Up until now the sites have just contained weblogs, so I haven’t had to worry about securing file transfers and such. For my own site development I created a nice little AppleScript applet that uses rsync over ssh to synchronize a local directory on my PowerBook with my public html directory on the server. The applet has a text box to view the rsync output and two buttons, “synchronize” and “quit”. It’s worked well, so when one of my friends called me and said he wanted to add some things to his site, I contemplated just modifying the applet for him to use (he’s on OS X also). Then I started thinking about the larger picture: what if one of my other friends who doesn’t use OS X wants to have access to their public html folder? My first thought was to just enable FTP. Despite its utter lack of security it still seems to be widely used by web hosting services. However, I just can’t get over the security issue. The idea of clear text usernames and passwords flowing across the internet to my server is just too much.
I wondered if any WYSIWYG clients supported more secure methods of file transfer, so I checked out Macromedia’s Dreamweaver site. I was pleased to see that yes, Dreamweaver MX 2004 now supports secure FTP (SFTP, which runs over ssh). That’s good, but restricting all my users to a particular client didn’t seem like a good solution either. That’s when it hit me: if Dreamweaver has a secure FTP client built into it, surely there are some freely available, plain, secure FTP clients around. I checked into this a year or two ago, but at the time I couldn’t find a client I liked, one that’s simple and easy for anyone to use. I was hoping things had changed since then, and sure enough, I went to Apple’s OS X downloads site and immediately came across “Transmit”, a nice secure FTP client for OS X that anyone can use. I haven’t bothered to check for Windows clients, but I’m sure they’re out there. So, not only will I be able to keep server access relatively secure, I don’t have to change a thing on the server (since SFTP only needs the ssh server that’s already running). I love it when things work out like this.
September 25th, 2003 at 9:04 am
Transmit, my favorite FTP client, has a cool synch feature and it’s scriptable. This means that you can create hands-off, automated synchs with little effort. When tied to a folder action, no user interaction is required.
Disclaimer: Not affiliated bla bla happy user bla bla.
September 30th, 2003 at 5:57 am
Jeff,
As a Web developer, just wondering how important (relatively) secure FTP is. Or better, how insecure is regular old FTP? I’d be interested in your thoughts on the advantages.
September 30th, 2003 at 7:33 pm
Your comment reminded me of a question one of my professors asked in class last year: “How much security does your organization need?” The answer: “As much security as your organization needs.” In other words, it all depends. Basically, what SFTP provides over FTP is encryption. Encryption is only valuable if there’s a possibility of someone intercepting the communication. For instance, if your server is hosted at a remote data center and you’re connecting from your local ISP, there are a lot of in-between points where someone could be “sniffing” the network traffic between the machines. If you logged in using FTP, someone could easily “sniff” your username and password, giving them access to your machine. However, if you’re using SFTP the traffic is all encrypted, so it looks like garbage to anyone who intercepts it.
It all comes down to how easy it is to “sniff” the data. These days it’s pretty easy. A few years ago, when broadband internet first came out, the city I lived in was one of the first to implement a high speed network across the city. At the same time I came across a network sniffer called “ethereal.” Just out of curiosity I turned it on to see what kind of network traffic I could intercept. Within an hour I had usernames and passwords for quite a few neighbors that lived within a radius of about 5 blocks. I got the usernames and passwords by monitoring their email traffic. Whenever their email client logged into the server to check their mail, it sent the username and password in “clear text”. The username and password were the same for the FTP accounts, so I could have easily logged on to each person’s account and modified their web pages, email, etc. (fortunately I was only curious and not malicious).
In certain cases it’s still possible to use FTP without risking much security. At my last job we used plain FTP quite often because the FTP connection was firewalled to prevent anyone from accessing it from outside the building/network. In addition the building was equipped with network switches that prevented “sniffing” across different lines. So if I plugged my computer into the network I’d only be able to see the traffic directed to and from my computer. In an environment like that using FTP isn’t much of a risk.
Basically it comes down to this: is it a risk you find acceptable? Is it likely that someone will gain control of a switch or router between your computer and your server and intercept your traffic? Probably not, but it’s possible. The more I can reduce that possibility, the better.
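The sniffing described in the reply above, as an added example that is not part of the original thread: a small parser over raw client-to-server payloads showing what a passive sniffer recovers from FTP, from POP3 (the mail logins mentioned in the story), and from an SSH session such as SFTP or scp. The session bytes, host names and version banner are constructed for the example, not captures from the author’s network; the same reused username and password is planted on the FTP and POP3 sessions to model the point that the mail password also opened the FTP account.

```python
"""
Added example (not code from the original post).  Models what a sniffer on
the path between client and server sees for the protocols in the thread.

FTP (RFC 959) and POP3 (RFC 1939) send the login as plain USER/PASS lines,
so a few lines of parsing over the reassembled TCP payload is all an
attacker needs.  SSH, the transport under SFTP and scp, exposes only its
identification string; everything after the key exchange is ciphertext.
All payloads below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed client->server payloads, as a sniffer would reassemble them.
FTP_SESSION = (
    b"USER alice\r\n"
    b"PASS hunter2\r\n"
    b"CWD public_html\r\n"
    b"STOR index.html\r\n"
)

POP3_SESSION = (
    b"USER alice\r\n"
    b"PASS hunter2\r\n"
    b"STAT\r\n"
    b"QUIT\r\n"
)

# SSH: a readable identification string, then (here, stand-in) binary key
# exchange and encrypted packets.  The version is an assumed value.
SSH_SESSION = b"SSH-2.0-OpenSSH_3.6.1p2\r\n" + bytes(range(256)) * 2

# Both FTP and POP3 use the same "USER x" / "PASS y" command shape.
_CMD_RE = re.compile(rb"(USER|PASS)[ \t]+(.*)$", re.IGNORECASE)


def extract_logins(payload):
    """Pair each clear-text USER command with the PASS that follows it.

    Returns [(user, password), ...] in the order seen.  A failed attempt
    followed by a retry yields two pairs.  A USER that is never followed by
    a PASS is dropped, and a PASS with no preceding USER is ignored, so a
    session that never logged in yields [].  Ciphertext yields [] because
    no line parses as a command.
    """
    logins, user = [], None
    for line in payload.split(b"\n"):
        m = _CMD_RE.match(line.rstrip(b"\r"))
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).decode("latin-1")
        if cmd == b"USER":
            user = arg
        elif user is not None:
            logins.append((user, arg))
            user = None
    return logins


def ssh_visible_text(payload):
    """What the same sniffer gets from an SSH session: the identification
    string only, which SSH sends in the clear before the key exchange.
    Returns None for anything that is not an SSH stream."""
    if not payload.startswith(b"SSH-"):
        return None
    return payload.split(b"\r\n", 1)[0].decode("ascii")


def reused_credentials(captures):
    """Map each captured (user, password) pair to every service it was seen
    on, keeping only pairs that unlock more than one service.

    `captures` maps a service label to that service's client payload.  This
    is the situation in the reply above: a password sniffed from a mail
    login that also opens the FTP account.
    """
    services_by_cred = defaultdict(set)
    for service, payload in captures.items():
        for cred in extract_logins(payload):
            services_by_cred[cred].add(service)
    return {cred: sorted(svcs) for cred, svcs in services_by_cred.items()
            if len(svcs) > 1}


if __name__ == "__main__":
    captures = {"ftp": FTP_SESSION, "pop3": POP3_SESSION, "ssh": SSH_SESSION}
    for name, payload in captures.items():
        print(name, "logins:", extract_logins(payload),
              "ssh banner:", ssh_visible_text(payload))
    print("reused across services:", reused_credentials(captures))
```

Running it prints alice/hunter2 for the FTP and POP3 captures, an empty login list plus the bare version banner for the SSH capture, and the reused pair tagged with both clear-text services. The parser is deliberately forgiving (case-insensitive commands, retries kept as separate pairs) because that is how a real sniffer has to treat traffic it does not control.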
October 1st, 2003 at 6:32 am
Thanks for the incredibly informative response. If you don’t mind I’ll keep it for reference!
October 13th, 2003 at 8:57 pm
WinSCP –> http://winscp.sourceforge.net/eng/ does both file transfer via ssh (scp) and secure FTP (SFTP). As the name indicates, it runs on Windows.
Sam
October 14th, 2003 at 9:57 am
This reminded me of a utility I used in school called Gftp. I was writing ColdFusion and pushing the code to the Windows FTP server to test it. It was a major pain in the keester until I found Gftp which was a great utility.
BTW, I work for a linux based company, LinuxNetworx. What company do you work at? We’re a unique breed I think.