On Wed, 12 Feb 2003, Jason Wong wrote:

> On Wednesday 12 February 2003 14:02, Chris Wesley wrote:
>
> > Why?  What's a better argument?  It's certainly just a piece of a much
> > larger argument, but avoiding a full-fledged lecture outside the immediate
> > context of the original question (and trying to keep it related to PHP
> > somehow) makes it brief.
> >
> > On Wed, 12 Feb 2003, Jason Wong wrote:
> > > So they allow incoming FTP (presumably that's what people use to upload
> > > their site) but disallow outgoing FTP because someone might sniff the
> > > username/password? Does it make sense?
>
> OK, in keeping with the original question, again, why would they allow
> incoming FTP but disallow outgoing FTP? What is the incremental risk?

The original question dealt with making an FTP connection to an outside
FTP site from a web host.  The FTP server and the web server aren't run by
the same people/company.  The web hosting provider objected to allowing
outgoing FTP connections.  Nowhere in this thread is the opinion of the
owner of the FTP site about incoming or outgoing FTP connections.  Also,
nowhere in this thread is mentioned how files are uploaded to the web
host.  That's left to our imaginations, I guess.

If you assume the users use FTP for uploads, then you have to assume the
hosting company is a band of hypocrites.

If you assume the users use SFTP or SCP for uploads, then you have to
assume the hosting company's objection to outgoing FTP is actually
addressing a security concern.  I erred to this side so as not to unduly
ridicule anyone, and to share some pertinent insight from my experiences
with running a secure shared host.  Also, the manager-speak in the
original message included verbiage from the hosting company stating that
the company had already been burned by a similar circumstance.  They
apparently learned from it and are being somewhat smart about what they
enable and disable.  I gave them the benefit of the doubt on whether they
were really addressing a security concern ... and I agree that there is a
security concern to address.

        ~Chris





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
