David Rothman wrote:
> 
> first, thanks very much for the detailed response.

You're welcome.
 
> > During an FTP session, the password and all data is
> > transferred in the clear, meaning that anyone with a network
> > sniffer can get your password or your data easily. Also, there
> > are a number of root exploits against various FTP servers (I
> > don't know the details, just that they exist).
> 
> i've seen this mentioned before, but if u look around at the
> various FTP programs, each boasts of its enhanced security.
> isn't it possible some of the ftp's around have some
> reasonable degree of security?

The FTP protocol itself does not involve any kind of security
other than a simple password authentication. If an FTP suite
is marketed as having "enhanced security" then it probably
means merely that it's had a security audit done on the code
to close off possible intrusion exploits (I'm getting out of
my depth here on security issues, though; be warned).

> is my following summary reasonable:
> 
> (1) if on an occasional basis u need to xfer a sensitive
> document and if ftp is in fact insecure in all its flavors,
> u merely use some form of encryption (pgp or otherwise) and
> send it using ftp (because of its simplicity). alternatively
> one could go the SSH route, but it's a step up in
> complexity.

I would never transfer a "sensitive" document (eg, one that
if it were intercepted could involve loss of my job,
or loss of income to my employer) via plain FTP.
Encryption with PGP or similar is a reasonable
alternative, but remember that as soon as you tell the FTP
server your password you may be opening up all the
files accessible using that password to anyone who happens
to be looking. FTP is fine if you don't care who can
see the stuff you're copying around.

The SSH suite has an FTP-like program called scp, which
can be used to move files securely between hosts that
support SSH. It's easier to use than FTP, IMO:

C:> scp .\top_secret.txt mojo-jojo.com:/my_secret_files/top-secret.txt

would copy local file "top_secret.txt" to the /my_secret_files
directory on machine mojo-jojo.com.

> (2) in situations where a regular connection is needed, one
> would consider building a VPN.

Right.
 
> and if ok, is the win 2000 VPN stuff a reasonable place to
> start playing?  how hard is it to work with?

I don't know anything about the w2k VPN software, sorry.


-- Joe Knapka
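
Added example, not part of the original message: a small audit of a captured FTP control channel that reports what a passive observer of the session learns (login name, that the password was readable, which files moved, and where the unencrypted data connection went). The capture text, its "C:"/"S:" direction prefixes, the host, the user name and the password are all constructed for illustration.

```python
# Added example: audit a captured FTP control channel for cleartext exposure.
# SAMPLE_CAPTURE is constructed; "C:"/"S:" mark client and server lines.
import re

SAMPLE_CAPTURE = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2-constructed
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: STOR top_secret.txt
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

CMD = re.compile(r"^C:\s*([A-Za-z]{3,4})(?:\s+(.*))?$")
PASV = re.compile(r"^S:\s*227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def audit_control_channel(capture: str) -> dict:
    """Summarise what anyone watching this session on the wire can read."""
    report = {"user": None, "password_seen": False, "password_length": 0,
              "files": [], "data_endpoint": None}
    for line in capture.splitlines():
        m = CMD.match(line.strip())
        if m:
            verb, arg = m.group(1).upper(), (m.group(2) or "")
            if verb == "USER":
                report["user"] = arg
            elif verb == "PASS":
                # Record only that it was readable, never the value itself.
                report["password_seen"] = True
                report["password_length"] = len(arg)
            elif verb in ("RETR", "STOR"):
                report["files"].append((verb, arg))
            continue
        pasv = PASV.match(line.strip())
        if pasv:
            h1, h2, h3, h4, p1, p2 = map(int, pasv.groups())
            # RFC 959: port = p1 * 256 + p2; file contents go here unencrypted.
            report["data_endpoint"] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return report

if __name__ == "__main__":
    print(audit_control_channel(SAMPLE_CAPTURE))
```

Encrypting the file with PGP before upload would hide only the contents sent to the data endpoint; the USER and PASS lines would still appear in the report.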