Neil Turner's Blog

Blogging about technology and randomness since 2002

Secure file transfers

Since an increasing number of my peers now distrust FTP for file transfers for almost anything but downloads, I decided to find secure alternatives for the FTP servers I use most often.


Interestingly there are 4 methods of transferring files securely. The first two are variations of FTP, but using SSL – one uses it implicitly, the other explicitly. Then there’s SFTP, which as far as I can gather is a separate protocol, and SCP, which uses the scp (secure copy) command in an SSH session.
There are 4 servers that I frequent. The first is the FTP server for this site, which only supports FTP over SSL Explicit. For this I use SmartFTP which supports standard unsecure FTP as well as both varieties of FTP over SSL.
The second is the FTP server for Scrapie, for which I use SCP since we have shell access. The open source WinSCP is my weapon of choice here – despite the fact it uses SSH it actually works just like any other FTP client.
The other two are my University of Bradford user space and my School of Informatics web space at lamp.inf.brad.ac.uk. This is where it gets annoying, because despite there being 4 technologies at my disposal, none of them are supported. The web space has no secure file transfer capability at all. My user space does support SCP but WinSCP doesn’t like it – it throws an error message when it tries to view the contents of a folder. I’m guessing this is because it doesn’t understand the output of the ls command that the server produces – the server runs on (I think) Solaris and uses the C-shell instead of bash which is what WinSCP may be expecting.
Either way, the very fact that one of those servers has no secure method of logging in is slightly annoying, and a bit of a security risk. Looks like I need to talk to the head of tech support in Informatics to see what they can set up.
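
The explicit and implicit FTP-over-SSL variants mentioned above differ in when encryption starts: explicit FTPS begins as plain FTP and upgrades with `AUTH TLS` (RFC 4217), while implicit FTPS starts TLS before any FTP command. The following is an added example, not part of the original post, that audits a client session log for what would cross the network unencrypted; the logs, host details and the function name `audit_ftp_session` are constructed for illustration.

```python
# Added example. Logs are constructed; "C:" = client command, "S:" = server reply.
TRANSFER = {"STOR", "RETR", "APPE", "LIST", "NLST", "MLSD"}

PLAIN = """S: 220 ready
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: STOR config.php"""

EXPLICIT = """S: 220 ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: PROT P
S: 200 Protection level set to Private
C: STOR config.php"""

def audit_ftp_session(log, implicit_tls=False):
    """Return what an on-path observer could read from this session."""
    tls = implicit_tls        # implicit FTPS: TLS precedes the first FTP command
    prot_private = False      # RFC 4217: data channel is clear until PROT P succeeds
    last_cmd = None
    result = {"cleartext_credentials": False, "cleartext_data": False}
    for line in log.splitlines():
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "C":
            verb = words[0].upper()
            arg = words[1].upper() if len(words) > 1 else ""
            last_cmd = (verb, arg)
            if verb in ("USER", "PASS") and not tls:
                result["cleartext_credentials"] = True
            if verb in TRANSFER and not (tls and prot_private):
                result["cleartext_data"] = True
        elif side == "S" and last_cmd:
            code = words[0][:3]
            if last_cmd[0] == "AUTH" and code == "234":
                tls = True    # explicit FTPS: control channel upgraded here
            elif last_cmd[0] == "PROT" and code == "200":
                prot_private = tls and last_cmd[1] == "P"
            last_cmd = None
    return result
```

An explicit session that logs in after `AUTH TLS` but never sends `PROT P` still reports `cleartext_data`, because only the control channel was upgraded.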

10 Comments

  1. What about it do they not like or distrust? I know you are subject to man-in-the-middle attacks, but just how likely is this to happen? I guess working from a university you are more likely to be vulnerable…
    I must admit I’ve yet to see any form of secure FTP access at ISPs or uploading facilities.

  2. The Informatics department have an ssh server don’t they? They may not support it, but you could probably use ftp through an ssh tunnel. It’d mean the traffic between the ssh server and the ftp server is unencrypted – but given you’ll be using standard samba shares whilst in the university anyway it’s no major loss.
    ssh -L 21:ftp.brad.ac.uk:21 linux.inf.brad.ac.uk
    then ftp localhost
    (sorry, don’t know the address of the ssh server)
    or
    ssh -D 8080 linux.inf.brad.ac.uk
    then use 127.0.0.1 port 8080 as your socks server.
    I’ve never tried tunneling ftp in either of these ways, but in theory it’ll work. HTTP and RDP certainly do. You might need passive mode though.

  3. Andy – we don’t like the fact that we are sending passwords over plain text connections. Anybody sniffing the network would get the username, password and any data we are sending. When uploading to ftp servers we may well send files with passwords in – eg. the username/password for the mysql server on this site. By uploading that file, not only the file server, but the database password may be seen by undesirables. Finally, ssh and ssl can both authenticate the server, avoiding dns hijacks.
    When transferring my files to/from university I’ll do it from the university. I make sure I run Unison over an ssh connection into our home server after doing any work to ensure both places are synchronised.

  4. What Richard said. It’s the same reason why you use SSH instead of Telnet or rlogin.
    Of the two Informatics servers that should allow SSH, one has port 22 filtered and the other closed. I seem to remember using SSH when in halls so maybe it’s blocking connections from outside the 143.53.* IP range.

  5. You should check out [FileZilla][1]; it does what both those programs do, I think. And you could use [OpenSSH for Windows][2] or [Cygwin][3] to set up an SSH server.
    [1]: http://filezilla.sf.net
    [2]: http://sshwindows.sf.net
    [3]: http://www.cygwin.com

  6. I’m guessing Bradford don’t offer VPN access to the network from Off-Campus? That’s certainly what I need to use to communicate with the Students server at Stirling Uni.

  7. I’ve used FileZilla in the past. I’m afraid I really don’t like it – I found the interface clunky and awkward. SmartFTP may have that annoying ‘register me!’ message every time you start it but after that it’s fine to use.
    Also FileZilla doesn’t support SCP, as far as I know.

  8. Another secure file transfer protocol that you haven’t mentioned is WebDAV over HTTPS. Given the widespread client support, I’m surprised I don’t see more servers using it.

  9. I get the same problem with using SCP with muser, it just complains. But you can always SSH into muser and use SCP from that end. If you have sshd running, that is.
    I was discussing the absolute lack of security here with somebody the other day. With it being the Informatics department they really should know better.

  10. Tom: I quite agree. It’s especially true when Informatics runs a Masters course in Computer Systems security…