Archived Forum Post

Question:

FTP: secure connection

Sep 26 '12 at 08:09

After heavy testing I am at a point where I have to ask a question regarding security. We want to use your lib to develop a C++ based application which allows our customer to upload files to our ftp-server.

But we have to make sure that nobody can extract or sniff the login data while connecting to the ftp-server. As far as I can see, implementing SFTP is not a good idea (too many rights, and our NAS does only allow 'admin' to connect via SFTP).

But which is the best and most secure way to give FTPS access?

Not sure how deep encryption goes here? Do both encrypt login data, so the user can't sniff it while connecting to the server?


Answer

In both cases, the login happens over an SSL/TLS connection.


Answer

Thank you. Think I got the point and both are OK to use, but should stick to Implicit SSL:

FTPS Implicit SSL

In implicit SSL mode a required SSL session is established between client and server before any data is exchanged. In other words, the use of SSL is implied because any attempt made by a non-SSL client would automatically be refused by the server. Typically FTPS implicit SSL services run on port 990.

FTPS Explicit SSL

In explicit SSL mode the client can optionally switch from unencrypted mode to SSL. This is useful in that the server can support both unencrypted FTP and encrypted FTPS sessions on a single port, typically port 21. In an explicit SSL session the client first establishes an unencrypted connection to the FTP service. Prior to sending user credentials, the client then requests that the server switch the command channel to an SSL encrypted channel using the client AUTH TLS or AUTH SSL commands. Upon successful setup of the SSL channel the client then sends user credentials to the FTP server. These credentials along with any other commands sent to the server during the FTP session are automatically encrypted by the SSL channel.