Hi Doug,

When I connect to my host I log in and get a popup from FileZilla asking
if I will accept a DC. I respond yes and I'm in. Why am I sending out
the DC to the remote client?

You aren't sending the local CA cert to the client for YOUR protection.
You're sending it to the client for THE CLIENT'S protection.

The idea is that they can use this CA cert to verify that the server is
really you. If you didn't do that, it could be someone impersonating
you (a man in the middle attack, or phishing, or something like that).

Remember, SSL was originally designed to let retailers sell stuff using
a credit card over the web. The goal is to let the consumer know that
they're really sending the credit card number to the right place. If I
set up a web site named 'WalmartOutlet.com' and told everyone that I was
Wal-Mart, then they might trust me and send me their credit card
numbers. That would be gr8t, cuz I could buy l0tz of n33t stuff.

One problem: My SSL certificate wouldn't match the CA certificate
installed in the client's web browser. That would tell the client that
I'm not to be trusted. Oh well, I guess I'll have to work for a living...

That's the point of the CA certificate: To verify that the server
REALLY IS who the server claims to be. That's the reason you want to
install your local CA into your client's system -- so the client can be
confident that they're FTPing the files to YOU, and not someone else.

If you'd like to ALSO verify who the client is, then you need to
implement client certificates. This is not implemented by default in
SSL (because, again, SSL was created for retailers... Wal-Mart will
sell to anyone. They don't want/need to have to distribute client
certificates to every potential customer!). However, SSL does have
this option, it just has to be set up, and additional certificates need
to be generated and distributed.
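
The check described in the message above, as an added example that is not part of the original post: a client that has only the local CA certificate installed accepts a server certificate issued by that CA and rejects one for the same host name issued by a different CA. It assumes the `openssl` command-line tool is available; the names `local-ca`, `impostor-ca` and `ftp.example.com` are constructed for the illustration.

```shell
#!/bin/sh
# Added example. All names (local-ca, impostor-ca, ftp.example.com) are constructed.

# make_ca DIR NAME: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: create a server key and a certificate for
# ftp.example.com signed by the CA called CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ftp.example.com" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# client_trusts CA_CERT SERVER_CERT: exit 0 only if SERVER_CERT chains to
# CA_CERT, the one CA certificate the client has installed.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" local-ca && make_ca "$d" impostor-ca &&
        issue_cert "$d" local-ca real-server &&
        issue_cert "$d" impostor-ca fake-server || { rm -rf "$d"; return 1; }
    # The client only has local-ca.crt; both servers claim the same host name.
    for s in real-server fake-server; do
        if client_trusts "$d/local-ca.crt" "$d/$s.crt"; then
            echo "$s: accepted"
        else
            echo "$s: rejected"
        fi
    done
    rm -rf "$d"
}

demo
```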