From Wikipedia:
FTPS
Main article: FTPS
Explicit FTPS is an extension to the FTP standard that allows clients to request FTP sessions to be encrypted. This is done by sending the "AUTH TLS" command. The server has the option of allowing or denying connections that do not request TLS. This protocol extension is defined in RFC 4217. Implicit FTPS is an outdated standard for FTP that required the use of an SSL or TLS connection. It was specified to use different ports than plain FTP.
With Explicit you connect to port 21 in the clear and then issue the command AUTH TLS to negotiate a secure connection. Once the connection is secured, your commands sent over port 21 are encrypted, which includes the user logon. The secondary data channel may be encrypted or not depending on the server configuration.
IE does not support logging in to an FTP site but you can open with Explorer to log in. I do not know if that will allow you to run the AUTH TLS command.
Chris Bipes
Director of Information Services
CrossCheck, Inc.
-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Thursday, March 31, 2016 8:41 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Plain FTP - Using Encrypted Authentication.
Apparently there are the following:
FTPS (not in use here and no plans)
SFTP
FTP (plain)
FTP (with encrypted authentication)
We're getting a security ding because we still have a few people using
plain ftp without even the encrypted authentication.
Apparently the big concern is that, even if you feel the data being
transferred does not really need to be secured (perhaps you only download
company brochures for example) you should encrypt the user id and password
used to log into the ftp site. And, yes, our site has users other than
anonymous and data other than company brochures.
It's a simple change of the parameter in Go Anywhere to "Force Encrypted
Authentication".
My concern is that will change the behavior of many clients and stop them.
Our biggest exchange is another lpar using plain scripted ftp from IBM i.
Would I have to change that to use SECCNN(*IMPLICIT) on the FTP command?
Do I have to set up something else on the client, like store a certificate
or something or is that just done automatically?
IDK what clients our other partners are using. If, for example, they are
using the PC DOS command line's ftp client, I don't see a parameter on
that ftp command to match SECCNN(*IMPLICIT). If they use a browser for
their ftp client will that handle this?
Some clients may be ok. I think the default on FileZilla is "Use explicit
FTP over TLS if available".
I probably could get us excepted from this ding, but if it can be done
without any disruption I'd like to appear as working with them.
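An added example, not part of either message above: one way to find which sessions in a server-side FTP control-channel log would break under "Force Encrypted Authentication", by checking whether USER/PASS arrived before an accepted AUTH TLS and whether the data channel was protected. The `C: `/`S: ` log format, the function name and the sample sessions are constructed for illustration; the 234 and 200 reply codes and the Clear default for PROT are from RFC 4217.

```python
# Added example: audit FTP control-channel transcripts for cleartext logins.
# Assumed (constructed) log format: "C: <command>" / "S: <reply>" per line.

DATA_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}

def audit_session(lines):
    """Return a list of findings for one control-channel transcript."""
    findings = []
    tls_active = False     # True once the server accepts AUTH with 234
    auth_pending = False   # client sent AUTH TLS/SSL, reply not yet seen
    prot_pending = None    # level requested by PROT, reply not yet seen
    data_prot = "C"        # RFC 4217: data channel defaults to Clear
    for raw in lines:
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "S":
            code = text[:3]
            if auth_pending:
                tls_active = code == "234"
                auth_pending = False
            elif prot_pending:
                if code == "200":
                    data_prot = prot_pending
                prot_pending = None
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            auth_pending = True
        elif verb == "PROT":
            prot_pending = arg.upper()
        elif verb in ("USER", "PASS") and not tls_active:
            findings.append(f"{verb} sent in cleartext")
        elif verb in DATA_CMDS and data_prot != "P":
            findings.append(f"{verb} data channel not encrypted")
    return findings

# Constructed sample sessions (hypothetical user and file names).
PLAIN = ["S: 220 ready", "C: USER partner1", "S: 331 need password",
         "C: PASS example-password", "S: 230 ok",
         "C: RETR brochure.pdf", "S: 150 opening"]
EXPLICIT_CLEAR_DATA = ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed",
                       "C: USER partner1", "S: 331 need password",
                       "C: PASS example-password", "S: 230 ok",
                       "C: RETR brochure.pdf", "S: 150 opening"]
EXPLICIT_FULL = EXPLICIT_CLEAR_DATA[:3] + ["C: PBSZ 0", "S: 200 ok",
                "C: PROT P", "S: 200 ok"] + EXPLICIT_CLEAR_DATA[3:]
```

Sessions that return a "sent in cleartext" finding belong to clients that would need reconfiguring before the setting is enforced.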