Best FTP client to get

Res res at ausics.net
Sat Oct 24 03:04:54 UTC 2009


On Sat, 24 Oct 2009, Karl Auer wrote:

> On Fri, 2009-10-23 at 22:58 +1000, Res wrote:
>> well said... the OP asked about uploading his website, which infers the
>> information is to be public anyway
>
> Here are a few things a bad guy can do with that FTP password:

Hacking because a customer uses ftp in a shared hosting is the LEAST of 
their problems, the biggest risk comes from people running all sorts of php 
crap they know NOTHING about, in all the years I've done hosting not a 
single account has ever been hacked or defaced because a user used plain 
text passwords.

> - he can remove the public information that the OP wants to present

see above

> - he can put up additional information that the OP does NOT want on his
> website - think nasty pictures

see above

>
> - he can deface the public information on the site

see above

>
> - he can subvert the public information on the site

see above

>
> - he can use the site as a secret file server - there is no sign that
> the site has been hacked, except that data and transfer quotas blow out.

see above

>
> - if the site is used as a secret file server, better hope it's not
> serving something illegal, because then you could be in serious trouble

see above

>
> - he can add things to your web pages that are not visible, but do
> damage - malware. Google "gumblar" for just one example

see above

>
>> some people need to put their paranoid brains into gear before their
>> fingers
>
> Some people need to realise that sometimes, a little paranoia is
> healthy.

if that was the case then he would not be using a normal hosting system, 
he'd use his own server colocated

> There is really no good reason to still be using ftp to upload websites.
> There are great tools around that do everything ftp does, but do it
> securely.
>
>> , and I don't know of any shared hosting
>> provider who allows users secure shell (of any kind) access.
>
> Google "web host ssh shell" or similar and start counting...

and they are fantastically secure now from other forms aren't they :)
besides 99% of people using hosting companies wouldn't even know what 
scp/sftp was and I'd be farked if I'm giving some kid ssh access to
any part of our network, the only way you can with any relative safety 
is use, say, rssh to restrict access, but rssh can be defeated easily by 
anyone knowing what they are doing, in fact IIRC, even the rssh devs warn 
you it's easily got around. Using those methods might be fine for webdevs 
who do this thing, but news flash, the vast vast vast majority of people 
design (if you can call some of them that) their own sites and upload it 
themselves, and these are also mostly Windows type people who wouldn't 
even know that there are real ftp programs out there, they think IE is
the only internet tool in existence.

> We have used about five different hosting providers for our various
> customers, and when we are choosing a provider "no secure access" means
> "no sale". Secure access doesn't necessarily mean shell access, by the
> way.

well, that's fine by me, tens of thousands of others clearly disagree  :)

> None of this applies to your own data. If it's your own personal
> website, or your own company's website, you can do what you like! But if
> you have responsibility for someone else's data, then you have an
> obligation to take sensible precautions, and that does not include
> sending cleartext passwords over the Internet.


I disagree, for reasons above, I've been doing hosting for well over a 
decade and there are far greater risks by idiots using junk like phpnuke, 
those pesky gallery things, and by using other php/perl code that they 
have absolutely NFI about... I've seen, over the years, thousands of 
sites hacked because of it, but not a single one was ever violated because 
we offer only plain text ftp.


-- 
Res

"What does Windows have that Linux doesn't?" - One hell of a lot of bugs!




More information about the ubuntu-users mailing list