
Is FTP password sent clear text?

BACKGROUND

The company I work for regularly exchanges sensitive files (personal info) with clients in a production environment (i.e. files are sent and received via scheduled batch jobs). To prevent Internet eavesdroppers from intercepting our data, we use dial-up, but it is cumbersome. FTP would be far more convenient, but FTP data is clear text.

My suggestion is to PGP encrypt the data, then use FTP, but the IT department is concerned that although the data would be safe, the FTP IDs and passwords themselves pass unencrypted through the Internet, which they do not find acceptable. I believe that this can be a minimal issue as long as the ID has access to only a single folder, containing only encrypted files.

QUESTION

Is it true that FTP sends the logon ID and password as clear text? If so, are there any alternate, non-proprietary solutions? Our IT group wants to rely on proprietary end-to-end encryption. (As I remember, the term is "tunneling," or something like a VPN). I feel proprietary solutions are undesirable because they require special software installed on all client sites.


Thanks in advance,
parkerea

Commented:
FTP does send the security info in plain text. I am not aware of any workarounds that do not use encryption/VPN.
CERTIFIED EXPERT

Commented:
> Is it true that FTP sends the logon ID and password as clear text?
YES

> If so, are there any alternate, non-proprietary solutions?
Use ssh and scp.
It's standard and secure, in data and password.
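
What "clear text" means on the wire, as an added example that is not part of the thread: FTP logs in with `USER` and `PASS` lines on the control channel, so anyone holding a capture can read them unless the client first negotiated TLS with `AUTH TLS` (RFC 4217) and the server answered `234`. The transcripts, host name and credentials below are constructed, and `audit_control_channel` is a hypothetical helper for reviewing such a capture.

```python
# Constructed control-channel transcripts ("C:" = client, "S:" = server).
PLAIN_SESSION = """\
S: 220 ftp.example.test ready
C: USER batchjob
S: 331 Password required
C: PASS s3cret-Example
S: 230 Logged in
C: STOR payroll.pgp
S: 226 Transfer complete
"""

TLS_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
"""


def audit_control_channel(transcript):
    """Return (verb, value) for each credential sent before TLS was active.

    The password is masked so the audit report does not leak it again.
    """
    findings = []
    tls_requested = False
    tls_active = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "AUTH":
                tls_requested = True
            elif verb in ("USER", "PASS") and not tls_active:
                findings.append((verb, arg if verb == "USER" else "*" * len(arg)))
        elif side == "S" and tls_requested and text.startswith("234"):
            # 234 accepts AUTH; everything after it travels inside TLS.
            tls_active = True
    return findings


if __name__ == "__main__":
    print(audit_control_channel(PLAIN_SESSION))
    print(audit_control_channel(TLS_SESSION))
```

A server that rejects `AUTH` leaves the session unencrypted, so a client that then falls back to `USER`/`PASS` is reported just like a plain FTP login.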

Commented:

A possible solution (if you need FTP) could be using
some kind of "tunnelling" software to create an encrypted
channel between the two points of the connection, one of
these programs which I like is ZeBeDee, it has some limits
anyway but its overall flexibility is really good.

Take a look at it on

http://www.winton.org.uk/zebedee/

Bye
CERTIFIED EXPERT

Commented:
.. ssh has it all ..
I'd agree that ssh is a reasonable way to do this, but not all people are going to be willing to support ssh out of their firewalls.

FTP with PGP can be made to work by limiting the ID to specific directories and not allowing file overwrites. E-mail with PGP is better if the files are small enough.

Another possibility is HTTPS uploads.
> "Is FTP password sent clear text?"

Yes, even for some encrypted works. Be sure to check out.
(skimmed all above w/o reading, sorry no time now)
CERTIFIED EXPERT

Commented:
.. and ssh comes with sftp too (AFAIK sftp is no longer supported 'cause it's obsolete if you use scp)
Sort of. scp predates sftp, but originally only worked if the server was a *nix system. Tatu and the SSH Communications folks came up with sftp as an alternative when they were working on their port of SSH2 to NT. But sftp never caught on, as others had fixed scp to work with NT. OpenSSH eventually did an sftp version, but it doesn't interoperate with the one from SSH Communications, so that didn't help the cause either. The upshot is that sftp is pretty much dead as far as I can tell.
CERTIFIED EXPERT

Commented:
chris_calabrese, thanks for clarification. Something I had already in mind, somehow, but didn't know in detail.
Tim Holman, CEO and Founder

Commented:
Can't you create a firewall rule that only allows incoming ftp requests from a specific client ?
The username and password will be clear text, yes, but if you can only use ftp from a particular IP address then the username and password wouldn't be much good to anyone.
Also check anti-spoofing measures have been applied.
FTP is hardly state of the art file transfer.
There are better things around - you could use PC Anywhere's file transfer, which you can setup for strong point to point encryption, for example.

Anyway...  if your company and another have the regular need to exchange sensitive data over the Internet, you should seriously be considering a VPN, or sticking with dial-up until you can afford VPN.


Even restricting things to a single IP isn't really that great.  Anyone capable of sniffing the data is also capable of injecting packets with false addresses.

But I'd definitely agree that PC Anywhere, VPN connections, and dialup are all valid solutions. Along with SSH, HTTPS-uploads, and PGP-izing the files.

What's not a valid solution is plain old FTP.

Author

Commented:
Thank you all for your input. In the end, I think the option which is the easiest to implement, requires the least impact on the client, and is still plenty secure is to FTP PGP encrypted files to a "drop box" write only folder which does not allow file overwrites. In reality, there would be no need for a password at all on the client ID.

The ssh option would be good, but our production environment for scheduled batch jobs is an IBM mainframe, and the client runs their batches on a Win98 PC (I suppose that would have been useful for me to mention up front).


Thanks again,
parkerea
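
With the drop-box plan above, the PGP layer is the only thing protecting the data on a clear-text channel, so the sending batch job should refuse to transmit anything that is not an encrypted OpenPGP message. The following is an added example, not part of the thread: `safe_to_send` is a hypothetical pre-upload gate that inspects the first OpenPGP packet header (RFC 4880), and the sample payloads are constructed.

```python
import base64

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags (RFC 4880) that can begin an encrypted message.
ENCRYPTED_TAGS = {1: "public-key encrypted session key",
                  3: "symmetric-key encrypted session key",
                  9: "symmetrically encrypted data",
                  18: "encrypted, integrity-protected data"}


def first_packet_tag(data):
    """Return the tag of the first OpenPGP packet, or None if not a packet."""
    if not data or not data[0] & 0x80:   # bit 7 is set in every packet header
        return None
    if data[0] & 0x40:                   # new-format header: tag in bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F         # old-format header: tag in bits 5-2


def dearmor(data):
    """Decode the base64 body of an ASCII-armored message."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    start = lines.index(b"") + 1         # armor headers end at a blank line
    body = []
    for line in lines[start:]:
        if line.startswith((b"=", b"-----")):   # CRC line or armor footer
            break
        body.append(line)
    return base64.b64decode(b"".join(body))


def safe_to_send(data):
    """True only if the payload starts like an OpenPGP encrypted message."""
    data = data.lstrip()
    if data.startswith(ARMOR_HEADER):
        try:
            data = dearmor(data)
        except ValueError:               # no blank line or invalid base64
            return False
    return first_packet_tag(data) in ENCRYPTED_TAGS


# Constructed samples: an armored packet header and a plaintext payroll file.
SAMPLE_ARMORED = (ARMOR_HEADER + b"\n\n" + base64.b64encode(b"\x85\x01\x0c" + bytes(9))
                  + b"\n-----END PGP MESSAGE-----\n")
SAMPLE_PLAINTEXT = b"name,wages,sick_hours\nJ. Doe,1000,8\n"
```

This is a structural check only: it catches plaintext, signed-only or compressed-only files before they leave, but it does not prove the file was encrypted to the intended recipient's key.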
You can run ssh to a Linux lpar on your mainframe ;-)
Tim Holman, CEO and Founder

Commented:
You still only have one line of defence, that being your PGP key.
They're not particularly difficult to crack, so you really need to use another layer of defence somewhere, such as authentication or restriction by IP address.
The best solution is still VPN.  You can set this up to automatically generate and exchange new keys so that potential hackers don't have enough time to crack the keys before the next change takes place....

Author

Commented:
tim_holman:

I have to follow up on this one -- "PGP...not particularly difficult to crack." Can you back this up? I have heard rumors that PGP was flawed, but never more than rumors. I have done Internet searches on this in the past, and the most concrete thing I found was a very well written piece refuting the various types of assaults (Sorry, but I don't remember the URL). Not being a cryptographer, all I can say is it sounded correct. Additionally, it was a couple of years old, so things may have changed, but I doubt it. Personally, I don't believe PGP can be cracked using today's technology. If it could be, there would be far more than rumors floating around; there would be crackers.

The strongest "evidence" that PGP is flawed I can think of is that the US Govt backed off its campaign against PGP surprisingly early. Of course, that could be simply because they had no legal grounds, but that has rarely stopped governmental agencies in the past. Regardless, I still know of absolutely

You don't have faith in PGP, but you feel IP addresses are believable, and you recommend "authentication" for security. From what I understand, IP addresses can be spoofed (although I have no idea how). "Authentication" is a fairly broad term. Even garden variety FTP uses authentication, it just does a really poor job of it.


Yours in curiosity,
parkerea
CERTIFIED EXPERT

Commented:
Any security can be cracked. Dot.
The question just is how long does it take and how many resources are necessary to do it in that time. Nothing more, nothing less.
This applies to PGP as well as to any kind of VPN (IPSEC in particular).
It doesn't make sense to discuss it.
It's true that PGP has been cracked, but it was when the "general key" was implemented (see http://www.securityfocus.com/advisories/2548). Somebody surprised about that? ;-)
AFAIK, Phil Zimmermann gave the best description about cracking public keys himself, refer to his book about PGP.

Anyway, I suggest using "some kind of VPN", and there ssh is the simplest solution. This is 'cause VPN switches encryption keys very often within the session, which causes an attacker to compute them again and again (while a PGP public might remain the same within *and* for several sessions).
Tim Holman, CEO and Founder

Commented:
The best way to crack PGP is to brute force the passphrase.  Far easier than cracking the encryption directly !
You have to take a very open mind with security issues like this - never rely on a single line of defence.
As for anti-spoofing, most routers / firewalls allow you to set this up -
http://www.pcwebopedia.com/TERM/I/IP_spoofing.html

The comp.security FAQ on PGP-
http://www.uk.pgp.net/pgpnet/pgp-faq/faq-03.html




Author

Commented:
We have drifted off the original subject, and moved from the practical to the theoretical, but what the heck.

ahoffman:

Yes, I understand that any encryption method is crackable (with the exception of a one time pad), which is why I included the "using today's technology" disclaimer. Your reference is regarding a bug in certain releases of PGP, not an inherent PGP flaw. While it is disappointing that NAI would allow such a thing to creep in, you can bet the farm that nearly EVERY encryption product of any kind has such bugs; the question is whether or not they have been discovered and made public yet.

tim_holman:

Brute force against the passphrase? Good luck. Anyone who is serious about security and still chooses a weak passphrase is a fool, and deserves what they get (or lose). My password on my systems at work is a concatenation of two meaningless acronyms and a number. And I am not a spook or anything, I just work in payroll! (On the other hand, many people at my work still use dictionary words, so their info is ripe for the picking.)

BTW, your PGP security FAQ does include an item about two successful PGP cracks. I was unaware it had been done. Not that it matters for my application (if anyone is really that desperate to find out the address, wages, and sick time of someone at my work, they are welcome to it), but out of curiosity I will look into this a bit more.


- parkerea
