The SANS report for SSH vulnerabilities is for older releases and in particular and more broadly open SSH releases. My advice would be to not quickly berate SSH just because of that. SSH (older versions) had problems, but with the exception of a trojan at the OpenSSH and mirror sites, the commercial distributions (like SSH) are much more secure than FTP, etc.
A single release problem or two in an application does not merit the negative SSH blurbs. Recent releases are fine... so far. Let's tone down the SSH negative comments. Might be better to say:
"with SSH, make sure you are using the most recent version..."
because the recent version is OK, according to SANS...
I understand that, I definitely use ssh when connecting via the internet. I don't think it's right to dump on FTP or telnet, though, especially when similar problems occur with other protocols/applications.
The problem with so-called "secure" software, like ssh, is that it's taken for granted. Most users jump and say what the poster above said. Security is about mitigating the inevitable. There is no security catch-all. Let's not delude ourselves.
So are you more likely to get your passwords sniffed by some man-in-the-middle, or are you more likely to get hit by the next ssh-exploiting worm that floats by? It's hard to say...
And don't forget, the versions with holes in them were at one time "the most recent version"...
My point was that ssh is not foolproof. It takes as much work to secure a box with only ssh remote access as it does to secure one using telnet or ftp or whatever. I by no means think everyone should stop using ssh, but I also don't believe that telnet should not be used either.
I don't want to interrupt your ssh debate, but I would like to point out another option. The company that I work for uses ftp to distribute data to our clients. I don't like ftp very much. But we have to use a protocol that is widely available to our clients. This simply shuts the door on sftp.
But just about every web browser can handle HTTPS. It has its flaws too. But it's firewall friendly. It is truly very secure. If you really trust that "third party" who issues the certificates, you can argue that it is more secure than ssh because the "initial contact" problem goes away.
And HTTPS runs on a service called SSL which really could be used for any TCP based service. Yeah, that's a big "could be". But HTTPS is very secure and very available today.
I haven't had much luck promoting HTTPS around here. Still, I thought it might be worth a mention in this thread...