They mention that the "FTP" service includes SFTP, which is file transfer over SSH (not actually related to classic FTP), which is perfectly secure and supported by most FTP clients like Filezilla.

The premium "SSH connection" you mentioned seems to refer to shell access via SSH, which is a separate thing.

reply
They also support FTP without the SSH transport, and it's not FTPS either. Various IP cameras still support FTP as a way to write files out periodically; I use this to provide a "stream" from a camera (8 seconds per frame because reasons) to the world. Actual streaming via RTSP is also available, but I could never get a stable stream to a video host (like YT or Twitch) from the camera (partially because of a poor quality network connection that can't be upgraded easily). So, FTP + credentials -> walled off directory that's not under the web root -> PHP script in web root -> web browser.
reply
FTP still works great and encryption is a non-priority for 100% of users.
reply
It should be priority for hosting companies though since leaked credentials and websites hosting malware is a problem.
reply
Shared hosting companies are still exposing cPanel/WHMCS to the outside world. You don't need FTP passwords to pwn this kind of crap.
reply
deleted
reply
Transport encryption should be a huge priority for everyone. It's completely unacceptable to continue using unencrypted protocols over the public internet.

Especially for the use case of transferring files to and from the backend of a web host. Not using it in that scenario is freely handing over control over your backend to everything in between you and the host, putting everyone at risk in the process.

reply
I've used FTP for static sites for decades by this point. Credentials have never been leaked, transfers have never been interfered with.
reply
How would you know if the transfers were interfered with? Do you take checksums of the files you upload and then check that the files apparently uploaded are the same?

Also, how do you know that there isn't someone performing a MITM (man in the middle) attack? FTP has no mechanism that I know of to verify that you're connecting to the server that you think you are.

It may well be that you're not a sizeable target and that no-one is interested in hacking your site, but that's just luck and not an endorsement of unencrypted FTP.

reply
How would you know that your neighbours aren't secretly spying together on you and interfering with your life in ways you don't notice?

We have to put a limit to paranoia. If things work correctly for decades and there are no signs of foul play after endless real world usage, it's safe to say nobody is hacking our FTP.

It's different if you're a bank or the KGB or the CIA.

> It may well be that you're not a sizeable target and that no-one is interested in hacking your site, but that's just luck and not an endorsement of unencrypted FTP.

Do you drive an armored car?

reply
Do you drive a doorless car?

A frame-less one?

reply
Yes, and it only has two wheels.
reply
Needing an armored car or protection from neighbours is specifically to guard against proximity-based exploits, and those are very unlikely threats to most people. FTP interception can be easily performed from anywhere in the world with a little bit of DNS poisoning followed by a MITM attack (or even just altering the data in transit from a malicious wifi hotspot).

It costs approximately zero to use encryption and protect against the FTP exploits, so why continue to use FTP? There's literally no advantage and several possible disadvantages. Just relying on not being hacked before seems a foolish stance to me.

reply
If it's so easily done, then most FTP websites would be hacked every week. But hundreds of millions of people have FTP websites and never get hacked in decades.

I challenge you to select any FTP website of your choosing and make a tiny change to prove that you've hacked it and let me know here.

reply
Not true. Your hosting provider already has physical access to the computer you're connecting to.

Whether or not the connection you're using is encrypted doesn't really matter because the ISP and hosting provider are legally obligated to prevent unauthorized access.

(It's different if you're the NSA or some other state-level actor, but you're not.)

reply
ISPs very frequently do not give a shit about the law. There are so many instances of major ISPs intercepting and modifying traffic, injecting ads, redirecting people to gambling websites, etc. It's not some freak incident involving the NSA targeting you, it happens all the time. All it takes is one bribe.

And what happens if your ISP is compromised without their knowledge? What happens when it's a consumer device such as a router? Don't forget that nearly every TP-Link router has an active malware infection.

It's not just one ISP that you have to trust, it's every single intermediate piece of equipment.

Intercepting traffic is a trivial & common form of compromise, and the problem multiplies by how many different parties you are handing your data to. It is wildly irresponsible to not attempt to protect against this.

reply
> It's completely unacceptable to continue using unencrypted protocols over the public internet.

That is nonsense. The reality is that most data simply is not sensitive, and there is no valid reason to encrypt it. I wouldn't use insecure FTP because credentials, but there's no good reason to encrypt your blog or something.

reply
Didn't we already go through this 10 years ago and then Firesheep got created and thoroughly debunked it?
reply
Firesheep was built to demonstrate how easy HTTP session hijacking was (it was a Firefox extension).

on HN https://news.ycombinator.com/item?id=1827928

reply
This is the usual horseshit people say about this topic when they don't understand it. It's not just about encryption, but authentication (tamper-resistance). Your blog might not contain sensitive information, but if the entire website is intercepted and becomes malware, you're in trouble.

The bad news with FTP in particular is that only one request has to be intercepted and recorded to have persistent compromise, because the credentials are just a username and password transmitted in clear.

reply
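The point above about a single recorded login being enough: on plain FTP the USER and PASS commands cross the wire as readable text, while an FTPS client upgrades with AUTH TLS before sending them. The following is an added example (not from the thread) that audits a constructed control-channel transcript and reports whether credentials were sent in cleartext; the transcript format, client lines prefixed "C:" and server lines "S:", is an assumption.

```python
# Added example (not from the thread): flag FTP logins that put credentials on the
# wire in cleartext. Input is a constructed control-channel transcript, client
# lines prefixed "C:", server lines "S:", as an IDS or a tshark stream dump gives.
import re
from dataclasses import dataclass, field

PLAIN_SESSION = """S: 220 FTP server ready
C: USER alice
S: 331 Password required
C: PASS hunter2
S: 230 Login successful
C: STOR index.html"""

FTPS_SESSION = """S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice"""  # constructed; really this line would already be inside TLS

@dataclass
class SessionReport:
    encrypted_before_login: bool = False
    cleartext_user: str = ""
    cleartext_password_seen: bool = False
    findings: list[str] = field(default_factory=list)

_CMD = re.compile(r"^C:\s*([A-Za-z]{3,4})(?:\s+(.*))?$")

def audit_ftp_session(transcript: str) -> SessionReport:
    """USER/PASS count as exposed only if sent before the server accepts
    AUTH TLS (reply code 234); a plain FTP session never reaches that point."""
    report = SessionReport()
    tls_requested = False
    for line in transcript.splitlines():
        if tls_requested and line.startswith("S: 234"):
            report.encrypted_before_login = True
            break  # the rest of the control channel rides inside TLS
        m = _CMD.match(line)
        if not m:
            continue  # server replies and anything unparsable
        cmd, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if cmd == "AUTH" and arg.upper() == "TLS":
            tls_requested = True
        elif cmd == "USER":
            report.cleartext_user = arg
            report.findings.append(f"username {arg!r} sent in cleartext")
        elif cmd == "PASS":
            report.cleartext_password_seen = True  # record the fact, never the value
            report.findings.append("password sent in cleartext")
    return report
```

The report deliberately records that a password was seen without storing its value, so the audit output itself does not become a second copy of the leaked credential.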
I'd argue that most people like knowing that what they receive is what the original server sent (and vice versa), but maybe you enjoy ads enough to prefer having your ISP put more of them on the websites you use?

Jokes aside, https is as much about privacy as it is about reducing the chance you receive data that has been tampered with. You shouldn't only not use FTP because of credentials but also because of embedded malware you didn't put there yourself.

reply
I, for one, would like to see an ISP dedicated enough and technically able to inject ads in my FTP stream. :)
reply
Agree but also wonder if ISPs bother with this anymore, now that almost all websites are https.
reply
You're missing the opposite issue - people might not care about your data, but you might well care if their data (e.g. porn sites) was uploaded to your blog.

It's not so much about the data, but protecting your credentials for the server.

reply