Go Back   FlashFXP Forums > > > >

ioFTPD General New releases, comments, questions regarding the latest version of ioFTPD.

Reply
 
Thread Tools Rate Thread Display Modes
Old 11-22-2004, 09:18 AM   #1
Tillmann
Junior Member
 
Join Date: Nov 2004
Posts: 7
Default Cpsv

Hi,

I checked the ChangeLog, and already under "Beta 4.1.0", it is mentioned that CPSV support was added. Great - I thought.

However, in the current version, CPSV doesn't seem to work (encrypted FXP works, but only if the io is in active mode, and the other site is running glftpd/OpenFTPd/TitanFTPd - it doesn't work between two io's).

Was CPSV support removed again? Why? Will it be back? It's a very useful feature.

bye,
Tillmann
Tillmann is offline   Reply With Quote
Old 11-22-2004, 03:23 PM   #2
Zer0Racer
Senior Member
ioFTPD Scripter
 
Join Date: Oct 2002
Posts: 703
Default

The current ssl site-to-site standard that is available is not really fully encrypted. ioFTPD can receive ssl site-to-site transfers but not initiate them itself. darkone chose to do it this way. So ssl fxp FROM ie. glftpd with CPSV works TO ioFTPD.. but not the other way around.

Keep your eyes open and wait for next generation of ioFTPD.
Zer0Racer is offline   Reply With Quote
Old 11-23-2004, 08:24 AM   #3
Tillmann
Junior Member
 
Join Date: Nov 2004
Posts: 7
Default

Hi,

OK, that's what I suspected. The only thing that had confused me is that the ChangeLog already mentions CPSV support. Was it removed later on? Why?

Considering the "target audience" of ioftpd, I think encrypted FXP is very important. BTW, talking about "target audience" - browsing the forums I found a thread about a user getting his license revoked for leaking ioftpd - that made me laugh real hard, especially considering the type of support scripts for ioftpd that are available, and the type of stuff darkone has written in the past, like project-zs. Come one guys... practice what you preach :-)))). Anyways, getting offtopic, sorry :-)

bye,
Tillmann
Tillmann is offline   Reply With Quote
Old 11-23-2004, 04:59 PM   #4
neoxed
Too much time...
FlashFXP Beta Tester
ioFTPD Scripter
 
Join Date: May 2003
Posts: 1,326
Default

CPSV support was originally removed in Beta-5.0 if I remember correctly, since darkone didn't have the time to finish the SSL site-to-site connection stuff for the initial Beta-5.0 release. Once he took some time to look at it later, he realized there was a serious flaw in the current design that didn't verify the SSL certificate's fingerprint. This in turn made the site-to-site transfer (FXP) vulnerable to MTM (man in the middle) attacks. Darkone wrote a few posts on the required changes needed to secure the current design, which unfortunately will not make it into ioFTPD until Beta-6 or so.

http://www.ioftpd.com/~darkone/tmp/secure.txt
http://www.ioftpd.com/board/showthre...&threadid=1967

Edit: Found the article/post links.
neoxed is offline   Reply With Quote
Old 11-23-2004, 05:16 PM   #5
Tillmann
Junior Member
 
Join Date: Nov 2004
Posts: 7
Default

Hi,

great, that answers my question.

I agree that it's better not to have it at all, than a flawed version that gives a false sense of security.

bye,
Tillmann
Tillmann is offline   Reply With Quote
Old 11-24-2004, 05:44 AM   #6
esmandil
Senior Member
FlashFXP Registered User
ioFTPD Foundation User
 
Join Date: Oct 2004
Posts: 107
Default

Well, I don't exactly agree with this reasoning.

Man-in-the-middle attack is pretty specific... *and*, in this particular case, impossible to hide, as the attacker cannot send the data to target server. So, if data shows up on the other server, nobody is listening to it (unless the attacker knows your password on the target server... but then he doesn't need to eavesdrop, does he ).

In other words, CPSV is still better than non-encrypted FXP.

As to false sense of security... anybody who doesn't understand what they are doing deserve their fate ;-)

Or do I get this all wrong?
esmandil is offline   Reply With Quote
Reply

Tags
cpsv, fxp, ios, support, work


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
fxpiing in though a server with limitations zoranb General Discussion 3 05-18-2005 04:22 PM


All times are GMT -5. The time now is 10:14 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)