Re: Information Security?

Mike Linksvayer (ml@justintime.com)
Mon, 16 Nov 1998 12:27:22 -0800

Michael Lorrey wrote:
> I figured out the other day how WS_FTP encrypts its passwords in its INI
> file, which is rather weak and a major weakness for anyone using this FTP
> client to transfer files. Essentially, the encryption works like this: each
> letter of the password is converted to its hexadecimal value. Then one hex
> digit is added to the letter's hex value based on its position in the
> password, starting with 0 for the letter in the first position.
>
> So, while you may only FTP encrypted files to an FTP site, by using a weak
> password encryption like this a hacker could easily sniff out your password
> and then use the FTP site with impunity in YOUR name.

FTP passwords are sent as cleartext between the client and server, so WS_FTP's .ini settings obfuscation does nothing to help or hinder someone who wants your password, unless that someone has access to your WS_FTP .ini file.

There is an RFC out concerning secure FTP, but it isn't widely implemented yet. See <http://www.mit.edu/people/marc/ftpsec/ftpsec.html>.

--
See From: and Organization: above.  Call +1 415 553 6408 for assistance.
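
The reply's point about cleartext credentials, as an added example that is not part of the original post: a small audit that walks an FTP control-channel session log and reports every PASS command sent before the server accepted an AUTH request (the AUTH command and its 234 reply come from the FTP security extensions). The `C:`/`S:` log format, the function name `audit_session`, the host name and the credentials are all constructed for illustration.

```python
import re

# Constructed control-channel session logs (C: client, S: server); not real captures.
PLAIN_SESSION = """\
S: 220 ftp.example.test ready
C: USER alice
S: 331 Password required
C: PASS s3cret-constructed
S: 230 Logged in
"""
PROTECTED_SESSION = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Security data exchange complete
C: USER alice
S: 331 Password required
C: PASS s3cret-constructed
S: 230 Logged in
"""

# Assumed log line shape: "<C|S>: <command or reply code> [argument]"
LINE = re.compile(r"^([CS]): (\S+)(?: (.*))?$")

def audit_session(transcript):
    """Return one finding per PASS sent before any AUTH was accepted."""
    protected = False      # True once the server answered an AUTH with 234
    pending_auth = False   # True while the last client command was AUTH
    user = None
    findings = []
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, word, arg = m.group(1), m.group(2).upper(), m.group(3) or ""
        if side == "C":
            pending_auth = word == "AUTH"
            if word == "USER":
                user = arg
            elif word == "PASS" and not protected:
                # Record only the length so the report does not leak the secret.
                findings.append({"user": user, "password_length": len(arg)})
        elif pending_auth and word == "234":
            protected = True
            pending_auth = False
    return findings

if __name__ == "__main__":
    for name, log in (("plain", PLAIN_SESSION), ("protected", PROTECTED_SESSION)):
        print(name, audit_session(log))
```

A refused AUTH (any reply other than 234) leaves the session marked unprotected, so a client that falls back to plain login after a failed negotiation is still reported.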