Recently, I was reading through a security forum and stumbled across the question, “Do I really need to use SFTP or HTTPS? What is wrong with FTP?” Though I thought this topic was settled a long time ago, sometimes when problems are solved the original reason for solving them is forgotten. In this post, I want to revisit the reason why clear text protocols have no place in the modern network.
A Brief History of Protocols
File Transfer Protocol (FTP) was defined in 1972 as RFC 354 and updated in 1985 as RFC 959. HyperText Transfer Protocol (HTTP) was developed by Tim Berners-Lee in 1989 which became RFC 2068 in 1997. You might be thinking, “Why are we taking this trip down memory lane?” Well, I want to illustrate just how old these protocols are. These protocols were created during a more innocent time; a time before Google even existed. This was a time when websites were hosted on AngelFire and had scrolling messages at the bottom of the screen which displayed in multiple colors. I was going to embed a picture of a silly AngelFire website here, but I don’t want to make fun of anyone. My 1997 website was certainly not better…
The problem with using these protocols is that the data, including all authentication, is passed in clear text. This may not sound like a big deal, but all it takes is one compromised client, server or network to gain access to data. Let’s take a look at a simple example.
Viewing Data
If you were to spin up tcpdump or wireshark to create a packet capture (PCAP) while using one of those protocols, you would likely be very surprised by your findings. So, readers, fire up your favorite packet capture tool, create a PCAP, and follow along. In this example, I am using FTP to connect to a server.
To look at the PCAP, I used the unix command “strings”. The first thing I see is the authentication with my credentials in clear text:
|
220 (vsFTPd 3.0.2)
6USER joe CT'X 331 Please specify the password. CTXY PASS superSecretPassword 230 Login successful. |
Next, I can see the output of my directory listing command:
|
PASV
227 Entering Passive Mode (192,168,1,2,238,178).
LIST
150 Here comes the directory listing.
MNt@
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Desktop
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Documents
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Downloads
drwxr-xr-x 2 1000 1000 4096 Aug 28 20:27 Music
-rw-rw-r-- 1 1000 1000 58677 Jun 12 2010 pic1.jpg
|
Continuing further, I can actually see the content of a transferred file:
|
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (192,168,1,2,64,224).
RETR pic1.jpg
150 Opening BINARY mode data connection for pic1.jpg (58677 bytes).
JFIF
http://ns.adobe.com/xap/1.0/
<?xpacket begin="
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/"
x:xmptk="XMP Core 4.1.1"> <rdf:RDF
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about=""
|
Conclusion
You can see in this example how easy it is to find data in clear text just by using tcpdump and strings. The bottom line is, everyone needs to use HTTPS and SFTP for security purposes. As always feel free to let me know if you have any questions support@automox.com.
About Automox
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.
