ftp down

Björn Persson Bjorn at xn--rombobjrn-67a.se
Thu Aug 22 14:01:15 CEST 2024


Jacob Bachmeyer via Gnupg-users wrote:
> Unlike HTTP, FTP is /not/ subject to simple Man-on-the-Side attacks 
> (which motivated the rush to HTTPS) because there is no in-protocol 
> redirect.

So FTP isn't vulnerable to that particular attack, and attackers have
to resort to TCP hijacking or DNS poisoning or BGP hijacking or
whatever. Without cryptography there is no security. Anyone who wants
to argue in favor of FTP from a security point of view should at least
argue for FTP over TLS.

And if you want, you can use Wget with --max-redirect=0 to download
tarballs, or Curl, which doesn't even follow redirections unless you
give it the --location option.

> you should 
> assume that rogue states and transnational criminal organizations can 
> obtain phony certificates from legitimate CAs by coercion or fraud.

Anyone who can do that probably also has the resources to attack FTP
through one or more of TCP hijacking, DNS poisoning and BGP hijacking.

> For GPG, integrity is assured by signing the distribution 
> tarballs directly, and the transport is untrusted anyway.

Those who already have GPG and the release-signing keys can verify the
next version of GPG that way. To anyone who doesn't already have GPG,
HTTPS is the best integrity protection they will get.

> I would encourage resuming FTP distribution, since I see no plausible 
> security benefit to omitting it.

For the download use case, I see no plausible benefit to providing FTP
service in addition to HTTPS. A web server plus an FTP server will
always be a larger attack surface than only the web server. I recommend
leaving the FTP server off.

Björn Persson