AVSIG: https, but just so far...

(This is a Read-only Archive of the 2004-2017 AVSIG Forum)
Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
https, but just so far...
      #412674 - 07/29/15 12:45 AM

I'll try to be brief, but this needs background, and for those that know me, brief isn't part of the profile ;-)

My ISP (Optimum) has been offering a nice deal on hosting: bump your speed to 50/25 and get site hosting too, $4.95/mo, billed monthly. OK, sounds good, my 15/5 speed has always been fine for me (and Optimum has always overachieved, if you believe speedtest.net), but I've been wanting a place to post a few things.

I get the basics together using their https web based SiteControl, which I took an immediate dislike to when I launched the FTP client. Java. Well, OK, allow once in Firefox, but I decided to run Wireshark, just to see where I was actually going.

All secure right until it's time to do username/password, plain text <game show fail buzzer sound here>. Give support a call, "Any secure FTP?". A pleasant "No, sorry." ...

But wait, it's Apache running on Linux, SSH is included in the package. I tried that from the SiteControl https page, cmd window opened, keys generated, seemed OK on Wireshark, exited the cmd window at that point. Reset my password (that was secure from the SiteControl page). Tried SSH from Terminal (OS X), site available. Now, how about SFTP? Yup, tried from Terminal, works a treat. I used cuteFTP for a long time on Mac and Win, so downloaded the current 30 day full feature trial (I like a GUI mo betta than cmd line). Set it up, SFTP, monitor with Wireshark, all good.

Moral of the story: running an app from a secure page (in this case the SiteControl FTP client) don't mean jack. I know, not news, but it doesn't come up much in this sort of case. The "Look for https in the address." advice is always good, for most situations (and actually click the lock icon or whatever your browser has to check the cert), but be alert to stuff like this.

jb
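
Added example, not part of the original thread: the check Jim did by eye in Wireshark, written as a small Python function that walks a reassembled FTP control stream and reports any login sent before TLS is active, including the case where the server refuses `AUTH TLS` and the client carries on in cleartext. The record format, the function name and all three sample sessions are constructed assumptions.

```python
# Added example: flag FTP logins that cross the wire unencrypted.
# Input is a reassembled FTP control stream (TCP port 21) as
# (direction, payload) records: "C" = client, "S" = server.
# All sample sessions below are constructed for illustration.

def cleartext_logins(records):
    """Return [(verb, shown_value)] for USER/PASS sent before TLS is active."""
    findings = []
    auth_pending = False  # client asked for AUTH TLS/SSL, awaiting the reply
    for direction, payload in records:
        line = payload.decode("ascii", "replace").strip()
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if direction == "C":
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb == "USER":
                findings.append(("USER", arg))
            elif verb == "PASS":
                findings.append(("PASS", "<redacted>"))  # never log the secret
        elif auth_pending:
            auth_pending = False
            if line[:3] == "234":  # server accepted: the rest is encrypted
                break
    return findings

GREETING = ("S", b"220 FTP ready\r\n")
LOGIN = [("C", b"USER jb_example\r\n"), ("S", b"331 Password required\r\n"),
         ("C", b"PASS not-a-real-password\r\n"), ("S", b"230 Logged in\r\n")]

PLAIN_FTP = [GREETING] + LOGIN
EXPLICIT_TLS = [GREETING, ("C", b"AUTH TLS\r\n"),
                ("S", b"234 Proceed with negotiation\r\n"),
                ("C", b"\x16\x03\x01\x00\xc8\x01")]  # start of a TLS handshake
REFUSED_TLS = [GREETING, ("C", b"AUTH TLS\r\n"),
               ("S", b"502 Command not implemented\r\n")] + LOGIN

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_FTP), ("explicit TLS", EXPLICIT_TLS),
                          ("TLS refused", REFUSED_TLS)]:
        print(name, cleartext_logins(session))
```

SFTP never shows up in a stream like this, because it runs inside an SSH session rather than over the FTP control channel.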


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: https, but just so far... [Re: Jim Bell]
      #412676 - 07/29/15 01:18 AM

Quote:

I used cuteFTP for a long time on Mac and Win, so downloaded the current 30 day full feature trial (I like a GUI mo betta than cmd line).




Have you tried FileZilla?


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412677 - 07/29/15 01:41 AM

Quote:

Quote:

I used cuteFTP for a long time on Mac and Win, so downloaded the current 30 day full feature trial (I like a GUI mo betta than cmd line).




Have you tried FileZilla?




No, any good/better, other than being free? I found myself remembering some cmd line basics when I was doing this, and when it comes down to it, ain't many commands I need for the basics, but like I said, GUI be good <g>

jb


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412679 - 07/29/15 03:46 AM

Russell, fun time in SFTP city ;-) So, I'm uploading new, modified index files, and .jpg pics with cuteFTP. In the last couple of days just getting things organized I noticed some .jpg files didn't appear online. Light goes on, permissions, sure 'nuff. Same deal a little while ago, change the permissions via cuteFTP on the remote file, boom: everything appears to be gone, Directory does not exist...all of 'em (though visible).

Call support (it's 24/7), get the real deal guy. The critical web folder had its permissions changed, no execute, changed on his end, all's well. Excellent support guy, may try FileZilla or just use Terminal, 'cause I think it was cuteFTP that did it, and no, the late hour doesn't always indicate pilot error or intoxication ;-)

Btw, mentioned the SFTP deal that the other guy had said didn't exist, not quite a snicker, but this guy knew. And agreed completely about the evils of Java. I knew it wasn't just me, and it's about to say goodbye on this box...

jb


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Jim Bell]
      #412680 - 07/29/15 03:57 AM

To be thorough here, to remove Java 7.x & 8.x from OS X, here's the link to Oracle:

https://www.java.com/en/download/help/mac_uninstall_java.xml

Follow the directions... Terminal ain't that scary, and copying/pasting the commands (one at a time, hit Return/enter after each) works fine. Btw, you won't see your password when you type it, just type it when requested after pasting the first command, and hit Return/enter.

jb

Edited by Jim Bell (07/29/15 04:06 AM)


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: https, but just so far... [Re: Jim Bell]
      #412682 - 07/29/15 04:27 AM

Quote:

Quote:

Have you tried FileZilla?




No, any good/better, other than being free?



GUI, it works, and you see the command line stuff go by as it works. Yes, it supports SFTP as well. You can set it up to auto-login and automatically go to the desired directory on each side of the explorer-like interface.

I don't have much to compare it with. I don't remember what we used before - it worked, but we had to keep buying a subscription to keep using it. It beats the heck out of using Windows Explorer - low bar, I know. <g>


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412683 - 07/29/15 04:40 AM

Quote:

It beats the heck out of using Windows Explorer - low bar, I know. <g>




What doesn't? <g> I think it'll be cmd line from Terminal, no bells 'n whistles, but feels secure, on both sides. Btw, Java be gone on the Mac now, Windows (real box and VM here on the Mac) tomorrow, er, later today ;-)

jb


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412815 - 07/31/15 12:46 AM

Russell,

Decided to take a look at FileZilla. Avast Mac didn't care for it at all, looked for the reason. From Avast:

"Malformed FileZilla FTP client with login stealer

Beware of malformed FileZilla FTP client versions 3.7.3 and 3.5.3. We have noticed an increased presence of these malware versions of famous open source FTP clients."

Full info at Avast.

I followed the links on SourceForge to the FileZilla download page (and also tried direct to https://filezilla-project.org/), it's a later rev, but still bad mojo, according to Avast on my Mac. Back to Terminal, or maybe I spring for cuteFTP Mac <g>

jb


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: https, but just so far... [Re: Jim Bell]
      #412828 - 07/31/15 04:29 AM

Well, that's the risk of Open Source. Someone can take the source, add their own malware, compile it and offer it up on a legitimate-looking site. Bottom line, you have to download programs from trusted sources. I suspect your security software isn't even trying to distinguish the good from the bad.

I've been running the PC version for years. No problems. No alerts.


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412859 - 07/31/15 01:22 PM

As it turns out I tried the FileZilla site again and tried a different download link, after clicking the Quick Download button. I checked that linked page and down a bit there are other links. No warning this time. Hard to understand why they'd provide any link that throws errors <shrug>

As to Avast, apparently it does distinguish something, one it likes, one not ;-)

Btw, the link I posted previously for FileZilla is correct, https://filezilla-project.org/ but I somehow included a close parenthesis at the end :-(

jb


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: https, but just so far... [Re: Jim Bell]
      #412860 - 07/31/15 01:28 PM

Quote:

As it turns out I tried the FileZilla site again and tried a different download link, after clicking the Quick Download button.




Oh, any chance you fell for an ad that claimed to be the download link? Those are horrid. Unless you know the site, it's easy to click the wrong thing. Why the folks running the page haven't figured it out and made some kind of adjustment, I don't know. It's been going on for years, so I don't think they can claim ignorance.


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412861 - 07/31/15 01:52 PM Attachment (163 downloads)

Quote:

Oh, any chance you fell for an ad that claimed to be the download link? Those are horrid. Unless you know the site, it's easy to click the wrong thing. Why the folks running the page haven't figured it out and made some kind of adjustment, I don't know. It's been going on for years, so I don't think they can claim ignorance.




Not this time, or maybe I did <g> That first button on the FileZilla page is OK, the next page has the problem link, that being the green button. Note that this is still on the FileZilla site. The "Show additional download options" is where the good link is. Lame.



While we're on this, the app works great, cuteFTP is just about identical in look and usage. Question: In cuteFTP I see all of the talk between client and server. FileZilla seems to leave out the details as one connects (but it does all the same stuff, viewing the login with Wireshark). Any way to make it more verbose?

jb

Edited by Jim Bell (07/31/15 01:57 PM)


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: https, but just so far... [Re: Jim Bell]
      #412878 - 07/31/15 03:59 PM

Quote:

Question: In cuteFTP I see all of the talk between client and server. FileZilla seems to leave out the details as one connects (but it does all the same stuff, viewing the login with Wireshark). Any way to make it more verbose?





I hardly look at that window. The only time I look is if I have trouble connecting. It seems to be adequate for telling me what's wrong.

You might try the debug options.


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: https, but just so far... [Re: Russell Holton]
      #412884 - 07/31/15 04:12 PM

Quote:

Quote:

Question: In cuteFTP I see all of the talk between client and server. FileZilla seems to leave out the details as one connects (but it does all the same stuff, viewing the login with Wireshark). Any way to make it more verbose?





I hardly look at that window. The only time I look is if I have trouble connecting. It seems to be adequate for telling me what's wrong.

You might try the debug options.




It's nothing I care about, was just curious. About that green button link on FileZilla, shoulda read the "bundled offers" bit ;-) Rolling over it does show it's linked to sourceforge.net so I figgered it was OK <shrug> They oughta get rid of it.

jb

