Last post Aug 18, 2007 08:12 AM by 56p
Aug 13, 2007 02:04 PM | 56p
A few days ago I signed up for hosting from Network Solutions. They use FTP to transfer files to their servers, and when I found out that FTP is unencrypted and that my username and password are sent over the network as cleartext, I started thinking that it was a serious security vulnerability.
I envisage the following scenario: Someone uses a packet sniffer to intercept my username and password, then gets my database username and password from connection strings in my ASP files, and then steals my customers' credit card numbers, or just outright drops my database.
Is this possible? If it is, how easy would it be for someone to carry it out? What factors would make it difficult or unlikely?
Has anyone ever heard of somebody being hit by this kind of attack?
Is this a sufficiently large security risk that I should switch to a hosting company that provides SFTP, FTPS, or SCP?
Aug 13, 2007 05:11 PM | michielvoo
You can encrypt the connection string in your web.config. But if your site is actually storing credit card numbers, then I would say you absolutely need to switch to a secured channel.
Also, ask yourself whether you actually need to store the credit card number after a transaction or otherwise. The damage could ruin your business if the data should be compromised. Perhaps you should also encrypt the credit card numbers in the
Aug 14, 2007 02:32 PM | 56p
I can't encrypt the connection string. I can't simply open up a command prompt for the Network Solutions server and run aspnet_regiis.
My ASP files have to be able to decrypt whatever data I encrypt. Encryption does no good if the means of decryption is in exactly the same place as that which is encrypted.
The bottom line seems to be that it doesn't matter how strong my passwords are, or how many layers of encryption I wrap my data in, if my FTP login information is being sent over the network in cleartext for the whole world to see.
Aug 16, 2007 02:51 PM | michielvoo
Well, like I said, if you have credit card data then you need to make sure everything is secure, including FTP. You could go for dedicated hosting on your own server and install the software on site, no FTP needed.
You can encrypt web.config settings from code by the way, but a chain is only as strong as its weakest link.
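What michielvoo describes (encrypting the connectionStrings section from code rather than with aspnet_regiis) can be done with the .NET configuration API. The following is an added example, not code from either poster; it assumes it runs inside the hosted ASP.NET application (for instance from a one-off admin page) with write access to web.config, and uses the DPAPI provider, whose key is bound to the machine that performed the encryption, so it must be run on the host itself.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example: encrypts <connectionStrings> in web.config in place.
// Assumes: runs within the ASP.NET app on the hosting server, and the
// application identity can write to web.config.
public static class ConnectionStringProtector
{
    public static void Protect(string appVirtualPath)
    {
        // "~" opens the web.config of the current application.
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section == null)
            throw new InvalidOperationException("No <connectionStrings> section found.");

        if (section.SectionInformation.IsProtected)
            return; // already encrypted; nothing to do

        // DPAPI provider: ties the encryption key to this machine's account store.
        // RsaProtectedConfigurationProvider is the alternative when the key
        // must be exported to another server.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reading the value needs no change: the runtime decrypts transparently.
    public static string ReadConnectionString(string name)
    {
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[name];
        return cs == null ? null : cs.ConnectionString;
    }
}
```

Call `ConnectionStringProtector.Protect("~")` once, then delete the page that invokes it. This removes plaintext credentials from the file on disk and from any copy taken over FTP, which is the point michielvoo makes; it does not answer 56p's objection that anyone who can upload code to the site can call `ConfigurationManager.ConnectionStrings` and read the decrypted value, which is why the transport channel still has to be secured.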
Aug 18, 2007 08:12 AM | 56p
Windows hosts need to upgrade to IIS 7 with FTPS as soon as possible and save their customers the worry.
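For the FTPS option raised in the original question and in this last post, the client side is a small change: the same FtpWebRequest upload with `EnableSsl` set, so the control channel (and therefore USER/PASS) travels under TLS. This is an added example, not code from the thread; the URL, credentials and file path are placeholders, and it assumes the host actually offers explicit FTPS (AUTH TLS), since `EnableSsl` fails rather than falling back to cleartext when it does not.

```csharp
using System;
using System.IO;
using System.Net;

// Added example: upload one file over explicit FTPS instead of plain FTP.
// Placeholder values; replace with the real host, account and file.
public static class FtpsUploader
{
    public static string Upload(string ftpUrl, string user, string password, string localPath)
    {
        FtpWebRequest request = (FtpWebRequest)WebRequest.Create(ftpUrl);
        request.Method = WebRequestMethods.Ftp.UploadFile;
        request.EnableSsl = true;              // AUTH TLS before USER/PASS is sent
        request.UsePassive = true;
        request.Credentials = new NetworkCredential(user, password);

        // Do NOT override ServicePointManager.ServerCertificateValidationCallback
        // to return true; that would accept any certificate and reopen the
        // interception scenario 56p describes.

        byte[] buffer = new byte[8192];
        using (FileStream src = File.OpenRead(localPath))
        using (Stream dst = request.GetRequestStream())
        {
            int read;
            while ((read = src.Read(buffer, 0, buffer.Length)) > 0)
                dst.Write(buffer, 0, read);
        }

        using (FtpWebResponse response = (FtpWebResponse)request.GetResponse())
        {
            // e.g. "226 Transfer complete."
            return response.StatusDescription;
        }
    }

    public static void Main()
    {
        string status = Upload("ftp://ftp.example.invalid/site/default.aspx",
                               "USERNAME_PLACEHOLDER", "PASSWORD_PLACEHOLDER",
                               @"C:\site\default.aspx");
        Console.WriteLine(status);
    }
}
```

If the host's certificate fails validation the call throws, which is the behaviour you want: a silent downgrade to plain FTP would put the credentials straight back on the wire.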