Computer Security - is that a good offer for a server installation?

#1
A person I know needs to receive large files (about 500 Mb) from his customers to be downloaded and then worked. Each customer should have his own protected area.

He has contacted a computer company (moreover distant more than 100 km from his office) that has proposed this solution:

1. buying a server to maintain in his office
2. OS Linux based upon kernel 2.6xx
3. web server & php: apache
4. firewall
5. installation of cwfm (a software that manages files; at first I believed that it should be created by them, but then I found out it is free on the net, http://cwfm.sourceforge.net); upload and download are managed via http

The economic offer was:

- installation OS Linux: configuration of linux, apache, php, dns, iptables and cwfm ---> 3000 euro (about 3600 dollars)
- maintenance ---> first year free, from the second on 1000 euro (about 1200 dollars)
- purchasing of the server is apart

I'm very doubtful about this, but the person who should buy everything is even enthusiastic about the honesty and knowledge of these people.

They insisted above all on the issue of security, as if hackers ordinarily waste their time to manage to keep wedding albums sent via the internet, and they told him that ftp is not secure for this and their program is based upon http. "It could be seriously risky for his customer privacy" !!!

Questions:

1) do you really think that http is more secure than ftp?
2) do you think http is the right solution for uploading so large files?
3) what do you think about the economic offer? Consider that I'm writing from Italy and here everything is cheaper compared to, for example, USA or northern Europe. So you have to consider higher the sum he has to pay.

Has somebody some link to correlated topics? As it seems that I have no authority with this person, which instead should have a site with articles written by knowledgeable people. I've made a search on the internet but I was not able to find anything useful.

Bye and thank you to those who will express an opinion

Giuseppe

#2

Giuseppe wrote:

> A person I know needs to receive large files (about 500 Mb) from his
> customers to be downloaded and then worked.
> Each customer should have his own protected area.
> He has contacted a computer company (moreover distant more than 100 km
> from his office) that has proposed this solution:
> 1. buying a server to maintain in his office
> 2. OS Linux based upon kernel 2.6xx
> 3. web server & php: apache
> 4. firewall
> 5. installation of cwfm (a software that manages files; at first I
> believed that it should be created by them, but then I found out it is free
> on the net, http://cwfm.sourceforge.net); upload and download are managed
> via http
>
> The economic offer was:
> - installation OS Linux: configuration of linux, apache, php, dns, iptables
> and cwfm ---> 3000 euro (about 3600 dollars)
> - maintenance ---> first year free, from the second on 1000 euro (about
> 1200 dollars)
> purchasing of the server is apart
>
> I'm very doubtful about this, but the person who should buy everything is
> even enthusiastic about the honesty and knowledge of these people.
>
> They insisted above all on the issue of security, as if hackers ordinarily
> waste their time to manage to keep wedding albums sent via the internet,
> and they told him that ftp is not secure for this and their program is
> based upon http. "It could be seriously risky for his customer privacy"
> !!!
>
> questions:
> 1) do you really think that http is more secure than ftp?

HTTPS, yes. Remember ftp sends in clear text!

> 2) do you think http is the right solution for uploading so large files?

I do it. I use a program called Horde that has a file system interface (written in php), and it works quite well.

> 3) what do you think about the economic offer? Consider that I'm writing
> from Italy and here everything is cheaper compared to, for example USA or
> northern Europe. So you have to consider higher the sum he has to pay.

I do think it is a little expensive...

> Has somebody some link to correlated topics? As it seems that I have no
> authority with this person, which instead should have a site with articles
> written by knowledgeable people. I've made a search on the internet but I was
> not able to find anything useful.

I do not have any problems with the applications. Just the price seems a little high. You get a year of maintenance? What does it include?

Michael

> bye and thank you to those who will express an opinion
>
> Giuseppe

Michael J. Pelletier

#3

"Michael J. Pelletier" wrote in message

>> questions:
>> 1) do you really think that http is more secure than ftp?
>
> HTTPS, yes. Remember ftp sends in clear text!

does the software they are going to install work under https?

>> 2) do you think http is the right solution for uploading so large files?
>
> I do it. I use a program called Horde that has a file system interface
> (written in php), and it works quite well.

I thought that ftp was a better solution for uploading so large files

> I do not have any problems with the applications. Just the price seems a
> little high. You get a year of maintenance? What does it include?
>
> Michael

thank you for your opinion

Giuseppe

#5

Giuseppe wrote:

> "Michael J. Pelletier" wrote in message
>>> questions:
>>> 1) do you really think that http is more secure than ftp?
>>
>> HTTPS, yes. Remember ftp sends in clear text!
>
> does the software they are going to install work under https?

Well, technically you can always "wrap" the web application in a directory that forces the web server to use https. So, yes, it should work.

>>> 2) do you think http is the right solution for uploading so large
>>> files?
>>
>> I do it. I use a program called Horde that has a file system interface
>> (written in php), and it works quite well.
>
> I thought that ftp was a better solution for uploading so large files

Actually the solution I like the best for this is sftp (really ssh). There are many Windows applications that will allow you to use this to speak to a Linux/BSD box running it. Linux/BSD can do it "out of the box".

>> I do not have any problems with the applications. Just the price seems a
>> little high. You get a year of maintenance? What does it include?
>>
>> Michael
>
> thank you for your opinion

Michael J. Pelletier

#6

In article <4ESwe.29182$>, says...

> A person I know needs to receive large files (about 500 Mb) from his
> customers to be downloaded and then worked.
> Each customer should have his own protected area.
> He has contacted a computer company (moreover distant more than 100 km from
> his office) that has proposed this solution:
> 1. buying a server to maintain in his office
> 2. OS Linux based upon kernel 2.6xx
> 3. web server & php: apache
> 4. firewall
> 5. installation of cwfm (a software that manages files; at first I believed
> that it should be created by them, but then I found out it is free on the net,
> http://cwfm.sourceforge.net); upload and download are managed via http
>
> The economic offer was:
> - installation OS Linux: configuration of linux, apache, php, dns, iptables and
> cwfm ---> 3000 euro (about 3600 dollars)
> - maintenance ---> first year free, from the second on 1000 euro (about 1200
> dollars)
> purchasing of the server is apart
>
> I'm very doubtful about this, but the person who should buy everything is
> even enthusiastic about the honesty and knowledge of these people.
>
> They insisted above all on the issue of security, as if hackers ordinarily
> waste their time to manage to keep wedding albums sent via the internet, and
> they told him that ftp is not secure for this and their program is based
> upon http. "It could be seriously risky for his customer privacy" !!!
>
> questions:
> 1) do you really think that http is more secure than ftp?
> 2) do you think http is the right solution for uploading so large files?
> 3) what do you think about the economic offer? Consider that I'm writing from
> Italy and here everything is cheaper compared to, for example USA or
> northern Europe. So you have to consider higher the sum he has to pay.
>
> Has somebody some link to correlated topics? As it seems that I have no
> authority with this person, which instead should have a site with articles
> written by knowledgeable people. I've made a search on the internet but I was
> not able to find anything useful.
>
> bye and thank you to those who will express an opinion

While FTP is clear, it's also a very good standard and fully supported. Many FTP programs allow the computer admin to set up User/Password/Folder without it being part of the OS security, so you can also restrict via the application without giving an OS-level account. FileZilla Server is a great FTP server and runs on many platforms.

-- 
(Remove 999 to reply to me)
Leythos

#7

In the Usenet newsgroup alt.computer.security, in article <4ESwe.29182$>, Giuseppe wrote:

> He has contacted a computer company (moreover distant more than 100 km
> from his office) that has proposed this solution:

OK - hopefully that also includes a UPS (Uninterruptible Power System) to allow time to safely shut down the system in the event of a power failure.

> The economic offer was:
> - installation OS Linux: configuration of linux, apache, php, dns, iptables
> and cwfm ---> 3000 euro (about 3600 dollars)
> - maintenance ---> first year free, from the second on 1000 euro (about
> 1200 dollars)
> purchasing of the server is apart

As the software cost is minimal (under 100 euro for a boxed set), the main costs will be "labor".

> I'm very doubtful about this, but the person who should buy everything is
> even enthusiastic about the honesty and knowledge of these people.

http://tldp.org/guides.html

The "Linux Consultants Guide" lists 102 vendors in Italy.

> They insisted above all on the issue of security, as if hackers ordinarily
> waste their time to manage to keep wedding albums sent via the internet

Script kiddiez and wankers may not be interested in the wedding albums, but they ARE interested in having access to the server - especially if it's large and on a fast network connection.

> and they told him that ftp is not secure for this and their program is
> based upon http. "It could be seriously risky for his customer privacy" !!!

FTP is not a secure protocol (everything is sent un-encoded), but neither is 'http' unless you say 'https' - notice the 's' for secure on the end.

> 1) do you really think that http is more secure than ftp?

No - but the secure version is.

> 2) do you think http is the right solution for uploading so large files?

500 Megs? Wouldn't be the way I'd do it, but you also have to think of the other end of the connection - those customers. Do they know how to use anything other than Microsoft Outlook Express? If the customers are the common click and drool idiots, https is the correct solution. If they are skilled, AND they have the right computer program, then there are other alternatives - scp and sftp being only a few of many.

> 3) what do you think about the economic offer? Consider that I'm writing
> from Italy and here everything is cheaper compared to, for example USA or
> northern Europe. So you have to consider higher the sum he has to pay.

3000 euro for install/setup? How much does a computer smart person make per hour? 10 euro (don't forget, this has to include taxes, and the cost of doing business)? That 3000 euros (less the cost of software, and shipping and travel costs) might buy a month of one person, and it includes the first year of maintenance. 1000 euro for maintenance for a year? Is that "on-site" or telephone and over the net? Again, look at the cost of travel if that is involved, and the cost of the person you will get to service the box. Is the service '24/7', or just "normal business hours"?

> Has somebody some link to correlated topics?

Look at the 'Linux Consultants Guide' and see that you have multiple bids (we require three), and make the choice from those.

Old guy

Moe Trin

#8

Moe Trin <> wrote:

> In the Usenet newsgroup alt.computer.security, in article
> <4ESwe.29182$>, Giuseppe wrote:
>> and they told him that ftp is not secure for this and their program is
>> based upon http. "It could be seriously risky for his customer privacy" !!!
>
> FTP is not a secure protocol (everything is sent un-encoded), but neither
> is 'http' unless you say 'https' - notice the 's' for secure on the end.
>
>> 1) do you really think that http is more secure than ftp?
>
> No - but the secure version is.
>
>> 2) do you think http is the right solution for uploading so large files?
>
> 500 Megs? Wouldn't be the way I'd do it, but you also have to think of the
> other end of the connection - those customers. Do they know how to use
> anything other than Microsoft Outlook Express? If the customers are the
> common click and drool idiots, https is the correct solution. If they are
> skilled, AND they have the right computer program, then there are other
> alternatives - scp and sftp being only a few of many.

There are a lot of 'secured FTP' (very different from SFTP, confusingly; we're talking FTP with SSL/TLS support here) implementations out there. Finding something compatible may be non-trivial, though. (Hint: vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for Windows and *nix clients; the first offers a free 'light' version, and the second is open source.)

The proposed security does not sound impressive - MD5 isn't that secure, especially if you have customers who are likely to choose the most bloody obvious passwords - and the actual contents are sent in the clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the command stream, and a good one will encrypt the data stream as well. [Though you may wish to consider efficiency vs. security for the data stream.]

In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured' (i.e., over SSL/TLS) HTTP or FTP is good.

If we are talking this size of file, you'll want to have support for resuming uploads. FTP has this; I've never seen it work over HTTP, mostly because it requires quite a bit of client-side logic. HTTP would require all sorts of weird, non-portable ActiveX or Javascript mess; any decent FTP client has this built-in.

Additionally, Apache is less secure than one would like. It's not insecure by any stretch, but a good FTP daemon like vsftpd is very difficult to crack.

OTOH, vsftpd does not have all the options you might wish for, many other major FTP daemons are comparable to Apache in security, and FTP-over-SSL is a headache (i.e., impossible) to properly firewall.

So, there are valid reasons for not using FTP - but there are valid reasons to use one as well.

But if we are talking the common 'click and drool idiots', I agree that being easy may be more important than actually working well. In this case, go with some ugly web app. Be sure to triple-audit it first.

I've never rendered or received commercial installation services, but the price seems quite high to me. Shopping around is a good idea.

Joachim

Joachim Schipper
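The "secured FTP" option that Joachim describes (vsftpd with SSL/TLS on both the command and the data stream) and Leythos' point that the FTP accounts should live in the application rather than be OS logins, as one added example that is not from the thread and not vsftpd's own documentation: a vsftpd.conf that refuses any login or transfer that is not under TLS, pins the passive data ports to a fixed range so the firewall can be written at all, and maps each customer to a virtual user chrooted into his own directory. Certificate paths, the public address 203.0.113.10, the port range, the ftpvirt account and the customer directory layout are assumptions.

```ini
# Added example (not from the thread, not vsftpd's own config).
# Paths, addresses and account names are placeholders.
# vsftpd does not accept trailing comments on an option line, so every
# comment is on its own line.

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES

# --- TLS: encrypt both the command stream and the data stream ---------
ssl_enable=YES
allow_anon_ssl=NO
# USER/PASS is refused unless the control connection is already under TLS
force_local_logins_ssl=YES
# file contents (data connections) are refused unless under TLS as well
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
rsa_cert_file=/etc/ssl/certs/files.example.invalid.crt
rsa_private_key_file=/etc/ssl/private/files.example.invalid.key

# --- Firewalling: once the control channel is encrypted the kernel's
# FTP connection-tracking helper cannot read PASV replies, so the only
# workable rule is a fixed, known port range for passive data ----------
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
# public address to advertise in PASV replies (documentation address)
pasv_address=203.0.113.10

# --- Virtual users: customers authenticate through a PAM service that
# reads a separate credential database, not /etc/passwd; every login
# runs as the one unprivileged system account below and is chrooted
# into its own directory -------------------------------------------------
guest_enable=YES
guest_username=ftpvirt
virtual_use_local_privs=YES
pam_service_name=vsftpd.virtual
chroot_local_user=YES
user_sub_token=$USER
local_root=/srv/ftp/customers/$USER

# --- Logging, so a failed login or an unexpected transfer is visible ----
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
```

Three things follow from this file that the thread only hints at. The PAM service /etc/pam.d/vsftpd.virtual is where the per-customer credential database is wired in (typically pam_userdb against a Berkeley DB file), which is what keeps these accounts out of the OS. The iptables rules then only need to accept TCP 21 and TCP 50000-50100 inbound, which is the answer to "impossible to properly firewall". And recent vsftpd versions refuse a chroot whose root directory is writable, so /srv/ftp/customers/<name> should be owned by root with a writable incoming subdirectory beneath it; resumable uploads (REST) need no extra option.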

#9

On 02 Jul 2005 13:37:21 GMT, Joachim Schipper <> wrote:

> There are a lot of 'secured FTP' (very different from SFTP, confusingly;
> we're talking FTP with SSL/TLS support here) implementations out there.
> Finding something compatible may be non-trivial, though. (Hint:
> vsftpd-with-ssl can be accessed by at least CoreFTP and lftp, for
> Windows and *nix clients; the first offers a free 'light' version, and
> the second is open source.)
>
> The proposed security does not sound impressive - MD5 isn't that secure,
> especially if you have customers who are likely to choose the most
> bloody obvious passwords - and the actual contents are sent in the
> clear (!). Any decent secured-FTP daemon will SSL/TLS-encrypt the
> command stream, and a good one will encrypt the data stream as well.
> [Though you may wish to consider efficiency vs. security for the data
> stream.]
> In both cases, 'unsecured' HTTP or FTP is a nightmare, but 'secured'
> (i.e., over SSL/TLS) HTTP or FTP is good.
>
> If we are talking this size of file, you'll want to have support for
> resuming uploads. FTP has this; I've never seen it work over HTTP,
> mostly because it requires quite a bit of client-side logic. HTTP would
> require all sorts of weird, non-portable ActiveX or Javascript mess; any
> decent FTP client has this built-in.
>
> Additionally, Apache is less secure than one would like. It's not
> insecure by any stretch, but a good FTP daemon like vsftpd is very
> difficult to crack.
>
> OTOH, vsftpd does not have all the options you might wish for, many
> other major FTP daemons are comparable to Apache in security, and
> FTP-over-SSL is a headache (i.e., impossible) to properly firewall.
>
> So, there are valid reasons for not using FTP - but there are valid
> reasons to use one as well.
>
> But if we are talking the common 'click and drool idiots', I agree that
> being easy may be more important than actually working well. In this
> case, go with some ugly web app. Be sure to triple-audit it first.
>
> I've never rendered or received commercial installation services, but
> the price seems quite high to me. Shopping around is a good idea.
>
> Joachim

Perfect! I couldn't agree more. Nice answer, Joachim.

FTP was *made* to do what you want to do. And it can be done quite securely.

Internet Explorer or Firefox make an easy-to-use GUI, but there are dozens of FTP clients available out there. I'm sure you can find one which is both idiot proof and compatible.

speeder

#10

In article <> you wrote:

> FTP was *made* to do what you want to do. And it can be done quite
> securely.
>
> Internet Explorer or Firefox make an easy-to-use GUI, but there are dozens
> of FTP clients available out there. I'm sure you can find one which is
> both idiot proof and compatible.

<plug>
For Windows, I've found CoreFTP to be pretty effective. It supports SSL/TLS for both command and data stream (though especially the latter is not enabled by default), and offers all the goods one would expect from an FTP client. It does require installation and doesn't look too pretty, but it's very functional. There's a free 'light' version, which offers pretty much all required features (the Pro version should be nicer, but I've never tried it).
</plug>

(No, I'm not in any way affiliated with CoreFTP.)

LeechFTP and FileZilla do not encrypt the data stream. Windows' stock FTP client is laughable.

As to *nix, people tend to be more capable. I've found lftp to be a very good client; ncftp is lacking, as it does - like many other packages - not support encrypting the data stream. The stock ftp command is quite outdated. I have not investigated graphical clients for *nix, as I have no interest in using them myself.

Browsers tend towards rather bad FTP implementations, especially where authentication and encryption are concerned. Neither IE nor Firefox is a pleasure to work with, and IIRC neither will properly encrypt command and data streams.

Joachim

Joachim Schipper