Closed GoogleCodeExporter closed 8 years ago
I don't understand the objection to the current design.
How would an attacker "figure out the URL"? The URL that is shown on the main SwiFTP control screen is just a convenient way of representing "use the FTP protocol with username X to connect to domain name Y." The username is not shown to anyone.
Are you suggesting that the username be hidden on the SwiFTP main screen?
I'm probably misunderstanding your point, but I'd very much like to be corrected.
Also, let's keep in mind that FTP is a completely insecure protocol, in that any attacker who can monitor the TCP streams knows your password and has all the data that's been transmitted.
Cheers,
Dave
Original comment by Dave.Revell@gmail.com on 13 Jan 2010 at 6:51
(reposting email reply here for completeness)
Perhaps I'm the one who is not understanding -- I assume that the URL listed on the control screen is the URL I would use to access the device from wherever on the net. Isn't it necessary for me to have that full URL to connect? Are you saying the URL syntax avoids a username prompt (as the user:pswd@host syntax does)? I'll admit I haven't actually tried using the proxy connection yet, so maybe I missed something....
OK, well now I have. I see that the first part of the URL is, in fact, used for the username, so it's no less secure than the standard syntax (and like the standard can include the password), and does not have to be part of the URL if I prefer to be prompted for it.
I'll withdraw the issue :-)
But I will take this opportunity to say that I miss the ability to log activity -- that seems to have disappeared?
Raan
Original comment by raans....@gmail.com on 13 Jan 2010 at 4:22
OK, glad we're on the same page.
I thought the server log was cluttering up the main screen. My purpose in including it was to allow better bug reports, but no one uses it for that purpose. Therefore I axed it. I'll consider putting it back in a future version.
Original comment by Dave.Revell@gmail.com on 13 Jan 2010 at 9:31
Maybe you could have a button that brings up a separate page for those who want the log. I liked the option of seeing what was going on.
Raan
Original comment by raans....@gmail.com on 14 Jan 2010 at 12:36
Original issue reported on code.google.com by raans....@gmail.com on 13 Jan 2010 at 6:41