This isn't entirely fair IMHO. Of course, FXP SSL transfers are vulnerable to "man in the middle attacks", for the reasons described by DarkOne in that thread. But the same goes for *every* normal SSL transfer too because you can never be sure that the certificate you get from the FTP server is indeed the certificate the server has sent to you. You should have a trusted third party to do the signing etc., but even then it's not 100% secure. Besides this, a "man in the middle attack" really is not easy, almost impossible even, and AFAIK has never been seen "in the wild". Therefore I would say SSL FXP is much safer than no encryption at all, and definitely not a reason to say it's almost the same as no encryption at all. Just my 2 cents.