Thread: Cpsv
11-23-2004, 04:59 PM
neoxed

CPSV support was originally removed in Beta-5.0 if I remember correctly, since darkone didn't have the time to finish the SSL site-to-site connection stuff for the initial Beta-5.0 release. Once he took some time to look at it later, he realized there was a serious flaw in the current design that didn't verify the SSL certificate's fingerprint. This in turn made the site-to-site transfer (FXP) vulnerable to MTM (man in the middle) attacks. Darkone wrote a few posts on the required changes needed to secure the current design, which unfortunately will not make it into ioFTPD until Beta-6 or so.

http://www.ioftpd.com/~darkone/tmp/secure.txt
http://www.ioftpd.com/board/showthre...&threadid=1967

Edit: Found the article/post links.