IETF-SSH archive


Re: New draft-draft of sftp...



> Jeffrey Altman <jaltman%columbia.edu@localhost> wrote:
> 
> > I am going to have to think about this concern for a bit.  However, my
> > initial reaction is that if the host has been hacked so that daemon
> > services are replaced then I think you are in bigger trouble.  At that
> > point you can't count on the contents of any of the files you may
> > receive from that server.  Depending on what they are you will be hosed.
> 
> That's a fair point in many circumstances, of course; yes.
> 
> Not every circumstance, though; suppose I was intending to download
> a bunch of archive files and then check their GPG signatures? In
> that situation I'm already protected against a malicious server
> changing the content of the files, so being unprotected against the
> same malicious server doing other damage to me is a step downward.
> 
> Cheers,
> Simon
> -- 
> Simon Tatham         "A cynic is a person who smells flowers and
> <anakin%pobox.com@localhost>    immediately looks around for a coffin."
> 

That is assuming you have an out of band means of determining what the
file names should be.  If you don't have that then you are forced to
rely on the trust of the server to provide you the correct file
listings.


 Jeffrey Altman * Volunteer Developer      Kermit 95 2.1 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 kermit-support%columbia.edu@localhost               OpenSSL.
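
The point raised in this exchange, as an added example that is not part of either message: per-file verification only covers the names the client already expects, so the server's listing has to be compared against a list obtained out of band. The manifest, file names and contents below are constructed, and a SHA-256 comparison stands in for the GPG signature check.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_download(manifest, listing, fetched):
    """Compare a server's listing and returned content against a trusted manifest.

    manifest: name -> expected SHA-256 hex digest, obtained out of band (assumption)
    listing:  file names the server claims to hold
    fetched:  name -> bytes actually downloaded
    """
    expected, offered = set(manifest), set(listing)
    report = {
        "missing": sorted(expected - offered),     # expected, but withheld by the server
        "unexpected": sorted(offered - expected),  # offered, but never vouched for
        "corrupt": [],                             # name matches, content does not
        "verified": [],
    }
    for name in sorted(expected & offered):
        data = fetched.get(name)
        if data is None:
            report["missing"].append(name)
        elif sha256_hex(data) == manifest[name]:
            report["verified"].append(name)
        else:
            report["corrupt"].append(name)
    report["missing"].sort()
    return report


# Constructed sample data: the server omits one expected file, offers one
# file the manifest does not know, and alters the content of another.
GOOD_ARCHIVE = b"constructed archive bytes"
GOOD_DOCS = b"constructed docs bytes"
MANIFEST = {
    "tool-1.0.tar.gz": sha256_hex(GOOD_ARCHIVE),
    "tool-1.0-docs.tar.gz": sha256_hex(GOOD_DOCS),
}
SERVER_LISTING = ["tool-1.0.tar.gz", "extra-file.bin"]
FETCHED = {"tool-1.0.tar.gz": b"altered bytes", "extra-file.bin": b"unknown"}

if __name__ == "__main__":
    for kind, names in audit_download(MANIFEST, SERVER_LISTING, FETCHED).items():
        print(f"{kind}: {names}")
```

Without the manifest, only the "corrupt" case would be visible to a client that checks each file it was told about.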


