There are a lot of people who are interested specifically in Sikhism-related posts on Digital Wealth. It is now possible for them to subscribe specifically to the Sikhism category.
Video tutorial showing how to optimise your SQL queries for maximum performance. Talks about indexes, statistics, hints and optimiser plans.
Shows that the FTP+GPG combination cannot be used in place of SFTP – SFTP is still more secure. Also includes a howto document on setting up passwordless, key-based SFTP for automated file transfers.
Recently, we needed to set up secure file transfer with a third party that did not support SFTP. Hence we decided to use FTP+GPG – that is, transferring GPG-encrypted files over plain FTP. For more details on GPG, visit the homepage http://www.gnupg.org/. It can also operate in ‘portable’ mode – from a USB key.
We did not realise that this combination is still significantly less secure than an SFTP-based transfer. The threats it does not address, which SFTP does, are:
- Anyone watching the network can learn the username and password used for the connection, since FTP still sends these unencrypted
- Using those credentials, someone can upload their own files to the server, which could be crafted to infect the system or to feed it malicious data
Even if GPG signatures are used (as we did after becoming aware of these shortcomings), there is still the risk of someone replaying the same, validly signed files that we already received. Even this can cause problems in certain situations. Hence, we had to resort to restricting the source IP address to combat the problem. With signatures and IP restriction in place, the whole arrangement turned out to be more cumbersome, and still less secure than SFTP.
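As an added illustration of the two receiver-side controls this post ends up relying on (rejecting replayed files and pinning the peer's source IP), here is example code that is not part of the original post; the ledger file, the allow-list ranges and the sample payload are assumptions, and the GPG signature is assumed to have been verified before this check runs.

```python
"""Receiver-side guard for an FTP+GPG drop folder (added example).

A valid signature proves who produced a file, not that it is fresh: the same
signed file can be uploaded again. This guard keeps a ledger of digests of
every accepted file and refuses duplicates, and it only accepts uploads from
an allow-listed source network. Ledger format and ranges are assumptions.
"""
import hashlib
import ipaddress
import json
from pathlib import Path
from typing import List, Optional, Tuple


class ReceiveGuard:
    def __init__(self, allowed_sources: List[str], ledger_path: Optional[Path] = None):
        self.allowed = [ipaddress.ip_network(s) for s in allowed_sources]
        self.ledger_path = ledger_path
        # Digests persist across runs so a replay after a restart is still caught.
        if ledger_path is not None and ledger_path.exists():
            self.seen = set(json.loads(ledger_path.read_text()))
        else:
            self.seen = set()

    def source_allowed(self, peer_ip: str) -> bool:
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in net for net in self.allowed)

    def accept(self, data: bytes, peer_ip: str) -> Tuple[bool, str]:
        """Return (accepted, reason). Call after the GPG signature is verified."""
        if not self.source_allowed(peer_ip):
            return False, "source %s not in allow-list" % peer_ip
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.seen:
            return False, "replay: digest %s already accepted" % digest[:16]
        self.seen.add(digest)
        if self.ledger_path is not None:
            self.ledger_path.write_text(json.dumps(sorted(self.seen)))
        return True, digest


if __name__ == "__main__":
    # Constructed sample: TEST-NET range and a stand-in for a signed payload.
    guard = ReceiveGuard(["203.0.113.0/24"], Path("received-ledger.json"))
    payload = b"-----BEGIN PGP MESSAGE-----\nconstructed sample\n-----END PGP MESSAGE-----\n"
    print(guard.accept(payload, "203.0.113.7"))    # accepted on first sight
    print(guard.accept(payload, "203.0.113.7"))    # rejected as a replay
    print(guard.accept(b"other", "198.51.100.9"))  # rejected by source IP
```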
The best way currently to establish automated file transfers is password-less (key-based) SFTP. It does not require any password to be sent over the network at all, keeps everything encrypted, and a disgruntled employee who happens to remember a password (in the case of password-based SFTP) cannot disrupt your services.