Upload files without revealing password and user name
Dewald


Joined: 03 Feb 2009
Posts: 4
Hi,

How can I upload my files without revealing my password and user name to eavesdroppers? I have an ASP.NET account.

Regards,
Dewald
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1047
Location: Felton, Delaware
Using FTP? Is this for your use, or for others?
Dewald


Joined: 03 Feb 2009
Posts: 4
Hi,

Thanks for the reply :)

FTP sends the password and user name in clear text over the internet. This is for my use.

If someone gets hold of my FTP password and user name they may access my control panel, database etc. (Given I haven't changed the default assigned user name and password HMS has given me)

I have contacted HMS on the issue and they say SFTP is only available on Linux servers.
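
What the difference looks like in a client-side session log, as an added example that is not part of the original thread: the function checks whether USER/PASS were sent before the server accepted AUTH TLS (explicit FTPS, RFC 4217), including the case where the server refuses TLS and the client falls back to plain FTP. The function name, transcripts, user names and passwords are constructed for illustration.

```python
# Added example: audit a client-side FTP session log for cleartext logins.
# All transcripts, user names and passwords below are constructed placeholders.

def audit_ftp_control(transcript):
    """transcript: ordered (direction, line) pairs, 'C' = client, 'S' = server."""
    tls_active = False        # True once the server accepts AUTH TLS (reply 234)
    data_protected = False    # True once PROT P is accepted under TLS
    auth_pending = prot_pending = False
    exposed = []              # credential commands sent before TLS was active

    for direction, line in transcript:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if direction == "C":
            auth_pending = verb == "AUTH" and arg in ("TLS", "SSL")
            prot_pending = verb == "PROT" and arg == "P"
            if verb in ("USER", "PASS") and not tls_active:
                exposed.append(verb)
        else:
            if auth_pending and verb == "234":
                tls_active = True
            if prot_pending and verb == "200" and tls_active:
                data_protected = True
            auth_pending = prot_pending = False
    return {"credentials_exposed": bool(exposed),
            "exposed_commands": exposed,
            "data_channel_encrypted": data_protected}

LOGIN = [("C", "USER exampleuser"), ("S", "331 Password required"),
         ("C", "PASS example-password"), ("S", "230 Logged in")]
GREETING = [("S", "220 FTP server ready")]

# Plain FTP: the login crosses the network readable by any eavesdropper.
PLAIN_FTP = GREETING + LOGIN + [("C", "STOR default.aspx")]
# Explicit FTPS: TLS is negotiated first, then login, then PROT P for data.
EXPLICIT_FTPS = GREETING + [("C", "AUTH TLS"), ("S", "234 AUTH TLS OK")] + LOGIN + [
    ("C", "PBSZ 0"), ("S", "200 PBSZ=0"), ("C", "PROT P"), ("S", "200 PROT P OK"),
    ("C", "STOR default.aspx")]
# Server without TLS support: AUTH is refused and the client falls back.
TLS_REFUSED = GREETING + [("C", "AUTH TLS"), ("S", "500 AUTH not understood")] + LOGIN

if __name__ == "__main__":
    for name, log in [("plain", PLAIN_FTP), ("ftps", EXPLICIT_FTPS),
                      ("refused", TLS_REFUSED)]:
        print(name, audit_ftp_control(log))
```

A client that silently falls back after a refused `AUTH TLS` gives the same exposure as plain FTP, so the client should be set to require TLS rather than merely prefer it.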
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1047
Location: Felton, Delaware
Maybe I'm just not paranoid (enough), but I don't really think this is an issue. If you're transferring stuff on a level of importance that standard FTP isn't secure enough, shared hosting probably isn't the right venue, either. I can write server side code that does things that some people don't think is possible, or at least never consider the possibilities. And let's not even get into what you can do on a CF shared account lol
Dewald


Joined: 03 Feb 2009
Posts: 4
Well, I have to admit - I'm extremely paranoid when it comes to security ;)

Ok, so what I will do is to change my FTP password after each transfer. (And obviously my HMS assigned user name and password) - and later go to a VPS and set up SFTP when the project is ready for commercial phase.

Thanks for the replies :)
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1047
Location: Felton, Delaware
It's cool, and I hope I didn't come across "wrongly". Good security practices should be praised, not ridiculed, right? ;)

Good luck with your concerns :)
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 858
Location: Newark, De
If your code isn't Windows-dependent (i.e., ASP/.NET) then a Linux account would allow the use of SFTP I believe? At the very least you get SSH that way...
cburns


Joined: 03 Feb 2008
Posts: 11
Location: Newark, DE
Jamie is right. sFTP is supported on our Linux servers, but not the Windows ones...this is because our Windows FTP software doesn't support secure connections, while that functionality is built into our Linux servers.

So if you do not need FrontPage, ASP or .NET, you can shoot an email to support@hostmysite.com to ask us to move you to a Linux server. Otherwise, you might want to consider a VPS account, where you have administrative access to the server and can install your own FTP server that supports sFTP.
whitesites
Forum Regular

Joined: 05 Jul 2004
Posts: 310
Location: Houston, TX
I honestly wouldn't be worried about FTP user/pass thing. Something I do with my websites (at least the ones on VPS) is I have them set up so the only IP that can log in to it is mine. You can do the same thing with Remote Desktop if you really want to. I have been with HMS for over 6 years, and never had a single problem with security. SQL injections are more common than anything else.
kurt


Joined: 18 Feb 2009
Posts: 18
I also wish for SFTP on Windows servers. Does HMS plan to upgrade the FTP software anytime soon so that we can have this added security?
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 858
Location: Newark, De
Unfortunately no time in the near future - it's simply not requested often enough to be high on our priority list, especially now that we've purchased Hosting.com and will be working to integrate systems with them.
kurt


Joined: 18 Feb 2009
Posts: 18
I'm guessing most customers probably aren't aware that passwords are sent in plain text. I'm sure if you told them they would all request it. Sometimes features should be implemented even if the customer isn't asking for it.
nathacof
Forum Admin

Joined: 24 Oct 2006
Posts: 192
Location: Dover, DE
jamie wrote:
Unfortunately no time in the near future - it's simply not requested often enough to be high on our priority list, especially now that we've purchased Hosting.com and will be working to integrate systems with them.


I've been pushing for it as well as some of our customers. I think it's important that we educate our customers on security, and by not offering this facility we are doing our customers a disservice, as well as teaching them bad habits.

We already have a wildcard for *.safesecureweb.com which our customers are free to use on our shared web servers. What limitations are holding us back in regards to configuring FTPs on the very same servers?

I'm guessing the number of hours it would take to retrofit the older servers may be significant, but going forward, I don't see why we couldn't set this up on new deployments.

I'll poke around and see if I can get an official stance on this from someone.
kurt


Joined: 18 Feb 2009
Posts: 18
Thanks for checking. Maybe if they knew that one of your competitors, crystaltech, does offer SFTP on their shared plans then it might be easier to convince them... SFTP is not as good as FTPS would be because Dreamweaver CS3 FTP client only supports FTPS and not SFTP. But at least it's an option for customers who are worried about security.
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 858
Location: Newark, De
True, but honestly if you're worried about security on that level then you should probably not be on shared and instead be on a VPS or even better dedicated server with a firewall + VPN. Also, it's worth noting that the vast majority of compromises nowadays come from FSO vulnerabilities or SQL injection attacks. We're working to subvert the latter with Applicure's dotDefender (www.applicure.com for more information) but I don't think that is 'live' on our shared servers just yet. We do offer it for all dedicated server accounts, however.