[ale] Still using plain FTP? Why?
David Millians
millia at panix.com
Tue Jan 20 10:01:51 EST 2015
On 1/19/2015 9:22 AM, JD wrote:
> For folks using plain FTP still, I'd like to know why?
> We all know it isn't secure and should have been removed from offers in the
> 1990s (along with telnet).
> So, if you are still using plain FTP, why?

I can't speak for them, but there's an interesting use that switched
from ftp recently.

SAT score delivery. ETS encrypts scores with GPG and then puts them on
an 'FTP' server. They mail you the link.

Since they changed, the 'FTP' link is of the form:
https://ets-scorelink.ets.org/edsasftp/SAT/SA######.###

So it's security through obscurity mixed with GPG. I don't honestly know
why they switched from real FTP to https. There must be something about
ftp traversal which is less secure than http traversal, because (on the
net, encrypted, with security through obscurity) of whatever modality is
all one and the same to my way of thinking.

They still refer to it as an FTP server in all their docs and mail:
"The FTP address is:"

All of their instructions for this data download and decryption process,
btw, refer to using Symantec PGP rather than GPG in order to do the
decryption. I suspect this is mainly to make it easier on their help
desk staff. GPG works a-ok.

Your other methods for schools to get SAT scores are paper copies and
CD-ROMS. ETS uses SSN as primary key, and sends stuff in fixed length
records (yuck) that changes every year. (double yuck)

And the CD-ROMS are a hodge-podge of data that invariably has to be
de-duplicated.