by rsync 4623 days ago
SFTP is the correct answer.

WebDAV is terrible. Run, don't walk, away from it. Nobody at Apache has any responsibility for it, the mod_dav author is totally MIA ... it's just a mess. Further, every single DAV implementation[1] is both broken and completely unique.

[1] Like DAV in Finder, or DAV in MS Word or in MS explorer, or in IE ... they are all completely different ... and also all of them are horribly broken.

2 comments

I was mostly saying WebDAV was less bad than FTP because many of its problems are (as you note) problems with the existing implementation, rather than inherent in the protocol design (though those problems do manifest a problem with the protocol design -- it tries to do too much for what most uses need and does so in a baroque manner.)
I think all this makes it clear that it is a software issue and not a protocol issue. That is my point here. People hate FTP (or SFTP/FTP-SSL/WebDAV) because the software is implemented poorly. (NOTE: I know SFTP and FTP-SSL are different protocols.)
FTP/FTPS has serious, protocol-level issues (including things that are underspecified enough that it's poor as a protocol to build apps on top of, and things that are just bad decisions.)

WebDAV arguably has fewer essential protocol level issues (aside from being overly large and baroque) -- that is, it has fewer problems that are necessarily included in a correct implementation -- but lots of implementation issues (which, arguably, stem largely from the spec being overly large and baroque.)

OTOH, even to the extent that the problems (e.g., with WebDAV) are issues with the existing software and not the protocol, the main benefit of building a specialized app to a standard protocol is interoperability with other tools using the protocol -- if the existing implementations are incomplete and buggy in mutually incompatible ways, that negates the benefit of writing to the standard.

The only reason FTP is insecure is because system admins still allow unencrypted FTP connections. POP3 and HTTP are also insecure; it's up to the system admin to block insecure connections.

With most FTP server software I know (such as ServU or FileZilla Server) once you force SSL connections, the server will disconnect users on the USER command (before sending the password) if they are connected insecurely. So only if your system administrator wants to allow insecure connections, will you be allowed to transmit the password insecurely.

Why do people still connect using the old insecure FTP standard? It's the software.

I personally think FileZilla should connect using SSL Explicit by default. IQBox defaults to SSL, and prompts the user for a fallback. So again I think it's a software issue, not a protocol issue.

What format does FTP say the output of a LIST command should have?
@mooism2 Ideally MLSD should be used, not LIST. That solves the formatting issue.
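
The LIST versus MLSD point in the last two comments, as an added example that is not part of the thread: a small Python parser for MLSD entries in the RFC 3659 `fact=value;` format, next to two LIST shapes it refuses to guess at. All sample lines and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample replies (not captured from a real server).
# LIST has no specified format, so the same file can arrive in unrelated shapes:
LIST_UNIX = "-rw-r--r--   1 alice staff      1024 Jan 15 10:30 q1 report.txt"
LIST_DOS = "01-15-13  10:30AM                 1024 q1 report.txt"
# MLSD (RFC 3659) sends "fact=value;" pairs, one space, then the name:
MLSD_LINES = [
    "type=file;size=1024;modify=20130115103000; q1 report.txt",
    "Type=dir;Modify=20130114090000.250; archive;old",
]


def parse_mlsd_line(line):
    """Return (name, facts) for one MLSD entry; raise ValueError if malformed."""
    # Fact values cannot contain a space, so the first space ends the facts.
    facts_part, sep, name = line.rstrip("\r\n").partition(" ")
    if not sep or not name:
        raise ValueError("missing pathname: %r" % line)
    facts = {}
    for fact in facts_part.split(";"):
        if not fact:
            continue  # empty piece after the trailing ";"
        key, eq, value = fact.partition("=")
        if not eq or not key:
            raise ValueError("malformed fact %r" % fact)
        facts[key.lower()] = value  # fact names are case-insensitive
    if "size" in facts:
        facts["size"] = int(facts["size"])
    if "modify" in facts:
        # YYYYMMDDHHMMSS with an optional fraction, always UTC
        stamp = facts["modify"].split(".")[0]
        facts["modify"] = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(
            tzinfo=timezone.utc)
    return name, facts


def parse_listing(lines):
    """Parse every MLSD entry; a single malformed line fails the listing."""
    return [parse_mlsd_line(entry) for entry in lines]


if __name__ == "__main__":
    for entry_name, entry_facts in parse_listing(MLSD_LINES):
        print(repr(entry_name), entry_facts)
```

Python's standard `ftplib.FTP.mlsd()` performs the same split for a live connection.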