英文:
Does goftp package provide for secure file transfers?
问题
我正在进行一个项目,目前正在使用goftp
来将一些文件上传到一个网站目录中,然后网站使用和查看这些文件。
我现在对这个设置的安全性产生了疑问,所以我已经研究了用于golang的ssh和sftp,但是我遇到了问题,这让我头疼,因为我对golang还不熟悉。
我的问题是,仅仅使用goftp
存在哪些安全威胁或问题,是否有更安全的替代方案?
提前感谢!
英文:
Im working on a project that is currently using goftp found in goftp
to upload some files into a website directory where it is used and viewed by the website.
I am know questioning the security of this setup, so I have looked into ssh and sftp for golang, but I'm running into problems and it's just a big headache, since I'm new with golang.
My question is, what are the security threats or problems of just using goftp
and are there more secure alternatives?
Thanks in advance!
答案1
得分: 3
所有普通的FTP服务器都存在安全隐患,因为它们使用明文在未加密的连接上进行身份验证。这意味着在同一网络上的任何人(尤其是WiFi网络)都可以嗅探网络流量并轻松提取用于身份验证的用户名和密码。
你已经提到了一些推荐的替代方案,如SSH和SFTP。SSH提供了使用SCP进行安全文件传输的手段。SFTP也使用了SSH提供的底层传输。还有FTPS,它使用SSL加密连接的标准FTP。
请查看这个链接以获取有关这些协议之间差异的更多信息。
在研究Go语言的FTP库时,我发现一个提及,即github.com/jlaffaye/goftp库在处理多行响应时会出错。
强烈建议使用比普通FTP更安全的协议,因此建议你查看SCP/SFTP/FTPS解决方案。这里有一个GitHub Gist,声称是使用Go语言进行SCP示例的代码。这可能是一个很好的起点。
英文:
All plain FTP servers are inherently insecure as they authenticate using plain text over an unencrypted link. This means that anyone on the same network (in particular WiFi networks) can sniff the network traffic and easily extract the username and password used to authenticate.
You've already mentioned some of the recommended alternatives, SSH and SFTP. SSH provides the means to use SCP to transfer files securely. SFTP also uses the underlying transport provided by SSH. There is also FTPS which uses standard FTP over an SSL encrypted connection.
Have a look at this link for more information on the differences between the protocols.
In researching Go libraries for FTP I came across a mention that the github.com/jlaffaye/goftp library breaks on multi-line responses.
It's highly recommended to use a more secure protocol than plain FTP so you would be better served by looking at SCP/SFTP/FTPS solutions. Here's a Github Gist claiming to be an example of using SCP in Go. That could be a good starting point.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论