Message
From
31/03/2022 08:05:58
 
 
To
30/03/2022 15:32:14
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Title: Miscellaneous
Thread ID: 01684024
Message ID: 01684035
Views: 75
>>HTTPS up/download also secure, but I guess gives more attack surface than dedicated SFTP server.
>>Al ? Care to voice opinion forged by biz reading and learning ?
>
>I don't know of any inherent vulnerabilities with SFTP. One discussion is at https://securityboulevard.com/2021/05/sftp-security-is-it-truly-secure/ .

Yupp, seems not far from my current take. They also mention dedicated SFTP server:
IMO having dedicated (at least logical, hardened VM) can be the key benefit.
You keep things there you have to expose for work, but keep internal to your company.

Different from the way I view WebDAV: mapping Collaboration documents,
sky won't fall if the few currently being worked on are exposed before they are done.

>I haven't worked with it much. One of my clients uses it to transfer files to/from government agencies. Those agencies lock down their servers hard, with IP whitelisting etc. They have to comply with some data handling regulations so I assume SFTP is "good enough" for those purposes.

Same here with some gov big iron machines and sensitive data - if they trust SFTP, why argue?

>I don't know of any simple way to securely transfer files which is suitable for general end users. I'd be interested to hear if anyone else has found anything. For example, I've used:
>
>- 7Zip encrypted archives as e-mail attachments. This requires the recipient to install 7Zip

10 years ago clients used Winzip encryption, which was easy to crack.
Have not looked at 7zip in depth: as it uses AES256 should be trustworthy?
There were Crackers for encrypted WinZip Containers - one seems to exist for 7zip.

>- Temporary/throwaway Dropbox accounts. Who knows how they retain files and can be compelled to provide them to other agencies.. Yes, the files you upload can be encrypted with something like 7Zip but if you're doing that you may as well use e-mail attachments (as long as they're not too large)

Embolded often overlooked IMO, good to spell it out.
At least host the machines and use free OS / Nextcloud or similar.

>- I haven't used PGP encrypted mail but my limited understanding is it's not trivial to implement. A significant PITA if you just want to transfer a couple of files
>- Anything which offers temporary or one-time download links can be intercepted

Mid-Nineties I HAD to implement PGP for all communication with email addresses belonging to banks.
Within a few months that switched to: "don't even think to encrypt with PGP" for all banks.
Gave me one of the few conspiracy shudders I kept:
thinking that NSA and similar wanted to dissuade / steer away from PGP practice.
Must have been early, as I still used Outlook to link PGP in.

thx & regards
thomas