Why is session reuse useful in FTPS?
I noticed that not all FTPS clients support session reuse, and I'm wondering whether it is a critical security option that should be left enabled on the server.
My guess is that it's possible for an attacker to hijack the data connection even if SSL/TLS is used for both the control and data connection, if the session reuse option is not enabled. Could anyone help confirm/disprove this and give a more detailed explanation?
I also found this: VU#2558, File Transfer Protocol allows data connection hijacking via PASV mode race condition, but I don't know if it's relevant since it doesn't mention SSL/TLS at all.
security ftp ssl tls
edited Oct 20 '15 at 6:11
Martin Prikryl
asked Oct 20 '15 at 4:30
Cyker
2 Answers
Your assumption is correct. Reusing the TLS session protects you from the theoretical possibility that an attacker hijacks an FTP data connection.
When you initiate a data transfer, the server opens a data connection port on the server (in passive mode). A possible attacker might guess the port and connect before your FTP client does, stealing your data.
If the server requires that the same TLS session is used for the data connection, the attacker will not be able to start its own TLS session, preventing him/her from decoding the data.
Another benefit of reusing the TLS session is performance, as you do not need to do a new TLS handshake for each data connection/file transfer. This matters particularly if you transfer a lot of small files.
The vulnerability you refer to is actually a superset of the problem that TLS session reuse tries to prevent.
answered Oct 20 '15 at 6:07
Martin Prikryl
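To make the server-side rule in the accepted answer concrete, here is an added example (not code from the question, the answers, or any FTPS server) that models the decision a server makes when a TLS handshake arrives on the PASV data port: accept it only if it resumes the control connection's TLS session. Real TLS resumption is replaced by a hypothetical HMAC proof of the session's master secret, and all class and function names are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed model: a TLS session as the server remembers it after the
# handshake on the control connection. Not a real TLS implementation.
@dataclass
class TlsSession:
    session_id: bytes      # sent in the clear during the handshake
    master_secret: bytes   # known only to the two handshake parties

def new_full_handshake():
    """A full handshake yields a fresh session; anyone reaching the port gets one."""
    return TlsSession(secrets.token_bytes(32), secrets.token_bytes(48))

def resume_proof(session, nonce):
    """A resuming peer proves it holds the master secret of the named session."""
    return hmac.new(session.master_secret, nonce, hashlib.sha256).digest()

class FtpsServer:
    """Hypothetical server: 'require_reuse' is the option the question asks about."""
    def __init__(self, require_reuse):
        self.require_reuse = require_reuse
        self.control = new_full_handshake()   # session of the control connection

    def accept_data_connection(self, session_id, nonce, proof):
        """Return True if the handshake on the PASV data port is accepted."""
        if session_id != self.control.session_id:
            # A new session (full handshake) is only acceptable when reuse is optional.
            return not self.require_reuse
        # Claims to resume the control session: knowing the id is not enough,
        # the peer must also prove it holds the master secret.
        expected = resume_proof(self.control, nonce)
        return hmac.compare_digest(expected, proof)

def legitimate_client(server):
    """The client that authenticated on the control connection resumes that session."""
    client_session = server.control          # same session object on both sides
    nonce = secrets.token_bytes(16)
    return server.accept_data_connection(
        client_session.session_id, nonce, resume_proof(client_session, nonce))

def unrelated_connection(server):
    """A connection that reached the PASV port first but has no control session."""
    other = new_full_handshake()
    nonce = secrets.token_bytes(16)
    return server.accept_data_connection(other.session_id, nonce, resume_proof(other, nonce))
```

With `require_reuse=True` only the peer holding the control session's secret gets the data connection; with it off, whichever connection arrives first at the PASV port is accepted, which is the race the question's VU#2558 reference describes.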
Some servers expect clients to use the same SSL session for control and data connections. Apart from that, session reuse speeds up connections because it reduces the number of round trips needed to establish an SSL connection. It might be that the clients which don't have an explicit switch to enable session reuse simply use it implicitly, like browsers do.
answered Oct 20 '15 at 4:43
Steffen Ullrich