Why is session reuse useful in FTPS?











I noticed that not all FTPS clients support session reuse and I'm wondering whether it is a critical security option that should be left enabled on the server.



My guess is that it's possible for an attacker to hijack the data connection even if SSL/TLS is used for both control and data connection, if the session reuse option is not enabled. Could anyone help confirm/disprove this and give more detailed explanations?



I also found this: VU#2558 File Transfer Protocol allows data connection hijacking via PASV mode race condition, but I don't know if it's relevant since it doesn't mention SSL/TLS at all.










      security ftp ssl tls






edited Oct 20 '15 at 6:11 by Martin Prikryl










asked Oct 20 '15 at 4:30 by Cyker

2 Answers

Accepted answer (3 votes):

Your assumption is correct. Reusing the TLS session protects you from the theoretical possibility that an attacker hijacks an FTP data connection.

When you initiate a data transfer, the server opens a data connection port on the server (in passive mode). A possible attacker might guess the port and connect before your FTP client does, stealing your data.

If the server requires that the same TLS session is used for the data connection, the attacker will not be able to start their own TLS session, preventing them from decoding the data.

Another benefit of reusing the TLS session is performance, as you do not need to do a new TLS handshake for each data connection/file transfer. This particularly matters if you transfer a lot of small files.

The vulnerability you refer to is actually a superset of the problem that TLS session reuse tries to prevent.






answered Oct 20 '15 at 6:07 by Martin Prikryl




Second answer (2 votes):

Some servers expect clients to use the same SSL session for the control and data connections. Apart from that, session reuse speeds up connections because it reduces the number of round-trips needed to establish an SSL connection. It might be that the clients which don't use an explicit switch to enable session reuse simply use it implicitly, like browsers do.






answered Oct 20 '15 at 4:43 by Steffen Ullrich
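An added example, written for this page and not taken from either answer, from any FTPS server or client, or from the vulnerability note: the policy both answers describe, in Go with the standard crypto/tls package. One demo server config serves a loopback listener that stands in for both the control port and the PASV data port. The legitimate client keeps a TLS session cache across its control and data connections, so its data handshake resumes the session the server issued on the control connection. A second, fresh client stands in for the port-guessing attacker of the accepted answer: it reaches the data port and completes a TLS handshake, but the server keeps a data connection only if it resumed, so the attacker is dropped before any data could flow. Everything specific here is an assumption of the demo: the self-signed Ed25519 certificate, the loopback address and ports, the "220" banner (the client reads it so that the TLS 1.3 session ticket, which the server sends ahead of the banner, lands in the client's cache), and the check itself, which tests DidResume only because crypto/tls does not expose the session ID; a production server compares against the specific session of that client's control connection, which also defeats an attacker who holds a control session of his own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// serverConfig makes a throwaway self-signed certificate (a demo assumption) and
// returns the server TLS config plus the root pool the clients verify it against.
func serverConfig() (*tls.Config, *x509.CertPool, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ftps-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	return &tls.Config{Certificates: []tls.Certificate{cert}}, pool, nil
}

// acceptTLS accepts one connection, completes the server handshake, writes the banner (if any) and reports DidResume.
func acceptTLS(ln net.Listener, cfg *tls.Config, banner string) (bool, error) {
	raw, err := ln.Accept()
	if err != nil {
		return false, err
	}
	c := tls.Server(raw, cfg)
	defer c.Close()
	err = c.Handshake()
	if err == nil && banner != "" {
		_, err = c.Write([]byte(banner))
	}
	return c.ConnectionState().DidResume, err
}

// Scenario: one control handshake, then one data connection from either the same client or
// (attacker set) a fresh one; reports whether the server kept the data connection.
func Scenario(attacker bool) (bool, error) {
	srvCfg, pool, err := serverConfig()
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0") // stands in for both port 21 and the PASV port
	if err != nil {
		return false, err
	}
	defer ln.Close()
	var resumed bool
	done := make(chan error, 1)
	go func() {
		// Control connection. With TLS 1.3 the session ticket is a post-handshake
		// message sent ahead of the banner, so a client that read the banner holds it.
		_, err := acceptTLS(ln, srvCfg, "220 demo FTPS ready\r\n")
		if err == nil {
			// The PASV race: the first arrival gets a handshake and is kept only if it
			// resumed. crypto/tls does not expose the session ID, so any session this
			// server issued passes; a real server compares against the control session.
			resumed, err = acceptTLS(ln, srvCfg, "")
		}
		done <- err
	}()
	client := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	ctrl, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false, err
	}
	defer ctrl.Close()
	if _, err = ctrl.Read(make([]byte, 64)); err != nil { // the banner, and with it the ticket
		return false, err
	}
	dataCfg := client // same session cache as the control connection: can resume
	if attacker {
		dataCfg = &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"} // fresh client: nothing to resume
	}
	if data, err := tls.Dial("tcp", ln.Addr().String(), dataCfg); err == nil {
		data.Close()
	}
	err = <-done
	return resumed, err
}
```

Scenario(false) returns true (the client that holds the control session resumed it on the data port) and Scenario(true) returns false (the fresh client was dropped). The round-trip saving from the second answer is the same mechanism seen from the client side: the resumed data handshake skips the certificate transmission and signature verification the full control handshake had to do (and, under TLS 1.2, a whole round trip).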



