On 03/01/11 6:38 PM, Barry Brimer wrote:
It is possible to instruct the FTPS client to keep the control channel in the clear so that firewalls that need to adjust to the ports being used can listen in on the conversation. The FTPS server has to agree to allow this to happen.
Aren't username/passwords sent in the clear then too? If so, what's the point of using FTPS?
No, they are not. On the FTPS server you can require TLS encryption of everything, auth, data, control channel, nothing, or combinations of them. In this case you would require auth+data which would mean that your control channel is in the clear, but the username/password exchange and the data would be protected. You could also use an SSL client certificate as authentication and negate the need for the password to be sent altogether.
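
The auth+data arrangement described in this reply, as an added example that is not part of the original thread: a small model of the FTPS control channel showing which commands travel under TLS and which a firewall can read. It assumes the RFC 4217 command names (AUTH TLS, PBSZ, PROT P, CCC), which the thread does not name, and both sessions are constructed sample data.

```python
# Added illustration, not from the thread. Command names follow RFC 4217;
# the sessions below are constructed sample data, not captures.

def trace_session(exchanges):
    """Return (command, control_state, data_state) per client command.

    exchanges: list of (client_command, server_reply_code) pairs.
    """
    control_tls = False    # the control channel starts in cleartext
    data_private = False   # data protection defaults to clear (PROT C)
    trace = []
    for command, reply in exchanges:
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        # Record how this command travelled, then apply its effect.
        trace.append((command,
                      "tls" if control_tls else "clear",
                      "private" if data_private else "clear"))
        if verb == "AUTH" and reply == 234:
            control_tls = True     # TLS handshake follows the 234 reply
        elif verb == "CCC" and reply == 200:
            control_tls = False    # control channel drops back to cleartext
        elif verb == "PROT" and reply == 200:
            data_private = arg.upper() == "P"
    return trace


def cleartext_commands(exchanges, verbs=None):
    """Commands an on-path observer (or a firewall) can read."""
    return [cmd for cmd, control, _ in trace_session(exchanges)
            if control == "clear"
            and (verbs is None or cmd.split(" ")[0].upper() in verbs)]


CREDENTIAL_VERBS = {"USER", "PASS"}

# Constructed session: auth + data protected, control channel cleared afterwards.
AUTH_PLUS_DATA = [
    ("AUTH TLS", 234), ("USER alice", 331), ("PASS example-password", 230),
    ("PBSZ 0", 200), ("PROT P", 200), ("CCC", 200),
    ("PASV", 227), ("RETR report.txt", 150),
]
# Constructed session: plain FTP, nothing negotiated.
PLAIN_FTP = [("USER alice", 331), ("PASS example-password", 230), ("PASV", 227)]

if __name__ == "__main__":
    print(cleartext_commands(AUTH_PLUS_DATA, CREDENTIAL_VERBS))  # credentials exposed
    print(cleartext_commands(AUTH_PLUS_DATA))                    # what the firewall sees
    print(cleartext_commands(PLAIN_FTP, CREDENTIAL_VERBS))
```

In the first session only AUTH TLS and the commands issued after CCC are readable on the wire, so the firewall can still see PASV while the login exchange stays inside TLS.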