
Data crosses the public internet in plaintext. Auditors unhappy.



Except maybe I've gpg-encrypted the files for the recipient before sending them. Users unhappy.


Is that more common than HTTPS, simpler, and a standard feature of FTP? I daresay not. In other words, you're making up a convoluted scenario and pretending it's still plain FTP, even though your toolchain got far more esoteric.


I wish GPG wasn't so esoteric of a tool, considering our email protocol situation.


It's esoteric because proper key management is a fulltime job at best.

And every attempt at doing key management better is met with hostility from many in the community (rightfully or otherwise) as they tend to sacrifice "absolute security" in the name of greater "usable security" (often by centralizing the trust system in some way).


"Proper key management is a full-time job" is such a surprisingly accurate description of the situation! <3


Aye, it's a constant battle of security versus usability. I'm on the centralizing boat, hoping that Keybase will prevail.


That's how banks send records to each other, iirc. Instead of changing the protocol, they just wrapped the data.


At least in Canada the last bank integration I worked on was FTPS (FTP over SSL). Files were otherwise in plaintext with account numbers and everything.


There were a few blog posts posted here from a payroll company not too far back. They explicitly kept using the term “SFTP” so I have some hope that at least a good portion of banks aren’t completely broken.

EDIT: http://engineering.gusto.com/how-ach-works-a-developer-persp...

I was misremembering a bit. They said “secure FTP” and then just said FTP thereafter.


Secure FTP may mean FTPS, FTP over TLS/SSL.


Yep, down below I already made that observation.

"I know, hence my edit. In my mind I read secure FTP -> SFTP, damn brain. But after rereading, I'm thinking they meant FTPS. "


SFTP is file transfer over ssh. The name is a misnomer.


I know, hence my edit. In my mind I read secure FTP -> SFTP, damn brain. But after rereading, I'm thinking they meant FTPS.


The problem with that scenario is that the recipient doesn't know if those are the right files.


To be fair, most places that say "FTP" the files are at least running SFTP. It's still a bad solution for an API, but it's not quite that bad.



