FTP datafeed security concern
July 5th, 2007, 01:18 PM #1
I have one primary concern about using FTP to retrieve my datafeeds from SAS. It is that I don't want my SAS username/password compromised.
When retrieving your datafeeds over a non-secure FTP connection, such as when retrieving your datafeeds from SAS, your login credentials are sent unprotected over the wild internet. This scares me because someone could snoop in along the way and have full access to my SAS account.
I've seen other networks address this in two different ways:
1 - Issue a separate login/password for FTP access (thus rendering the login info useless for your regular account interface)
2 - Allow FTPS or SFTP (yes, they are different) connections, thus protecting the data flying back and forth.
It makes me sick to my stomach to think of the damage that could occur if someone got a hold of my SAS account login info.
Does SAS see this as a problem, or am I just being too paranoid?
I'd love to hear others' opinions on this matter.
July 5th, 2007, 03:44 PM #2
Putting on my Data Security hat, I definitely agree that having plaintext passwords flying around is quite dangerous and can lead to compromised accounts.
Practically speaking, there are a few considerations:
- if using ssl, additional cpu and bandwidth for encrypting and transferring large amounts of data in the feed files being downloaded.
- if using separate passwords or IP restrictions, the creation and maintenance of this extra data when it inevitably changes.
- Actually pulling off a "man-in-the-middle" attack is fairly difficult, because as the name implies, it involves actually getting "in between" the source and destination. Wily hackers may be able to hack into the right box in the right place to insert themselves at a proper location to do this (say, hacking an ISP). But even if they did, the chances that they would actually target affiliate accounts would probably be fairly small.
It would be great if sensitive information was actually handled... securely... online in general, but the cost of that security must be balanced with the risk and potential damage of any security breach.
My $0.02 recommendation would be to add a separate password for ftp access and leave it as plaintext. That way, even if the password is compromised, the worst the hacker can do is download some merchants' datafeeds.
Dale
Dale LaFountain, CIO, Things From Another World (http://www.tfaw.com/) - More Comics. More Toys. More Stuff. More FUN!
14% base comm / up to 21.5% w/perf incent / 90 return days / parasite free / HUGE datafeed / Join (http://www.tfaw.com/Help/Affiliate-Information___168?qt=abw)
July 5th, 2007, 04:37 PM #3
I agree that a second set of credentials is probably the best way to go. End users don't even need to change that password. Just assign them one and that's it.
FTPS may be the easiest to quickly implement on SAS's end (depending on the FTP server, it might just require a config change). But it will result in more CPU overhead depending on how many people use it.
Technically it wouldn't require a man-in-the-middle attack to compromise your login info. Logging in to FTP over an untrusted wireless connection (GASP!) could do it, such as those wireless networks readily available at conferences. Being the paranoid guy that I am, I don't even trust my ISP.
Really what it comes down to is accepting the fact that the internet is not a trusted network and precautions should be taken to protect your sensitive data.
On a related note, it bugs me that all of the links in the SAS account manager are not https. If you've ever checked in on your stats while connected to an untrusted network (like those wireless networks at conferences) chances are pretty good that someone else has seen your stats too.
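Added example (not part of the original thread and not ShareASale code) illustrating the passive-sniffing scenario raised in the first and third posts: someone on the same conference wireless network, or at any hop on the path, does not need a man-in-the-middle position to read a plain FTP login, because USER and PASS cross the control channel in cleartext. The script feeds three constructed captures (made-up host banners, account name, password, TLS and SSH bytes; no real SAS traffic) through a credential extractor of the kind a sniffer would run. The plain FTP capture gives up the credentials; the same login over explicit FTPS (AUTH TLS, RFC 4217) or over SFTP (file transfer inside an SSH session, a different protocol from FTPS) gives up nothing, because after the TLS or SSH handshake the observer sees only ciphertext.

```python
"""Passive credential recovery from FTP control-channel captures.

All captures below are constructed for this example. They model what a
packet sniffer on an untrusted network would see; nothing here is real
ShareASale traffic, and the TLS/SSH bytes are invented placeholders.
"""
import re

CLIENT, SERVER = "C", "S"   # direction markers used in the captures

# Constructed capture 1: a plain FTP login followed by a datafeed download.
# Every byte crosses the wire exactly as written, including the password.
PLAIN_FTP_CAPTURE = [
    (SERVER, b"220 datafeed host ready\r\n"),
    (CLIENT, b"USER affiliate12345\r\n"),
    (SERVER, b"331 Password required for affiliate12345\r\n"),
    (CLIENT, b"PASS s3cretAccountPw\r\n"),
    (SERVER, b"230 Login successful\r\n"),
    (CLIENT, b"RETR merchant_1234.txt\r\n"),
]

# Constructed capture 2: the same login over explicit FTPS (RFC 4217).
# After the server's 234 reply the control channel is a TLS session, so the
# observer sees only TLS record headers (0x16 handshake, 0x17 application
# data) followed by ciphertext. The USER/PASS commands are inside it.
FTPS_CAPTURE = [
    (SERVER, b"220 datafeed host ready\r\n"),
    (CLIENT, b"AUTH TLS\r\n"),
    (SERVER, b"234 Proceed with negotiation\r\n"),
    (CLIENT, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x5e\x11"),  # ClientHello
    (SERVER, b"\x16\x03\x03\x00\x4a\x02\x00\x00\x46\x03\x03\x8c\x02"),  # ServerHello
    (CLIENT, b"\x17\x03\x03\x00\x2b\x9f\x1e\x44\x7c\x3a\xd0"),          # encrypted USER
    (SERVER, b"\x17\x03\x03\x00\x33\x0a\x2b\xe0\x91\x77"),
    (CLIENT, b"\x17\x03\x03\x00\x2f\x5d\xc1\x88\x07\x13\x6b"),          # encrypted PASS
]

# Constructed capture 3: SFTP, i.e. file transfer inside an SSH session.
# Only the version banners are cleartext; key exchange is binary and the
# user-authentication messages that follow it are encrypted.
SFTP_CAPTURE = [
    (CLIENT, b"SSH-2.0-OpenSSH_4.7\r\n"),
    (SERVER, b"SSH-2.0-OpenSSH_4.7p1\r\n"),
    (CLIENT, b"\x00\x00\x04\x14\x08\x14\x9a\x03\x2c\x71"),   # KEXINIT (binary)
    (SERVER, b"\x00\x00\x03\xdc\x06\x14\x41\xe0\x8b\x12"),
    (CLIENT, b"\x2f\x9c\x01\xb7\x55\xa2\xee\x08"),           # encrypted userauth
]

# Cleartext FTP login commands; the verb is case-insensitive per RFC 959.
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(.+?)\r?\n?$", re.IGNORECASE)


def extract_credentials(capture):
    """Return the credentials a passive observer can read from a capture.

    Walks client->server messages looking for cleartext USER and PASS.
    Once the server has acknowledged AUTH TLS/SSL with a 234 reply, the
    rest of the channel is ciphertext and is not inspected. Returns a dict
    with "user" and/or "password" keys; empty if nothing readable was seen.
    """
    found = {}
    for direction, msg in capture:
        if direction == SERVER:
            if msg.startswith(b"234"):
                break           # TLS handshake starts here; nothing more to read
            continue
        m = CRED_RE.match(msg)
        if m:
            key = "user" if m.group(1).upper() == b"USER" else "password"
            found[key] = m.group(2).decode("ascii", "replace")
    return found


def report(name, capture):
    """One-line summary of what the observer recovered from a capture."""
    creds = extract_credentials(capture)
    if creds:
        return f"{name}: recovered {creds}"
    return f"{name}: no cleartext credentials visible"


if __name__ == "__main__":
    for label, cap in (("plain FTP", PLAIN_FTP_CAPTURE),
                       ("explicit FTPS", FTPS_CAPTURE),
                       ("SFTP", SFTP_CAPTURE)):
        print(report(label, cap))
```

The extractor is deliberately dumb: it reads whatever arrives in the clear and does not tamper with the connection, which is the point of the third post. It also shows why the second post's fallback of a separate FTP-only password limits the damage rather than preventing capture: a sniffer still recovers that password from plain FTP, it just unlocks less.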