Security of script passwords


lakeside
Guru (7.2K reputation)
Group: Forum Members
Posts: 34, Visits: 121
I have noticed that passwords can be entered into web scripts for both FTP data writes and for the /encrypt attribute. However, it appears the script can be accessed and downloaded anonymously by anyone familiar with the script name and the URL pattern used by Millisecond. Is this correct? If so, what extra security does the use of passwords provide?

Dave
Supreme Being (1M reputation)
Group: Administrators
Posts: 13K, Visits: 103K
When hosting scripts and data on millisecond.com, there would only be extra security if you also encrypt the script itself. A person would still be able to download the script anonymously as you describe, but would not be able to read its contents.

Ultimately, though, the script has to be decrypted at some point and be available in plain text in order to run. I.e., a motivated attacker would be able to "participate" in the experiment and dump the decrypted contents on her/his system to obtain any (FTP etc.) passwords contained in the script.

Encrypting data files can be useful if you want to transmit them somewhere else, but there's no transport-layer encryption available to you (FTP, plain HTTP).

lakeside
Guru (7.2K reputation)
Group: Forum Members
Posts: 34, Visits: 121
Thanks. I am not a security expert but, for the record, it occurs to me the FTP account could be set up with write-only (i.e., no read or execute) permissions which should mitigate the risk of compromised user/password information.
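
An added example, not part of the thread and not Millisecond code: one way for the account owner to verify the write-only mitigation suggested in the last post. It goes slightly beyond "no read" by also checking that overwrite and delete are refused, since anyone who extracts the password from the script gets whatever the account can do. The probe file name and the `FakeWriteOnlyFTP` stand-in are assumptions constructed for the example.

```python
import ftplib
import io

PROBE = "audit-probe.txt"  # constructed file name, used only for this check


def _denied(action):
    """Return True if the server refuses the action with a 5xx reply."""
    try:
        action()
    except ftplib.error_perm:
        return True
    return False


def audit_write_only(ftp, probe=PROBE):
    """Audit a logged-in ftplib.FTP-style session for your own account.

    Every value in the returned dict is True when the account is restricted
    as intended: upload works, everything else is refused.
    """
    def upload(data):
        ftp.storbinary(f"STOR {probe}", io.BytesIO(data))

    return {
        "upload_allowed": not _denied(lambda: upload(b"probe\n")),
        "list_denied": _denied(ftp.nlst),
        "download_denied": _denied(
            lambda: ftp.retrbinary(f"RETR {probe}", lambda chunk: None)),
        "overwrite_denied": _denied(lambda: upload(b"changed\n")),
        "delete_denied": _denied(lambda: ftp.delete(probe)),
    }


def is_write_only(results):
    return all(results.values())


class FakeWriteOnlyFTP:
    """Constructed stand-in for a correctly restricted account (no network)."""
    def __init__(self):
        self.files = set()
    def storbinary(self, cmd, fp):
        name = cmd.split(" ", 1)[1]
        if name in self.files:
            raise ftplib.error_perm("550 Overwrite not permitted")
        self.files.add(name)
    def _refuse(self, *args):
        raise ftplib.error_perm("550 Permission denied")
    nlst = retrbinary = delete = _refuse
```

Against a real server, pass a logged-in `ftplib.FTP` or `ftplib.FTP_TLS` session for the data account in place of the fake.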
