FTP - Glossary

FTP Protocol Terms

Active Transfer Mode - A method of establishing FTP data connections in which the server initiates a connection back to the client, typically from server TCP port 20 to a high numbered TCP port on the client. (The client chooses the high port on which it listens.)

Passive Transfer Mode - A method of establishing FTP data connections in which the client initiates a connection to the server, typically from a high numbered TCP port on the client to a high numbered TCP port on the server. (The server chooses the high port on which it listens.)

Data centers generally prefer the use of passive mode over active mode for two reasons:

  1. Client-site firewalls (and security people) typically have fewer complaints about passive mode because, from their side, it's all outbound traffic: the client never has to accept an inbound connection on a high-numbered port.
  2. The risk of a server-resident "dial-out" Trojan horse or other malicious program is largely mitigated if the server never has to establish connections to the outside world; once the server only ever accepts connections, an egress filter on the server host becomes practical.
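The two modes differ only in which side tells the other where to connect. The following is an added example, not MOVEit code or anything from the original glossary: it builds the PORT command an active-mode client sends (RFC 959 encodes the address and port as six decimal bytes) and parses the 227 reply a passive-mode server sends. The reply text and addresses are constructed for illustration. The `passive_target` helper applies a check practitioners want: the data connection goes to the host the control connection was already made to, and an advertised address that differs (a NAT misconfiguration, or a server trying to redirect the data connection elsewhere) is overridden and flagged, which is what curl's `--ftp-skip-pasv-ip` option does.

```python
"""FTP active vs. passive data connections: build the PORT command a client
sends in active mode and parse the 227 reply a server sends in passive mode.

Added example for the glossary above; not MOVEit code. The replies and
addresses used below are constructed, not captured from a real server.
"""
from __future__ import annotations

import ipaddress
import re

# RFC 959 writes an IPv4 address and a 16-bit port as h1,h2,h3,h4,p1,p2
# where port == p1 * 256 + p2.
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def port_command(client_ip: str, listen_port: int) -> str:
    """Active mode: the client listens on listen_port and asks the server to
    connect back to it (normally from server port 20)."""
    addr = ipaddress.IPv4Address(client_ip)
    if not 0 < listen_port < 65536:
        raise ValueError("port out of range")
    host_part = ",".join(str(b) for b in addr.packed)
    return f"PORT {host_part},{listen_port // 256},{listen_port % 256}"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into
    (host, port). The six numbers are located by regex so that servers that
    omit the parentheses or vary the wording still parse."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    match = _HOST_PORT.search(reply)
    if match is None:
        raise ValueError(f"no host/port in reply: {reply!r}")
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    return host, port


def passive_target(reply: str, control_peer: str) -> tuple[str, int, bool]:
    """Decide where the client should actually open the data connection.
    If the advertised address is not the host the control connection is
    already talking to, keep the control peer and report the override; this
    covers NAT'd servers that leak a private address and servers that try to
    point the client at a third party. Returns (host, port, overridden)."""
    host, port = parse_pasv_reply(reply)
    if host != control_peer:
        return control_peer, port, True
    return host, port, False


if __name__ == "__main__":
    print(port_command("192.0.2.10", 51234))
    print(passive_target("227 Entering Passive Mode (198,51,100,7,195,80).", "198.51.100.7"))
    print(passive_target("227 Entering Passive Mode (10,0,0,5,4,1).", "198.51.100.7"))
```

Note that neither helper opens a socket; the point is the on-the-wire encoding and the sanity checks a client should apply before it connects.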

FTP Over SSL Terms

Explicit Connection Mode - A method of establishing a secure FTPS control connection in which the connection starts out unsecured on the normal FTP port and is upgraded to SSL/TLS after the client and server exchange a few commands in the clear (the client's AUTH command and the server's reply). There are two flavors of explicit mode: TLS-C (only the control connection is protected unless the client also asks for data protection with PROT P) and TLS-P (control and data connections are both protected). Both are supported by all MOVEit products. Typically run on TCP port 21.

Implicit Connection Mode - A method of establishing a secure FTPS control connection in which an SSL session is established immediately upon connection. (Similar to HTTPS's relationship to HTTP.) Typically run on TCP port 990.

Data centers generally prefer the use of implicit mode over explicit mode for three reasons:

  1. Implicit mode connections will not be mangled by "FTP-aware" firewalls. Such firewalls read the port 21 control channel to rewrite PORT/PASV addresses and open data ports on the fly; once the channel is encrypted they cannot, and some corrupt the stream instead. (Explicit mode connections often fail with "handshake failed" messages when going through certain firewalls.)
  2. Implicit mode offers no options to the client. (There are fewer options to mess up.)
  3. Implicit mode connections begin life as secure connections, ensuring no usernames or passwords are ever accidentally "leaked" by shoddy clients or fumbling users before the channel can be secured.
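Reason 3 is easiest to see on the wire. The following is an added example, not MOVEit code or part of the original glossary: it walks a control-channel transcript and reports any USER/PASS sent before the server accepted AUTH with a 234 reply, whether AUTH was refused and the client fell back to clear text, and whether the data channel was ever protected with PROT P (the TLS-C versus TLS-P distinction). The transcripts are constructed by hand, with "C:" for client commands and "S:" for server replies, and the account name and password in them are invented.

```python
"""Explicit FTPS (AUTH TLS on port 21) vs. implicit FTPS (TLS from the first
byte on port 990): audit a control-channel transcript for credentials sent
before the channel was secured and for a data channel left unprotected.

Added example for the glossary above; not MOVEit code. The transcripts are
constructed, not captured from a real server.
"""
from __future__ import annotations

from dataclasses import dataclass, field

CREDENTIAL_COMMANDS = {"USER", "PASS", "ACCT"}
AUTH_COMMANDS = {"AUTH TLS", "AUTH SSL", "AUTH TLS-C", "AUTH TLS-P"}


@dataclass
class Audit:
    secured: bool = False              # control channel is inside TLS
    data_protected: bool = False       # PROT P accepted (TLS-P behaviour)
    plaintext_credentials: list[str] = field(default_factory=list)
    events: list[str] = field(default_factory=list)


def audit_control_channel(transcript: str, implicit: bool = False) -> Audit:
    """Walk the transcript in order. In implicit mode every byte is already
    inside TLS, so nothing can leak. In explicit mode the channel is clear
    text until the server answers AUTH with a 234 reply (RFC 4217)."""
    audit = Audit(secured=implicit)
    pending_auth = False      # AUTH sent, waiting for the server's verdict
    pending_prot = None       # PROT level sent, waiting for the server's verdict
    for raw in transcript.strip().splitlines():
        who, _, text = raw.strip().partition(":")
        text = text.strip()
        verb = text.split(" ", 1)[0].upper()
        if who == "C":
            if text.upper() in AUTH_COMMANDS:
                pending_auth = True
            elif verb == "PROT":
                pending_prot = text.upper()[-1:]
            elif verb in CREDENTIAL_COMMANDS and not audit.secured:
                # Record the verb only; never copy a password into a finding.
                audit.plaintext_credentials.append(verb)
                audit.events.append(f"{verb} sent in the clear")
        elif who == "S":
            code = verb[:3]
            if pending_auth:
                if code == "234":
                    audit.secured = True
                    audit.events.append("control channel secured by AUTH")
                else:
                    audit.events.append(f"AUTH refused with {code}; channel still clear")
                pending_auth = False
            elif pending_prot is not None:
                if code == "200":
                    audit.data_protected = pending_prot == "P"
                    audit.events.append(f"data channel protection level {pending_prot}")
                pending_prot = None
    return audit


# Constructed transcripts (not real captures). A well-behaved explicit client:
GOOD_EXPLICIT = """
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: USER jsmith
S: 331 Password required for jsmith
C: PASS s3cret
S: 230 Logged on
"""

# A shoddy client logs in first and only then negotiates TLS; the password has
# already crossed the wire, and PROT C leaves file contents in the clear too.
LEAKY_EXPLICIT = """
C: USER jsmith
S: 331 Password required for jsmith
C: PASS s3cret
S: 230 Logged on
C: AUTH TLS
S: 234 Proceed with negotiation
C: PROT C
S: 200 Protection level set to C
"""

# A firewall or old server refuses AUTH and the client silently falls back.
DOWNGRADED_EXPLICIT = """
C: AUTH TLS
S: 502 Command not implemented
C: USER jsmith
S: 331 Password required for jsmith
C: PASS s3cret
S: 230 Logged on
"""

# Implicit mode: no AUTH exchange at all, the session was TLS from the start.
IMPLICIT = """
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: USER jsmith
S: 331 Password required for jsmith
C: PASS s3cret
S: 230 Logged on
"""

if __name__ == "__main__":
    for name, text, implicit in [("good", GOOD_EXPLICIT, False), ("leaky", LEAKY_EXPLICIT, False),
                                 ("downgraded", DOWNGRADED_EXPLICIT, False), ("implicit", IMPLICIT, True)]:
        print(name, audit_control_channel(text, implicit=implicit))
```

The downgraded transcript is the case to watch for in practice: an "FTP-aware" firewall that breaks the AUTH exchange does not just cause a failed handshake, it can turn a client that is willing to fall back into one that logs in over clear text.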

Certificate Terms

CA - Abbreviation for Certificate Authority

Cert - Abbreviation for "Certificate" - See SSL Certificate

Certificate - See SSL Certificate

Certificate Authority - 1. A CA certificate, i.e., a certificate whose private key is used to sign (a.k.a. "issue") other certificates. 2. A company or department which performs the operation of signing certificates (e.g., Comodo, Thawte, etc.)

"Chain Up" - A phrase which asks whether a particular certificate, the certificate's CA, the CA's CA, or any other member of the chain of CA signatures is signed by a particular CA. (e.g., "Does that client cert 'chain up' to Comodo?")

CN - Abbreviation for Common Name

Common Name - A text certificate attribute which frequently contains the username, full name, company name, hostname or email address of the person or computer a particular certificate was created for. (e.g., an SSL server cert might have a CN of "www.mycorp.com" and an SSL client cert might have a CN of "john.smith@mycorp.com")

Fingerprint - Usually, another name for "MD5 Hash", especially if SSH keys are involved. This term could also mean "SHA-1 Hash", especially if SSL certificates are involved. Either way it is a hash over the raw key or certificate bytes, short enough to compare by eye or read out over the phone; note that current OpenSSH releases print SHA-256 fingerprints (base64, prefixed "SHA256:") by default and show MD5 only on request. ("Fingerprint" tends to be the more popular term in *nix environments. See also "Thumbprint".)

Key - See "SSH Key"

MD5 Hash - A 128-bit checksum that is intended to uniquely represent an entire document or key. MD5 is old and its collision resistance is broken (two different inputs with the same MD5 hash can be produced cheaply), so it should not be relied on to identify a key or document; it survives mainly as a display format for SSH key fingerprints. SHA-1 was the FIPS-approved successor at the time this was written but has since been deprecated as well (see SHA-1 Hash); SHA-256 is the current choice.

SHA-1 Hash - A 160-bit checksum that is intended to uniquely represent an entire document or key. SHA-1 was approved by the National Institute of Standards and Technology, but a practical collision was published in 2017 and NIST has since deprecated it, with retirement scheduled for the end of 2030. Use SHA-256 or stronger for anything new; SHA-1 remains in use mostly as the legacy display format for certificate thumbprints.

SSH Key - A piece of data, a few hundred bytes to a few kilobytes in size, that is used in setting up an SSH (Secure Shell) connection. An SSH key has two components, public and private, typically stored in separate files. The private component is secret; a signature made with it proves possession, and that proof is used as identity, like a password. Any given SSH connection involves at least one keypair, the server's host key; a second, the client's key, is involved when public-key authentication is used instead of a password.

SSL Certificate - A piece of data, a few kilobytes in size, which is assigned to a particular user or server and which is digitally signed by a trusted Certificate Authority. SSL certificates are used in establishing SSL (Secure Sockets Layer, today TLS) connections. Certificates issued to servers, such as web servers, are called server certificates. Certificates issued to individuals are called client certificates. Client and server certificates are used in different ways, and it is possible to use both during the establishment of an SSL connection.

Thumbprint - Usually, another name for "SHA-1 Hash", especially if SSL certificates are involved. This term could also mean "MD5 Hash", especially if SSH keys are involved. ("Thumbprint" tends to be the more popular term in Windows environments, where the certificate viewer labels the SHA-1 hash of the certificate its "Thumbprint"; prefer the SHA-256 form when pinning. See also "Fingerprint".)

X.509 Certificate - Another name for SSL Certificate
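The Fingerprint, MD5 Hash, SHA-1 Hash and Thumbprint entries above all describe the same operation: hash the raw key or certificate bytes and print the digest in a conventional form. The following is an added example, not MOVEit code or part of the original glossary, showing how those forms are derived: the MD5 colon-hex and SHA256 base64 fingerprints ssh-keygen prints for an SSH public key (hashed over the base64-decoded key blob), the hex thumbprint shown for an X.509 certificate (hashed over the certificate's DER bytes, so a PEM file is unarmored first), and a constant-time comparison against a pinned value. The ed25519 key bytes and the "certificate" bytes are constructed filler, not real credentials; the functions do not parse either, because a fingerprint never does.

```python
"""Fingerprints and thumbprints as hashes over raw key/certificate bytes.

Added example for the glossary above; not MOVEit code. Key and certificate
bytes below are constructed filler, not real credentials.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
import struct


def ssh_wire_string(data: bytes) -> bytes:
    """RFC 4251 'string': 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_public_key_line(key_type: str, key_bytes: bytes, comment: str = "") -> str:
    """Build an authorized_keys / known_hosts style line 'type base64(blob) comment'.
    For ssh-ed25519 the blob is string(type) + string(32-byte public key)."""
    blob = ssh_wire_string(key_type.encode()) + ssh_wire_string(key_bytes)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def ssh_fingerprints(public_key_line: str) -> dict[str, str]:
    """What ssh-keygen -l prints: hashes of the decoded blob. MD5 as colon-hex
    (legacy form), SHA256 as unpadded base64 (OpenSSH default since 6.8)."""
    blob = base64.b64decode(public_key_line.split()[1])
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
        "SHA256": "SHA256:" + sha256,
    }


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END ...----- lines and base64-decode the body."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def certificate_thumbprint(cert: bytes | str, algorithm: str = "sha1") -> str:
    """Thumbprint/fingerprint of an X.509 certificate: a hash over its DER
    encoding. The Windows certificate viewer shows SHA-1; 'openssl x509
    -fingerprint -sha256' gives the form to use for pinning today."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    return hashlib.new(algorithm, der).hexdigest().upper()


def matches_expected(actual: str, expected: str) -> bool:
    """Compare a fingerprint with a pinned value. Strips an algorithm prefix
    and colons, lowercases hex (but not base64, which is case sensitive),
    and compares in constant time."""
    def norm(s: str) -> str:
        s = s.strip()
        for prefix in ("MD5:", "SHA1:", "SHA256:"):
            if s.upper().startswith(prefix):
                s = s[len(prefix):]
                break
        s = s.replace(":", "")
        return s.lower() if re.fullmatch(r"[0-9A-Fa-f]+", s) else s.rstrip("=")
    return hmac.compare_digest(norm(actual), norm(expected))


# Constructed inputs: 32 counting bytes stand in for an ed25519 public key and
# an arbitrary byte string stands in for a DER-encoded certificate.
FAKE_ED25519 = bytes(range(32))
FAKE_CERT_DER = b"not-a-real-certificate-just-constructed-bytes-" * 3

if __name__ == "__main__":
    line = ssh_public_key_line("ssh-ed25519", FAKE_ED25519, "constructed@example")
    print(line)
    print(ssh_fingerprints(line))
    print("SHA1  ", certificate_thumbprint(FAKE_CERT_DER))
    print("SHA256", certificate_thumbprint(pem_from_der(FAKE_CERT_DER), "sha256"))
```

Whichever algorithm is used for display, the comparison step is where pinning succeeds or fails: accept the value in any of the common spellings, but compare the normalised digests with `hmac.compare_digest` rather than `==`.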