New API breaks secure (https) downloads of DB backups

The new API creates database backups in the /_database folder. This folder is not available by https (not http for that matter). The only alternative is FTP download, which is insecure. It seems like secure/https (and authenticated) transport for a database backup should be available?

The lack of secure transports for backups, and lack of zipped backups files from the API is somewhat frustrating! Would appreciate some help here, thanks in advance.

At least give us the option to specify a backup folder, please.

 

I'm afraid I don't see the difference between authenticated https and FTP. If you are concerned about FTP downloads you can use FTP over SSL (IIS 7 accounts only).

People like to point at clear text FTP insecure, but it is insecure more in theory than in actual practice. Honestly, in almost 15 years in this business, I have never seen any "hack" of an FTP login either by packet sniffing or a brute force attack. Not once.

We do see FTP compromises, and they are always caused by one of two things; an easily guessable password (yes people still use them, lots of people), or a local computer virus/keylogger.

Monitoring network traffic for sensitive information was feasible (but still difficult) a long, long time ago, but the way traffic increases exponentially every year has made it too much trouble for the vast majority of bad guys and random dinks who want to get at your data. It is much easier to drop a worm onto your machine and log everything you do. In which case, of course, all the server security in the world will be ineffective.

 

The difference between authenticated https and plain text FTP is a) the user must be authenticated before being allowed access to the file and b) the transport is encrypted, not just plain text. It should be self-explanatory.

So let me try to understand; just because you, personally, have not seen such an attack, DASP customers should not worry about it? That is the wrong answer and wrong mindset for a hosting company - I hope that is not DASP's official point of view. I was just making what I feel is a reasonable request to reinstate the ability to securely download database backups.

I can't upgrade to IIS7 as I don't have a test environment for it.

 

It's not the wrong answer, it's a real world answer. And no, that is not company policy it is my opinion. As someone who has investigated thousands of exploited web sites, I will dare to continue to suggest that it is a valid opinion. You've referred to us as "dudes," before, so I assumed we could speak freely.

There's nothing wrong with taking strong security measures. Banks and large retailers have good reason to be paranoid and ultra secure. That being said I wouldn't discourage any average user from taking all the security measures they possibly can. But 99.999% of internet security hinges on passwords, and that is, always has been, and forever will be, the weak link in the chain.

And again, all the encryption, firewalls, intrusion detection systems and armed guard security in the world isn't going to keep your data safe if someone can simply log the keystrokes form your home computer. And doing that is far, far easier than pulling your password out of a flood of network traffic. That's all I'm saying. I wasn't trying to give you a hard time.

 

There is no way to move a file with FTP, except for copying it to a new location... which would kind of defeat the point, no?

 

Not exactly the best way to do it, but here's one way to move the backup file to a "/Backups" directory:

Code:

        protected void Page_Load(object sender, EventArgs e)
        {
            string dir = Server.MapPath("/");
            string dbFileName = "SQL2005_123456_dbname_backup.bak";
            File.Move(dir + "/_database/" + dbFileName, dir + "/Backups/" + dbFileName);
        }

 

Thank you.