SSL isn't the only "Secure" protocol to know

With the advent of PKI and other secure connection initiatives, most Federal web administrators have already started working out how to get their sites up using the Secure Sockets Layer (SSL) and digital certificates. This keeps all the information transmitted between the web server and the browser encrypted and helps make for a more secure site, especially for sites that have input forms for things like user names, passwords and SSNs.

However, there is another connection that should be secured with encryption, one that many people do not know about. With the growing complexity of web sites it has become prevalent to use what some call Pagemasters. These are people who are responsible for maintaining the content of a particular page or group of pages on a web site. This leaves what used to be called the Webmaster free to perform the daily system administration duties that always seem to need looking after. The Pagemasters quite often are not located in the same room, or even the same building/state/country, as the actual web server. Thus we see the use of the File Transfer Protocol (FTP).

Everyone has probably used ftp, but did you know that it sends the user name and password in the clear? Anyone with a simple packet sniffer will be able to gain access to your web server by capturing the logins of the users using ftp. But what can be done about this? People still need to get their files up to the server. Enter the Secure Shell (ssh) and its utilities.
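
To make the cleartext-login point concrete, here is an added example (not part of the original article) that reads the client side of FTP control connections, as anything on the network path would see them, and lists the accounts whose passwords crossed the wire unencrypted. The capture data, addresses and account names are constructed for illustration; only the password length is reported.

```python
import re

# Constructed sample: client-to-server bytes of FTP control connections
# (TCP port 21), keyed by (client address, client port).
CAPTURED = {
    ("192.0.2.21", 40112): b"USER pagemaster1\r\nPASS Spring2001!\r\nCWD /htdocs\r\nQUIT\r\n",
    ("192.0.2.35", 40587): b"user anonymous\r\npass guest@example.org\r\nQUIT\r\n",
    ("192.0.2.48", 41200): b"USER pagemaster2\r\n",  # dropped before PASS
    ("192.0.2.77", 40290): b"USER pagemaster1\r\nPASS Spring2001!\r\nQUIT\r\n",
}

# FTP commands are plain text, case-insensitive and terminated by CRLF.
COMMAND = re.compile(rb"^(USER|PASS) +(.*)$", re.IGNORECASE)


def exposed_logins(stream):
    """Return [(user, password_length)] for every USER/PASS pair in a stream."""
    findings, user = [], None
    for line in stream.split(b"\r\n"):
        match = COMMAND.match(line)
        if not match:
            continue
        verb, arg = match.group(1).upper(), match.group(2).decode("latin-1")
        if verb == b"USER":
            user = arg
        elif user is not None:  # a PASS that follows a USER
            findings.append((user, len(arg)))
            user = None
    return findings


def audit(captures, ignore=("anonymous", "ftp")):
    """Map each real account to the client hosts that sent its password in clear."""
    report = {}
    for (client, _port), stream in captures.items():
        for user, _pw_len in exposed_logins(stream):
            if user.lower() not in ignore:
                report.setdefault(user, set()).add(client)
    return report


if __name__ == "__main__":
    for account, hosts in sorted(audit(CAPTURED).items()):
        print(f"{account}: password exposed from {', '.join(sorted(hosts))}")
```

Every account this reports should have its password changed and its owner moved to an encrypted transfer method.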

Ssh is an encrypted connection to a remote host running an ssh server. This gives you the ability to log onto a system with an encrypted session so that everything, your name and password as well as your keystrokes, is unreadable by any sniffer. One of the very handy tools that comes with most ssh implementations is a secure copy tool, usually called scp. Scp will let you transfer files from one computer to another over an encrypted connection. This way, whenever a content manager needs to update their web pages, they can send the files up to the web server knowing that their user name and password are relatively safe.

The UNIX world has had ssh servers and clients for a while now, but over the last few years these tools have become available for the WinXX and MacOS platforms. There are both commercial products, usually running around $100 for the clients, and also free ones. If you go to a search engine (I personally recommend Google <http://www.google.com>) and search for "ssh", it shouldn't take you long to find some links to follow to get one of these tools for your platform of choice.

Having an encrypted connection to your server is a Good Thing<tm> but you have to take into account any other ways people might access your system. Using an ssh/scp option for file transfers will greatly aid in the securing of your server and help keep your site off of the attrition.org mirror of pages that have been hacked.

[Joe Klemmer has been working in the computer field for 18 years, 10 of those online. He can be reached at joe.klemmer@us.army.mil]