Introducting SFTP over WebSockets

Lukas Pokorny — Sat, 10 Jan 2015 20:46:53 GMT

Contrary to common belief, SFTP doesn't stand for "Secure FTP" or "Secure File Transfer Protocol", but for "SSH File Transfer Protocol". This is actually a double misnomer:

Although SFTP is almost always layered on top of an SSH channel, it could just as well run over any reliable data stream.
SFTP is not really a file transfer protocol, but rather a simple remote file system protocol.

Because SFTP isn't related to the legacy FTP protocol at all, it doesn't suffer from it's shortcomings - FTP is notoriously firewall-unfriendly due to awkward distinction between control and data connection, and is not well-suited for much more that simple file upload or download.

Given the benefits of SFTP, it's not a surprise that lot of people have been looking for ways to use SFTP to transfer files from a web browser directly to an SFTP server. Some of them already had an SFTP server and wanted to eliminate the need of forcing their customers to install a stand-alone SFTP client, others just wanted to get rid of the nightmare of AJAX-based uploads.

The Past: Black Magic of AJAX

At Rebex, we got numerous questions from those unfortunate people, and we always had to reply that unfortunately, it's impossible to implement a web-based SFTP client unless the browser is extended with third-party plugins. And even though it's easily possible to transfer files between the web server and and SFTP server (using a suitable library), the transfer between the web browser and the web server has to be done by HTTP or the black magic of AJAX. Which was the very technology our customers wanted to get rid in most cases...

The Future: SFTP over WebSockets

Fortunately, those sad days will soon be over. Modern web browsers support WebSockets, a technology that makes it possible to open an efficient and persistent packet-based communication session between a web browser application and a web server. Because the SFTP protocol is packet-based as well, it's actually a perfect match. Additionally, the asynchronous nature of the SFTP protocol makes it ideal for the JavaScript environment. When the two protocols are combined, any modern web browser is perfectly capable of communicating directly with any SFTP server that supports SFTP over WebSockets, eliminating the need to use clunky and proprietary AJAX-based solutions.

Of course, there is a catch. SFTP servers only support SFTP over SSH for now, which means they can't be accessed by web browsers directly. I am currently trying to eliminate both of these issues:

I'm writing a SFTP over WebSockets server package for Node.js. Includes a client as well.
I also plan to write a proxy that adds SFTP over WebSockets support to any server that currently supports SFTP over SSH.

So far, everything is looking good. My SFTP/WS server is already working, and a proof-of-concept browser-based SFTP client should be ready soon!

If you are interested in SFTP over WebSockets, please let me know.

We have your email account

Lukas Pokorny — Thu, 11 Dec 2014 16:11:00 GMT

TL;DR: OSQA's update checker silently sends all administrator emails and other 'statistics' to DZone (its vendor) which uses it to spam its users with offers to upgrade to AnswerHub, a commercial alternative to OSQA. Do they seriously expect me to trust them with my data now?

I am well aware that some companies use questionable tactics. Usually, I don't care. But when they implement an 'updater' functionality whose main purpose is sending a list of administrator e-mails back home to the vendor (without my consent), it's simply too much.

Update: Soon after I published this blog post, I got a reply and atteched it to this blog post with OSQA's permission. If only it arrived sooner...

OSQA in troubles

At Rebex, we have been using using OSQA, an open-source Q&A system, to power our Q&A forum since 2010, when fee-based StackExchange 1.0 was discontinued. Although OSQA had its share of quirks, it mostly suited our needs. Unfortunately, a lot of OSQA sites have become a target of spam and the problem got quite out of hand recently, with hundreds of spam user accounts created every single day, possibly by some badly-written botnet. Dealing with this manually is no longer an option and we started looking into possible solutions.

One straightforward solution would be migrating to AnswerHub, a hosted Q&A platform from DZone, the makers of OSQA. Unfortunately, it has one major drawback - it doesn't have a publicly-known price, which usually translates to it will cost you a lot. But it was still on our shortlist, along with migrating Q2A, which got harder because DZone removed the exporter modules from OSQA few years ago.

We have your email account

Fortunately, AnswerHub made our decision easier by their super-aggresive marketing tactics. When I received an e-mail from them offering a free trial, it annoyed me a bit because I don't remember sharing my e-mail address with them. When I received a similar e-mail three days later, it annoyed me even more. But at least I thought they are trying, I thought - my e-mail is not exactly private.

But when half of my colleagues received the same e-mail, some of them to their private e-mail addresses, we all became a bit suspicious. Where did DZone got all those e-mails from? When we discovered that these e-mails are exactly those we used to register ourselves on our forum, the suspicion grew even more. What is going on here? Have the folks at DZone planted some kind of backdoor into OSQA?

So we asked, and got a reply within minutes. Unfortunately, it was very strange:

"As the creators of OSQA we have your email account."

Seriously? Now, I was becoming genuinely freaked out. The fact they used the term "email acount" instead of "email address" did not help either. I don't care about my e-mail address, but does this mean that the creators of OSQA might actually have e-mails of our customers who registered to our forum as well?

So I wrote another e-mail, where I asked:

"I’m a software engineer and I don’t understand! How is this possible? I have not installed your software myself and have not registered my e-mail with you. Does this mean your staff can actually access the administrator section of our forum?"

I hit the "Send" button and impatiently waited for a reply. But there was none. I interpreted this as "there is indeed something fishy going on and we don't know what to say now" and started looking into OSQA source code for possible backdoors.

Not a backdoor, but...

Fortunately, I have not found a backdoor. Instead, I found this. The good folks at DZone added code to their software that sends e-mail addresses of all administrators back home on every update check, and they somehow forgot to ask for a permission. And along with the e-mail list, they send some other useful info too:

They call this statistics in their code. And no, they don't ask for a permission to send this data - their UI clearly states that the purpose of the updater module is to receive notifications about the latest updates:

No, I really don't see any mention of "sending a list of administrators and other sensitive information" back home! But at least our customer's e-mails are safe.

OSQA's commit history reveals that this started gradually. The first version of the updater module was almost innocent. But soon they added administrator email sending, reporting of active user count since last update check, and so on. In the end, a database of all those statistics became useful for their marketing department. And while I don't have anything against marketing, I really don't like companies stealing potentially sensitive personal and business information behind my back and without my consent. And no, the fact that the software was free does not help.

Although this might not be illegal, it's definitely unethical. How can I trust AnswerHub with my and customers' data now? It's simple - I can't! I have no idea what they might be doing with all those useful information behind our backs.

And by the way, I have not received any reply from DZone yet. It's been 24 hours already. Quite suprising for a company that proudly calls itself fast-paced...

Update 1: Just found out I'm not the first one to complain.

Update 2:: Finally, I got a reply several hours after publishing this blog post:

Hi Lukas,

I am sorry I didn't reply sooner but I had to sit down with my technical team to make sure I understood exactly how we got your email address, not account. However, it has come to my attention that you have already discovered this by your own research. We plan to update the installation documentation to make it clear that we collect this information when updating. AnswerHub never sells this OSQA data nor the data of any AnswerHub users, as AnswerHub customers own all their own data.

I want to assure you that we truly meant nothing malicious by the email campaign. We've had some great success stories migrating OSQA users over to AnswerHub and our wish was just to make all OSQA users aware of the option.

I am sure at this point you don't wish to have further communication or provide further information. If you wish to give us an address, I'd be happy to send you a package to further extend our sincerest apologies for the inconvenience. If not, I certainly understand.

Sincerely,

...

Well, I have to admit the OSQA team can respond profesionally. When they do respond. Would they eventually respond as well had I not published the blog post? I don't know, of course. I hope they would.