
Re: Where are the SSH keys stored, please?

Mickey, you seem to be defending the practice. While a large portion of the users don't even know how SFTP works, you should still build in proper security. What you have, accepting any key that comes along, is absolutely not secure. Yes, the traffic is encrypted, but with no supervision of the key, anybody in the middle can jump into the conversation and monitor everything.

Yes, more is required than just putting Wireshark on the line (as with FTP), because SFTP *IS* encrypted, but by not enforcing identity, what you are basically doing is saying Syncback encrypts traffic over SFTP, but doesn't care who it's talking to. I'm sure the hackers have a Man-in-the-middle (MITM) package to do this with very little effort. Hopefully, you understand the hole.

I find this stunning because I've used Syncback SFTP for many years, and I now realize I wasn't secure doing so because you didn't implement the entire SFTP model, only half of it. I could have been sending my data to anyone in between me and my servers.

Highly disappointing.

It's like saying you locked my front door all these years, and now I find you were putting the key on the bench next to the front door!!!
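
The host-identity check this post says is missing, as an added example that is not part of the original post and is not SyncBack's code: the client pins a server's host key fingerprint and refuses to continue when an unknown or different key is presented. The class and function names, the host name and the key blobs are hypothetical, and the blobs are constructed sample data rather than real keys.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public host key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Pinned host key fingerprints, keyed by (host, port). Hypothetical helper."""

    def __init__(self):
        self._pins = {}

    def pin(self, host, port, key_blob):
        self._pins[(host.lower(), port)] = fingerprint(key_blob)

    def check(self, host, port, presented_blob):
        """Return 'match', 'unknown' or 'mismatch' for the key a server presents."""
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return "unknown"
        if hmac.compare_digest(pinned, fingerprint(presented_blob)):
            return "match"
        return "mismatch"


def connect_decision(store, host, port, presented_blob, user_confirms=None):
    """Decide whether to continue, before any password or data is sent."""
    verdict = store.check(host, port, presented_blob)
    if verdict == "match":
        return True
    if verdict == "unknown" and user_confirms is not None:
        # First contact: show the fingerprint so the user can compare it
        # with one obtained from the server operator out of band.
        if user_confirms(host, fingerprint(presented_blob)):
            store.pin(host, port, presented_blob)
            return True
    # A changed key, or an unknown key nobody confirmed, aborts the session.
    return False


# Constructed sample blobs in SSH wire layout (type string + 32-byte key).
SERVER_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
OTHER_KEY = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(1, 33))
```

A client that returns `True` for every presented key, which is the behaviour the post objects to, has no way to tell `SERVER_KEY` from `OTHER_KEY`.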
