Securing Connections from Windows 95 or NT

Replacing Telnet

Free:

• Cigaly's free SSH client
  Note that if you use this, you'll need to obtain another library from another location. The URL has all the details.
• TTSSH
  This is a plug-in for another free terminal program, "TeraTerm Pro", so you'll need to get both. I haven't tried this yet but it sounds spiffy.
  ask@valueclick.com says: TTSSH works very well for me when I'm stuck on a
• Fresh FiSSH
  No idea, haven't tried this one, let us know if it works for you.
• MindTerm, a java client.
• PuTTY
  One success story from Tim Chambers <tbc@netbox.com>. Thanks, Tim. If others use it, let us know.
  ask@valueclick.com says: If I need a client now and for the next 5 minutes on a windows box I'm using the PuTTY client. Doesn't need to be unpacked or installed or anything. Just download, execute, work. Thanks, Ask!

Commercial:

• F-Secure SSH
  This is the one I've used since it came out a few years back. Something of a dog, but works fairly well. $99?
• Van Dyke Secure CRT
  This one looks & feels a bit nicer. $110?
• Zoc
  This is a dialup and terminal program that a couple of people have recommended. $60?

Not recommended (currently, this may change):

• Any of the "Cygwin" ports of the Unix standard SSH distribution. There are a couple out there on different pages, and I would recommend against them as they don't have a GUI and also expect certain things that aren't really present on a Win32 box, like a $HOME environment variable, etc. Given that there are a couple good free GUI-based tools, particularly those with source, why bother? The only benefit is that you can drive these programs from the command line, so for those of you who are more technical and want to use the ssh client for some scripting capabilities, then it might be worth it.
• Any tool that doesn't include port forwarding, aka "tunnelling". This is essential to being able to secure other protocols, like FTP or POP.

If you have any contributions to make to this list, let us know. You might also see references to "SSH 2" when looking around. This is a next-generation of the SSH protocol. Currently, I'm not running an SSH 2 server, since there is not a demonstrable benefit or need for it, and since SSH 2 clients are not free, or at least "as free" as the SSH 1.x family. Let me know if you know of a reason why we might want to support SSH 2, other than "because 2 > 1". However, if you plan on purchasing a commercial SSH client from F-Secure/Datafellows, then you might as well get the SSH 2 version since it can be used on 1.x SSH servers.

Securing FTP

There is no generally useful totally secure replacement for FTP yet. When development tools using WEBDAV start coming out (like Office 2000) then conceivably they could become "secure" by publishing to a secure HTTP server. For the time being, we have to rely on the use of SSH to tunnel FTP connections. See this document for more details on how to configure your SSH client to handle FTP.

Not all FTP clients, though, support this FTP tunnelling. I haven't yet found a completely free FTP client that works, that also has a typical nicer FTP interface than Netscape has. Here is a list of clients we have tested, and whether they worked or not:

Working:

• Netscape
  Yeah, it's ugly and a crappy FTP client, but it works. I tested this with 4.5, but 4.0 should work as well.
• FTP Voyager
  This is a decent, full-featured FTP client. 30-day eval, then $38 for a license.
• Absolute FTP 1.6 Some folks prefer this one. 30-day eval, then $28. Mike Brown says it works great.
• File Dog 1.31 Very cool scriptable FTP client. 30-day eval, then $28
• CuteFTP 3.5 Many people like this. Be sure and set it to use PASV mode under FTP->Settings->Options->Firewall. $40 after a trial period.

Doesn't work:

• eLeetFTP, v1.0
• Kaufman FTorpedo, v1.00
• SimpleFTP, v2.0.1
• CuteFTP, v2.8B1
• BreezeFTP, v2.1a

Let us know if you have others to add to this list, or updates on the "doesn't work" list. Some of the SSH vendors appear to be working on their own type of secure-file-transfer program, which would encrypt the files along with the control connection, but nothing like that is currently available.

Finally, you could consider FTP'ing from hyperreal to a server sitting on your personal computer. This will only work if you don't have a firewall between you and Hyperreal which might prevent incoming FTP connections; it would probably also not work for ISP's like AOL that use "network address translation" to make a bunch of computers look like the same IP number to the outside world. Otherwise, this should work; just be sure to change passwords on your FTP server frequently, and of course to take it down when you're not using it!

A good FTP server for Win32 is at http://home.sol.no/~jarlaase/tftpd.htm.

Securing POP

POP, or Post Office Protocol, is the protocol used for downloading email from the server to your desktop. It is used by Eudora, by Netscape, by Outlook, by Pine, by just about every decent mail user-agent out there.

There are two mechanisms for securing the password in POP:

• APOP
  Clients supporting: Eudora (3.0.6 or greater), ????
• S-POP Clients supporting: Netscape?, ????

Each page above explains how to configure it. If you have a mail program other than Eudora or Netscape, please let us know if they support any type of security protocol, like APOP or SPOP. If they don't, there is still a way to secure POP, much the same way we secured FTP. Follow the instructions we gave for FTP, but instead of using port 21, use port 110, which is the default port used by POP. This will cause your POP connection to tunnel over your SSH connection to fetch your email locally. However, like the FTP tunnel, this means you must be logged in via SSH in order to use this.