Is YouSendIt.com insecure?
December 16, 2009 6:21 AM

Is YouSendIt.com insecure? I need to send large files to a client in Dubai (I'm in Los Angeles). Their IT guy wants me to upload to their ftp server because he says YouSendIt is insecure. Fine with me, but I keep getting error messages. I'm pretty knowledgeable about ftp, and I think the problem is on their end, as their server keeps kicking me off.

I really need to get these files to them, and YouSendIt Pro (using YouSendIt express, their standalone app) always does the trick for me.

YouSendIt's security FAQ seems pretty robust, and Googling turned up no complaints from users about security issues with the site.

I'm sending the files right now via YouSendIt because I think his assessment of the security problem is unfounded and I have to get the files over there. Am I off base?
posted by ljshapiro to Computers & Internet (34 answers total)
 
I can only give you my anecdotal experience: I've sent two large files via YouSendIt, and both times the files originated and ended in the US. I had no problems and my recipient had no problems.
posted by dfriedman at 6:24 AM on December 16, 2009


If your client is concerned about security, can't you just encrypt the files first and then send them via yousendit?
posted by Admiral Haddock at 6:28 AM on December 16, 2009 [1 favorite]


Generally, when people say it's "unsecure" it means they have no way to check how secure it really is. I have no problem going with the method that makes someone more comfortable.

Remember that this is a client so you should make them happy even if it means a little extra hassle.
posted by JJ86 at 6:30 AM on December 16, 2009


I'd say use their FTP server, and use an FTP client that supports resuming uploads. Personally, I wouldn't put confidential business files on a third-party server like YouSendIt. (And it's unprofessional.)

Alternately, host the files yourself and give them the link to download from your own website/FTP server.
posted by reptile at 6:36 AM on December 16, 2009


I can't imagine how FTP could be considered secure. If the guy says an FTP server is secure, it's an indication that they may not know what they are talking about. Consider that aspect when you are considering whether you should ignore his wishes :)

+1 on encrypting the file.

Also, not directly applicable here, but: sftp is more secure than ftp. Sftp is FTP-over-SSL, kind of.
posted by krilli at 7:02 AM on December 16, 2009


Well, YouSendIt is using a third party rather than going directly to their server, so that's one fundamental way it's less secure, sure. If the FTP server is a secure one itself, then that also removes some other worries.

I'm with JJ86 most of all, though. Not only is it unprofessional, it's just weird to argue this unless you're their security consultant. Why would you want to argue with your own client about something like this? Why are you flat-out ignoring the client's request and doing it the way you want anyway?

This had better not be an important client.
posted by rokusan at 7:03 AM on December 16, 2009 [1 favorite]


FTP isn't secure. Even the passwords are sent in the clear.
posted by one more dead town's last parade at 7:09 AM on December 16, 2009


What? Of course FTP can be secure. Run it over SSL or with SSH (aka SFTP).
posted by rokusan at 7:14 AM on December 16, 2009


Plain FTP doesn't offer transport-layer security. That said, if you're using it to transmit an encrypted file, and don't allow GETting of files once they've been uploaded (make it a drop-box), it's not so bad. And, it's still very very widely used, for better or for worse. (Running it over SSL is 100x better, obviously.)

There could be other reasons the remote admin is complaining: perhaps he doesn't let his users access that site, or perhaps Dubai has a country-wide filter that blocks it (I have no idea).

The point is you're entrusting the file in question to an unvetted third party. Many, many organizations would balk at that.

Don't argue with the client about security unless that's what you're paid to do. You're just taking on liability you don't need. Personally, as a security guy, I wouldn't use YouSendIt for anything that wasn't for public distribution.
posted by These Premises Are Alarmed at 7:15 AM on December 16, 2009


Best answer: Encrypt the file first whether it goes FTP or YouSendIt. It's true that YouSendIt is a third party, but with FTP your data is still traveling over third party networks. So, you're a little wrong and he's a little wrong. Encrypt, encrypt, encrypt.
posted by paulg at 7:33 AM on December 16, 2009


Not what you're asking but in case it'll help: I recently started a project pulling half a TB of mildly sensitive data over SFTP from a server across an ocean, and the staff admining the remote server recommended either CuteFTP Pro or FileZilla, since both those clients support lots of security options. But CuteFTP Pro costs money and FileZilla was throwing errors (I suspect it had a problem with the sheer number of items within the remote directory). I ended up using a program called Core FTP. It's not perfect and the interface is a little clunky but it supports all the security options I need and seems pretty robust. Supports transfer resuming. I can just tell it to grab a 15 - 20 GB chunk and watch it churn for 24 hours, auto-reconnecting and resuming transfers along the way.
posted by BeerFilter at 7:44 AM on December 16, 2009 [1 favorite]


Yeah, just Nthing that your client may not know what they're talking about, given that ftp login is not secure. SFTP login is encrypted.

But, they're your client -- make them happy, encrypt the file, and send it via ftp (or sftp, if that's what they are indeed talking about).
posted by liquado at 7:57 AM on December 16, 2009


I work in a client-services capacity and often have to send files back and forth with clients. I would get *laughed at* if I suggested using YouSendIt.com or any other third party transfer mechanism. Nthing unprofessional. Do it the way they want it.

May as well send it via rapidshare...
posted by jckll at 8:39 AM on December 16, 2009


Shorter version of the question:

Client says they don't want me to do X. I'm doing X anyway because I know better than them. Am I off base?

The answer, of course, is yes, for any value of X, if your goal is to continue working with this client.

(If you're having trouble with their ftp server, one option would be to place the file on your own FTP or in a password-protected area on your web server and let them download it from you instead. I very much agree with those above who say that using a consumer-oriented service like YouSendIt for client work looks extremely unprofessional.)
posted by ook at 8:47 AM on December 16, 2009


You're giving the file to some third party. Of course that's not secure! Even plaintext ftp is better than yousendit. Heck, if they can't offer you sftp or ftps then encrypt the file. If the client is encryption clueless then you can encrypt it with 7zip, use AES and they can decrypt it with 7zip or Winzip for free. Don't email the passphrase, just have them call you for it.
posted by damn dirty ape at 8:53 AM on December 16, 2009


adrive.com has fat pipes and doesn't have the warez stigma of rapidshare and yousendit. Nthing encryption recommendations.
posted by porn in the woods at 9:00 AM on December 16, 2009


The FAQ claims all manner of precautions. You have no way to verify that these precautions have really been taken. You have no way to know that there are no security holes in the implementation of the precautions. They say "Our server rooms are protected by an iris scanner", but how do you know that the employees are to be trusted, or that the server doesn't belong to the FBI or a bunch of gangsters or a teenager in a basement with delusions of grandeur?

Security decisions like this are for your client to make, not for you to make.

I suggest asking this IT guy to help fix your problems with the FTP site.
posted by emilyw at 9:02 AM on December 16, 2009


JetBytes sends the file from you to them, via a live socket connection. The file never resides on the JetBytes server. Maybe that'll work?
posted by lexfri at 9:34 AM on December 16, 2009


And yes, while you should not be arguing with your client about this, secure transmission is really working the wrong end of the problem, here.

As others have said, encrypt the data, and then it doesn't matter how you send it. You could post a link on a public web page, even.

If something requires security, it deserves encryption. If you're not encrypting it, you don't care about security.
posted by rokusan at 9:57 AM on December 16, 2009


Response by poster: I understand the comments about pleasing the client, but the IT guy isn't answering my emails and I have a deadline that will be missed because he's not getting back to me. His server cut off my ftp upload 3 times.

I'm not arguing with my client - my client's IT guy isn't communicating with me to solve the problem, and I have a deadline that will be missed because of it, so I made a choice.

I have sent files to this client via YouSendIt before and they've had no problem receiving them, so it's not an issue about receiving YouSendIt in Dubai.

My question mostly is about whether YouSendIt is secure, and no one here has really answered that part of the question. Maybe it's not possible to know the answer.
posted by ljshapiro at 11:03 AM on December 16, 2009


His server cut off my ftp upload 3 times.

Sometimes you need to make sure the server isn't idling out. MS FTP is notorious for this. The client can be set to give keep alives if need be. I know Filezilla does this.

You can sometimes sidestep connectivity issues with large transfers by breaking the file into 1 megabyte chunks using zip, tar, rar, or whatever. Send them all the chunks. If one fails it will go to the next chunk and then retry the failed ones.


My question mostly is about whether YouSendIt is secure, and no one here has really answered that part of the question.


Define secure. I think a lot of people have addressed the issue: if you use encryption then don't worry. If you didn't, then worry. YouSendIt isn't going to pay you back damages if they get hacked tonight and everyone has your files or if a bored admin goes through your stuff and puts it on p2p.
posted by damn dirty ape at 11:10 AM on December 16, 2009
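
The chunk-and-retry approach from the comment above, as an added example that is not part of the original thread: it splits a file into 1 MB pieces, records a SHA-256 digest per piece, and lets the receiving side work out exactly which pieces must be sent again. It assumes the file was already encrypted as recommended elsewhere in the thread; the function names and `manifest.json` are hypothetical, and the digests catch truncation or corruption in transit, not deliberate tampering, unless the manifest reaches the recipient over a separate trusted channel.

```python
import hashlib
import json
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # 1 MB pieces, the size suggested in the comment


def split_with_manifest(src, out_dir, chunk_size=CHUNK_SIZE):
    """Split src into numbered chunks and write manifest.json beside them."""
    src, out_dir = Path(src), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    whole, chunks = hashlib.sha256(), []
    with open(src, "rb") as f:
        while block := f.read(chunk_size):
            name = f"{src.name}.{len(chunks):05d}"
            (out_dir / name).write_bytes(block)
            whole.update(block)
            chunks.append({"name": name, "size": len(block),
                           "sha256": hashlib.sha256(block).hexdigest()})
    manifest = {"file": src.name, "sha256": whole.hexdigest(), "chunks": chunks}
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def chunks_to_resend(manifest, recv_dir):
    """Return names of chunks that are missing, truncated or corrupted."""
    bad = []
    for c in manifest["chunks"]:
        p = Path(recv_dir) / c["name"]
        if (not p.is_file() or p.stat().st_size != c["size"]
                or hashlib.sha256(p.read_bytes()).hexdigest() != c["sha256"]):
            bad.append(c["name"])
    return bad


def reassemble(manifest, recv_dir, dest):
    """Join verified chunks into dest; refuse if anything is still missing."""
    if chunks_to_resend(manifest, recv_dir):
        raise ValueError("transfer incomplete: some chunks need re-sending")
    whole = hashlib.sha256()
    with open(dest, "wb") as out:
        for c in manifest["chunks"]:
            block = (Path(recv_dir) / c["name"]).read_bytes()
            whole.update(block)
            out.write(block)
    if whole.hexdigest() != manifest["sha256"]:
        raise ValueError("reassembled file does not match manifest digest")
    return Path(dest)
```

The sender uploads the chunks and the manifest; after a dropped connection the recipient runs `chunks_to_resend` and only the listed pieces are uploaded again.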


My question mostly is about whether YouSendIt is secure, and no one here has really answered that part of the question. Maybe it's not possible to know the answer.

Bingo, and that's why it isn't secure. If its security cannot be known and proved, then it is not secure.
posted by jckll at 11:10 AM on December 16, 2009 [1 favorite]


Response by poster: I'm on a Mac (running Snow Leopard), so all the software links people have kindly offered don't seem to be applicable to me. The FTP program I currently use is Transmit. I'm sending large quicktime files.
posted by ljshapiro at 11:14 AM on December 16, 2009


Best answer: I'm really surprised by the hate for Yousendit. I've been using it regularly for getting files to people for over two years now. Many of my colleagues use it too, and none of us has ever had a single problem or any complaints. A lot of people seem to be arguing against it in theory, but have any of you ever had a bad experience of it in practice, or can point to someone who has? Have they had security lapses?
posted by Flitcraft at 11:24 AM on December 16, 2009


Best answer: Filezilla for OSX here.
posted by damn dirty ape at 11:24 AM on December 16, 2009


A lot of people seem to be arguing against it in theory, but have any of you ever had a bad experience of it in practice, or can point to someone who has?

That's like saying "I have an open wireless access point. What's the harm? Nothing bad has happened yet." The purpose of good security is so you don't have these problems to begin with. Not to mention certain laws and guidelines like HIPAA, PCI DSS, etc require it.
posted by damn dirty ape at 11:27 AM on December 16, 2009 [1 favorite]


Response by poster: The YouSendIt transmission has been canceled and the files deleted from their servers.
posted by ljshapiro at 11:29 AM on December 16, 2009


Response by poster: Good question, Flitcraft. They say they have all kinds of security precautions, but the general attitude is to not believe them. I am going to try Filezilla & encryption and hope for the best, as I still don't have an answer from their IT guy. (Yes, I know it's the middle of the night in Dubai right now, but my questions were sent to him 12 hours ago.)
posted by ljshapiro at 11:42 AM on December 16, 2009


Some VERY interesting perspectives in this thread. The issue from the OP appears resolved but perhaps it might be useful for everyone to consider: What risks are we trying to secure the data from?

YouSendIt malfeasance / breaches: If you send unencrypted data to YouSendIt, and they are untrustworthy or incompetent, there's a problem. They can TELL you that they've deleted the data from their servers, but do you trust them? Or if they've had a breach, has some black hat downloaded the data before it was deleted or squirreled away another copy?

Legal process exposure: Is YouSendIt vulnerable to subpoena? Were they tagged while your data was on their servers, are they subject to ongoing law-enforcement assistance obligations (that you would be unaware of), or might their disaster-recovery systems be subpoenaed? "YouSendIt deleted it" isn't the same as "YouSendIt deleted everything that could be subpoenaed."

Forensic analysis exposure: Even if YouSendIt deleted the data, can any of that data be recovered through forensic analysis of the server? (How likely is it to reach that stage?)

Man-in-the-middle exposure: To download data from YouSendIt, you usually are talking about using a login/password. How vulnerable were those login credentials to interception (with the interceptor downloading the data)? There's download tracking on YouSendIt that can alert you to how many times it's been downloaded (if you trust the tracking).

If your client is someone like Dubai World and they think they're defending against the Mossad or the CIA snooping into their affairs, then the client's requirements for "security" are a lot different than most consumer entities would have.

I think it would have been more helpful to consider, "Is YouSendIt secure ENOUGH for the purposes which I am using it for?" (I agree that even with full knowledge about client use, this would be really hard, if not impossible, to answer. Among other things, we just don't know enough to verify YouSendIt does what it says it does.) This issue is totally separate from the IT responsiveness / client-service issues also mentioned upthread.
posted by QuantumMeruit at 1:36 PM on December 16, 2009


Not the question you asked, but the problem you are experiencing with the dropped connections is probably the fault of Transmit. It can be a bit flakey with very large uploads. It is a known problem, and there is a workaround, but I don't remember what it is off the top of my head. You might experiment with your Transmit settings, or try a different FTP client like Fetch or something. I love Transmit in general, but very large/long uploads is just something it isn't very good at.
posted by spilon at 2:52 PM on December 16, 2009


My question mostly is about whether YouSendIt is secure, and no one here has really answered that part of the question.

People have already given you the right answer: encryption. Encrypt the data and then do whatever your client is asking. That's what you do when security is a concern.
posted by secret about box at 9:44 PM on December 16, 2009


What? Of course FTP can be secure. Run it over SSL or with SSH (aka SFTP).

I find that when people refer to "FTP" they don't mean (and often don't know about) SFTP.

But if you encrypt the file, and use a unique and strong password, you shouldn't have too much to worry about.
posted by one more dead town's last parade at 8:56 AM on December 17, 2009


You could use a transfer service that doesn't store the file, such as filesovermiles.
posted by chairface at 3:52 PM on December 18, 2009


My question mostly is about whether YouSendIt is secure, and no one here has really answered that part of the question.

The answer was "no", and the further helpful advice was "encrypt, and then it will be."

Pretty clear, I think.
posted by rokusan at 12:24 PM on December 21, 2009

