From ftp-wg-owner@hethmon.com Tue Aug 7 06:47:25 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id GAA00023 for ; Tue, 7 Aug 2001 06:47:24 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807055232-35180-9 ; Tue, 07 Aug 2001 05:52:32 -0500 Received: from d06lmsgate-2.uk.ibm.com ([195.212.29.2] [195.212.29.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807055218-9326-8 ; Tue, 07 Aug 2001 05:52:30 -0500 Received: from d06relay01.portsmouth.uk.ibm.com (d06relay01.portsmouth.uk.ibm.com [9.166.84.147]) by d06lmsgate-2.uk.ibm.com (1.0.0) with ESMTP id LAA105302; Tue, 7 Aug 2001 11:28:20 +0100 Received: from d06ml035.portsmouth.uk.ibm.com (d06ml035_cs0 [9.180.35.16]) by d06relay01.portsmouth.uk.ibm.com (8.11.1m3/NCO v4.97) with ESMTP id f77Aj4u191660; Tue, 7 Aug 2001 11:45:05 +0100 Importance: Normal MIME-Version: 1.0 X-Mailer: Lotus Notes Release 5.0.6a January 17, 2001 Message-ID: X-MIMETrack: Serialize by Router on D06ML035/06/M/IBM(Release 5.0.6 |December 14, 2000) at 07/08/2001 11:43:44, Serialize complete at 07/08/2001 11:43:44 Content-Type: text/plain; charset="us-ascii" Date: Tue, 7 Aug 2001 05:52:30 -0500 X-OldDate: Tue, 7 Aug 2001 11:43:43 +0100 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: "Paul V Ford-Hutchinson" To: ietf-apps-tls@imc.org, ftp-wg@hethmon.com Subject: Ftp-WG: FTP over SSL The ftp/ssl draft has been around now since 1997 and I feel it is time to ask for it to be put onto Standards Track. (see http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-07.txt) Do people on these lists have strong views on this ? I am struggling to find a path through the IETF processes for putting individual submissions onto Standards Track, so I'd love to know what others did. For a page of links to implementations, see http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html . Cheers, Paul -- Paul Ford-Hutchinson : eCommerce application security : paulfordh@uk.ibm.com MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL +44 (0)1926 462005 From ftp-wg-owner@hethmon.com Tue Aug 7 08:53:58 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id IAA02669 for ; Tue, 7 Aug 2001 08:53:58 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807075855-12736-14 ; Tue, 07 Aug 2001 07:58:55 -0500 Received: from solomon.io.com ([199.170.88.24] [199.170.88.24]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807075851-51095-13 ; Tue, 07 Aug 2001 07:58:51 -0500 Received: from arnold.texis.com (aus-as2-127.io.com [199.170.89.127]) by solomon.io.com (8.11.2/8.11.2) with ESMTP id f77CqEr13393 for ; Tue, 7 Aug 2001 07:52:15 -0500 Message-Id: <4.3.2.7.2.20010807075403.0293b520@mail.io.com> X-Sender: alun@mail.io.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Date: Tue, 7 Aug 2001 07:58:52 -0500 X-OldDate: Tue, 07 Aug 2001 07:55:16 -0500 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Alun Jones To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL At 05:52 AM 8/7/2001, you wrote: >The ftp/ssl draft has been around now since 1997 and I feel it is time to >ask for it to be put onto Standards Track. > >(see http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-07.txt) > >Do people on these lists have strong views on this ? I am struggling to >find a path through the IETF processes for putting individual submissions >onto Standards Track, so I'd love to know what others did. I may have missed the wording, and certainly I don't have a copy in front of me right now, but it seems somewhat ambiguous whether the data socket in a protected transfer is terminated by simply closing the socket, or whether the sender should try to close the SSL session first, and then close the socket. The client I've tried against simply closes the socket. Alun. ~~~~ -- Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at 1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT. From ftp-wg-owner@hethmon.com Tue Aug 7 09:00:58 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA02761 for ; Tue, 7 Aug 2001 09:00:57 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807080135-60757-15 ; Tue, 07 Aug 2001 08:01:36 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807080132-40322-9 ; Tue, 07 Aug 2001 08:01:33 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id IAA23973; Tue, 7 Aug 2001 08:54:57 -0400 (EDT) In-Reply-To: Your message of Tue, 7 Aug 2001 07:58:52 -0500 Message-ID: Date: Tue, 7 Aug 2001 08:01:33 -0500 X-OldDate: Tue, 7 Aug 2001 8:54:56 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > At 05:52 AM 8/7/2001, you wrote: > >The ftp/ssl draft has been around now since 1997 and I feel it is time to > >ask for it to be put onto Standards Track. > > > >(see http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-07.txt) > > > >Do people on these lists have strong views on this ? I am struggling to > >find a path through the IETF processes for putting individual submissions > >onto Standards Track, so I'd love to know what others did. > > I may have missed the wording, and certainly I don't have a copy in front > of me right now, but it seems somewhat ambiguous whether the data socket in > a protected transfer is terminated by simply closing the socket, or whether > the sender should try to close the SSL session first, and then close the > socket. The client I've tried against simply closes the socket. To be compatible with TLS it must try to close the TLS session first. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Tue Aug 7 09:42:43 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA03729 for ; Tue, 7 Aug 2001 09:42:42 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807084758-42675-14 ; Tue, 07 Aug 2001 08:47:58 -0500 Received: from relay3.bt.net ([194.72.6.50] [194.72.6.50]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807084753-28953-12 ; Tue, 07 Aug 2001 08:47:54 -0500 Received: from [217.33.141.50] (helo=ford-hutchinson.com) by relay3.bt.net with esmtp (Exim 3.22 #1) id 15U76j-0004mW-00; Tue, 07 Aug 2001 14:41:17 +0100 Message-ID: <3B6FEFFD.71F9CF78@ford-hutchinson.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.17 i686) X-Accept-Language: en MIME-Version: 1.0 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Tue, 7 Aug 2001 08:47:56 -0500 X-OldDate: Tue, 07 Aug 2001 14:41:17 +0100 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Paul Ford-Hutchinson To: FTPEXT Working Group , paulfordh@uk.ibm.com Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 7bit Jeffrey Altman wrote: > > > At 05:52 AM 8/7/2001, you wrote: > > >The ftp/ssl draft has been around now since 1997 and I feel it is time to > > >ask for it to be put onto Standards Track. > > > > > >(see http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-07.txt) > > > > > >Do people on these lists have strong views on this ? I am struggling to > > >find a path through the IETF processes for putting individual submissions > > >onto Standards Track, so I'd love to know what others did. > > > > I may have missed the wording, and certainly I don't have a copy in front > > of me right now, but it seems somewhat ambiguous whether the data socket in > > a protected transfer is terminated by simply closing the socket, or whether > > the sender should try to close the SSL session first, and then close the > > socket. The client I've tried against simply closes the socket. > > To be compatible with TLS it must try to close the TLS session first. > > Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available > The Kermit Project @ Columbia University includes Secure Telnet and FTP > http://www.kermit-project.org/ using Kerberos, SRP, and > kermit-support@kermit-project.org OpenSSL. SSH soon to follow. Well, the draft is silent on this issue (to be honest I hadn't even thought about it). Jeffrey is correct, however I'm not sure what the implication of the server getting a killed data connection without a close_notify alert actually is, and what it can do about it other than carry on regardless. Does the draft need to explicitly state behaviour in such cases ? I am happy to think about it and add it, but I'm not sure exactly what we would gain. Cheers, Paul (using this id for this week in London) From ftp-wg-owner@hethmon.com Tue Aug 7 09:55:10 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA03997 for ; Tue, 7 Aug 2001 09:55:10 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807085918-24560-11 ; Tue, 07 Aug 2001 08:59:18 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807085910-42342-10 ; Tue, 07 Aug 2001 08:59:13 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id JAA26131; Tue, 7 Aug 2001 09:52:35 -0400 (EDT) In-Reply-To: Your message of Tue, 7 Aug 2001 08:47:56 -0500 Message-ID: Date: Tue, 7 Aug 2001 08:59:15 -0500 X-OldDate: Tue, 7 Aug 2001 9:52:34 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > Well, the draft is silent on this issue (to be honest I hadn't even > thought about it). > > Jeffrey is correct, however I'm not sure what the implication of the > server getting a killed data connection without a close_notify alert > actually is, and what it can do about it other than carry on regardless. A failure to perform an SSL shutdown will result in an SSL error occuring. At which point the peer receiving the error should shutdown the SSL stack and close the connection. > Does the draft need to explicitly state behaviour in such cases ? I am > happy to think about it and add it, but I'm not sure exactly what we > would gain. I do not remember specifying the shutdown behavior in other TLS secured protocols. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Tue Aug 7 10:45:37 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA05280 for ; Tue, 7 Aug 2001 10:45:37 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807095117-14251-11 ; Tue, 07 Aug 2001 09:51:17 -0500 Received: from relay1.bt.net ([194.72.6.100] [194.72.6.100]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807095112-53986-10 ; Tue, 07 Aug 2001 09:51:13 -0500 Received: from [217.33.141.50] (helo=ford-hutchinson.com) by relay1.bt.net with esmtp (Exim 3.15 #1) id 15U860-0007Ee-00 for ftp-wg@hethmon.com; Tue, 07 Aug 2001 15:44:36 +0100 Message-ID: <3B6FFED4.CA8EED05@ford-hutchinson.com> X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.17 i686) X-Accept-Language: en MIME-Version: 1.0 References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Tue, 7 Aug 2001 09:51:14 -0500 X-OldDate: Tue, 07 Aug 2001 15:44:36 +0100 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Paul Ford-Hutchinson To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 7bit Jeffrey Altman wrote: > > > Well, the draft is silent on this issue (to be honest I hadn't even > > thought about it). > > > > Jeffrey is correct, however I'm not sure what the implication of the > > server getting a killed data connection without a close_notify alert > > actually is, and what it can do about it other than carry on regardless. > > A failure to perform an SSL shutdown will result in an SSL error > occuring. At which point the peer receiving the error should shutdown > the SSL stack and close the connection. Which connection ? If the error occurs on the data connections are you suggesting that the control connection should be terminated ? If so, I'm not sure I agree, if not then I don't think there is any value in specifying anything in the draft. I do agree that it might be nice to point out that TLS requires this behaviour and implementations could be considered broken if they don't send close_notifys. cheers, Paul From ftp-wg-owner@hethmon.com Tue Aug 7 10:51:16 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAA05463 for ; Tue, 7 Aug 2001 10:51:16 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807095659-60831-12 ; Tue, 07 Aug 2001 09:56:59 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807095656-40305-10 ; Tue, 07 Aug 2001 09:56:56 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id KAA04772; Tue, 7 Aug 2001 10:50:20 -0400 (EDT) In-Reply-To: Your message of Tue, 7 Aug 2001 09:51:14 -0500 Message-ID: Date: Tue, 7 Aug 2001 09:56:57 -0500 X-OldDate: Tue, 7 Aug 2001 10:50:20 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > > occuring. At which point the peer receiving the error should shutdown > > the SSL stack and close the connection. > > Which connection ? If the error occurs on the data connections are you > suggesting that the control connection should be terminated ? If so, > I'm not sure I agree, if not then I don't think there is any value in > specifying anything in the draft. The Data connection should be terminated. The fact that the Data channel has been interrupted does not imply in any way that the security of the Control channel has been violated. > I do agree that it might be nice to point out that TLS requires this > behaviour and implementations could be considered broken if they don't > send close_notifys. Although, unnecessary. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Tue Aug 7 12:18:06 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA07439 for ; Tue, 7 Aug 2001 12:18:05 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807112330-16467-9 ; Tue, 07 Aug 2001 11:23:30 -0500 Received: from solomon.io.com ([199.170.88.24] [199.170.88.24]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807112325-54894-8 ; Tue, 07 Aug 2001 11:23:26 -0500 Received: from arnold.texis.com (aus-as2-099.io.com [199.170.89.99]) by solomon.io.com (8.11.2/8.11.2) with ESMTP id f77GGmG20031 for ; Tue, 7 Aug 2001 11:16:49 -0500 Message-Id: <4.3.2.7.2.20010807105639.0293b818@mail.io.com> X-Sender: alun@mail.io.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Date: Tue, 7 Aug 2001 11:23:27 -0500 X-OldDate: Tue, 07 Aug 2001 11:16:08 -0500 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Alun Jones To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL At 09:56 AM 8/7/2001, you wrote: >The Data connection should be terminated. The fact that the Data >channel has been interrupted does not imply in any way that the >security of the Control channel has been violated. Could you clarify - does this mean that you think if a sender gracefully closes the socket without first closing the TLS connection, the receiver should treat this as a successful completion of the transfer? Or not? > > I do agree that it might be nice to point out that TLS requires this > > behaviour and implementations could be considered broken if they don't > > send close_notifys. > >Although, unnecessary. There's at least one implementation out there - specifically, CuteFTP, that closes the socket without shutting down the TLS session on that socket. When I have time, I'll be getting onto them about this behaviour. However, it may be worth putting in a note as to whether it really matters for the purposes of FTP as to whether the client shuts down TLS properly, or just closes the socket gracefully underneath it. There are two RFCs at question here that may not be adequately read in depth - the first is venereal old RFC 959, with its concept of closing the socket to indicate end of transfer in stream mode. The second is whatever TLS RFC says that a TLS shutdown must be performed prior to closure. Now, seriously, while you and I may have bothered to read through that RFC, how many FTP app authors are going to do more than read the SDK documentation for whatever SSL library they're using? Alun. ~~~~ P.S. Sorry I haven't raised anything about the FTP / TLS draft until now - I haven't managed to get my own implementation working until recently, and I didn't want to post while my own understanding was apparently in such a seriously poor situation. -- Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at 1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT. From ftp-wg-owner@hethmon.com Tue Aug 7 12:31:57 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA07815 for ; Tue, 7 Aug 2001 12:31:57 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807113738-60793-10 ; Tue, 07 Aug 2001 11:37:38 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807113735-13484-9 ; Tue, 07 Aug 2001 11:37:35 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id MAA19168; Tue, 7 Aug 2001 12:30:59 -0400 (EDT) In-Reply-To: Your message of Tue, 7 Aug 2001 11:23:27 -0500 Message-ID: Date: Tue, 7 Aug 2001 11:37:36 -0500 X-OldDate: Tue, 7 Aug 2001 12:30:59 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > At 09:56 AM 8/7/2001, you wrote: > >The Data connection should be terminated. The fact that the Data > >channel has been interrupted does not imply in any way that the > >security of the Control channel has been violated. > > Could you clarify - does this mean that you think if a sender gracefully > closes the socket without first closing the TLS connection, the receiver > should treat this as a successful completion of the transfer? Or not? I was making no statement about the success of the transfer. I was commenting on whether or not the control channel connection should be terminated in response to a failure to properly shutdown a data channel. I would argue that it is impossible to treat the data transfer as successful without a proper shutdown. > > > I do agree that it might be nice to point out that TLS requires this > > > behaviour and implementations could be considered broken if they don't > > > send close_notifys. > > > >Although, unnecessary. > > There's at least one implementation out there - specifically, CuteFTP, that > closes the socket without shutting down the TLS session on that > socket. When I have time, I'll be getting onto them about this > behaviour. However, it may be worth putting in a note as to whether it > really matters for the purposes of FTP as to whether the client shuts down > TLS properly, or just closes the socket gracefully underneath it. > > There are two RFCs at question here that may not be adequately read in > depth - the first is venereal old RFC 959, with its concept of closing the > socket to indicate end of transfer in stream mode. The second is whatever > TLS RFC says that a TLS shutdown must be performed prior to closure. Now, > seriously, while you and I may have bothered to read through that RFC, how > many FTP app authors are going to do more than read the SDK documentation > for whatever SSL library they're using? Every SSL library I know of states that a shutdown must be performed prior to a socket close. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Tue Aug 7 22:00:44 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA16597 for ; Tue, 7 Aug 2001 22:00:44 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807210548-40805-9 ; Tue, 07 Aug 2001 21:05:48 -0500 Received: from warp.hethmon.com ([208.171.56.198] [208.171.56.198]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010807210543-32608-8 ; Tue, 07 Aug 2001 21:05:44 -0500 Message-Id: <20010807210543-32608-8@mail.hethmon.com> X-Mailer: PMMail 2.10.1999 for OS/2 Warp 4.05 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Date: Tue, 7 Aug 2001 21:05:45 -0500 X-OldDate: Tue, 07 Aug 2001 22:01:59 -0500 () Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: "Robert Oslin" To: "FTPEXT Working Group" Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 7bit approved: zacaroo Hi, I've been following this discussion. CuteFTP Pro just closes the socket, both for normal FTP and TLS sessions. I'll check into proper closing of TLS for version 2.0 of Pro, due out in beta soon. Another thing fixed already, is the ability to perform PBSZ 0 / PROT P, and PBSZ 0 / PROT C for encrypted and clear data channels. Currently it only supports encrypted data channel via implicit or explicit SSL/TLS connection methods. I also have a couple of new (read proprietary) ftp commands which will be added to Pro 2.0 and our server. I'll pass them by the group soon to get your feedback, and also to inquire on whether they are worthy of consideration for future ftp drafts. Robert Oslin Chief Architect & CuteFTP Pro program manager GlobalSCAPE, Inc. -----Original Message----- From: ftp-wg-owner [mailto:ftp-wg-owner@hethmon.com]On Behalf Of Alun Jones Sent: 07 August, 2001 11:23 AM To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL At 09:56 AM 8/7/2001, you wrote: >The Data connection should be terminated. The fact that the Data >channel has been interrupted does not imply in any way that the >security of the Control channel has been violated. Could you clarify - does this mean that you think if a sender gracefully closes the socket without first closing the TLS connection, the receiver should treat this as a successful completion of the transfer? Or not? > > I do agree that it might be nice to point out that TLS requires this > > behaviour and implementations could be considered broken if they don't > > send close_notifys. > >Although, unnecessary. There's at least one implementation out there - specifically, CuteFTP, that closes the socket without shutting down the TLS session on that socket. When I have time, I'll be getting onto them about this behaviour. However, it may be worth putting in a note as to whether it really matters for the purposes of FTP as to whether the client shuts down TLS properly, or just closes the socket gracefully underneath it. There are two RFCs at question here that may not be adequately read in depth - the first is venereal old RFC 959, with its concept of closing the socket to indicate end of transfer in stream mode. The second is whatever TLS RFC says that a TLS shutdown must be performed prior to closure. Now, seriously, while you and I may have bothered to read through that RFC, how many FTP app authors are going to do more than read the SDK documentation for whatever SSL library they're using? Alun. ~~~~ P.S. Sorry I haven't raised anything about the FTP / TLS draft until now - I haven't managed to get my own implementation working until recently, and I didn't want to post while my own understanding was apparently in such a seriously poor situation. -- Texas Imperial Software | Try WFTPD, the Windows FTP Server. Find us at 1602 Harvest Moon Place | http://www.wftpd.com or email alun@texis.com Cedar Park TX 78613-1419 | VISA/MC accepted. NT-based sites, be sure to Fax/Voice +1(512)378-3246 | read details of WFTPD Pro for NT. ===================END FORWARDED MESSAGE=================== Paul Hethmon phethmon@hethmon.com http://www.hethmon.com From ftp-wg-owner@hethmon.com Thu Aug 23 22:45:18 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id WAA07520 for ; Thu, 23 Aug 2001 22:45:17 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010823215126-16386-9 ; Thu, 23 Aug 2001 21:51:26 -0500 Received: from alpha.ipswitch.com ([216.104.149.100] [216.104.149.100]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010823215122-59874-8 ; Thu, 23 Aug 2001 21:51:22 -0500 Received: from wks222 [216.104.149.222] by alpha.ipswitch.com (SMTPD32-7.03) id AF7B21A20146; Thu, 23 Aug 2001 22:44:11 -0400 Message-ID: <000c01c12c46$a8c15560$de9568d8@wks222.augusta.ipswitch.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4 In-Reply-To: Importance: Normal Date: Thu, 23 Aug 2001 21:51:24 -0500 X-OldDate: Thu, 23 Aug 2001 22:44:13 -0400 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: "Mark Symons" To: "FTPEXT Working Group" Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id WAA07520 With apologies for not replying sooner... > The ftp/ssl draft has been around now since 1997 and I feel > it is time to ask for it to be put onto Standards Track. > Do people on these lists have strong views on this ? I would love to see the draft move to Standards Track. That's because WS_FTP client and server both use this draft. When I go back to ftp-ssl-05, there was brief mention of the HOST command. This mention was removed from ftp-ssl-06, because HOST had been dropped from the MLST draft. I am not holding my breath waiting for HOST to be re-introduced into its own draft, although I think it's critical for implementing ftp/ssl on virtual hosts. How else can one have a separate certificate store for each virtual host? My worry about the ftp/ssl draft is that section 15.1.1 is rather vague on this issue. In referring to such future extensions it says "interaction...will need to be carefully considered". I would feel much more comfortable if this were expanded to show that the definition of ftp/ssl is robust enough to allow for a future extension such as HOST. Mark Symons Ipswitch, Inc Augusta GA From ftp-wg-owner@hethmon.com Fri Aug 24 09:23:02 2001 Received: from mail.hethmon.com ([208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA04410 for ; Fri, 24 Aug 2001 09:23:01 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824081857-18461-14 ; Fri, 24 Aug 2001 08:18:57 -0500 Received: from mail.vr.net ([205.133.13.8] [205.133.13.8]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824081852-47220-12 ; Fri, 24 Aug 2001 08:18:53 -0500 Received: from osiris (osiris.vr.net [205.133.13.9]) by mail.vr.net (8.10.1/8.10.1) with SMTP id f7ODASU29591 for ; Fri, 24 Aug 2001 09:10:29 -0400 Message-ID: <005f01c12c9e$49a835a0$090d85cd@vr.net> References: <000c01c12c46$a8c15560$de9568d8@wks222.augusta.ipswitch.com> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Date: Fri, 24 Aug 2001 08:18:55 -0500 X-OldDate: Fri, 24 Aug 2001 09:11:25 -0400 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: "Gregory A Lundberg" To: "FTPEXT Working Group" Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 7bit > I am not holding my breath waiting for HOST to be re-introduced into its own draft Not holding your breath is a Very Good idea. The HOST draft is stuck in limbo while I (1) find a job and (2) figure out how to sanely allow HOST in the context of RFC 2228 and the Murray draft. The only (unacceptable) solution I've found so far is to state the HOST command MUST NOT be used in sessions using RFC 2228. Which leads to the other reason I set it aside for a while; I found myself sidetracked toward a massive revision of RFC 2228. (And, by reference, the Murray draft.) If you want a HOST draft, the quickest solution would be to first have RFC 2228 moved from Standards Track to Experimental (in which case I'll ignore it for the purposes of the HOST command other than to say HOST won't work with it). What I have works well when we don't want to secure the communications channels, but leads to the "chicken and the egg" question when we do. The other option is to could follow the example of RFC 2228 and cobble together something which looks like it might work, and wait for the smoke to blow off so we can see who got burned. But I don't like that approach (and wish RFC 2228 hadn't taken it). From ftp-wg-owner@hethmon.com Fri Aug 24 09:44:57 2001 Received: from mail.hethmon.com ([208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id JAA04938 for ; Fri, 24 Aug 2001 09:44:56 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824084046-60893-17 ; Fri, 24 Aug 2001 08:40:46 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824084041-40451-13 ; Fri, 24 Aug 2001 08:40:41 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id JAA12646; Fri, 24 Aug 2001 09:33:52 -0400 (EDT) In-Reply-To: Your message of Fri, 24 Aug 2001 08:18:55 -0500 Message-ID: Date: Fri, 24 Aug 2001 08:40:43 -0500 X-OldDate: Fri, 24 Aug 2001 9:33:51 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > The HOST draft is stuck in limbo while I (1) find a job and (2) figure out > how to sanely allow HOST in the context of RFC 2228 and the Murray draft. > > The only (unacceptable) solution I've found so far is to state the HOST > command MUST NOT be used in sessions using RFC 2228. Which leads to the > other reason I set it aside for a while; I found myself sidetracked toward a > massive revision of RFC 2228. (And, by reference, the Murray draft.) Why would HOST have to be a MUST NOT for sessions using RFC 2228? As far as I can tell, the HOST command would be an optional command that would simply be ignored by a FTP server if it was not required. AUTH KRB4 and AUTH GSSAPI might use the advisory information provided by HOST to determine which service key table to use. AUTH SRP might use it to determine which SRP password file to use. Of course, AUTH TLS would use it to determine which Server certificate to send to the client. I do not see why it would be a MUST NOT for RFC 2228. Can you please elaborate? > If you want a HOST draft, the quickest solution would be to first have RFC > 2228 moved from Standards Track to Experimental (in which case I'll ignore > it for the purposes of the HOST command other than to say HOST won't work > with it). What I have works well when we don't want to secure the > communications channels, but leads to the "chicken and the egg" question > when we do. RFC 2228 is widely implemented and should not be changed to experimental. That is not to say that it could or should not be updated and refined while remaining on the standards track. > The other option is to could follow the example of RFC 2228 and cobble > together something which looks like it might work, and wait for the smoke to > blow off so we can see who got burned. But I don't like that approach (and > wish RFC 2228 hadn't taken it). Unfortunately it is too late for starting over from scratch. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Fri Aug 24 10:11:51 2001 Received: from mail.hethmon.com ([208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id KAB05355 for ; Fri, 24 Aug 2001 10:11:50 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824090741-18384-20 ; Fri, 24 Aug 2001 09:07:42 -0500 Received: from mail.vr.net ([205.133.13.8] [205.133.13.8]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824090737-34157-13 ; Fri, 24 Aug 2001 09:07:37 -0500 Received: from osiris (osiris.vr.net [205.133.13.9]) by mail.vr.net (8.10.1/8.10.1) with SMTP id f7ODxEU00174 for ; Fri, 24 Aug 2001 09:59:15 -0400 Message-ID: <003601c12ca5$1a138f40$090d85cd@vr.net> References: MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Date: Fri, 24 Aug 2001 09:07:39 -0500 X-OldDate: Fri, 24 Aug 2001 10:00:12 -0400 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: "Gregory A Lundberg" To: "FTPEXT Working Group" Subject: Ftp-WG: FTP over SSL Content-Transfer-Encoding: 7bit > Can you please elaborate? RFC 2228 is incomplete in and of itself. It leaves a lot of possible cases up to the reader. This is not a big problem taken alone, but when adding a new authentication/authorization command like HOST it falls apart. Your reasons why RFC 2228 can't be eliminated are why I set the mess aside. I'm hoping, when I get back to the draft that some time away will allow me to see a "punt" .. some way to ignore RFC 2228's problems and come up with a HOST command which will work fine for clear-text and _might_ work _if_ you do everything correctly (without telling you what to do) if you're using 2228. I'm sorry if I seem short on this. The fact of the matter is my priorities are to find a job first. Then I'll have the time to take the days/weeks it will take to point out all the shortcoming of RFC 2228. At this point, all I really want to say is it's incomplete and seemed logically inconsistent (some internally, but mainly with respect to the way the rest of the FTP works). Frankly, since you say it's widely deployed, I'm scared. To me that means that there are a lot of differing and probably incompatible implementations out there. That's mainly an emotional reaction: I've not seen ANY RFC 2228 implementations other than the Murray-draft contribution to WU-FTPD and ONE other implementation (which, IIRC, was WS_FTP). But it's not totally emotional: one of the positions I'm looking at is for a VERY security conscious organization and, if there were a working RFC 2228 implementation out there, I am absolutely POSITIVE they would be using it. The fact they are not tells me either there are none, or their research showed that what was there had some reason for not using it (either there was nothing, or there were servers but no clients, or clients but no servers, or the (my guess) clients for some servers could not inter-operate with servers for other clients). Frankly, the ONLY reason I sponsored including the contribution of Murray-draft implementation into WU-FTPD was because it needs a second, independent implementation to proceed to RFC status. From ftp-wg-owner@hethmon.com Fri Aug 24 12:01:39 2001 Received: from mail.hethmon.com ([208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA08024 for ; Fri, 24 Aug 2001 12:01:38 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824105724-24512-21 ; Fri, 24 Aug 2001 10:57:24 -0500 Received: from watsun.cc.columbia.edu ([128.59.39.2] [128.59.39.2]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010824105721-29279-10 ; Fri, 24 Aug 2001 10:57:21 -0500 Received: (from jaltman@localhost) by watsun.cc.columbia.edu (8.8.5/8.8.5) id LAA02666; Fri, 24 Aug 2001 11:50:38 -0400 (EDT) In-Reply-To: Your message of Fri, 24 Aug 2001 09:07:39 -0500 Message-ID: Date: Fri, 24 Aug 2001 10:57:22 -0500 X-OldDate: Fri, 24 Aug 2001 11:50:37 EDT Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: Jeffrey Altman To: FTPEXT Working Group Subject: Ftp-WG: FTP over SSL > Frankly, since you say it's widely deployed, I'm scared. To me that means > that there are a lot of differing and probably incompatible implementations > out there. That's mainly an emotional reaction: I've not seen ANY RFC 2228 > implementations other than the Murray-draft contribution to WU-FTPD and ONE > other implementation (which, IIRC, was WS_FTP). But it's not totally > emotional: one of the positions I'm looking at is for a VERY security > conscious organization and, if there were a working RFC 2228 implementation > out there, I am absolutely POSITIVE they would be using it. The fact they > are not tells me either there are none, or their research showed that what > was there had some reason for not using it (either there was nothing, or > there were servers but no clients, or clients but no servers, or the (my > guess) clients for some servers could not inter-operate with servers for > other clients). RFC 2228 has been implemented in the FTP client and servers shipped with MIT Kerberos (AUTH KRB4, AUTH GSSAPI); Heimdal Kerberos (AUTH KRB4, AUTH GSSAPI); and the Secure Remote Password (AUTH SRP) kit. These implementations have been available since at least the mid 90s. Microsoft has an implementation of RFC 2228 for authenticating their FTP client and server with NTLM. > Frankly, the ONLY reason I sponsored including the contribution of > Murray-draft implementation into WU-FTPD was because it needs a second, > independent implementation to proceed to RFC status. The TLS draft has been implemented in several clients and servers by Peter Runestig. His work is available at ftp://ftp.runestig.com/ Alun Jones has implemented it in the server for WFTPD. I've implemented in the Kermit client which also supports RFC 2228 for KRB4, GSSAPI-KRB5 and Secure Remote Password. Cute-FTP has it implemented in that client as well. IBM has implemented AUTH TLS in some of their server products. I think we have plenty of implementations. Jeffrey Altman * Sr.Software Designer C-Kermit 8.0 Beta available The Kermit Project @ Columbia University includes Secure Telnet and FTP http://www.kermit-project.org/ using Kerberos, SRP, and kermit-support@kermit-project.org OpenSSL. SSH soon to follow. From ftp-wg-owner@hethmon.com Mon Aug 27 17:19:54 2001 Received: from mail.hethmon.com (mail.hethmon.com [208.171.56.195]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA00912 for ; Mon, 27 Aug 2001 17:19:51 -0400 (EDT) Received: from mail.hethmon.com ([208.171.56.195] [208.171.56.195]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010827162413-64654-13 ; Mon, 27 Aug 2001 16:24:13 -0500 Received: from maureenlee.idv.tw ([203.204.4.44] [203.204.4.44]) by mail.hethmon.com (Hethmon Brothers Smtpd) id 20010827162407-11682-12 ; Mon, 27 Aug 2001 16:24:09 -0500 Received: from plain [148.246.137.167] by maureenlee.idv.tw (SMTPD32-6.06 EVAL) id A3D810A01D4; Tue, 28 Aug 2001 04:55:52 +0800 Mime-Version: 1.0 Content-Type: text/plain; charset="DEFAULT_CHARSET" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6700 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 Message-Id: <200108280458781.SM00968@plain> Date: Mon, 27 Aug 2001 16:24:10 -0500 X-OldDate: Mon, 27 Aug 2001 15:03:41 Sender: ftp-wg-owner X-Listname: ftp-wg@hethmon.com Reply-To: FTPEXT Working Group From: To: ftp@dac.net Subject: Ftp-WG: If your sick of scams, then read this, and do what it says. Dear Future Millionaire: I'll make you a promise. READ THIS E-MAIL TO THE END! - follow what it says to the letter - and you will not worry whether a RECESSION is coming or not, who is President, or whether you keep your current job or not. Yes, I know what you are thinking. I never responded to one of these before either. One day though, something just said "you throw away $25.00 going to a movie for 2 hours with your wife". "What the heck." Believe me, no matter where you believe "those feelings" come from, I thank goodness every day that I had that feeling. I cannot imagine where I would be or what I would be doing had I not. Read on. It's true. Every word of it. It is legal. I checked. Simply because you are buying and selling something of value. AS SEEN ON NATIONAL TV: Making over half million dollars every 4 to 5 months from your home. THANK'S TO THE COMPUTER AGE AND THE INTERNET ! ================================================== BE AN INTERNET MILLIONAIRE LIKE OTHERS WITHIN A YEAR!!! Before you say ''Bull'', please read the following. This is the letter you have been hearing about on the news lately. Due to the popularity of this letter on the Internet, a national weekly news program recently devoted an entire show to the investigation of this program described below, to see if it really can make people money. The show also investigated whether or not the program was legal. Their findings proved once and for all that there are ''absolutely NO Laws prohibiting the participation in the program and if people can "follow the simple instruction" they are bound to make some mega bucks with only $25 out of pocket cost''. DUE TO THE RECENT INCREASE OF POPULARITY & RESPECT THIS PROGRAM HAS ATTAINED, IT IS CURRENTLY WORKING BETTER THAN EVER. This is what one had to say: '' Thanks to this profitable opportunity". I was approached many times before but each time I passed on it. I am so glad I finally joined just to see what one could expect in return for the minimal effort and money required. To my astonishment, I received a total $ 610,470.00 in 21 weeks, with money still coming in''. Pam Hedland, Fort Lee, New Jersey. ================================================== Another said: "this program has been around for a long time but I never believed in it. But one day when I received this again in the mail I decided to gamble my $25 on it. I followed the simple instructions and walaa ..... 3 weeks later the money started to come in. First month I only made $240.00 but the next 2 months after that I made a total of $290,000.00. So far, in the past 8 months by re-entering the program, I have made over $710,000.00 and I am playing it again. The key to success in this program is to follow the simple steps and NOT change anything.'' More testimonials later but first, ======= ==== PRINT THIS NOW FOR YOUR FUTURE REFERENCE ==== $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ If you would like to make at least $500,000 every 4 to 5 months easily and comfortably, please read the following...THEN READ IT AGAIN and AGAIN !!! $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ FOLLOW THE SIMPLE INSTRUCTION BELOW AND YOUR FINANCIAL DREAMS WILL COME TRUE, GUARANTEED! INSTRUCTIONS: =====Order all 5 reports shown on the list below ===== For each report, send $5 CASH, THE NAME & NUMBER OF THE REPORT YOU ARE ORDERING and YOUR E-MAIL ADDRESS to the person whose name appears ON THAT LIST next to the report. MAKE SURE YOUR RETURN ADDRESS IS ON YOUR ENVELOPE TOP LEFT CORNER in case of any mail problems. ===WHEN YOU PLACE YOUR ORDER, MAKE SURE === ===YOU ORDER EACH OF THE 5 REPORTS! === You will need all 5 reports so that you can save them on your computer and resell them. YOUR TOTAL COST $5 X 5 = $25.00. Within a few days you will receive, via e-mail, each of the 5 reports from these 5 different individuals. Save them on your computer so they will be accessible for you to send to the 1,000's of people who will order them from you. Also make a floppy of these reports and keep it on your desk in case something happens to your computer. IMPORTANT - DO NOT alter the names of the people who are listed next to each report, or their sequence on the list, in any way other than what is instructed below in step '' 1 through 6 '' or you will loose out on the majority of your profits. Once you understand the way this works, you will also see how it does not work if you change it. Remember, this method has been tested, and if you alter it, it will NOT work !!! People have tried to put their friends/relatives names on all five thinking they could get all the money. But it does not work this way. Believe us, some have tried to be greedy and then nothing happened. So Do Not try to change anything other than what is instructed. Because if you do, it will not work for you. Remember, honesty reaps the reward!!! This IS a legitimate BUSINESS. You are offering a product for sale and getting paid for it. Treat it as such and you will be VERY profitable in a short period of time. 1.. After you have ordered all 5 reports, take this advertisement and REMOVE the name & address of the person in REPORT # 5. This person has made it through the cycle and is no doubt counting their fortune. 2..Move the name & address in REPORT # 4 down TO REPORT # 5. 3.. Move the name & address in REPORT # 3 down TO REPORT # 4. 4.. Move the name & address in REPORT # 2 down TO REPORT # 3. 5.. Move the name & address in REPORT # 1 down TO REPORT # 2 6.... Insert YOUR name & address in the REPORT # 1 Position. PLEASE MAKE SURE you copy every name & address ACCURATELY! This is critical to YOUR success. ================================================== **** Take this entire letter, with the modified list of names, and save it on your computer. DO NOT MAKE ANY OTHER CHANGES. Save this on a disk as well just in case if you loose any data. To assist you with marketing your business on the internet, the 5 reports you purchase will provide you with invaluable marketing information which includes how to send bulk e-mails legally, where to find thousands of free classified ads and much more. There are 2 Primary methods to get this venture going: METHOD # 1: BY SENDING BULK E-MAIL LEGALLY ================================================== Let's say that you decide to start small, just to see how it goes, and we will assume You and those involved send out only 5,000 e-mails each. Let's also assume that the mailing receive only a 0.2% (2/10 of 1%) response (the response could be much better but lets just say it is only 0.2%). Also many people will send out hundreds of thousands e-mails instead of only 5,000 each). Continuing with this example, you send out only 5,000 e-mails. With a 0.2% response, that is only 10 orders for report # 1. Those 10 people responded by sending out 5,000 e-mail each for a total of 50,000. Out of those 50,000 e-mails only 0.2% responded with orders. That's=100 people responded and ordered Report # 2. Those 100 people mail out 5,000 e-mails each for a total of 500,000 e-mails. The 0.2% response to that is 1000 orders for Report # 3. Those 1000 people send 5,000 e-mail each for a total of 5 million e-mail sent out. The 0.2% response is 10,000 orders for Report # 4. Those 10,000 people send out 5,000 e-mails each for a total of 50,000,000 (50 million) e-mails. The 0.2% response to that is 100,000 orders for Report # 5. THAT'S 100,000 ORDERS TIMES $5 EACH = $500,000.00 (half a million dollars). Your total income in this example is: 1..... $50 + 2..... $500 + 3..... $5,000 + 4..... $50,000 + 5.... $500,000 .... Grand Total=$555,550.00 NUMBERS DO NOT LIE. GET A PENCIL & PAPER AND FIGURE OUT THE WORST POSSIBLE RESPONSES AND NO MATTER HOW YOU CALCULATE IT, YOU WILL STILL MAKE A LOT OF MONEY! ================================================== REMEMBER FRIEND, THIS IS ASSUMING ONLY 10 PEOPLE ORDERING OUT OF 5,000 YOU MAILED TO. Dare to think for a moment what would happen if everyone or half or even one 4th of those people mailed 100,000 e-mails each or more? There are over 150 million people on the Internet worldwide and counting, with thousands more coming on line every day. Believe me, many people will do just that, and more! METHOD # 2: BY PLACING FREE ADS ON THE INTERNET ================================================== Advertising on the net is very, very inexpensive and there are hundreds of FREE places to advertise. Placing a lot of free ads on the Internet will easily get a larger response. We strongly suggest you start with Method # 1 and add METHOD #2 as you go along. For every $5 you receive, all you must do is e-mail them the Report they ordered. That's it. Always provide same day service on all orders. This will guarantee that the e-mail they send out, with your name and address on it, will be prompt because they can not advertise until they receive the report. ===========AVAILABLE REPORTS ==================== The reason for the "cash" is not because this is illegal or somehow "wrong". It is simply about time. Time for checks or credit cards to be cleared or approved, etc. Concealing it is simply so no one can SEE there is money in the envelope and steal it before it gets to you. ORDER EACH REPORT BY ITS NUMBER & NAME ONLY. Notes: Always send $5 cash (U.S. CURRENCY) for each Report. Checks NOT accepted. Make sure the cash is concealed by wrapping it in at least 2 sheets of paper. On one of those sheets of paper, Write the NUMBER & the NAME of the Report you are ordering, YOUR E-MAIL ADDRESS and your name and postal address. PLACE YOUR ORDER FOR THESE REPORTS NOW : ================================================== REPORT# 1: 'The Insider's Guide To Advertising for Free On The Net Order Report #1 from Rene Frisen PMB 15329 10501 Gateway West El Paso, Texas 79925 USA ________________________________________________________ REPORT # 2: The Insider's Guide To Sending Bulk Email On The Net Order Report # 2 from: J.H. 12038 Van Gogh Drive 79936 El paso Tx. USA _________________________________________________________________ REPORT # 3: Secret To Multilevel Marketing On The Net Order Report # 3 from : Scott Katip 3110 5th Ave Beaver Falls, Pa 15010 ______________________________________________________ REPORT # 4: How To Become A Millionaire Using MLM & The Net Order Report # 4 from: Chris Rhodes 7915 Kleingreen Spring, Texas 77379 USA _______________________________________________________ REPORT #5: How To Send Out One Million Emails For Free Order Report # 5 From: S. Wong 50 Burnhamthorpe Rd West #401 Mississauga, Ontario, L5B 3C2 Canada _____________________________________________________ $$$$$$$$$ YOUR SUCCESS GUIDELINES $$$$$$$$$$$ Follow these guidelines to guarantee your success: === If you do not receive at least 10 orders for Report #1 within 2 weeks, continue sending e-mails until you do. === After you have received 10 orders, 2 to 3 weeks after that you should receive 100 orders or more for REPORT # 2. If you did not, continue advertising or sending e-mails until you do. **Once you have received 100 or more orders for Report # 2, YOU CAN RELAX, because the system is already working for you, and the cash will continue to roll in ! THIS IS IMPORTANT TO REMEMBER: Every time your name is moved down on the list, you are placed in front of a Different report. You can KEEP TRACK of your PROGRESS by watching which report people are ordering from you. IF YOU WANT TO GENERATE MORE INCOME SEND ANOTHER BATCH OF E-MAILS AND START THE WHOLE PROCESS AGAIN. There is NO LIMIT to the income you can generate from this business !!! ================================================= FOLLOWING IS A NOTE FROM THE ORIGINATOR OF THIS PROGRAM: You have just received information that can give you financial freedom for the rest of your life, with NO RISK and JUST A LITTLE BIT OF EFFORT. You can make more money in the next few weeks and months than you have ever imagined. Follow the program EXACTLY AS INSTRUCTED. Do Not change it in any way. It works exceedingly well as it is now. Remember to e-mail a copy of this exciting report after you have put your name and address in Report #1 and moved others to #2 .....# 5 as instructed above. One of the people you send this to may send out 100,000 ormore e-mails and your name will be on every one of them. Remember though, the more you send out the more potential customers you will reach. So my friend, I have given you the ideas, information, materials and opportunity to become financially independent. IT IS UP TO YOU NOW ! =============MORE TESTIMONIALS=============== '' My name is Mitchell. My wife, Jody and I live in Chicago. I am an accountant with a major U.S. Corporation and I make pretty good money. When I received this program I grumbled to Jody about receiving ''junk mail''. I made fun of the whole thing, spouting my knowledge of the population and percentages involved. I ''knew'' it wouldn't work. Jody totally ignored my supposed intelligence and few days later she jumped in with both feet. I made merciless fun of her, and was ready to lay the old ''I told you so'' on her when the thing didn't work. Well, the laugh was on me! Within 3 weeks she had received 50 responses. Within the next 45 days she had received total $ 147,200.00 ......... all cash! I was shocked. I have joined Jodyin her ''hobby''. Mitchell Wolf M.D., Chicago, Illinois ================================================ '' Not being the gambling type, it took me several weeks to make up my mind to participate in this plan. But conservative as I am, I decided that the initial investment was so little that there was just no way that I wouldn't get enough orders to at least get my money back''. '' I was surprised when I found my medium size post office box crammed with orders. I made $319,210.00 in the first 12 weeks. The nice thing about this deal is that it does not matter where people live. There simply isn't a better investment with a faster return and so big''. Dan Sondstrom, Alberta, Canada ================================================= '' I had received this program before. I deleted it, but later I wondered if I should have given it a try. Of course, I had no idea who to contact to get another copy, so I had to wait until I was e-mailed again by someone else.........11 months passed then it luckily came again...... I did not delete this one! I made more than $490,000 on my first try and all the money came within 22 weeks''. Susan De Suza, New York, N.Y. ================================================= '' It really is a great opportunity to make relatively easy money with little cost to you. I followed the simple instructions carefully and within 10 days the money started to come in. My first month I made $ 20, 560.00 and by the end of third month my total cash count was $ 362,840.00. Life is beautiful, Thanx to internet''. Fred Dellaca, Westport, New Zealand ================================================= ORDER YOUR REPORTS TODAY AND GET STARTED ON YOUR ROAD TO FINANCIAL FREEDOM ! If you have any questions regarding this great deal please write me at yourreports@ziplip.com If you wish to be removed from the mailing list please send an email to removemeplease@ziplip.com with the word REMOVE in the subject line. ================================================= If you have any questions of the legality of this program, contact the Office of Associate Director for Marketing Practices, Federal Trade Commission, Bureau of Consumer Protection, Washington, D.C. ================================================= ONE TIME MAILING, NO NEED TO REMOVE ================================================= This message is sent in compliance of the proposed bill SECTION 301, paragraph (a)(2)(C) of S. 1618. Further transmission to you by the sender of this email may be stopped at no cost to you by sending a reply to: removemeplease@ziplip.com with the word REMOVE in the subject line. This message is not intended for residents in the State of Washington, screening of addresses has been done to the best of our technical ability.