So I was able to successfully install CyberDuck on my MacBook and configure it with my VPS using SSH Authentication Keys and a Passphrase on my Private Key.

It seems to be working well, and I feel like I can trust it when uploading files to my VPS.

But what about downloading?

This may sound dumb, but I am not entirely sure how to securely download things (e.g. Server Backups) from my VPS to my MacBook using CyberDuck...

Sincerely,


Rob

I've not used CyberDuck but a quick look at the web site confirms my thoughts -- you drag and drop in the same way as uploading.

That is what I assumed, but it just makes me feel so uneasy...

How can I get better reassurance that I will NOT be sending a backup file of my VPS - and user data in my database - blindly across the open Internet??

Is there any thing I can look for visually?

Any way to tell if something is broken and not sending things over SSH?

Or is there a better way to get backups off my VPS and to a remote computer/disk like my laptop?

Sincerely,


Rob

If the encryption of SSH broke, then the file would not transfer. I don't understand where your anxiety comes from, why would things suddenly be connected without encryption?

the connection is the same, so either both upload and download are safe or none of them.

Okay.


Because every time you hear about a data breach in the news it is because people were not anxious enough like I am!!

Computer stuff breaks all of the time, and the longer you work with technology the more nervous it should make anyone!


Here is a real-world example...

I have a VPN service - which is turning out to be a piece of crap!

It is VERY common for me to think I am logged into my VPN, but the SSL tunnel was broken because of a microsecond hickup in my free wi-fi connection at the library or McDonalds.

So, I might be at the library doing something that requires privacy and security, and think that my VPN is covering me, when it turns out that I have been surfing the Internet for over an hour over an HTTP connection using Free Wi-Fi!!!


-----
When I dragged my test backup tar from my VPS last night, it appeared that CyberDuck was on and working, but the whole "drag and drop thing" isn't really scientific!!!

I guess I would feel more secure if I had to go into CyberDuck, navigate to my VPS, select the tar I want to transfer, and then click some button. That way I would know CyberDuck is working.

In the end, I am just trying to be REALLY CAREFUL until I master all of this new stuff, because I would feel horrible if I did something negligent and exposed a database with 10,000 people's customer data all because I didn't know how to safely download backups off of my VPS!!!

Sincerely,


Rob

P.S. This is where astrogeek would again probably encourage me to skip the GUI and do all of this via command-line. Probably not a bad idea, but it will take me time to learn, and in the mean-time, I am hoping that CyberDuck is an okay GUI alternative!

TBH, download and uploading in ssh is cli is almost too easy.

You use scp or Secure CoPy.

will copy file from hostname to directory/

Much of your fear makes sense, especially with so much being broken into or revealed as insecure.
OpenSSH (ssh) however has proved robust. Even the nsa has limited success with breaking it (you can use insecure stuff in ssh, so I wouldn't consider that a big suprise)

Fact is, the more layers above something you place, the more chance you have of it being cracked at some point.
By using the cli, you're pretty using the secure program, and nothing else.

However, to alleviate your fears, rather then being worried all the time I would suggest looking into how ssh works (the details) and decide for yourself if there is anything that could of flawed.

If you're ok with it and it does the job, then it's a ok alternative.

I was wondering when you and astrogeek would come out again!!


What about a Username and Password???

If things are that simple, then what would stop me from copying something nefarious onto your computer?!


I am not one to live by "blind faith" when it comes to security.

I have seen too many times where people said, "Don't worry, it'll be okay" and they got nailed!

Since I am a newbie to all of this, I am trying to respect it - which ultimately would lead anyone to be a little fearful!


I trust SSH.


A good reminder...


Again, I am sold on SSH.

My fears include a.) My newbie-ness and ability to easy screw things up, and b.) Suspicion of apps built by others!


I'm okay with CyberDuck if I am using it correctly to download backups off of my VPS, and if I had a little more reassurance that I would get some sort of an error or warning if I was ever transmitting a file in plain-text. (My stupid VPN service sure doesn't offer that!!!)

Sincerely,


Rob

You already said you set up ssh keys, didn't you? If you did, then it will just work. If you didn't, or if the keys aren't valid (wrong computer, etc.), then it would prompt you for a password as soon as you tried to establish the connection.

Correct


So if the connection ever "dropped" then I would get some sort of an error versus the transfer going through in plain-text, right?


Rob

Yes, that's the big difference between tunneling a connection through SSH versus a VPN.

A VPN alters the network settings on your computer so that all traffic goes through the VPN transparently. If the VPN isn't there, it goes through the regular network interface instead. The only way you know which it is is by trying to access a local resource (printer, server, etc.) using a local IP that will fail if you're on the VPN (or a remote IP that will fail if you're not on the VPN), or checking something like whatismyip.net to see where your traffic is originating from.

An SSH tunnel does not route all traffic through itself. It doesn't route ANY traffic through itself. Any connection that you want to pass through the SSH tunnel, rather than through the normal web, has to be explicitly set up to do so. This means that no traffic will go through the SSH tunnel unless you tell it to, and if you DO tell it to go through an SSH tunnel that is not active, it will fail.

Read through this to gain a understanding of the handshake of ssh.

ssh connecting or transmitting through plain-text would be against the foundation of it's design. It was designed to replace telnet which does transmit in plain-text.

1 members found this post helpful.

Okay, thanks for the clarification.

Guess I just have to trust that I implemented what you guys taught me correctly and that it is working as it should.


If you hear in the news... "Local Michigan man goes to jail over data breach!!' then you know I screwed something up!!

Thanks,


Rob

If you're worried about it, don't use a drag and drop GUI. Do it from the command line where you're made aware of everything that happens.

I looked at that - kinda stuffy! :P

So what about my earlier question about how SCP works?

When I SFTP something from my MacBook to my VPS, I have to enter my VPS's username plus my Private Key's Passphrase.

In the example your SCP, all that was included was the target host, the file being sent over, and and a destination...


Is the reason that nothing else was needed is because SCP runs over SSH? (And if so, in my case, then I guess the whole SSH Key Authentication thing has to work, right?)

Please educate me on this other method...

Thanks,


Rob