How does WinSCP verify if a file is downloaded or uploaded sucessfully

Advertisement

learning2learn
Guest

How does WinSCP verify if a file is downloaded or uploaded sucessfully

As the title says.

I'm suggesting to use WinSCP to download off a SFTP instead of having to code one in java. But my supervisor is wary and asks a lot of questions, and they want to know how WinSCP knows if a file is downloaded successfully or not.

I told him that WinSCP handles all of that stuff, so it's transparent to us but he *really* wants reassurance.

Reply with quote

Advertisement

Pathduck
Donor
Pathduck avatar
Joined:
Posts:
82
Location:
Oslo

Tell him people have been using SFTP and SCP safely for a long time, they are very mature and secure protocols. They are open specifications and so they can be analysed by security experts, and they constantly are under scrutiny to find flaws. WinSCP the application is also open source and has existed for nearly 20 years now.

They are based on the very secure SSH protocol which is one of the main standards for secure communications on the internet.

https://en.wikipedia.org/wiki/Secure_Shell
https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
https://en.wikipedia.org/wiki/Secure_copy_protocol
https://en.wikipedia.org/wiki/WinSCP

Tell him writing a client for file transfers from scratch is basically re-inventing the wheel, for something that already exists. Anything written from scratch is bound to have lots of bugs that will take a very long time to find and debug. Also implementing encryption from scratch is a lot of code, you'd need to use third-party libraries anyway, and how do you trust those libraries more than anything else already out there?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,517
Location:
Prague, Czechia

Re: How does WinSCP verify if a file is downloaded or uploaded sucessfully

learning2learn wrote:

But my supervisor is wary and asks a lot of questions, and they want to know how WinSCP knows if a file is downloaded successfully or not.
This is rather vague question. So I'm not really sure what to answer.
Maybe this helps (the first paragraph of my answer):
https://stackoverflow.com/q/30056566/850848

Reply with quote

Pathduck
Donor
Pathduck avatar
Joined:
Posts:
82
Location:
Oslo

Right - I think I misunderstood. If we're talking about error checking and file integrity and not security, then this is handled on the internet by the TCP protocol. This protocol ensures all packets sent arrive at the destination and are reassembled correctly. Downloads being corrupted on transfer should never happen.
https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Like Martin said - to be completely secure in knowing the transferred file is the same as the original, one can use file checksums. This is usually to protect against man-in-the-middle attacks, not because the file transfer over TCP can't be trusted. You would create a checksum of the file on both ends and compare them.

This would require some lines of scripting but would still require a LOT less code than doing the whole thing from scratch in Java.

If going the scriping route, you could also consider using Rsync instead, it is available on Windows in for instance Cygwin. Rsync has a "--checksum" option.
https://en.wikipedia.org/wiki/Rsync

Reply with quote

Advertisement

You can post new topics in this forum