FTP/SSL secure but the HTTP part not secure?

Question

Hello,

After reading some of the docs on how this works I seem to understand the basics of what the FTP/SSL library is doing. Connecting to an ASP page, it opens up a FTP/SSL connection with an FTP server that is exchanging an SSL certificates. So that part is secure. But you are connecting to the ASP page via a non-encrypted HTTP.

--My Question--
So the data is not encrypted between your desktop and the ASP page when it travels over the HTTP? Then from the ASP server to the FTP/SSL server the data is encrypted?

Did I read things correctly? It's the ASP hosting server that actually connects to the FTP server and passes your data through, but it not encrypted until it hits that ASP server?

Your Desktop>>>HTTP>>>ASP server>>>FTP/SSL connection>>>FTP server

Answer 1

Yes, it is right.

In the ASP environment, the FTP/SSL library runs on the web server (ASP hosting server) and the ASP application connects to the FTP server from there.

The FTP/SSL library cannot affect security used for communication between the web server and the web client. However, you can set up it simply by requiring the HTTPS protocol on the web server.

To clarify, I can extend your schema:

MACHINE:  |  Web client        |           Web server           |
          |                    |       = FTP/SSL client         |         FTP server
----------|--------------------|--------------------------------|------------------------
SOFTWARE: |  web browser  >>> HTTP >>>  ASP application  >>> FTP/SSL >>>  FTP server 
          |                    |     using FTP/SSL library      |         application