Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Is my FTP program secure?

Question:

With all this talk about security on your site, I was wondering if the FTP
program I use (FileZilla) is secure. I use it to upload (locally developed)
websites to servers and it always worked fine, but now I’m thinking that a FTP
program may be more secure if you need to log in before you can use it. Also,
FileZilla has a function to export all the data of your various ftp accounts to
an xml file, but that’s unencrypted. I’m assuming it stores all the passwords
unencrypted as well.

Well, we have good news, and bad news. Sadly, it’s mostly bad news.

The good news is that FileZilla’s a great, free FTP program. I’ve used it
and have a copy of it as one of the tools I carry with me – ya just never know
when you might need to ftp Smile.

The bad news is that while FileZilla does have one security issue I’ll get
to, it’s not FileZilla – or any ftp program for that matter – that’s the weak
link here.

FTP itself is fundamentally insecure.

]]>

The Problem with FTP

FTP – which stands for File Transfer Protocol – is perhaps one of the oldest protocols for transferring data around the internet. For many years it was – and to be honest, in many cases still is – the workhorse for transferring files, often large files, around.

The fundamental problem with FTP is that it’s not encrypted.

“… that in today’s terms there is zero security built into FTP. None. Nada. Zip.”

As it turns out there are two fairly dramatic ramifications from it’s lack of encryption:

  • Any and all data being transferred via FTP is transferred in the clear – any network device along the way can see what’s being transferred. Perhaps more troubling is that if you use FTP over an unencrypted open WiFi connection anyone who cares to sniff the WiFi connection can see your data.

  • The username and password being used to login to the remote site are also transmitted in the clear. Once again anyone who can see or sniff your network traffic can see the username and password if they happen to be watching when you initiate the connection.

There are a couple of other issues with the protocol as well that can affect performance in some cases, and network routing in others, but the issue you should really care about is the fact that in today’s terms there is zero security built into FTP. None. Nada. Zip.

The Solution: SFTP

Fortunately, there is a solution: SFTP, which stands for Secure File Transfer Protocol. Even though the name is similar, it’s technically an entirely different and unrelated protocol. And as you can imagine from that name, security is built in; everything’s encrypted.

You can probably sense a “but…” coming.

But … you can’t use SFTP anywhere you can use FTP. Like I said, it’s a completely separate protocol and must be supported on the server that you’re connecting to. For reasons I can’t quite fathom, many servers – in particular the servers at many website hosting companies – don’t support SFTP. In those cases you’re stuck with FTP.

As you also might imagine, SFTP is the only way I access my own servers.

FileZilla: Good & Bad

Like I said, FileZilla is a fine, fine FTP program. It’s handy to have around.

The good news is that FileZilla supports the SFTP protocol. That’s perfect in most cases since if your server supports it you’re done – you already have a tool that you’re familiar with that you can use in this more secure way.

The bad news is that I was surprised to find that when you create a site profile in FileZilla’s site manager so that it remembers your login specifics – it remembers the password. In plain text. On your machine. (Check out the contents of %APPDATA%/FileZilla\sitemanager.xml.) So someone who gains access to your machine could in fact grab that file and learn your (s)ftp passwords.

The solution is to ensure the physical security of your machine as well as making sure that you never ever get any malware.

Well, either that or as you’ve pointed out never have FileZilla remember passwords for you.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

6 comments on “Is my FTP program secure?”

  1. My information was stored in filezilla.xml, but nevertheless, there it was. They even use the words “user” and “pass”. If I was going to write a program to store information in the obvious, I’d at least use cryptic wording.

    Reply
  2. GOOD one, Leo. I have been using the free WS_FTP LE for 15 years, but asked my ISP and they wrote:

    I have received and read about your query/concern, and in an effort to completely
    assist you, indeed there an alternative freeware for your use to connect to FTP.
    Could you please refer to this url links of information I have
    provided below on how you can be able to FTP/upload your website with us using Filezilla?

    Filezilla Download:
    http://filezilla.sourceforge.net/documentation/

    How do I use FileZilla to connect to my webspace?
    http://faq.1and1.com/web_space__access/ftp_account/filezilla_guide/1.html

    What is the required information for an FTP connection?
    http://faq.1and1.com/websites/access/ftp/2.html
    http://faq.oneandone.co.uk/website_building/website_publishing/ftp_file_transfer_
    protocol/1.html

    Most Website programs have a built-in FTP function. If you have this you can
    normally just enter the Host Name, FTP User name and FTP password and click
    publish. However if FTP is not built-in you can use any FTP Program such as
    WISE-FTP, Cute-FTP, Filezilla etc.

    Reply
  3. I’ve used FTP since 1975 for transfering files to and from a “Major Automotive Company”. We always ENCRYPTED the FILE before transfer, then you KNEW it was secure unless your codes were compromised.
    When in doubt, and security is necessary, ENCRIPT before SEND!

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.