With all this talk about security on your site, I was wondering if the FTP
program I use (FileZilla) is secure. I use it to upload (locally developed)
websites to servers and it always worked fine, but now I’m thinking that a FTP
program may be more secure if you need to log in before you can use it. Also,
FileZilla has a function to export all the data of your various ftp accounts to
an xml file, but that’s unencrypted. I’m assuming it stores all the passwords
unencrypted as well.
Well, we have good news, and bad news. Sadly, it’s mostly bad news.
The good news is that FileZilla’s a great, free FTP program. I’ve used it
and have a copy of it as one of the tools I carry with me – ya just never know
when you might need to ftp 
.
The bad news is that while FileZilla does have one security issue I’ll get
to, it’s not FileZilla – or any ftp program for that matter – that’s the weak
link here.
FTP itself is fundamentally insecure.
]]>
The Problem with FTP
FTP – which stands for File Transfer Protocol – is perhaps one of the oldest protocols for transferring data around the internet. For many years it was – and to be honest, in many cases still is – the workhorse for transferring files, often large files, around.
The fundamental problem with FTP is that it’s not encrypted.
As it turns out there are two fairly dramatic ramifications from it’s lack of encryption:
-
Any and all data being transferred via FTP is transferred in the clear – any network device along the way can see what’s being transferred. Perhaps more troubling is that if you use FTP over an unencrypted open WiFi connection anyone who cares to sniff the WiFi connection can see your data.
-
The username and password being used to login to the remote site are also transmitted in the clear. Once again anyone who can see or sniff your network traffic can see the username and password if they happen to be watching when you initiate the connection.
There are a couple of other issues with the protocol as well that can affect performance in some cases, and network routing in others, but the issue you should really care about is the fact that in today’s terms there is zero security built into FTP. None. Nada. Zip.
The Solution: SFTP
Fortunately, there is a solution: SFTP, which stands for Secure File Transfer Protocol. Even though the name is similar, it’s technically an entirely different and unrelated protocol. And as you can imagine from that name, security is built in; everything’s encrypted.
You can probably sense a “but…” coming.
But … you can’t use SFTP anywhere you can use FTP. Like I said, it’s a completely separate protocol and must be supported on the server that you’re connecting to. For reasons I can’t quite fathom, many servers – in particular the servers at many website hosting companies – don’t support SFTP. In those cases you’re stuck with FTP.
As you also might imagine, SFTP is the only way I access my own servers.
FileZilla: Good & Bad
Like I said, FileZilla is a fine, fine FTP program. It’s handy to have around.
The good news is that FileZilla supports the SFTP protocol. That’s perfect in most cases since if your server supports it you’re done – you already have a tool that you’re familiar with that you can use in this more secure way.
The bad news is that I was surprised to find that when you create a site profile in FileZilla’s site manager so that it remembers your login specifics – it remembers the password. In plain text. On your machine. (Check out the contents of %APPDATA%/FileZilla\sitemanager.xml.) So someone who gains access to your machine could in fact grab that file and learn your (s)ftp passwords.
The solution is to ensure the physical security of your machine as well as making sure that you never ever get any malware.
Well, either that or as you’ve pointed out never have FileZilla remember passwords for you.
Yeah, good reminder. I can’t believe ftp is still used these days.
My information was stored in filezilla.xml, but nevertheless, there it was. They even use the words “user” and “pass”. If I was going to write a program to store information in the obvious, I’d at least use cryptic wording.
GOOD one, Leo. I have been using the free WS_FTP LE for 15 years, but asked my ISP and they wrote:
I have received and read about your query/concern, and in an effort to completely
assist you, indeed there an alternative freeware for your use to connect to FTP.
Could you please refer to this url links of information I have
provided below on how you can be able to FTP/upload your website with us using Filezilla?
Filezilla Download:
http://filezilla.sourceforge.net/documentation/
How do I use FileZilla to connect to my webspace?
http://faq.1and1.com/web_space__access/ftp_account/filezilla_guide/1.html
What is the required information for an FTP connection?
http://faq.1and1.com/websites/access/ftp/2.html
http://faq.oneandone.co.uk/website_building/website_publishing/ftp_file_transfer_
protocol/1.html
Most Website programs have a built-in FTP function. If you have this you can
normally just enter the Host Name, FTP User name and FTP password and click
publish. However if FTP is not built-in you can use any FTP Program such as
WISE-FTP, Cute-FTP, Filezilla etc.
I’ve used FTP since 1975 for transfering files to and from a “Major Automotive Company”. We always ENCRYPTED the FILE before transfer, then you KNEW it was secure unless your codes were compromised.
When in doubt, and security is necessary, ENCRIPT before SEND!
In addition to SFTP there is also FTPS. Apples and oranges, but they both offer secure file transfer.
According to their doc, FileZilla supports FTPS
http://filezilla-project.org/client_features.php
Then too, there is SCP
http://en.wikipedia.org/wiki/Secure_copy
Comparison of SCP and SFTP
http://winscp.net/eng/docs/protocols
Can you suggest any good SFTP sites for my web based medical transcription business?