Helping people with computers... one answer at a time.
Your FTP program may or may not be secure. The real insecurity comes from the FTP protocol itself. I'll look at why, and what the alternatives are.
With all this talk about security on your site, I was wondering if the FTP program I use (FileZilla) is secure. I use it to upload (locally developed) websites to servers and it always worked fine, but now I'm thinking that a FTP program may be more secure if you need to log in before you can use it. Also, FileZilla has a function to export all the data of your various ftp accounts to an xml file, but that's unencrypted. I'm assuming it stores all the passwords unencrypted as well.
Well, we have good news, and bad news. Sadly, it's mostly bad news.
The good news is that FileZilla's a great, free FTP program. I've used it and have a copy of it as one of the tools I carry with me - ya just never know when you might need to ftp .
The bad news is that while FileZilla does have one security issue I'll get to, it's not FileZilla - or any ftp program for that matter - that's the weak link here.
FTP itself is fundamentally insecure.
FTP - which stands for File Transfer Protocol - is perhaps one of the oldest protocols for transferring data around the internet. For many years it was - and to be honest, in many cases still is - the workhorse for transferring files, often large files, around.
The fundamental problem with FTP is that it's not encrypted.
As it turns out there are two fairly dramatic ramifications from it's lack of encryption:
Any and all data being transferred via FTP is transferred in the clear - any network device along the way can see what's being transferred. Perhaps more troubling is that if you use FTP over an unencrypted open WiFi connection anyone who cares to sniff the WiFi connection can see your data.
The username and password being used to login to the remote site are also transmitted in the clear. Once again anyone who can see or sniff your network traffic can see the username and password if they happen to be watching when you initiate the connection.
There are a couple of other issues with the protocol as well that can affect performance in some cases, and network routing in others, but the issue you should really care about is the fact that in today's terms there is zero security built into FTP. None. Nada. Zip.
Fortunately, there is a solution: SFTP, which stands for Secure File Transfer Protocol. Even though the name is similar, it's technically an entirely different and unrelated protocol. And as you can imagine from that name, security is built in; everything's encrypted.
You can probably sense a "but..." coming.
But ... you can't use SFTP anywhere you can use FTP. Like I said, it's a completely separate protocol and must be supported on the server that you're connecting to. For reasons I can't quite fathom, many servers - in particular the servers at many website hosting companies - don't support SFTP. In those cases you're stuck with FTP.
As you also might imagine, SFTP is the only way I access my own servers.
Like I said, FileZilla is a fine, fine FTP program. It's handy to have around.
The good news is that FileZilla supports the SFTP protocol. That's perfect in most cases since if your server supports it you're done - you already have a tool that you're familiar with that you can use in this more secure way.
The bad news is that I was surprised to find that when you create a site profile in FileZilla's site manager so that it remembers your login specifics - it remembers the password. In plain text. On your machine. (Check out the contents of %APPDATA%/FileZilla\sitemanager.xml.) So someone who gains access to your machine could in fact grab that file and learn your (s)ftp passwords.
The solution is to ensure the physical security of your machine as well as making sure that you never ever get any malware.
Well, either that or as you've pointed out never have FileZilla remember passwords for you.
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.