Helping people with computers... one answer at a time.

Your FTP program may or may not be secure. The real insecurity comes from the FTP protocol itself. I'll look at why, and what the alternatives are.

With all this talk about security on your site, I was wondering if the FTP program I use (FileZilla) is secure. I use it to upload (locally developed) websites to servers and it always worked fine, but now I'm thinking that an FTP program may be more secure if you need to log in before you can use it. Also, FileZilla has a function to export all the data of your various FTP accounts to an XML file, but that's unencrypted. I'm assuming it stores all the passwords unencrypted as well.

Well, we have good news, and bad news. Sadly, it's mostly bad news.

The good news is that FileZilla's a great, free FTP program. I've used it and have a copy of it as one of the tools I carry with me - ya just never know when you might need to FTP.

The bad news is that while FileZilla does have one security issue I'll get to, it's not FileZilla - or any FTP program for that matter - that's the weak link here.

FTP itself is fundamentally insecure.

The Problem with FTP

FTP - which stands for File Transfer Protocol - is perhaps one of the oldest protocols for transferring data around the internet. For many years it was - and to be honest, in many cases still is - the workhorse for transferring files, often large files, around.

The fundamental problem with FTP is that it's not encrypted.

As it turns out there are two fairly dramatic ramifications of its lack of encryption:

  • Any and all data being transferred via FTP is transferred in the clear - any network device along the way can see what's being transferred. Perhaps more troubling is that if you use FTP over an unencrypted open WiFi connection, anyone who cares to sniff that WiFi can see your data, and the files you upload or download along with it.

  • The username and password used to log in to the remote site are also transmitted in the clear, as plain "USER" and "PASS" commands on the control connection. Once again anyone who can see or sniff your network traffic can read the username and password if they happen to be watching when you initiate the connection - and from then on they can log in as you.

There are a couple of other issues with the protocol as well: FTP opens a separate data connection for every transfer, which is why it interacts so badly with firewalls and NAT routers (the familiar "active" versus "passive" mode problems). But the issue you should really care about is the fact that in today's terms there is zero security built into FTP. None. Nada. Zip.
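To make the two points above concrete, here is an added example (not from the original article) that does what a sniffer on your network segment or an open WiFi would do: read the FTP control-channel conversation and pull out the login, the file name being sent, and even the address and port of the data connection. The transcript is constructed for this example; the host, user name, password and file name are made up, and the ">" and "<" direction markers stand in for what a capture tool labels as client and server packets.

```python
"""
Extract what plain FTP leaks on the wire from a captured control channel.

Added example, not code from the original article or from FileZilla.
The transcript below is constructed: '>' marks client-to-server lines,
'<' server-to-client lines, as a sniffer would label them. The real
bytes on port 21 carry no such markers, only the text after them.
"""
from typing import Dict, List, Optional, Tuple

# Constructed capture of a plain-FTP login followed by one upload.
CAPTURED_CONTROL_CHANNEL = """\
< 220 (vsFTPd 3.0.3)
> USER webmaster
< 331 Please specify the password.
> PASS Tr0ub4dor&3
< 230 Login successful.
> PASV
< 227 Entering Passive Mode (192,0,2,10,195,80).
> STOR index.html
< 150 Ok to send data.
< 226 Transfer complete.
> QUIT
< 221 Goodbye.
"""


def _lines(transcript: str):
    """Yield (direction, text) for each marked line of the transcript."""
    for raw in transcript.splitlines():
        if len(raw) < 2 or raw[0] not in "<>":
            continue
        direction, _, text = raw.partition(" ")
        yield direction, text


def extract_ftp_login(transcript: str) -> Optional[Dict[str, object]]:
    """Return the USER/PASS pair the client sent and whether the server accepted it.

    Both values travel as plain text; no decoding is needed, which is the
    whole point: anyone watching the connection reads them as easily as this.
    """
    user = password = None
    login_ok = False
    for direction, text in _lines(transcript):
        if direction == ">":
            verb, _, arg = text.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS":
                password = arg
        elif direction == "<" and text.startswith("230"):
            login_ok = True  # 230 = "User logged in, proceed"
    if user is None or password is None:
        return None
    return {"user": user, "password": password, "login_ok": login_ok}


def transferred_files(transcript: str) -> List[str]:
    """Names of files the client stored or retrieved (STOR/RETR arguments)."""
    names = []
    for direction, text in _lines(transcript):
        verb, _, arg = text.partition(" ")
        if direction == ">" and verb.upper() in ("STOR", "RETR"):
            names.append(arg)
    return names


def passive_data_endpoint(transcript: str) -> Optional[Tuple[str, int]]:
    """Decode the 227 reply: (host, port) of the data connection, also in the clear.

    The six comma-separated numbers are the four address octets followed by
    the port split into high and low bytes, so port = p1 * 256 + p2.
    """
    for direction, text in _lines(transcript):
        if direction == "<" and text.startswith("227") and "(" in text:
            inside = text[text.index("(") + 1:text.index(")")]
            h1, h2, h3, h4, p1, p2 = (int(x) for x in inside.split(","))
            return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


if __name__ == "__main__":
    print("login      :", extract_ftp_login(CAPTURED_CONTROL_CHANNEL))
    print("files      :", transferred_files(CAPTURED_CONTROL_CHANNEL))
    print("data socket:", passive_data_endpoint(CAPTURED_CONTROL_CHANNEL))
```

Knowing the data endpoint matters because the file contents go over that second connection, equally unencrypted, so a sniffer that has the control channel can follow the upload of index.html byte for byte. With SFTP the whole session, including the login, is inside one encrypted SSH connection and none of these functions would have anything to read.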

The Solution: SFTP

Fortunately, there is a solution: SFTP, the SSH File Transfer Protocol (it is often expanded as "Secure FTP", but that's not what it is). Even though the name is similar, it's technically an entirely different and unrelated protocol: it runs inside an SSH session, the same thing administrators use for a secure command-line login. And as you can imagine from that, security is built in; the login and everything transferred are encrypted, and the server's identity is checked before you send a password.

You can probably sense a "but..." coming.

But ... you can't use SFTP anywhere you can use FTP. Like I said, it's a completely separate protocol and must be supported on the server that you're connecting to. For reasons I can't quite fathom, many servers - in particular the servers at many website hosting companies - don't support SFTP. Some of them offer FTPS instead, which is ordinary FTP wrapped in TLS; that's a different protocol again, but it also encrypts the login and the data, and FileZilla supports it too. Where neither is available you're stuck with plain FTP.

As you also might imagine, SFTP is the only way I access my own servers.

FileZilla: Good & Bad

Like I said, FileZilla is a fine, fine FTP program. It's handy to have around.

The good news is that FileZilla supports the SFTP protocol. That's perfect in most cases since if your server supports it you're done - you already have a tool that you're familiar with that you can use in this more secure way.

The bad news is that I was surprised to find that when you create a site profile in FileZilla's site manager so that it remembers your login specifics - it remembers the password. In plain text. On your machine. (Check out the contents of %APPDATA%\FileZilla\sitemanager.xml; the details of the last connection you made via Quickconnect end up in filezilla.xml in the same folder.) So someone who gains access to your machine - or to a backup, a roaming profile or a synced copy of that folder - could in fact grab that file and learn your FTP and SFTP passwords.

The mitigation is to protect the machine itself: keep it physically secure, encrypt the disk so the file can't simply be read off it, and make sure that you never get any malware, since anything that runs as you can read your own profile folder.

Well, either that or as you've pointed out never have FileZilla remember passwords for you.
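If you'd like to check what your own copy is holding, here is an added example (not FileZilla's code and not from the original article) that reads a sitemanager.xml and reports each saved site that has a password stored with it. The XML embedded below is a constructed sample in the layout FileZilla 3 used at the time, with made-up hosts, users and passwords; the meaning of the numeric Protocol and Logontype values is an assumption noted in the code, so check it against your own file before relying on it.

```python
"""
Audit a FileZilla sitemanager.xml for passwords saved in plain text.

Added example, not FileZilla's own code. SAMPLE_SITEMANAGER_XML is a
constructed sample: a <FileZilla3> root, a <Servers> list, one <Server>
per saved site, with <User> and <Pass> elements. Hosts, user names and
passwords are made up. The Protocol and Logontype mappings below are
assumptions about FileZilla's numbering, not taken from the article.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_SITEMANAGER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>webmaster</User>
      <Pass>Tr0ub4dor&amp;3</Pass>
      <Logontype>1</Logontype>
      <Name>Client site (plain FTP)</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Pass>correct horse</Pass>
      <Logontype>1</Logontype>
      <Name>My server (SFTP)</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>Ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Assumed meaning of <Protocol> values (verify against your FileZilla version).
PROTOCOL_NAMES = {
    "0": "FTP (plain)",
    "1": "SFTP",
    "3": "FTPS (implicit TLS)",
    "4": "FTPES (explicit TLS)",
}
# Assumed: Logontype 1 = "Normal" (credentials saved), 2 = "Ask for password".
PLAINTEXT_ON_WIRE = {"0"}  # protocols that also send the password unencrypted


def find_saved_passwords(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per saved site whose <Pass> element is present and non-empty.

    The password itself is never returned, only its length, so the report
    can be pasted somewhere without repeating the exposure it describes.
    """
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, object]] = []
    for server in root.iter("Server"):
        secret = server.findtext("Pass") or ""
        if not secret:
            continue  # "Ask for password" entries store nothing
        protocol = server.findtext("Protocol", "")
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "protocol": PROTOCOL_NAMES.get(protocol, "unknown"),
            "password_length": len(secret),
            # Saved in the clear AND sent in the clear: the worst combination.
            "exposed_on_wire": protocol in PLAINTEXT_ON_WIRE,
        })
    return findings


def audit_file(path: str) -> List[Dict[str, object]]:
    """Audit a real sitemanager.xml; path may contain %APPDATA%-style variables."""
    with open(os.path.expandvars(path), encoding="utf-8") as fh:
        return find_saved_passwords(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample; swap in audit_file(r"%APPDATA%\FileZilla\sitemanager.xml")
    # to check your own profile.
    for site in find_saved_passwords(SAMPLE_SITEMANAGER_XML):
        print(f"{site['name']!r}: {site['user']}@{site['host']} via {site['protocol']}, "
              f"password of {site['password_length']} chars saved"
              + (", also sent in the clear" if site['exposed_on_wire'] else ""))
```

The third entry in the sample is what a profile looks like after you choose "Ask for password" instead of "Normal" as the logon type: no <Pass> element at all, so there is nothing on disk for an attacker to harvest.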

Article C4407 - August 19, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

6 Comments
Bucky
August 20, 2010 1:57 PM

Yeah, good reminder. I can't believe ftp is still used these days.

Gabe
August 24, 2010 9:55 AM

My information was stored in filezilla.xml, but nevertheless, there it was. They even use the words "user" and "pass". If I were going to write a program to store information in the obvious, I'd at least use cryptic wording.

Ken Laninga
August 25, 2010 12:52 PM

GOOD one, Leo. I have been using the free WS_FTP LE for 15 years, but asked my ISP and they wrote:

I have received and read about your query/concern, and in an effort to completely assist you, indeed there is an alternative freeware for your use to connect to FTP. Could you please refer to the URL links of information I have provided below on how you can be able to FTP/upload your website with us using Filezilla?

Filezilla Download:
http://filezilla.sourceforge.net/documentation/

How do I use FileZilla to connect to my webspace?
http://faq.1and1.com/web_space__access/ftp_account/filezilla_guide/1.html

What is the required information for an FTP connection?
http://faq.1and1.com/websites/access/ftp/2.html
http://faq.oneandone.co.uk/website_building/website_publishing/ftp_file_transfer_protocol/1.html

Most website programs have a built-in FTP function. If you have this you can normally just enter the Host Name, FTP User name and FTP password and click publish. However, if FTP is not built in you can use any FTP program such as WISE-FTP, Cute-FTP, Filezilla etc.

Robert K Brown
August 28, 2010 10:59 AM

I've used FTP since 1975 for transferring files to and from a "Major Automotive Company". We always ENCRYPTED the FILE before transfer, then you KNEW it was secure unless your codes were compromised.
When in doubt, and security is necessary, ENCRYPT before SEND!

Michael Horowitz
August 29, 2010 10:14 PM

In addition to SFTP there is also FTPS. Apples and oranges, but they both offer secure file transfer.

According to their doc, FileZilla supports FTPS
http://filezilla-project.org/client_features.php

Then too, there is SCP
http://en.wikipedia.org/wiki/Secure_copy

Comparison of SCP and SFTP
http://winscp.net/eng/docs/protocols

Sue
January 15, 2011 6:06 PM

Can you suggest any good SFTP sites for my web based medical transcription business?
