Don’t believe me? Have a read of Why is FTP insecure, on the Deccanhosts blog. So to infer that employing secure encryption vaults is not really any more secure is incorrect, especially given all of these techniques available.īut the arguments of whether credentials should or shouldn’t be saved is moot, as there’s a key point which using FTP in the first place overlooks – your credentials and data are sent in the clear. These include 128 and 256-bit symmetrical keys, SHA512 and PBKDF2 encryption – along with a range of other features employed to protect the data files being accessed, all while retaining the ease of use and simplicity of them. Applications which are specifically designed to be a secure vault for passwords, and other secure information, would likely not be as easy to crack as this answer implies.įor example, a recent blog post from 1Password lists a number of the key mechanisms employed in the fight against crackers. I believe the above assertion doesn’t fully appreciate the design considerations of programs such as the two listed above. Meaning they will also have access to the encryption keys or the keys encrypting the encryption keys and so on. ![]() If a malware is running on your user account, they have as much access to what you (or any other application running at the same level) have. You see, encrypting the credentials requires an encryption key which needs to be stored somewhere. Louis Lazaris then linked to a discussion on Stack Exchange, which attempted to counter the position. People suggested that at the very least, the configuration files should be encrypted or be set up in such a way as to ask for a master password before access was granted, much like 1Password and KeePassX do. What About Encrypted Configuration Files? To be fair, in the latest version of FileZilla, storing passwords is disallowed by default. Sure, when you use the program, it obscures the password, as shown in the screenshots above, so that it can’t be read over your shoulder.īut there’s little point when you can just lift it from the computer, should you have access. But note how it stores your password in the clear too? You can see that it’s storing a lot of information about the connection, so that you don’t need to remember it. localhost 21 0 0 anonymous user 1 0 MODE_DEFAULT 0 Auto 0 test site 0 test site ![]() If you’ve not read the article, FileZilla stores connection details in a simple XML file, an example of which you can see below. One of the comments linked to a quite descriptive article which showed that, despite obscuring your credentials when using the software, if you save your credentials, they’re quite easy to retrieve. ![]() The discussion focused quite heavily on FileZilla, making a range of assertions as to how insecure it is (or isn’t).Ī key aspect of the debate centered around whether you should store your passwords with FileZilla. ![]() I’ll cut to the chase the reason I’m writing this is because of an interesting discussion on SitePoint back in August. But if you’re transferring data with FTP, these measures are effectively mitigated. They may implement measures such as obscuring passwords from view by those around you. Programs such as FileZilla, CyberDuck, Transmit, or Captain FTP can be secure. Do you deploy or transfer files using FTP? Given the age of the protocol and its wildly popular nature amongst a wide number of hosting companies, it’s fair to say you might.īut are you aware of the security issues this may open up for you and your business? Let’s consider the situation in-depth.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |