FileZilla Forums

Hi,

I analyzed sitemanager.xml and I'm surprised : passwords are clear stored !
With FileZilla 2, there are encrypted and It can help to protect them (better than nothing).
That feature is planned ? or not ?

Thanks

This is by design, it is the task of the operating system to protect your private data.

OK no problem, I already protected my data

In fact the problem is caused by the OS and its ACLs. In the case of vista, the ACLs force the 'userization' of data into folders such as 'Application Data' , and it is this which leads to password hashes, etc ending-up in all sorts of dark corners of the filesystem. This makes it very hard to uninstall a userized app with confidence. Most uninstall-routines in fact cannot handle this situation, and end-up leaving sensitive data in userprofiles when the app is removed. This is not the fault of the uninstaller but of the OS design, which makes it impossible to tell whether multiple userprofiles contain program-fragments.

IMHO the older arrangement of storing the XML file in the program's folder far more secure, especially as it made it possible to remove all sensiitve data from a computer with confidence. However, app-coders can do little but comply with Microsoft's 'userization' demands, or else ditch Vista support!

Anyhow, my question is: does anyone know how to switch (the older releases with this feature) into 'secure mode' where no passwords are saved?

This is the feature I'm waiting for the most.

Rejoice, next version will have this feature again. Will be called kiosk mode though.

Tried kiosk mode, works great. But there is a small problem with it. Filezilla correctly writes all data to disk except passwords. But it doesn't ask the password in case it is required again next session. Old Quickconnect entries become invalid because Filezilla sends an empty password string.

The entries are still valid. The dropdown handler just did not ask for the password.

So it will ask in the next version?

The main problem is already solved for me: passwords aren't saved anymore.

Will try the next nightly, then.

It would be good if we could at least MOVE the sitemanager.xml file into another folder. I am using software to create a virtual secret drive on my PC. So, I would like to move this file to encrypted drive, but it seems, there is no way to do that in FileZilla.


That is not quite right. I would like to ensure my private data is secure even if my PC is stolen. No OS can protect from that. Only encryption. The good move might be to encrypt the whole system drive, but this solution seems quite radical for me now. At this step I would like to use encrypted virtual drives for sensitive data.

A good OS has encrypted filesystems. Even Windows has built-in filesystem encryption!

Really? Is Windows really good OS? Do you know how many bugs were found in this EFS implementation? I don't trust Microsoft.
EFS is especially weak in earlier Windows versions. 40 or 56 bit key length.... Eh...

Especially with such tools: http://www.crackpassword.com/products/prs/mswin/efs/ EFS is a crap.

I don't think you should relate all security problems of FileZilla to Microsoft. There is still something YOU can do.

Yes, I can refuse to throw money at Microsoft and just use Linux instead