
About password storage

Posted: 2010-05-23 17:56
by zemed
Hi, I should say first that I don't speak English well :)

A few days ago, my computer was infected by a virus (like an 'iframe' virus, but not an iframe virus). I stored 15-20 website passwords in FileZilla. (I agree, this is a big mistake.)

I cleaned all the viruses from my computer and website. Later, I discovered FileZilla stores all passwords in an XML file! :shock: And I uninstalled FileZilla.

Password storage directory (Win XP)

=> C:\Documents and Settings\USERNAME\Application Data\filezilla

Is this very insecure?

I have a suggestion:

1- These passwords should not be stored in plain text
2- Each program start, ask me for the administrator password?

I think this method would stop the virus.

Re: About password storage

Posted: 2010-05-23 18:15
by boco
zemed wrote: These passwords should not be stored in plain text
And how should it store the passwords? Obfuscation does not work for Open Source software.
zemed wrote: Each program start, ask me for the administrator password?
Not possible. Simply do not store passwords.

If a virus manages to install on your PC, you have already lost. No encryption, obfuscation or master passwords will help against that. Viruses will install keyloggers that capture your passwords as you type them. And after entering a master password, normal passwords would have to be decrypted anyway. And, last but not least, unless your website host supports secure FTP/SFTP access (FTPS/FTPES/SFTP), your password is transmitted over the internet as clear text every time you log into the server!

Re: About password storage

Posted: 2010-05-23 18:32
by zemed
Thanks for answer. :)

Re: About password storage

Posted: 2010-06-03 10:53
by beededea
I do not agree. Each of my sites has a unique and impossible-to-remember password. I have 60+ sites and the FileZilla site manager is the only place to store that information.

You cannot expect a normal user of an FTP tool to understand that Windows should be more secure. It just isn't. I use Windows XP because it is practical. I am a VMS system manager so I understand the limitations of the O/S.

As the majority of users use Windows, if you have a site manager tool it must encrypt the passwords so that they are not available in plain text. Other ftp clients have seen the sense in this.

Regardless of your opinion of the host o/s it is unacceptable that filezilla stores passwords in plain text by default. I have taken the trouble to warn other users of this fact on this and another forum.

My suggestion is that no Windows user should use FileZilla until the developer(s) accept that Windows is the major platform for this tool and that password encryption functionality must be enabled by default.

If you have filezilla on your Windows PC then my suggestion is that you remove it until you fully understand the implications of using it on an insecure system.

Dean

PS. Windows is crap in so many ways but raging against the storm is pointless, you have to go with the flow.

Re: About password storage

Posted: 2010-06-03 12:44
by wuschba
Hm, difficult situation. What would be best? I generally store my passwords in a password-manager application. But you cannot start FileZilla from it because of the limited command-line options FileZilla has:

You could start FileZilla with: [protocol://][user[:pass]@]host[:port][/path]
... but that doesn't allow you to set settings in the server manager for every server (like paths, time shifts and so on).

You could start FileZilla with: -c, -site
... but that doesn't allow you to supply a password for this site.

So you always have to:
- Start FileZilla
- Pick the site from the server manager
- Open the password manager
- Input the password into the dialog FileZilla offers
... which is very annoying if you work often with FileZilla.

So what about extending the command-line arguments to allow giving FileZilla a password like:
filezilla.exe -site "MySite" -pass "MyPassword"

With that, FileZilla could be started from password-manager software and would be secure, for example, against keyloggers (or am I missing something?) and you only have to:
- Open the password manager and click the password for the site you need.

Re: About password storage

Posted: 2010-06-04 00:57
by boco
No protection, the baddies sniff the network traffic. :( And with plain FTP, your username and password are transmitted unencrypted (plain text) over the internet every time you log on to the server.

And even the password management software actually has to decrypt the password in order to send it to FileZilla. You underestimate the virus writers.

Re: About password storage

Posted: 2010-06-04 07:13
by wuschba
Network Traffic: Shouldn't happen when using SFTP (which you should do when you care about your passwords anyway).

That's why I suggest giving the password as a parameter instead of via keyboard or clipboard: writing a keyboard or clipboard logger is more common than hooking into process starting.

I mean: of course there is always a possibility to get the passwords with enough effort (with a DLL you can sniff into the memory of another application and get the passwords there), but I call it the "safety belt rule". I guess if you drive your car you wear your safety belt: you know that it won't protect you from all things that could happen, but it protects you at least from a part of them.

Yes, the OS should take care of that. But I guess introducing another parameter for the password wouldn't hurt too much, and why not make it as hard as possible to grab the keywords?

Re: About password storage

Posted: 2010-06-04 08:24
by boco
wuschba wrote: Network Traffic: Shouldn't happen when using SFTP (which you should do when you care about your passwords anyway).
Of course, but it depends on what the server supports. SFTP servers are not as common as FTP servers (or do you mean FTPS?).
wuschba wrote: That's why I suggest giving the password as a parameter instead of via keyboard or clipboard: writing a keyboard or clipboard logger is more common than hooking into process starting.
Where do you have that information from? Process and memory hooking would be the first thing a virus does. Keylogging wouldn't then even be necessary: the virus is "seeing" everything the application does. The dilemma is that FileZilla has to send the passwords, so the actual passwords have to be stored, other than the server which only stores MD5.
wuschba wrote: guess if you drive your car you wear your safety belt:
No, I don't. I don't have a car.

Re: About password storage

Posted: 2010-06-04 14:05
by botg
Your car analogy is flawed. Safety belt or not, you still need to be watchful to prevent accidents in the first place. If your car is crushed by a heavy truck the seatbelt doesn't matter anymore. If you can manage to prevent accidents, belts are useless.

In the world of computers, preventing accidents is so damn easy.

Re: About password storage

Posted: 2010-06-04 15:51
by wuschba
botg wrote:Safety belt or not, you still need to be watchful to prevent accidents in the first place.
Of course. But you still should put the safety belt on. Just in case. Sometimes it's not your fault, and even if you have been watchful you crash into someone who wasn't. Sounds like a perfect analogy to me :wink:
botg wrote:In the world of computers, preventing accidents is so damn easy.
What do you mean? Like not using windows? :wink:

Re: About password storage

Posted: 2010-06-04 19:17
by boco
wuschba wrote: What do you mean? Like not using windows? :wink:
Would be a possibility. :P Besides, I'm using Windows, too, on many PCs, and my last and only virus infection was from 1994. Since then, nothing. Brain 1.0 Deluxe edition helps sometimes. :mrgreen:

Re: About password storage

Posted: 2010-06-04 21:45
by botg
I have used Windows without a firewall and without virus scanners for over a decade. About 7 years of that using a public IP address not hidden behind NAT. Number of infections: ZERO.

Using a networked computer properly requires constant vigilance. You need to constantly spend time to maintain the security of your entire system. There is no silver bullet, no self-proclaimed security solution can protect you and neither can individual programs even remotely protect their own data if the very system they are running on is not properly maintained.

Re: About password storage

Posted: 2010-06-08 14:21
by wuschba
botg wrote:I use Windows without firewall and without virus scanners for over a decade. About 7 years of that using a public IP address not hidden behind NAT. Number of infections: ZERO.
How are you sure about that when you use no virus scanners?

Re: About password storage

Posted: 2010-06-08 17:43
by botg
Not using untrusted software. Going so far as not to even have Flash installed.

If I want to watch a clip on youtube I start up a virtual machine just for that.

Re: About password storage

Posted: 2010-06-24 18:14
by lukesc
I'm sorry but this is just unbelievable. I personally use Linux and Mac OS X and I am confident in my OS's ability to keep me secure. But even so I believe the passwords should be encrypted at a minimum, even if I decide to have the OS encrypt the folder the passwords reside in.

The reason why I want to use FileZilla is because it's cross platform. Currently my boss, who loves using Windows, uses CuteFTP and I use YummyFTP. What's a major pain in the ass is when we both have to work on the same site. Because FileZilla is cross platform I would ideally like to develop an internal service to sync the site credentials between our machines. But I don't want to have these site credentials on his machine stored in plain text, even if his OS supported encryption (which it doesn't).

Believe me, I want more than anything for him to switch to a different OS, but that just isn't going to happen. If you want to store the passwords in plain text, fine... go ahead and do that. But there should be an option to encrypt the entire file with a master password. It may not be the most secure solution and shouldn't be used alone, but it's at least something.

You can't just expect people to rely on the OS. If you really wanted to make that argument you'd be using Mac OS's keychain manager (most FTP clients on the Mac do!). But being a cross-platform application, it can be ideal to have it stored in a file like it is now... It's just insecure to store it in plain text.

On the Mac a key-logger is not going to work, unless you're stupid enough to enable the assistive devices checkbox for keyboard based event taps (you can selectively give applications this access without checking that box). Even when that box is checked keyboard event taps don't work with the password dialog box. But Windows doesn't have such protection, and I can't convince stubborn people to switch.

All that I ask is a simple file encryption be implemented, something like RC4 where a master password is used as the encryption key (preferably an encryption method supported by PHP's mcrypt extension). That way I can easily transmit encrypted files to our workstations, and have some peace of mind (trust me I don't plan on stopping there as far as security is concerned).
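The master-password file encryption requested in the post above, as an added example (it is not FileZilla's code and not code from anyone in this thread). It puts the requested design, RC4 keyed directly by the master password, beside a hardened form: a random per-file salt, a PBKDF2 key derivation, a random nonce, and an integrity tag, so a wrong password or a modified file is detected instead of silently producing garbage. The function names, the `FZX1` header and the site XML sample are all constructed for this example; the XML is not FileZilla's real sitemanager format. The keystream is generated from HMAC-SHA256 in counter mode so the example runs on the Python standard library alone; with a crypto library available you would use AES-GCM for the same role.

```python
import hashlib
import hmac
import secrets

# Constructed sample, not FileZilla's actual sitemanager.xml layout.
SAMPLE_SITES_XML = (
    b"<Servers><Server><Host>ftp.example.test</Host><User>deploy</User>"
    b"<Pass>S3cret-pa55word</Pass></Server></Servers>"
)

# --- 1. The design asked for in the post: RC4 keyed directly by the master password ---

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA) XORed over data. Same key -> identical keystream every time."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def keystream_reuse_leak(password: str, file_a: bytes, file_b: bytes) -> bytes:
    """Two files encrypted under the same password, no salt, no nonce: XORing the two
    ciphertexts cancels the keystream and yields the XOR of the plaintexts, so anyone
    holding both encrypted files (e.g. two synced workstations) learns where they agree."""
    key = password.encode("utf-8")
    ca, cb = rc4(key, file_a), rc4(key, file_b)
    return bytes(x ^ y for x, y in zip(ca, cb))

# --- 2. Hardened form: salted KDF, per-file nonce, encrypt-then-MAC ---

MAGIC = b"FZX1"          # constructed file header for this example
KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256; raise until derivation takes ~0.5 s

def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def prf_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_file(password: str, plaintext: bytes) -> bytes:
    """Layout: MAGIC(4) | salt(16) | nonce(16) | ciphertext | HMAC-SHA256 tag(32)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, prf_keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # covers header too
    return header + ct + tag

def decrypt_file(password: str, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(blob) < 4 + 16 + 16 + 32 or not blob.startswith(MAGIC):
        raise ValueError("not an encrypted site file")
    salt, nonce = blob[4:20], blob[20:36]
    ct, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, blob[:36] + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or file tampered with")
    return bytes(c ^ k for c, k in zip(ct, prf_keystream(enc_key, nonce, len(ct))))

def verify_password(password: str, blob: bytes) -> bool:
    """True only if the password is right and the file is intact."""
    try:
        decrypt_file(password, blob)
        return True
    except ValueError:
        return False

def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulate on-disk corruption or modification of one ciphertext byte."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    leak = keystream_reuse_leak("master", b"<Pass>abc", b"<Pass>xyz")
    print("RC4 XOR leak, zero bytes where plaintexts match:", leak)
    blob = encrypt_file("correct horse", SAMPLE_SITES_XML)
    print("round trip ok:", decrypt_file("correct horse", blob) == SAMPLE_SITES_XML)
    print("wrong password accepted:", verify_password("wrong", blob))
    print("tampered file accepted:", verify_password("correct horse", flip_byte(blob, 40)))
```

The salt makes two files encrypted under the same master password unrelated, which is exactly what the RC4 variant lacks, and the tag turns "wrong password" into an error rather than corrupted site entries. None of this changes the point made earlier in the thread: the file still has to be decrypted into memory for FileZilla to log in, so it protects the file at rest and in transit between machines, not against a compromised host.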