FileZilla Forums


All times are UTC




 Post subject: Hide password File ?
PostPosted: 2012-02-16 14:37 
500 Command not understood

Joined: 2012-02-16 14:20
Posts: 1
Hey guys,
So I have been using FileZilla for a long time. But I also had my websites hacked a couple times, and after some vigorous work, I found out that my computer was infected and the virus was able to get my FileZilla password file. So my question is this: is there a way to either hide or encrypt the FileZilla password file?

Thanks

Post subject: Re: Hide password File ?
PostPosted: 2012-02-16 14:55
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19631
Location: Germany
Encrypt your user home directory.

_________________
### BEGIN SIGNATURE BLOCK ###
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
All support requests per PM will be ignored!
### END SIGNATURE BLOCK ###


Post subject: Re: Hide password File ?
PostPosted: 2012-02-17 07:29
Site Admin

Joined: 2004-02-23 20:49
Posts: 22516
You can disable saving of passwords in the settings dialog of FileZilla.


Post subject: Re: Hide password File ?
PostPosted: 2012-03-02 06:00
450 Internal Error

Joined: 2004-11-13 01:19
Posts: 39
boco wrote:
Encrypt your user home directory.

And how exactly does that help? My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in. This means your sitemanager.xml file is decrypted on the fly for any application that requests it and so no protection is provided. The encrypted home directory only helps when the volume is unmounted.

Thankfully, the project is open source and I have been able to modify it to suit my own needs.


Post subject: Re: Hide password File ?
PostPosted: 2012-03-02 22:06
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19631
Location: Germany
Quote:
My understanding of how an encrypted home directory works (at least it does with something like TrueCrypt) is that the encrypted volume is mounted while the computer is on and the user is logged in.
Yes, exactly. You are expected to log off or lock when you walk away.

Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.

Post subject: Re: Hide password File ?
PostPosted: 2012-03-02 22:50
450 Internal Error

Joined: 2004-11-13 01:19
Posts: 39
boco wrote:
Encrypting the home directory doesn't work against malware running in your user context. But neither does obfuscation.
Locking the front door to my house doesn't protect me against the competent thief who knows how to pick the lock but that doesn't mean I am going to start leaving my door unlocked so that anyone can get in. Same thing applies here. Just because someone can write specialized malware that knows to wait for me to enter my master password so it can read my passwords from RAM, doesn't mean that I want to make it easy for them by leaving them in a plaintext file on my hard drive.


Post subject: Re: Hide password File ?
PostPosted: 2012-03-03 08:56
Site Admin
Joined: 2004-02-23 20:49
Posts: 22516
You're using the wrong analogy.

Correct one: If the thief is already in your house, locking the front door does nothing.


Post subject: Re: Hide password File ?
PostPosted: 2012-03-03 18:27
450 Internal Error

Joined: 2004-11-13 01:19
Posts: 39
I figured you would come back with that...

Ok, so how about storing my valuables in a locked safe in my house instead of an unlocked safe?


Post subject: Re: Hide password File ?
PostPosted: 2012-03-03 20:20
Site Admin

Joined: 2004-02-23 20:49
Posts: 22516
Same thing, if the thief is already in your safe...

If there's malware already on your computer, you've lost already. Your system has been compromised at that point.

However if your system is secure, you can use nuclear missile launch codes as desktop background.


Post subject: Re: Hide password File ?
PostPosted: 2012-03-27 08:29
500 Command not understood

Joined: 2008-08-27 08:09
Posts: 5
Has anyone had experience with this one? I have... I'm switching!

http://www.couchcms.com/forum/viewtopic.php?f=4&t=6923


Post subject: Re: Hide password File ?
PostPosted: 2012-03-27 08:37
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19631
Location: Germany
That's your good right. If you think security through obscurity is good enough for you, then bye.

Post subject: Re: Hide password File ?
PostPosted: 2012-04-09 13:39
500 Command not understood

Joined: 2008-08-27 08:09
Posts: 5
Let's not talk about "rights" ;-)

Don't you agree that keeping this kind of information in a plain text file is a bit too easy?

Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
Not saving credentials?

:-)

ps, I chose to switch but I didn't like that at all since I liked FZ a lot ... !!!
That's why I was really surprised to discover this, I'd have guessed that our data was protected, anyway, hope to use FZ again soon...


Post subject: Re: Hide password File ?
PostPosted: 2012-04-09 22:47
226 Transfer OK

Joined: 2006-05-01 03:28
Posts: 19631
Location: Germany
Quote:
Don't you agree that keeping this kind of information in a plain text file is a bit too easy?
Define "easy". Any attempt to obfuscate password information will be countered by malware writers without any problems. Since FileZilla is Open Source, it is not even possible to keep anything secret in the code (the kind of "hiding game" some commercial closed source apps play).

Quote:
Even with a decent AV there's no guarantee to stay clean, so what would you suggest?
A decent AV (if such a thing even exists) is not an excuse to feel safe. Many people rely on AVs, firewalls and similar stuff, and then wonder why they get burned. The biggest security problem is in front of the screen!

Quote:
Not saving credentials?
Yes. I have been running kiosk mode 1 for years now. Maybe you can use a dedicated software like KeePass (Open Source, that one has strong encryption) if that gives you a warm and fuzzy feeling. KeePass can even auto-enter the information into the FileZilla dialogs IIRC.

Quote:
I'd have guessed that our data was protected, anyway, hope to use FZ again soon...
Only you can protect your data. No software can guarantee data safety, no matter what they tell you.

Post subject: Re: Hide password File ?
PostPosted: 2012-04-17 14:22
500 Command not understood

Joined: 2012-04-17 12:36
Posts: 1
Hi guys,

before I start... I'm new to this forum. FZ is (still) my favourite FTP client. I'm a professional software developer (mainly C/C++) and consider myself as an "experienced" user :wink:

Let me tell you what I'm thinking about this issue:

Quote:
Only you can protect your data. No software can guarantee data safety, no matter what they tell you.

Agree. It is the user's own responsibility to care about security of his data.

Quote:
However if your system is secure, you can use nuclear missile launch codes as desktop background.

Agree also in that point. On a secure system the user's data are protected from other users or "evil software".

Some thoughts about this:

On a Linux system, I see no need at all for password encryption. Via file and directory permissions it is easy to protect data from other users' curious looks :wink:
And Linux users usually "know what they are doing".
Recently I've read a tutorial about setting up a mail server on Linux. Even in some server configuration files, database passwords are stored in plain text. But where is the problem if only root can access them :)

However, let's talk about Windows:

My experience is that most Windows users don't really know what they are doing (although they often think so...).
I agree in that point, that if my PC gets infected with malware, I'm already in big trouble. So, MY first reaction would be to reinstall the OS and change my internet passwords. But several times I've seen PCs which were infected by malware whose owners didn't even KNOW about that. And let's be honest: the risk to get infected is still a lot higher for Windows systems than for Linux systems.

Unfortunately there seems to be a Windows malware which reads FZ's FTP credentials which are stored in Plain Text and uses them to infect web sites to spread around the internet. So you see it is really happening!!! Of course, password encryption (via Windows CryptoAPI, e.g.) without an additional user-defined key or entropy doesn't really solve that problem, because it's possible to write malware capable of decrypting the credentials. But this is still harder than just writing a little piece of software that parses the XML file. I understand that password encryption requiring user-defined information is not desirable for some users who expect it to work out of the box, however this would probably offer the security that some people want. That's a sort of dilemma :|

So what can be done? My suggestions:
1. "Save password" should be turned off by default.
2. If the user decides to save his passwords, he must be given a hint (maybe with a big red blinking exclamation mark :wink: ) that protection and security is his own responsibility (no matter if encryption is done or not).
3. Password encryption should be provided as an option.

This doesn't solve any of Windows's security flaws and it doesn't prevent an "average user's" PC to get infected by malware from time to time. This even happens to experienced users... But it might help to LIMIT THE DAMAGE caused by malware. This would be worth it. Think about this, dear developers. It is the least thing you can do to help the users.

But just saying things like "If your system gets infected, it is your own fault, don't bother me with that..." is, in my opinion, arrogant, ignorant and silly, considering of which "type" most Windows users are... with an attitude like this, you are helping the "bad guys"!

Dear developer(s), I'm not going to keep bothering you with that issue. But I'm seriously thinking about contributing some code concerning password encryption (or maybe I'll build my own FZ version. It is open source, so why not...).

Regards
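
The Linux point in the post above (file permissions keep the saved-site file away from other users) can be checked with a short audit; this is an added example, not part of the thread or of FileZilla's code. It reports whether the file is readable by other accounts and how many entries hold a saved password, without returning any of them; the sample XML and its element names are constructed assumptions, and, as noted earlier in the thread, permissions do nothing against malware running as the same user.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element names are assumptions about the file layout.
SAMPLE = """<FileZilla3><Servers>
  <Server><Host>ftp.example.test</Host><User>alice</User><Pass>constructed-sample</Pass></Server>
  <Server><Host>ftp2.example.test</Host><User>bob</User><Pass></Pass></Server>
</Servers></FileZilla3>"""


def audit_credential_file(path, pass_tag="Pass"):
    """Report exposure of a saved-site file without returning any password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    root = ET.parse(path).getroot()
    # Count entries that carry a saved password; the values are never kept.
    stored = sum(1 for el in root.iter(pass_tag) if (el.text or "").strip())
    return {
        "mode": oct(mode),
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "stored_passwords": stored,
    }


def restrict_to_owner(path):
    """Owner read/write only (0600), so other local accounts cannot read it."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Audit a throwaway copy of SAMPLE before and after tightening its mode."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # a typical world-readable default
        before = audit_credential_file(path)
        restrict_to_owner(path)
        after = audit_credential_file(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```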


Post subject: Re: Hide password File ?
PostPosted: 2012-08-02 06:36
Site Admin

Joined: 2004-02-23 20:49
Posts: 22516
What do you mean?

