
Add a "FileZilla and plaintext passwords" page to Website

Posted: 2014-02-28 15:55
by RichH79
Hi,
sorry if this is the wrong location for this post.

I've seen lots of posts from users of other websites that complain about FileZilla client storing passwords in plaintext. Obviously, users don't understand that there is no real way to secure passwords stored on the computer, besides using the OS's functions for a multi-user environment to prevent other users from reading the passwords.

A complaint that I often see is, "It is totally easy for a trojan to get FileZilla's saved passwords, because they are not encrypted." What they don't understand is, if they were encrypted, FileZilla would need some way to decrypt them, because an FTP server needs to know the password in plain format, so the key used for encryption is available to FileZilla and thus also to a trojan - the encryption would be useless.

There is an exception to this, when the password file would itself be encrypted using a "master password". Then, an attacker would need to know that master password to read the other passwords. However, a trojan could simply activate a keylogger to get this master password, so this would also not be really secure.


So, although FileZilla is doing nothing wrong (and I think it is a great product), users may try to avoid using FileZilla because it is not "secure" in their opinion. I think FileZilla should create a page like "Why does FileZilla client store passwords in plain text?" that explains the reasoning for this to users, similar to this page from Apache Tomcat: http://wiki.apache.org/tomcat/FAQ/Password


On such a page, I think about something like the following as content (assuming a Windows OS):

- an FTP server needs a password in plain format (non-hashed)
- if a client like FileZilla stores a password on the computer, it needs to be able to retrieve it later
- if the password were encrypted, FileZilla would need to decrypt it, so the key used for encryption needs to be available to FileZilla and thus is also available to a trojan (because FileZilla is open-source, it is easy for everyone to know how FileZilla would encrypt the passwords)
- this would be a case of "security by obscurity": although the user may think passwords are safe from a trojan just because they seem "encrypted", in fact they aren't
- even if an attacker/trojan didn't know how FileZilla stores its passwords and what key it uses to encrypt them, he could simply copy the user profile folder (%AppData%\FileZilla) to the same folder on his own computer, start FileZilla on his computer and look at what passwords it sends when connecting to the FTP servers
- FileZilla can't help it if the user runs a trojan - whereas for protecting passwords from other users, the OS needs to ensure that they cannot read them


For better illustration, maybe an example with Mozilla Firefox (assuming a Windows OS):
- with Firefox, you can store passwords for website login forms
- you can see them if you go to Options, Security, Saved Passwords and click on Show passwords.
- this means Firefox saves your passwords somewhere in your user profile
- I don't know exactly where and how it saves them - it could be "signons.sqlite", as when you open it with a text editor, you can see the URLs of the sites where passwords are stored and the names of the form fields, but it seems the passwords are not stored in plaintext in this file
- however, if an attacker wants to know the passwords and runs a trojan on the computer, the trojan could simply copy the whole Firefox user profile (the contents of %AppData%\Mozilla\Firefox) to the same location on the attacker's computer
- the attacker would also have installed Firefox, so he can simply do the same steps as mentioned before - go to Options, Security, Saved Passwords and click on Show passwords - to view all the user's passwords in plaintext, although they didn't seem to be stored in plaintext
- Is this a vulnerability in Firefox? No, because Firefox cannot help it if you run a trojan - the same is true for FileZilla.

- Note however, that with Firefox a user can set a "master password" to protect the saved passwords - but this means every time the user wants to log in to the website, Firefox asks him to enter his master password
- in this case, if the attacker copied the user profile, he would be forced to enter the master password to get the other passwords - however, if the attacker already runs a trojan on the user's computer, the trojan could simply start a keylogger when the user enters the master password, so while it increases the barrier for a trojan to read the passwords, it does not 100% protect them.
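To make the three cases discussed in the post above concrete (plaintext on disk, "encryption" with a key the client itself holds, and a master password), here is an added Python example. It is not FileZilla's or Firefox's code, and the on-disk layout (a small dict standing in for the profile directory), the HMAC-based stream cipher, the hypothetical built-in client key, and the sample password and master password are all constructed for illustration. It simulates the attacker who copies the profile to his own machine and shows what each scheme gives him, with and without a keylogged master password.

```python
"""Three ways an FTP client could persist a saved password, and what an
attacker who copies the whole profile directory learns from each.
Illustrative code only: the profile layout is an assumption, not
FileZilla's or Firefox's real format."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

Profile = Dict[str, str]


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, counter) blocks.
    Standard library only so the example runs anywhere; a real client
    would use an authenticated cipher such as AES-GCM instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Scheme 1: plaintext on disk, as the thread describes FileZilla doing.
def store_plain(password: str) -> Profile:
    return {"pass": password}


def read_plain(profile: Profile) -> str:
    return profile["pass"]


# Scheme 2: "encrypted", but with a key built into the (open-source) client.
# Anyone who reads the source, or simply runs the client on a copied profile,
# has this key, so the ciphertext is no better than plaintext.
CLIENT_KEY = hashlib.sha256(b"hypothetical built-in client key").digest()


def store_client_key(password: str) -> Profile:
    return {"pass": _b64(keystream_xor(CLIENT_KEY, password.encode()))}


def read_client_key(profile: Profile) -> str:
    # A trojan needs nothing beyond the copied files to get here.
    return keystream_xor(CLIENT_KEY, _unb64(profile["pass"])).decode()


# Scheme 3: master password. The key is derived from something that is NOT
# on disk, so a copied profile alone is useless; a keylogger that captures
# the master password still defeats it.
def derive_key(master: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)


def store_master(password: str, master: str) -> Profile:
    salt = os.urandom(16)
    key = derive_key(master, salt)
    ct = keystream_xor(key, password.encode())
    tag = hmac.new(key, ct, hashlib.sha256).digest()  # detects a wrong master password
    return {"salt": _b64(salt), "pass": _b64(ct), "tag": _b64(tag)}


def read_master(profile: Profile, master: str) -> Optional[str]:
    key = derive_key(master, _unb64(profile["salt"]))
    ct = _unb64(profile["pass"])
    expected = hmac.new(key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(profile["tag"])):
        return None  # wrong or unknown master password: nothing recovered
    return keystream_xor(key, ct).decode()


def attacker_with_copied_profile(keylogged_master: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Simulate the scenario from the post: the attacker copies the profile
    to his own machine and tries each scheme. Only the master-password
    scheme resists, and only until the master password is keylogged."""
    secret = "ftp-s3cret"              # constructed sample FTP password
    master = "correct horse battery"   # constructed sample master password
    attempt = keylogged_master if keylogged_master is not None else "guess"
    return {
        "plaintext": read_plain(store_plain(secret)),
        "client_key": read_client_key(store_client_key(secret)),
        "master_password": read_master(store_master(secret, master), attempt),
    }
```

Running `attacker_with_copied_profile()` recovers the password from the first two schemes and gets `None` from the third; `attacker_with_copied_profile("correct horse battery")` recovers all three, which is the keylogger case the post describes.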

Re: Add a "FileZilla and plaintext passwords" page to Website

Posted: 2014-02-28 18:13
by lemon juice
There are scenarios when encrypting passwords really help:

1. Someone else gets access to our data (the computer gets stolen, we need to send the hard drive for repair, etc.)
2. We get infected with weak malware - not all kinds of malware will go as far as running a keylogger and getting our master password - it may just simply get to our files at common locations and send them somewhere over the internet.

But I agree with you - it's a good idea to have the info about plain text passwords stored by FileZilla somewhere in a visible place on the site so that people can make a conscious choice. I've already made mine and switched to WinSCP and use a master password for encrypting passwords.

Re: Add a "FileZilla and plaintext passwords" page to Website

Posted: 2014-03-02 09:46
by botg
lemon juice wrote:
> There are scenarios when encrypting passwords really help:
>
> 1. Someone else gets access to our data (the computer gets stolen, we need to send the hard drive for repair, etc.)

Full disk encryption helps here. It's really easy to set up.

RichH79 wrote:
> A complaint that I often see is, "It is totally easy for a trojan to get FileZilla's saved passwords, because they are not encrypted." What they don't understand is, if they were encrypted, FileZilla would need some way to decrypt them, because an FTP server needs to know the password in plain format, so the key used for encryption is available to FileZilla and thus also to a trojan - the encryption would be useless.
>
> There is an exception to this, when the password file would itself be encrypted using a "master password". Then, an attacker would need to know that master password to read the other passwords. However, a trojan could simply activate a keylogger to get this master password, so this would also not be really secure.

Exactly.

Preventing the infection from happening in the first place, that is the correct solution.