Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-03 07:08
by botg
The server admin doesn't want to fix it. What can we do?
:shock: A server administrator that does not want to fix a security vulnerability in his server? I'm shocked. Shocked I tell you!

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-09 13:56
by famblycat
I like this software and have used it for years. That said, this kind of hardline tactic is disappointing. I have no control over whether this is changed on the servers I need to connect to in order to do my work. I guess I'll need to look for a different SFTP client, which is sad because, like I said, I like this one.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-27 22:08
by eliot1786
I also have to complain about this, even though I love Filezilla and otherwise love your hard work.

One server I need to connect to has an old operating system (not Linux or Windows) which is no longer being updated, and only has the diffie-hellman-group1-sha1 method. Rest assured that the company in question is working hard to migrate off this OS, but it is going to take them a couple of years. So now I have to find a new FTP client, even though FileZilla is by far my favorite.

Can't you just give a checkbox in Settings to enable this method, with a big fat warning that it is insecure?

I mean for goodness sake, Filezilla supports FTP which isn't even encrypted, but you haven't disabled that.
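The posts above name the key-exchange method at issue (diffie-hellman-group1-sha1) but give no way to check what a server actually offers. The following is an added example, not code from FileZilla or from anyone in this thread: it parses the SSH_MSG_KEXINIT message a server sends at the start of every SSH connection (RFC 4253), lists the key-exchange methods offered, and applies the two policies debated here, a hard reject when only weak methods are offered versus a warning when weak methods sit beside stronger ones. The WEAK_KEX set is this example's own audit policy, the constructed KEXINIT payloads are test data, and `probe_server` is a helper for checking a server you administer.

```python
"""Audit the key-exchange methods an SSH server offers (RFC 4253 KEXINIT)."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# This example's audit policy (an assumption, not FileZilla's list): SHA-1 based
# key exchanges. diffie-hellman-group1-sha1 is the method this thread is about.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
}

# The ten name-lists of a KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LIST_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Parse a KEXINIT payload (msg byte, 16-byte cookie, 10 name-lists) into a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # skip message id and the random cookie
    fields = {}
    for name in NAME_LIST_FIELDS:
        fields[name], off = _name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(**lists):
    """Build a KEXINIT payload; used here only to construct offline sample data."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie: constructed data
    for name in NAME_LIST_FIELDS:
        names = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def assess_kex(kex_algorithms):
    """Return (verdict, weak_offered): 'reject' if only weak methods are offered
    (FileZilla's behaviour), 'warn' if weak ones are offered next to stronger
    ones (a client could still negotiate a strong one), otherwise 'ok'."""
    weak = [k for k in kex_algorithms if k in WEAK_KEX]
    strong = [k for k in kex_algorithms if k not in WEAK_KEX]
    if not strong:
        return "reject", weak
    return ("warn" if weak else "ok"), weak


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed during handshake")
        data += chunk
    return data


def _read_line(sock):
    line = b""
    while not line.endswith(b"\n"):
        line += _recv_exact(sock, 1)
    return line


def read_ssh_packet(sock):
    """Read one unencrypted SSH binary packet (no MAC before key exchange)."""
    packet_len, pad_len = struct.unpack(">IB", _recv_exact(sock, 5))
    body = _recv_exact(sock, packet_len - 1)
    return body[:packet_len - 1 - pad_len]


def probe_server(host, port=22, timeout=5.0):
    """Connect to a server you administer and return its parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while not _read_line(sock).startswith(b"SSH-"):
            pass  # servers may send free-form lines before the version banner
        sock.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        return parse_kexinit(read_ssh_packet(sock))


# Constructed sample data: a legacy box offering only group1, and a current one.
LEGACY_KEXINIT = build_kexinit(kex_algorithms=["diffie-hellman-group1-sha1"],
                               server_host_key_algorithms=["ssh-rsa"])
MODERN_KEXINIT = build_kexinit(kex_algorithms=["curve25519-sha256",
                                               "diffie-hellman-group14-sha1"],
                               server_host_key_algorithms=["ssh-ed25519"])

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY_KEXINIT), ("modern", MODERN_KEXINIT)):
        kex = parse_kexinit(payload)["kex_algorithms"]
        print(label, kex, assess_kex(kex))
```

Run against a host of your own with `probe_server("your.host")`; the `reject` verdict on the constructed legacy server is the situation the posters describe, and `warn` on the modern one is the WinSCP-style outcome requested later in this thread.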

Re: Newest upgrade will not let me connect to my server

Posted: 2016-05-27 23:48
by boco
eliot1786 wrote:I mean for goodness sake, Filezilla supports FTP which isn't even encrypted, but you haven't disabled that.
Not yet.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-08-26 20:20
by CieNTi
Hello there,

First of all, thanks FileZilla team for this great application.

Second, botg, I think you are trying to 'defend' FileZilla over the logical: it's nice to warn us about a possible security break, but thinking "the user will skip the window" is not your decision; FileZilla is about transfers, not about antivirus/firewall jobs. Forcing users to do things is the straight way to lose users.

I lost a lot of time by thinking I was doing something wrong, and nope, it was an update of imposed rules.

It's nice to care about our security, but saying "tell the admin to fix it" is not the solution because, as others already said, this update caused a big loss of time, converted into a big loss of money.

And of course, thinking that FileZilla is used against pure servers is a BIG mistake ... did you think about those devices, embedded devices, having 'only that server' and not a different or updatable/upgradable one? Thanks, now I can't connect to 10 embedded devices.

Finally, I say thanks to FileZilla development; I'm using it for free and I can't just come here to complain ... I'm complaining about botg and that kind of "I will try to convince the user instead of thinking".

No, a forced behaviour which radically changes the user workflow is not a nice solution; don't try to convince us please, it is like calling us stupid to our face.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-08-26 20:38
by CieNTi
barrychai wrote:downgrade to 3.16.0 would fix our issue.

https://sourceforge.net/projects/filezi ... nt/3.16.0/
Thanks, works perfectly

Re: Newest upgrade will not let me connect to my server

Posted: 2016-08-27 00:23
by boco
Bad advice.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-11-29 17:42
by apicton68
I really have to agree with all of the other people. I have used FileZilla for years, but I can't control other companies' servers. If they don't care about security flaws...and the data isn't of a confidential nature anyhow, then what can we users do?

You are forcing us to either downgrade to an old version or find another solution. As a business owner, if it were my software, I'd try to keep people using my newest version to keep it relevant and in demand.

(It's safer to drive wearing seatbelts too, but cars aren't disabled if you don't want to use them... )

Re: Newest upgrade will not let me connect to my server

Posted: 2016-11-30 00:58
by boco
apicton68 wrote:As a business owner, if it were my software, I'd try to keep people using my newest version to keep it relevant and in demand.
By making the newest version exactly as insecure as the old ones? Srsly?
apicton68 wrote:It's safer to drive wearing seatbelts too, but cars aren't disabled if you don't want to use them...
Only a matter of time, eventually wearing seatbelts will be enforced. Some people won't learn, otherwise.

Re: Newest upgrade will not let me connect to my server

Posted: 2016-11-30 08:34
by botg
apicton68 wrote:I really have to agree with all of the other people. I have used FileZilla for years, but I can't control other companies servers. If they don't care about security flaws...and the data isn't of a confidential nature anyhow, then what can we users do?
Another option: Stop doing business with a company that runs broken or insecure servers.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-03-10 18:12
by george.perkins
The snarky remarks do not help the situation. Actual users who have no control over SFTP servers should not be ridiculed for a simple question.

Using the old version of FileZilla 3.16 which still allows SHA-1 is a simple solution. That posting without all the snark would have sufficed.

In support of the sysadmins out there who know they have old SHA-1 servers, but non-technical management won't fund or prioritize the upgrade, well that is not a sysadmin problem, that's a business problem. Again snark doesn't solve the problem.

P.S. Ran into this issue myself, thanks for the link to the 3.16 download.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-03-10 18:18
by botg
I don't think you understand the gravity of the issue. Using known broken ciphers is just as bad as blasting out your passwords in plaintext. Heck, you could just as well post them on Twitter.

Re: Newest upgrade will not let me connect to my server

Posted: 2017-03-16 12:37
by GlacialSpoon
@botg Yeah, I think we do get it, we just have little choice in the short-term.

Of course it's a bad idea to use broken ciphers but if a third party provider or business client still has them in use all we can do is ask them to change. In the meantime we can't do any of our work using your tool.
A warning plus option to skip is the best solution.

Time to get a new tool fellas. This tool refuses to help (double meaning totally intended).

Re: Newest upgrade will not let me connect to my server

Posted: 2017-03-22 19:33
by electricshaka
First off big thanks to Filezilla devs for all the hard work and a great FREE product.

I must +1 the argument that a warning be provided instead of a connection blocked entirely. The question I think Filezilla decision makers need to ask is "Do we want to play security God? Or do we want to play security Guide?". I have faith you'll eventually go the right route here.

FYI, WinSCP is doing it right for those of you looking for a client that offers a warning instead of rejecting the connection:
https://winscp.net/eng/download.php

Again, thanks for the free amazing product. I've used it countless times!

Re: Newest upgrade will not let me connect to my server

Posted: 2017-03-22 19:38
by botg
electricshaka wrote:The question I think Filezilla decision makers need to ask is "Do we want to play security God? Or do we want to play security Guide?"
Want to or have to? We want to be the latter, but have to be the former. Experience has shown that unless users are forced to increase security, they simply won't.

Case-in-point illustrating the problem: Firefox bug 1348902 which has been talked about a lot this week.