FZ not remembering 'insecure connection' choice...

johnny_canuck
503 Bad sequence of commands
Posts: 21
Joined: 2019-12-29 17:34

FZ not remembering 'insecure connection' choice...

#1 Post by johnny_canuck » 2021-05-16 20:57

With FZ 3.54.x, certain connections pop up a 'warning' message that 'This server does not support TLS session resumption...'. At the bottom of the window, there is a check-box for 'Always allow insecure data connections for this server in future sessions'.

Fine, except the check-box doesn't seem to 'stick'. If I connect to a site that causes the warning, check the box, and then reconnect to the site, the warning pops up again. So despite checking the box to allow connections to the site, the warning keeps popping up...

Minor bug?

botg
Site Admin
Posts: 35492
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FZ not remembering 'insecure connection' choice...

#2 Post by botg » 2021-05-17 08:14

Cannot reproduce.

Could it be intermittent, with the server only occasionally supporting session resumption?

Re: FZ not remembering 'insecure connection' choice...

#3 Post by johnny_canuck » 2021-05-17 10:51

No, I don't believe so. It happens *every* time I try the newest FZ, and 2 different servers. I even tried a full uninstall (using IObit's uninstaller, which also wipes out registry entries), followed by a re-install, and problem persists.

Re: FZ not remembering 'insecure connection' choice...

#4 Post by botg » 2021-05-17 11:59

Which FTP server software (product and version) are you using?

Re: FZ not remembering 'insecure connection' choice...

#5 Post by johnny_canuck » 2021-05-17 12:08

Doesn't apply -- it's not *my* server/software, but various commercial cloud servers.

Re: FZ not remembering 'insecure connection' choice...

#6 Post by botg » 2021-05-17 13:08

No problem. Which FTP server software (product and version) is running on the commercial cloud server? Ask your cloud server administrator or cloud server hosting provider for further information.

Re: FZ not remembering 'insecure connection' choice...

#7 Post by johnny_canuck » 2021-05-18 19:25

Different problem -- first attempt with commercial cloud types (to paraphrase) - 'We can't release that information -- security'. Just like it isn't always possible to determine what web server is running on many/most websites (in fact, that is the case with the website I run off my server(s) -- I implemented a variety of things to make it difficult at best to tell by the usual simple tricks). At most you could tell nginx, or apache (or something else...).

At any rate, you might have alternative ways to get the information. One of the 'problem' servers is hosted by box.com. Simply create a temp, trial account on box.com, point latest FZ at it, and see what happens.

In the meantime, I rolled back to FZ 3.52.2, which doesn't pop up anything I don't want to pop up.

Re: FZ not remembering 'insecure connection' choice...

#8 Post by botg » 2021-05-19 00:18

"'We can't release that information -- security'" Classic case of security by obscurity. Have they never heard of Kerckhoffs's principle?

Given enough eyeballs, all bugs are shallow. But if I can't look at the problem, due to not knowing what the server software is, my eyeballs will just float there and cannot see anything at all.


In a case of open source software vs blackbox, the burden of proof is always on the side of the blackbox vendor.

Re: FZ not remembering 'insecure connection' choice...

#9 Post by johnny_canuck » 2021-05-19 00:26

Fair enough. I would still submit that the inability of FZ to have an option 'stick' is a bug on the FZ end. Irrespective of what the server software is -- the option 'don't warn me' simply doesn't work. The option should completely turn off the warning, no matter what the server side is presenting.

In the meantime, I'll stay with 3.52.2, which works fine, and has a stable feature set I'm unlikely to need to move beyond in the foreseeable future.

Re: FZ not remembering 'insecure connection' choice...

#10 Post by botg » 2021-05-19 07:49

The option does stick. It however gets cleared automatically if the server starts to support session resumption. This is a security measure.

Don't use outdated software, it puts you at great risk to have your data stolen.

boco
Contributor
Posts: 26899
Joined: 2006-05-01 03:28
Location: Germany

Re: FZ not remembering 'insecure connection' choice...

#11 Post by boco » 2021-05-19 12:52

Could be load balancing or a similar CDN. Clients are redirected to different mirrors depending on load. Some of them are "good" and some "bad". A "bad" server will cause the prompt to appear. After having been acknowledged, one of the next connections to a "good" server clears the flag again and the dialog reappears. Such a mixed bag of servers can be a real mess.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Please do yourself a favor and read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
### END SIGNATURE BLOCK ###

zillaenous
500 Command not understood
Posts: 1
Joined: 2021-09-15 16:05
First name: Richard
Last name: Uttner

Re: FZ not remembering 'insecure connection' choice...

#12 Post by zillaenous » 2021-09-15 16:30

"The option does stick. It however gets cleared automatically if the server starts to support session resumption. This is a security measure."

IMHO these sentences contain a logical contradiction, as well as the label of the checkbox in the dialog saying "Always allow ..." - or do I misunderstand the word "always"?

Just ran into this because it strikes me too every time I am using my private local FTP server running on my FritzBox (so really no security issue there). I agree with johnny_canuck that FZ should behave differently here, because the current implementation obviously does not apply well to real-world scenarios.

So e.g. you could either change the checkbox label to be sincere like 'Occasionally allow ...' or - much better - just do it really "always". I had spent some time looking for possible settings to "really enable" the wanted behaviour and finally was a bit angry because I am taking "always" literally as an unambiguous term.

Despite this small problem FZ is a really useful and appealing piece of software - so please do not go in the direction of being "Redmondish" in the sense that the developers confuse taking care where necessary with patronizing the users 8)

Re: FZ not remembering 'insecure connection' choice...

#13 Post by boco » 2021-09-15 18:15

Checking that box will make the option stick as long as the server support for TLS session resumption stays unchanged.
As soon as the server starts supporting TLS session resumption, the checkbox is automatically cleared for security reasons.
This is to avoid situations where you get redirected to a rogue server not supporting TLS session resumption, enabling adversaries to steal sessions, without you noticing.

A wild guess: Eventually, FileZilla will start requiring TLS session resumption to work.
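
The behaviour described in posts #10, #11 and #13, modelled as a small state machine. This is an added example and not part of the thread or FileZilla's own code; `HostPolicy`, `replay` and the backend sequences are hypothetical names and constructed data, and the model assumes the user ticks the checkbox on every prompt.

```python
from dataclasses import dataclass


@dataclass
class HostPolicy:
    """Per-host state behind the 'Always allow insecure data connections' box."""
    clear_on_resumption: bool = True  # behaviour described in posts #10 and #13
    allow_insecure: bool = False      # remembered checkbox state for this host

    def connect(self, server_resumes: bool) -> str:
        if server_resumes:
            # Server resumes the TLS session on the data connection.
            # The remembered exception is dropped so that a later endpoint
            # without resumption cannot be accepted silently.
            if self.clear_on_resumption:
                self.allow_insecure = False
            return "ok"
        if self.allow_insecure:
            return "silent-insecure"  # exception still remembered, no dialog
        self.allow_insecure = True    # assumption: user ticks the box
        return "prompt"


def replay(backends, clear_on_resumption=True):
    """Run one connection per backend; True means the backend resumes sessions."""
    policy = HostPolicy(clear_on_resumption=clear_on_resumption)
    return [policy.connect(resumes) for resumes in backends]


# Constructed inputs: one hostname, successive connections.
STABLE_BAD = [False, False, False, False]              # never resumes
MIXED_POOL = [False, True, False, False, True, False]  # load-balanced mirrors

if __name__ == "__main__":
    print("stable server:     ", replay(STABLE_BAD))
    print("mixed pool:        ", replay(MIXED_POOL))
    # A literal 'always': the flag is never cleared, so every later
    # non-resuming endpoint behind the same name is accepted without a dialog.
    print("never-clear policy:", replay(MIXED_POOL, clear_on_resumption=False))
```

With a stable server the dialog appears once; with the mixed pool it reappears after every connection that resumed, which matches what the original poster reported.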
