sitemanager.xml clear passwords

Amour
504 Command not implemented
Posts: 9
Joined: 2008-08-18 08:00

sitemanager.xml clear passwords

#1 Post by Amour » 2008-08-18 19:57

Hi,

I analyzed sitemanager.xml and I'm surprised: passwords are stored in the clear!
With FileZilla 2, they are encrypted, and it can help to protect them (better than nothing).
Is that feature planned, or not?

Thanks ;)

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#2 Post by botg » 2008-08-18 20:13

This is by design, it is the task of the operating system to protect your private data.

Amour
504 Command not implemented
Posts: 9
Joined: 2008-08-18 08:00

Re: sitemanager.xml clear passwords

#3 Post by Amour » 2008-08-18 22:42

OK no problem, I already protected my data ;)
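
An added example, not part of the original thread and not FileZilla code: a Python audit for the exchange above that lists which site entries in a sitemanager.xml carry a saved password (without ever printing it) and checks whether the file's POSIX mode lets other accounts read it. The element names (`Server`, `Host`, `User`, `Pass`, `Name`, `Folder`) are assumed from the FileZilla 3 site manager layout, and the sample file is constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; element names are assumed from the FileZilla 3 layout.
SAMPLE = """<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.org</Host><User>alice</User>
      <Pass>not-a-real-password</Pass><Name>staging</Name></Server>
    <Folder>Clients
      <Server><Host>ftp.example.net</Host><User>bob</User>
        <Pass></Pass><Name>kiosk-entry</Name></Server>
    </Folder>
  </Servers>
</FileZilla3>
"""

def entries_with_saved_password(path):
    """Return (name, host, user) for each Server with a non-empty Pass.
    The password value itself is never returned."""
    found = []
    # iter() also descends into nested Folder elements.
    for server in ET.parse(path).getroot().iter("Server"):
        if (server.findtext("Pass") or "").strip():
            found.append(tuple(server.findtext(tag, "")
                               for tag in ("Name", "Host", "User")))
    return found

def readable_by_others(path):
    """True if the POSIX mode grants read access to group or other.
    On Windows the protection is an ACL, which these mode bits do not reflect."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    return {"saved": entries_with_saved_password(path),
            "exposed": readable_by_others(path)}

def demo():
    """Audit the constructed sample with a loose mode, then a tightened one."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sitemanager.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        after = audit(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```
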

Anteaus
500 Command not understood
Posts: 5
Joined: 2007-11-30 15:13

Re: sitemanager.xml clear passwords

#4 Post by Anteaus » 2008-08-20 07:45

botg wrote:
This is by design, it is the task of the operating system to protect your private data.
In fact the problem is caused by the OS and its ACLs. In the case of Vista, the ACLs force the 'userization' of data into folders such as 'Application Data', and it is this which leads to password hashes, etc. ending up in all sorts of dark corners of the filesystem. This makes it very hard to uninstall a userized app with confidence. Most uninstall routines in fact cannot handle this situation, and end up leaving sensitive data in user profiles when the app is removed. This is not the fault of the uninstaller but of the OS design, which makes it impossible to tell whether multiple user profiles contain program fragments.

IMHO the older arrangement of storing the XML file in the program's folder was far more secure, especially as it made it possible to remove all sensitive data from a computer with confidence. However, app-coders can do little but comply with Microsoft's 'userization' demands, or else ditch Vista support!

Anyhow, my question is: does anyone know how to switch (the older releases with this feature) into 'secure mode' where no passwords are saved?

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: sitemanager.xml clear passwords

#5 Post by boco » 2008-08-23 02:27

Anteaus wrote:
Anyhow, my question is: does anyone know how to switch (the older releases with this feature) into 'secure mode' where no passwords are saved?
This is the feature I'm waiting for the most.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#6 Post by botg » 2008-08-24 13:10

Anteaus wrote:
Anyhow, my question is: does anyone know how to switch (the older releases with this feature) into 'secure mode' where no passwords are saved?
Rejoice, next version will have this feature again. Will be called kiosk mode though.

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: sitemanager.xml clear passwords

#7 Post by boco » 2008-08-24 19:29

Tried kiosk mode, works great. But there is a small problem with it. FileZilla correctly writes all data to disk except passwords. But it doesn't ask for the password in case it is required again next session. Old Quickconnect entries become invalid because FileZilla sends an empty password string.

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#8 Post by botg » 2008-08-24 20:29

The entries are still valid. The dropdown handler just did not ask for the password.

boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: sitemanager.xml clear passwords

#9 Post by boco » 2008-08-24 21:37

So it will ask in the next version?

The main problem is already solved for me: passwords aren't saved anymore. :mrgreen:

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#10 Post by botg » 2008-08-24 21:58


boco
Contributor
Posts: 24118
Joined: 2006-05-01 03:28
Location: Germany

Re: sitemanager.xml clear passwords

#11 Post by boco » 2008-08-24 22:09

Will try the next nightly, then.

FractalizeR
500 Command not understood
Posts: 3
Joined: 2008-11-17 11:14
First name: Vladislav
Last name: Rastrusny

Re: sitemanager.xml clear passwords

#12 Post by FractalizeR » 2008-11-17 11:33

It would be good if we could at least MOVE the sitemanager.xml file into another folder. I am using software to create a virtual secret drive on my PC. So, I would like to move this file to an encrypted drive, but it seems there is no way to do that in FileZilla.
botg wrote:
This is by design, it is the task of the operating system to protect your private data.
That is not quite right. I would like to ensure my private data is secure even if my PC is stolen. No OS can protect from that. Only encryption. A good move might be to encrypt the whole system drive, but this solution seems quite radical for me now. At this step I would like to use encrypted virtual drives for sensitive data.

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#13 Post by botg » 2008-11-17 11:35

A good OS has encrypted filesystems. Even Windows has built-in filesystem encryption!

FractalizeR
500 Command not understood
Posts: 3
Joined: 2008-11-17 11:14
First name: Vladislav
Last name: Rastrusny

Re: sitemanager.xml clear passwords

#14 Post by FractalizeR » 2008-11-18 07:27

botg wrote: A good OS has encrypted filesystems. Even Windows has built-in filesystem encryption!
Really? Is Windows really a good OS? Do you know how many bugs were found in this EFS implementation? I don't trust Microsoft.
EFS is especially weak in earlier Windows versions. 40 or 56 bit key length.... Eh...

Especially with such tools: http://www.crackpassword.com/products/prs/mswin/efs/ EFS is crap.

I don't think you should relate all security problems of FileZilla to Microsoft. There is still something YOU can do.

botg
Site Admin
Posts: 31510
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: sitemanager.xml clear passwords

#15 Post by botg » 2008-11-18 09:09

Yes, I can refuse to throw money at Microsoft and just use Linux instead

Locked