Filezilla FTP proxy stores Windows password in plain text

[blayderunner]

I have tested Filezilla with the Bluecoat proxy using Windows AD authentication for the Bluecoat. I need to store the Windows username and password in the FTP proxy configuration of Filezilla. I am not able to leave the password blank and be prompted for it.

This is a major weakness in the product. Our security guys are not happy to accept this as a solution.

Can we either have;

(i) Encrypted storage of the FTP proxy password
(ii) Prompting for the password for the first connection of each session

[botg]

(i) Encrypted storage of the FTP proxy password

• Open Explorer
• Go to %APPDATA%
• Right-click the FileZilla directory
• Click on Properties
• Click on Advanced
• Check the checkbox labeled Encrypt contents to secure data
• Click OK
• Click OK again

That so hard?

[mmenzer]

That so hard?

Not on my PC, not on my wife's, but surely not, if you want to use FileZilla in an Enterprise Environment. Every second User will ask stupid Questions about this. Also, secureing the passwords should preferably be in the installation routine.

[botg]

Home edition of Windows I guess. I'm amazed people even pay for that crippleware.

[mmenzer]

Not on my PC, not on my wife's, but surely not, if you want to use FileZilla in an Enterprise Environment. Every second User will ask stupid Questions about this. Also, secureing the passwords should preferably be in the installation routine.

Oh, and when using Group Policies, Encryption of folders can be forbidden and properties concerning the Key that is used for encryption can be changed.
I tried it on my Office PC and now cannot use the FileZilla-Directory anymore.

[botg]

Then don't save any passwords at all. Use "Ask for password" logontype in site manager.

[mmenzer]

Does this also apply to the Proxy Password? It didn't seem so to me...

[boco]

Then don't save any passwords at all. Use "Ask for password" logontype in site manager.

@botg: Please re-introduce 'Alzheimer' mode where Filezilla forgets every password at the end of the session (or crash). I know the Interactive logon but I'm working with Quick Connect only. Filezilla should keep the quickconnect history minus the passwords.

[banana]

Home edition of Windows I guess. I'm amazed people even pay for that crippleware.

If regular users buy PC's for home usage, you expect them to replace the Windows Home version that is included by default for a Pro version? (as if more than a few % would know the difference - or even have heard of it)

FileZilla 2 did encrypt passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?

Is there any advantage in not encrypting the passwords?

[botg]

FileZilla 2 did encrypt passwords

Wrong.

[da chicken]

Version 2 of the client obfuscated the passwords using a reversible cipher. Because the source code is readily available, however, it was trivial to reverse the cipher. It was not secure. Programs like this one showed up that made accessing those passwords trivial. That page even tells you what to do to manually decipher the passwords.

Essentially, no matter how you encrypt the passwords, you have to store the key to decrypt the passwords on the same machine. Even if you generate a cipher on each individual machine, you've still got to store it somewhere so that you can decrypt the password again. It's the same design problem you have with DRM.

In theory, you could successfully encrypt the data file in a very secure manner, but to do so requires that a) the user must enter a password and b) FileZilla must encrypt the file on disk. It would be the same as storing the settings file in a password-protected .zip file or in an encrypted database like the program KeyPass. FileZilla would have to ask for a password at startup instead of on connection. The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk. The work has already been done in a more secure (excepting NTLM hash rainbow tables because the stupid thing is unsalted ) and platform independent manner.

If data security is a problem, secure your PC and secure your OS.

If FZ3 were still Windows-only, botg could use Crypto API and Cryptography Service Providers to encrypt the passwords.

[banana]

FileZilla 2 did encrypt passwords

Wrong.

How do you call this:

Pass="094115051024096047011051126009057100007116060025125"

[banana]

Version 2 of the client obfuscated the passwords using a reversible cipher.

Ciphering and Encrypting are different terms for essentially the same thing. And of course it has to be reversible, otherwise it's hashing (and unusable for the purpose in this situation).

Because the source code is readily available, however, (...)

I completely agree that it's never gonna be 100% secure. No matter what fancy encryption you use, if FileZilla is able to decrypt/uncipher it, then so are others.

Nonetheless, it helps keeping off the majority of situations where some noob gets a peek in your xml file. This not the biggest threat, but the most common one. Not the 31337 haxx0r who will get past any encryption anyway.

The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk.

Not true for Windows Home. You know, the OS used by the largest userbase in the world.

[botg]

How do you call this:

Pass="094115051024096047011051126009057100007116060025125"

Obfuscation.

it helps keeping off the majority of situations where some noob gets a peek in your xml file

If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!

[banana]

Obfuscation.

What's the difference between encryption and obfuscation?

If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!

Not if that sombody is physically standing behing me while I'm editting or viewing xml files.

If you think that's a non-issue, then why did you do

in the site manager dialog?


Let me rephrase two earlier questions:

FileZilla 2 did obfuscate passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?

Is there any advantage in not obfuscating the passwords?