Filezilla FTP proxy stores Windows password in plain text

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
blayderunner
500 Command not understood
Posts: 1
Joined: 2008-06-03 11:22
First name: Michael
Last name: Mullins

Filezilla FTP proxy stores Windows password in plain text

#1 Post by blayderunner » 2008-06-03 11:27

I have tested Filezilla with the Bluecoat proxy using Windows AD authentication for the Bluecoat. I need to store the Windows username and password in the FTP proxy configuration of Filezilla. I am not able to leave the password blank and be prompted for it.

This is a major weakness in the product. Our security guys are not happy to accept this as a solution.

Can we either have;

(i) Encrypted storage of the FTP proxy password
(ii) Prompting for the password for the first connection of each session

User avatar
botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Filezilla FTP proxy stores Windows password in plain text

#2 Post by botg » 2008-06-03 12:01

(i) Encrypted storage of the FTP proxy password
  • Open Explorer
  • Go to %APPDATA%
  • Right-click the FileZilla directory
  • Click on Properties
  • Click on Advanced
  • Check the checkbox labeled Encrypt contents to secure data
  • Click OK
  • Click OK again
That so hard?

User avatar
mmenzer
504 Command not implemented
Posts: 7
Joined: 2008-08-06 17:39

Re: Filezilla FTP proxy stores Windows password in plain text

#3 Post by mmenzer » 2008-08-06 18:03

botg wrote:That so hard?
Not on my PC, not on my wife's, but surely not, if you want to use FileZilla in an Enterprise Environment. Every second User will ask stupid Questions about this. Also, secureing the passwords should preferably be in the installation routine.

User avatar
botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Filezilla FTP proxy stores Windows password in plain text

#4 Post by botg » 2008-08-06 22:10

Home edition of Windows I guess. I'm amazed people even pay for that crippleware.

User avatar
mmenzer
504 Command not implemented
Posts: 7
Joined: 2008-08-06 17:39

Re: Filezilla FTP proxy stores Windows password in plain text

#5 Post by mmenzer » 2008-08-07 07:55

mmenzer wrote:Not on my PC, not on my wife's, but surely not, if you want to use FileZilla in an Enterprise Environment. Every second User will ask stupid Questions about this. Also, secureing the passwords should preferably be in the installation routine.
Oh, and when using Group Policies, Encryption of folders can be forbidden and properties concerning the Key that is used for encryption can be changed.
I tried it on my Office PC and now cannot use the FileZilla-Directory anymore.

User avatar
botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Filezilla FTP proxy stores Windows password in plain text

#6 Post by botg » 2008-08-07 07:59

Then don't save any passwords at all. Use "Ask for password" logontype in site manager.

User avatar
mmenzer
504 Command not implemented
Posts: 7
Joined: 2008-08-06 17:39

Re: Filezilla FTP proxy stores Windows password in plain text

#7 Post by mmenzer » 2008-08-07 17:03

Does this also apply to the Proxy Password? It didn't seem so to me...

User avatar
boco
Contributor
Posts: 24156
Joined: 2006-05-01 03:28
Location: Germany

Re: Filezilla FTP proxy stores Windows password in plain text

#8 Post by boco » 2008-08-07 22:04

botg wrote:Then don't save any passwords at all. Use "Ask for password" logontype in site manager.
@botg: Please re-introduce 'Alzheimer' mode where Filezilla forgets every password at the end of the session (or crash). I know the Interactive logon but I'm working with Quick Connect only. Filezilla should keep the quickconnect history minus the passwords.
### BEGIN SIGNATURE BLOCK ###
No support requests per PM! You will NOT get any reply!!!
FTP connection problems? Do yourself a favor and read Network Configuration.
All FileZilla products fully support IPv6. http://worldipv6launch.org
### END SIGNATURE BLOCK ###

User avatar
banana
550 Permission denied
Posts: 27
Joined: 2008-09-30 09:26
First name: Kazimir
Last name: Banana

Re: Filezilla FTP proxy stores Windows password in plain text

#9 Post by banana » 2008-09-30 19:54

botg wrote:Home edition of Windows I guess. I'm amazed people even pay for that crippleware.
If regular users buy PC's for home usage, you expect them to replace the Windows Home version that is included by default for a Pro version? (as if more than a few % would know the difference - or even have heard of it)

FileZilla 2 did encrypt passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?

Is there any advantage in not encrypting the passwords?

User avatar
botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Filezilla FTP proxy stores Windows password in plain text

#10 Post by botg » 2008-09-30 22:47

FileZilla 2 did encrypt passwords
Wrong.

da chicken
226 Transfer OK
Posts: 619
Joined: 2005-11-02 06:41

Re: Filezilla FTP proxy stores Windows password in plain text

#11 Post by da chicken » 2008-09-30 23:56

Version 2 of the client obfuscated the passwords using a reversible cipher. Because the source code is readily available, however, it was trivial to reverse the cipher. It was not secure. Programs like this one showed up that made accessing those passwords trivial. That page even tells you what to do to manually decipher the passwords.

Essentially, no matter how you encrypt the passwords, you have to store the key to decrypt the passwords on the same machine. Even if you generate a cipher on each individual machine, you've still got to store it somewhere so that you can decrypt the password again. It's the same design problem you have with DRM.

In theory, you could successfully encrypt the data file in a very secure manner, but to do so requires that a) the user must enter a password and b) FileZilla must encrypt the file on disk. It would be the same as storing the settings file in a password-protected .zip file or in an encrypted database like the program KeyPass. FileZilla would have to ask for a password at startup instead of on connection. The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk. The work has already been done in a more secure (excepting NTLM hash rainbow tables because the stupid thing is unsalted :roll:) and platform independent manner.

If data security is a problem, secure your PC and secure your OS.

If FZ3 were still Windows-only, botg could use Crypto API and Cryptography Service Providers to encrypt the passwords.

User avatar
banana
550 Permission denied
Posts: 27
Joined: 2008-09-30 09:26
First name: Kazimir
Last name: Banana

Re: Filezilla FTP proxy stores Windows password in plain text

#12 Post by banana » 2008-10-01 07:42

botg wrote:
FileZilla 2 did encrypt passwords
Wrong.
How do you call this:
FileZilla 2's xml config wrote:Pass="094115051024096047011051126009057100007116060025125"
:?:

User avatar
banana
550 Permission denied
Posts: 27
Joined: 2008-09-30 09:26
First name: Kazimir
Last name: Banana

Re: Filezilla FTP proxy stores Windows password in plain text

#13 Post by banana » 2008-10-01 07:42

da chicken wrote:Version 2 of the client obfuscated the passwords using a reversible cipher.
Ciphering and Encrypting are different terms for essentially the same thing. And of course it has to be reversible, otherwise it's hashing (and unusable for the purpose in this situation).
Because the source code is readily available, however, (...)
I completely agree that it's never gonna be 100% secure. No matter what fancy encryption you use, if FileZilla is able to decrypt/uncipher it, then so are others.

Nonetheless, it helps keeping off the majority of situations where some noob gets a peek in your xml file. This not the biggest threat, but the most common one. Not the 31337 haxx0r who will get past any encryption anyway.
The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk.
Not true for Windows Home. You know, the OS used by the largest userbase in the world.

User avatar
botg
Site Admin
Posts: 31605
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Filezilla FTP proxy stores Windows password in plain text

#14 Post by botg » 2008-10-01 08:26

banana wrote:How do you call this:
FileZilla 2's xml config wrote:Pass="094115051024096047011051126009057100007116060025125"
:?:
Obfuscation.
it helps keeping off the majority of situations where some noob gets a peek in your xml file
If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!

User avatar
banana
550 Permission denied
Posts: 27
Joined: 2008-09-30 09:26
First name: Kazimir
Last name: Banana

Re: Filezilla FTP proxy stores Windows password in plain text

#15 Post by banana » 2008-10-01 15:42

botg wrote:Obfuscation.
What's the difference between encryption and obfuscation?
If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!
Not if that sombody is physically standing behing me while I'm editting or viewing xml files.

If you think that's a non-issue, then why did you do
Image
in the site manager dialog?


Let me rephrase two earlier questions:

FileZilla 2 did obfuscate passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?

Is there any advantage in not obfuscating the passwords?

Locked