Filezilla FTP proxy stores Windows password in plain text
- 500 Command not understood
- Posts: 1
- Joined: 2008-06-03 11:22
- First name: Michael
- Last name: Mullins
I have tested Filezilla with the Bluecoat proxy using Windows AD authentication for the Bluecoat. I need to store the Windows username and password in the FTP proxy configuration of Filezilla. I am not able to leave the password blank and be prompted for it.
This is a major weakness in the product. Our security guys are not happy to accept this as a solution.
Can we either have:
(i) Encrypted storage of the FTP proxy password
(ii) Prompting for the password for the first connection of each session
Re: Filezilla FTP proxy stores Windows password in plain text
> (i) Encrypted storage of the FTP proxy password
- Open Explorer
- Go to %APPDATA%
- Right-click the FileZilla directory
- Click on Properties
- Click on Advanced
- Check the checkbox labeled Encrypt contents to secure data
- Click OK
- Click OK again
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote:
> That so hard?
Not on my PC, not on my wife's, but surely not if you want to use FileZilla in an enterprise environment. Every second user will ask stupid questions about this. Also, securing the passwords should preferably be in the installation routine.
Re: Filezilla FTP proxy stores Windows password in plain text
Home edition of Windows I guess. I'm amazed people even pay for that crippleware.
Re: Filezilla FTP proxy stores Windows password in plain text
mmenzer wrote:
> Not on my PC, not on my wife's, but surely not if you want to use FileZilla in an enterprise environment. Every second user will ask stupid questions about this. Also, securing the passwords should preferably be in the installation routine.
Oh, and when using Group Policies, encryption of folders can be forbidden and properties concerning the key that is used for encryption can be changed.
I tried it on my office PC and now cannot use the FileZilla directory anymore.
Re: Filezilla FTP proxy stores Windows password in plain text
Then don't save any passwords at all. Use "Ask for password" logontype in site manager.
Re: Filezilla FTP proxy stores Windows password in plain text
Does this also apply to the Proxy Password? It didn't seem so to me...
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote:
> Then don't save any passwords at all. Use "Ask for password" logontype in site manager.
@botg: Please re-introduce 'Alzheimer' mode where FileZilla forgets every password at the end of the session (or crash). I know the interactive logon but I'm working with Quick Connect only. FileZilla should keep the Quick Connect history minus the passwords.
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
- banana
- 550 Permission denied
- Posts: 27
- Joined: 2008-09-30 09:26
- First name: Kazimir
- Last name: Banana
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote:
> Home edition of Windows I guess. I'm amazed people even pay for that crippleware.
If regular users buy PCs for home usage, do you expect them to replace the Windows Home version that is included by default with a Pro version? (As if more than a few % would know the difference, or even have heard of it.)
FileZilla 2 did encrypt passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?
Is there any advantage in not encrypting the passwords?
Re: Filezilla FTP proxy stores Windows password in plain text
> FileZilla 2 did encrypt passwords
Wrong.
- 226 Transfer OK
- Posts: 619
- Joined: 2005-11-02 06:41
Re: Filezilla FTP proxy stores Windows password in plain text
Version 2 of the client obfuscated the passwords using a reversible cipher. Because the source code is readily available, however, it was trivial to reverse the cipher. It was not secure. Programs like this one showed up that made accessing those passwords trivial. That page even tells you what to do to manually decipher the passwords.
Essentially, no matter how you encrypt the passwords, you have to store the key to decrypt the passwords on the same machine. Even if you generate a cipher on each individual machine, you've still got to store it somewhere so that you can decrypt the password again. It's the same design problem you have with DRM.
In theory, you could successfully encrypt the data file in a very secure manner, but to do so requires that a) the user must enter a password and b) FileZilla must encrypt the file on disk. It would be the same as storing the settings file in a password-protected .zip file or in an encrypted database like the program KeePass. FileZilla would have to ask for a password at startup instead of on connection. The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk. The work has already been done in a more secure (excepting NTLM hash rainbow tables, because the stupid thing is unsalted) and platform-independent manner.
If data security is a problem, secure your PC and secure your OS.
If FZ3 were still Windows-only, botg could use Crypto API and Cryptography Service Providers to encrypt the passwords.
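The two designs da chicken contrasts above, as an added example for this thread (it is not FileZilla code, and the XOR transform in part 1 is a constructed stand-in for a reversible scheme, not FileZilla 2's actual algorithm). Part 1 shows why an in-program key only obfuscates: the same code that stored the value recovers it. Part 2 shows the alternative the post describes, a key derived from a master password typed at startup, so that only salt, nonce, ciphertext and an authentication tag are ever written to disk. It uses only the Python standard library; the HMAC-based counter-mode keystream is a demonstration construction, and a real implementation would use a standard AEAD such as AES-GCM from a vetted library.

```python
"""Obfuscation with an in-program key versus a master-password design.

Added example for this thread, not FileZilla code. Part 1 models the kind
of reversible scheme described above with a constructed XOR transform (not
FileZilla 2's actual algorithm). Part 2 shows the alternative da chicken
describes: a key derived from a password the user types at startup, so the
decryption key itself is never written to disk. Standard library only.
"""
import hashlib
import hmac
import os
from typing import Optional

# ---- Part 1: obfuscation. The key is part of the program, so anyone who
# has the program (or reads its source) can undo the transform. ----
OBFUSCATION_KEY = b"constructed-demo-key"  # constructed value, visible to every reader


def _xor_with_key(data: bytes) -> bytes:
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)] for i, b in enumerate(data))


def obfuscate(password: str) -> str:
    """Turn a password into a hex string that merely looks unreadable."""
    return _xor_with_key(password.encode("utf-8")).hex()


def deobfuscate(stored: str) -> str:
    """Reverse obfuscate(); needs nothing the program does not already contain."""
    return _xor_with_key(bytes.fromhex(stored)).decode("utf-8")


# ---- Part 2: master password. The settings file holds only salt, nonce,
# ciphertext and an authentication tag; the key exists only in memory after
# the user types the master password. ----
PBKDF2_ITERATIONS = 100_000


def _derive_subkeys(master: str, salt: bytes):
    root = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stdlib-only keystream (demonstration
    # construction); a production implementation would use a standard AEAD.
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(master: str, password: str) -> bytes:
    """Encrypt-then-MAC the password under a key derived from `master`."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_subkeys(master, salt)
    plaintext = password.encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(master: str, blob: bytes) -> Optional[str]:
    """Return the password, or None if the master password is wrong or the file was altered."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_subkeys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return plaintext.decode("utf-8")


if __name__ == "__main__":
    stored = obfuscate("proxy-pa55word")  # constructed sample password
    print("obfuscated:", stored, "-> recovered by anyone with the code:", deobfuscate(stored))
    blob = seal("master-typed-at-startup", "proxy-pa55word")
    print("right master password:", unseal("master-typed-at-startup", blob))
    print("wrong master password:", unseal("guess", blob))
```

The point of the contrast is where the secret lives: `deobfuscate` needs only `OBFUSCATION_KEY`, which ships with the program, while `unseal` needs the master password, which is never stored. The authentication tag also makes a wrong master password or an edited settings file fail cleanly instead of producing garbage.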
- banana
- 550 Permission denied
- Posts: 27
- Joined: 2008-09-30 09:26
- First name: Kazimir
- Last name: Banana
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote:
> Wrong.
How do you call this:
FileZilla 2's xml config wrote:
> Pass="094115051024096047011051126009057100007116060025125"
- banana
- 550 Permission denied
- Posts: 27
- Joined: 2008-09-30 09:26
- First name: Kazimir
- Last name: Banana
Re: Filezilla FTP proxy stores Windows password in plain text
da chicken wrote:
> Version 2 of the client obfuscated the passwords using a reversible cipher.
Ciphering and encrypting are different terms for essentially the same thing. And of course it has to be reversible, otherwise it's hashing (and unusable for the purpose in this situation).
> Because the source code is readily available, however, (...)
I completely agree that it's never gonna be 100% secure. No matter what fancy encryption you use, if FileZilla is able to decrypt/decipher it, then so are others.
Nonetheless, it helps keep off the majority of situations where some noob gets a peek in your xml file. This is not the biggest threat, but the most common one. Not the 31337 haxx0r who will get past any encryption anyway.
> The thing is, modern operating systems *already* ask the user for passwords and *already* restrict access to files based on user permissions. They also already allow files to be transparently encrypted on disk.
Not true for Windows Home. You know, the OS used by the largest userbase in the world.
Re: Filezilla FTP proxy stores Windows password in plain text
banana wrote:
> How do you call this:
> FileZilla 2's xml config wrote:
> > Pass="094115051024096047011051126009057100007116060025125"
Obfuscation.
> it helps keeping off the majority of situations where some noob gets a peek in your xml file
If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!
- banana
- 550 Permission denied
- Posts: 27
- Joined: 2008-09-30 09:26
- First name: Kazimir
- Last name: Banana
Re: Filezilla FTP proxy stores Windows password in plain text
botg wrote:
> Obfuscation.
What's the difference between encryption and obfuscation?
> If somebody can look into your settings files, you have a much bigger problem than plaintext passwords. It means your system's user account is compromised!
Not if that somebody is physically standing behind me while I'm editing or viewing xml files.
If you think that's a non-issue, then why did you do
in the site manager dialog?
Let me rephrase two earlier questions:
FileZilla 2 did obfuscate passwords. Just out of curiosity, why exactly did you take the effort of disabling that in v3?
Is there any advantage in not obfuscating the passwords?