Re: Filezilla a security risk
On Thu, Jun 28, 2012 at 04:24:43PM -0300, francis picabia wrote:
> On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
> <sdj@rasmussenequipment.com> wrote:
>
> >
> > Please remember that FTP by nature is insecure. All it would take is
> > for someone to packet sniff the connection and they would have the
> > user name and password to the account as they are transmitted in plain
> > text.
>
> Yes, this is all correct. However filezilla does sftp as well and
> SFTP session passwords are also saved in this plain text file as
> a human readable password. That typically translates to SSH access.
>
True, but you can restrict certain users to SFTP access only. I do
that, and I only allow SSH access with public key authentication.
> In case this is lost on anyone, we are NOT talking about sniffing, but
> drive by malware reading a plain text file on the client OS containing
> the password.
> Even if you do not check the box for saving the password, the most
> recent entered password is saved there.
>
I notice that GFTP, for example, does not seem to save any passwords
unless you 1) create a bookmark for the connection, and 2) check the
"Remember Password" box. That seems like a sensible way to do it, but
you will still be at risk with an unsavvy user and/or malware on the
machine.
Malware can be in the form of a key logger, which will get anything you
type. Unsavvy users will typically check a box in the name of
convenience, and give little thought to the security implications.
-Rob
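Added example (not from the thread or from any of its posters): Rob's two controls, an SFTP-only group and key-only SSH for everyone else, are sshd_config settings, and a small audit script shows the weak configuration beside the hardened one. Both config texts below are constructed for illustration, the group name "sftponly" and the chroot path are assumptions, and the parser handles only "Match Group" criteria.

```python
"""Audit an sshd_config for two controls: shell users must authenticate
with keys only, and members of an SFTP group must never get a shell.
Example code, not OpenSSH's own; sample configs are constructed."""

import re

# Constructed sample: hardened configuration in the spirit of the post.
# Group name 'sftponly' and the chroot path are assumptions.
HARDENED_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication yes
"""

# Constructed sample: weak configuration, passwords accepted for a full shell.
WEAK_CONFIG = """
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); match_blocks is a list of
    (criteria, opts). Keys are lowercased because sshd treats keywords
    case-insensitively, and within a section the first value wins."""
    global_opts, matches = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(key, value)
    return global_opts, matches


def effective_options(config_text, group):
    """Options sshd applies to a member of `group`: a matching
    'Match Group' block overrides the global section."""
    global_opts, matches = parse_sshd_config(config_text)
    effective = dict(global_opts)
    for criteria, opts in matches:
        crit = criteria.split()
        if len(crit) >= 2 and crit[0].lower() == "group" and group in crit[1].split(","):
            effective.update(opts)
    return effective


def audit(config_text, sftp_group="sftponly"):
    """Return a list of findings; an empty list means both controls hold."""
    findings = []
    global_opts, _ = parse_sshd_config(config_text)
    # OpenSSH defaults PasswordAuthentication to 'yes' when it is unset.
    if global_opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("shell users: PasswordAuthentication is not 'no'; "
                        "a leaked password grants a shell")
    sftp_opts = effective_options(config_text, sftp_group)
    if sftp_opts.get("forcecommand", "").lower() != "internal-sftp":
        findings.append(f"group {sftp_group}: no 'ForceCommand internal-sftp'; "
                        "a leaked SFTP password translates to SSH access")
    if sftp_opts.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append(f"group {sftp_group}: AllowTcpForwarding should be 'no' "
                        "so SFTP-only accounts cannot tunnel")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

The point the script makes concrete is the one in the thread: with ForceCommand internal-sftp on the SFTP group and PasswordAuthentication off globally, a password that FileZilla left in a plaintext file buys at most the SFTP chroot, not a shell.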