I use Filezilla as my FTP client and I like its features a lot. However, one thing bothers me: Filezilla stores all passwords in a plain text xml file so in case I get infected by some malware all passwords can be easily stolen. I haven’t yet been infected but I want to feel my data are safe. The problem is that Filezilla probably will never encrypt passwords because the developer thinks it’s the OS that should protect data, and he is stubborn about it and often rude (e.g. http://forum.filezilla-project.org/viewtopic.php?f=1&t=12481)
Do you think his point is valid? I agree that the OS should be secure and that a hacker will always find a way to steal data but it would be good to at least make it difficult for him.
So I am thinking of applying some sort of encryption of my own to the filezilla.xml and sitemanager.xml files. Preferably, I would like to encrypt these 2 files so that when they are accessed (when starting Filezilla) I have to provide a password. I have XP Home so the OS encryption is not available; are there any 3rd party tools that would do what I want?
I would disagree. Each application should take adequate precautions to protect the needs of its users; by claiming it's someone else's responsibility he's essentially pawning off people's privacy on the basis that he doesn't believe he should be required to protect his product's users. My advice would be to perhaps write an add-on which does the job; you could probably get some good traffic out of a utility like that.
Yes, he doesn’t seem to care about people’s privacy. His points may be valid but only in a perfect world where systems are secure and all users are very computer savvy and able to protect their computers from all vulnerabilities. Of course, often that is not the case and there are endless scenarios of what can happen. But apparently he is using Linux and doesn’t like Windows so you can guess…
I have found a partial solution to the problem: Filezilla Portable. It is the same Filezilla as the standard one except it’s optimized for being run from any disk without installation and all settings are kept on the portable disk. I can mount an external drive only when I need to use Filezilla and unmount after I finish so that the password files are not accessible by the OS all the time plus they are in an unusual location, which makes it harder for malware to find.
I have made an encrypted virtual drive with TrueCrypt and mount the volume with Filezilla Portable when needed and unmount it after I finish.
For the time being the solution seems satisfactory enough for me, not perfect but certainly it should give more security.
edit: An extension for Filezilla would be great but I’m not so much into programming apart from php so it would require too much effort on my part to learn how to do these things.
Wouldn’t matter too much as it were, since FTP sends your password in plaintext over the network/internet anyway. Malware is most likely to set up a proxy server (then snoop around for Filezilla) on your computer, which would collect passwords not only for FTP but for everything that is sent in plaintext.
Better off not getting malware on your computer than worrying about a file for a protocol that sends the data out in plaintext anyway.
But that is just one password that can be eavesdropped at a time versus getting access to the database of all ftp account credentials saved in Filezilla. The scope of damage is much different. I suppose it’s fairly trivial for malware to guess the location of filezilla account database file and access all ftp credentials at once.
But I can connect via SFTP and then no one can collect passwords over the network. But they are still in plain text on my computer. My goal is to increase security and not to achieve full security, which is impossible.
This issue is still current today and the developers have not gotten any wiser or more open. They don’t listen to their users in this specific case.
I don’t think they will ever listen in this regard considering their responses. The interesting thing I learned today is that even if I choose not to remember passwords in filezilla and simply type them, the passwords are stored in plain text on disk in recentservers.xml. There’s a workaround for this in enabling kiosk mode in some super user-unfriendly manner: http://forum.filezilla-project.org/viewtopic.php?f=1&t=16155&start=15
For the time being I start up filezilla portable from an encrypted virtual drive just to be a little bit safer but I understand this also exposes passwords, however only for a short time. After using filezilla I dismount the volume and all password files disappear.
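The two points raised above, that malware only needs to know where FileZilla keeps its XML files to grab every saved account at once, and that recentservers.xml records passwords even when "remember password" is off, are easy to check for yourself. The following script is an added example, not FileZilla's own code or anything from the thread. It assumes the `<Server>`/`<Host>`/`<Port>`/`<User>`/`<Pass>` layout FileZilla has used in sitemanager.xml and recentservers.xml, where `<Pass>` is either bare plaintext (older builds) or carries `encoding="base64"` (newer builds, which is an encoding, not encryption). The sample XML embedded in it is constructed for the demonstration; point `audit_file` at your own config directory to see what is actually stored.

```python
"""Audit FileZilla XML config files for stored credentials, and scrub them.

Added example (not FileZilla's code). Assumes the <Server> element layout
used by sitemanager.xml / recentservers.xml: <Host>, <Port>, <User>, <Pass>,
with <Pass> either plaintext or base64 ("encoding" attribute).
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of recentservers.xml; not a real config file.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="base64">c3VwZXJzZWNyZXQ=</Pass>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>anonymous</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def decode_pass(pass_el):
    """Return the password held by a <Pass> element as plain text.

    base64 is reversible by anyone who can read the file, so it offers no
    protection; we decode it to show exactly what an attacker would get.
    """
    text = pass_el.text or ""
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8", "replace")
    return text  # older FileZilla builds: bare plaintext


def find_stored_credentials(xml_text):
    """List (host, port, user, password) for every <Server> that has a <Pass>.

    iter() walks nested elements too, so sitemanager.xml folders are covered.
    """
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None:
            continue  # entry saved without a password (e.g. anonymous)
        found.append((
            server.findtext("Host", ""),
            int(server.findtext("Port", "0") or 0),
            server.findtext("User", ""),
            decode_pass(pass_el),
        ))
    return found


def scrub_passwords(xml_text):
    """Return (xml_without_pass_elements, number_removed).

    This is the on-disk state FileZilla's kiosk mode is meant to keep;
    without kiosk mode the client may write the entries back on next exit.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for server in root.iter("Server"):
        for pass_el in server.findall("Pass"):
            server.remove(pass_el)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def audit_file(path):
    """Audit a real config file on disk (e.g. recentservers.xml)."""
    with open(path, "rb") as fh:
        return find_stored_credentials(fh.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed sample
        for host, port, user, pw in find_stored_credentials(SAMPLE_RECENTSERVERS):
            print("%s:%d user=%s password=%s" % (host, port, user, pw))
    for path in paths:
        for host, port, user, pw in audit_file(path):
            print("%s: %s:%d user=%s password=%s" % (path, host, port, user, pw))
```

Run it with no arguments to see the constructed sample decoded, or pass the paths of your own sitemanager.xml and recentservers.xml. Anything it prints is what a process running as your user can read directly from disk, which is the whole point of keeping those files on a volume that is only mounted while FileZilla runs.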