Friday, October 1, 2010

FileZilla 3 is NOT secure. Full stop.

FileZilla is well known among the community that designs and develops websites and applications, and it is widely used as the de facto FTP client for transferring files from your PC to the server and back.

But did you know that the passwords for the sites you manage in FileZilla are stored in plain text, with no attempt at encryption whatsoever?

It is of course not a sin to store this confidential information in plain text, and the author seems to think that keeping it safe is YOUR responsibility. It is also mentioned that if your PC is exploited or infected with a virus, encryption will not help at all. These points are, actually, TRUE. If a virus or rootkit is living on your PC, it will steal anything and everything it can, whenever and wherever it can, and most of the time you will be on the losing end. As for an encrypted password, it still has to be decrypted before a connection to the FTP server is established, and that is exactly when and where your password gets sniffed.

Having said that, we still think passwords should be stored in some encrypted form. The reason is that apart from viruses, spyware and malware, there are other techniques used to steal information. For example, if someone somehow obtains an encrypted password file by other means (use your imagination), then rather than shouting hooray on the spot, they would first have to spend a good amount of time decrypting it before going for beers.
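As an added example (not from this post, and not FileZilla's own code), here is a defender-side check that reads a FileZilla 3 site manager file and reports which saved sites keep their password readable straight off the disk, the plain-text storage described above. The sitemanager.xml layout used in the constructed sample (`Servers`/`Server`/`Host`/`User`/`Pass`, with an `encoding` attribute on obfuscated entries) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout FileZilla 3 is assumed to use for its
# sitemanager.xml (element names are an assumption, not taken from the post).
SAMPLE_SITEMANAGER_XML = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <User>webdeploy</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <User>staging</User>
      <Pass encoding="base64">c3RhZ2luZy1wYXNz</Pass>
    </Server>
    <Server>
      <Host>ftp.mirror.test</Host>
      <User>anonymous</User>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager(xml_text):
    """Return (host, user, storage) for every saved server.

    storage is "plaintext" when <Pass> holds the password as typed, "encoded"
    when it carries an encoding attribute (base64 is only an obfuscation and is
    trivially reversible, so treat it as exposed too), "none" if nothing is saved.
    """
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            storage = "none"
        elif pass_el.get("encoding"):
            storage = "encoded"
        else:
            storage = "plaintext"
        findings.append((server.findtext("Host", ""), server.findtext("User", ""), storage))
    return findings


def count_plaintext(findings):
    """Number of saved sites whose password can be read directly from the file."""
    return sum(1 for _, _, storage in findings if storage == "plaintext")
```

Run `audit_sitemanager` over the real file from your FileZilla profile directory to see which of your own saved sites would be exposed to anyone who copies that one file.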

Maybe it is time to think about whether you should continue using FileZilla, or replace it with something else.

