Filezilla is my favorite client for ftp and sftp so when I read over at mrtech that a version 3 was out of beta I wanted to try it out. More importantly I wanted to know if there were any security issues that would hasten my upgrade. I didn’t immediately see that info on the filezilla site, so I decided to check out their forum.
From some comments on their forum it sounds like version 3 is a good thing to stay away from for a while (even if you take the complaints with a grain of salt).
- Using 40% more memory than before, still a small number but a notable increase
- Opening more slowly than before
- Drag and drop not working in vista
But the main reason I stopped to blog about this is the discussion over password storage.
How do you want your applications to store your passwords? With Firefox or IE or Outlook Express you can save a password. It's starred out when you type it into the password field, so it's secure, right? Not so fast. With tools downloaded from the Internet those passwords could be revealed in seconds.
The same apparently is true for the password obfuscation used in Filezilla 2. For version 3 Filezilla has decided to remove the pretext of security and just store the passwords in clear text. Since I haven’t installed version 3 yet, I don’t know if they bother to warn anyone about that small little detail.
This has sparked a lively debate in the Filezilla Forums. Or rather, people try to ask about it and get a response like this:
Go back into your cave. If you actually had the technical understanding on how computers work, you would know that password obfuscation is pointless.
In another post, the forum admin dismisses a request that filezilla be password protected. He says that it is the Operating System's job to protect the file.
The problem with that theory is that you can't rely on file system access control lists. Too many people might have administrative rights on a corporate computer. EFS might lock the file down to one user, but what if a virus is running in the user's context? Further, not all companies allow EFS.
It would be nice if there were a setting we could deploy to all systems to disallow the saving of passwords in filezilla.
For myself, I guess I’m either going to have to enable EFS for this file or make sure I only save passwords in passwordsafe.