Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Encryption Security Open Source Privacy Technology

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins (bleepingcomputer.com) 82

An anonymous reader writes: "Following years of criticism and user requests, the FileZilla FTP client is finally adding support for a master password that will act as a key for storing FTP login credentials in an encrypted format," reports BleepingComputer. "This feature is scheduled to arrive in FileZilla 3.26.0, but you can use it now if you download the 3.26.0 (unstable) release candidate from here." By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text. The move is extremely surprising, at least for the FileZilla user base. Users have been requesting this feature for a decade, since 2007, and they have asked it many and many times since then. All their requests have fallen on deaf ears and met with refusal from FileZilla maintainer, Tim Kosse. In November 2016, a user frustrated with Koose's stance forked the FileZilla FTP client and added support for a master password via a spin-off app called FileZilla Secure.
This discussion has been archived. No new comments can be posted.

10 Years Later: FileZilla Adds Support For Master Password That Encrypts Your Logins

Comments Filter:
  • I've found WinSCP to be better than FileZilla especially since so many providers offer SFTP now anyway. I don't store my passwords so the master password thing is not an issue to me. Don't store passwords if you don't want them to be found.
    • by antdude ( 79039 )

      Can it resume downloads and uploads?

      • FileZilla can do this. You right-click on the Queued Files section and select Export. It will save an XML file with all the queued items. Then, all you have to do is go to File-->Import and then right-click on the Queued Files section again and select Process Queue.
        • by antdude ( 79039 )

          Interesting! So, it can resume transfers for SCP? I will need to check it out again.

      • Yes. It will see the partial file and ask you if you want to resume or restart from scratch.
        • by antdude ( 79039 )

          Cool. In the past, I wasn't able to resume download and upload files with SCP, SFTP, etc.

    • Also WinSCP is not Adware. Some people may prefer Filezilla for that reason. Filezilla is better if you like being served ads. WinSCP does not include Astromenda.

      • by TheOuterLinux ( 4778741 ) on Saturday May 27, 2017 @12:16AM (#54496141) Homepage
        Where are you getting your FileZilla from to have adware? Neither my Mac or Linux system's versions show ads, and I'm getting it from here: https://filezilla-project.org/ [filezilla-project.org]. Maybe it's just a Window$ thing?
        • by Zocalo ( 252965 ) on Saturday May 27, 2017 @03:36AM (#54496521) Homepage
          At a guess, SourceForge, or maybe some other third party download mirror site with similar practices, and yeah, AFAIK, it's mostly a Windows thing. SourceForge - and others - went through a period of bundling crapware [techgage.com] with tools being downloaded from them, and since they were a popular means for small projects to offset bandwidth costs a lot of projects got bitten until they were forced to provide an opt out - and FileZilla the poster child for projects involved. There was an outcry, as you'd expect, but I have no idea which the mirror sites stopped the practice or not because this pretty much killed my use of them for downloads (sorry, small projects!), but I believe most mirror sites that are claiming to be reputable either no longer do so at all, or at least provide projects an opt out.
        • Yeah I guess it's a Windows thing. The developers wanted to make some extra cash with bundled adware, but I think they left Linux and Mac users alone. The Windows version still has the bundled adware when you download it from the link you posted.

          The only way to avoid the adware on Windows is to compile the binary yourself from the source code or maybe use the Chocolatey package. There used to be download links that avoided the malware infected versions but those were taken down a long time ago. Presumably b

          • I haven't used Window$ since 2008 unless forced to in an office/mdeia center environment. When I see things like this on a Micro$oft system in an environment with a lot of people, it doesn't shock me at all. However, every now and then when I see a friend showinf off their new laptop, I cringe and complain about what they are using, yet they expect it from a Linux user like me. In other words, freemium/adware/30-day trial is socially excepted, even though they are paying $900 for a laptop on top of being lo
          • [citation needed]

            The news was the Sourceforge was adding adware to the packages and the one that caused the outrage was FZ. Is not the developers that added the adware on their side, they might have signed up for the Ad program offered by SF which they dumped once they realized whats was all about.

            Also because I even got to download one of the bundled installers for FZ on windows and the AV picked the Adware package. Easily removed with 7z and FZ installed cleanly afterwards.
      • AND if you don't use Windows anymore, WinSCP is a non-starter, and as far as I'm concerned, Filezilla is the best ftp/scp/ftps client for Linux....

    • by DrYak ( 748999 )

      I've found WinSCP to be better than FileZilla especially since so many providers offer SFTP now anyway.

      Note that Filezilla support SFTP too.

      I don't store my passwords so the master password thing is not an issue to me. Don't store passwords if you don't want them to be found.

      Even better :
      don't use passwords. Use Public Keys pairs.

      (Filezilla supports them, and can use Putty's key agent to handle them)
      (I'm sure that WinSCP can too, just didn't bother to check).

      Best part : you can then completely switch off the support for password on the SSH/SFTP server.
      Your server is then (obviously) immune to brute force / password guessing.

  • Filezilla is so behind the times I switched to Transmit on the mac and have never looked back

    • Filezilla is so behind the times I switched to Transmit on the mac and have never looked back

      $34 seems like a bit much for an ftp/sftp app...

      • by SeaFox ( 739806 )

        Possible responses:

        1) He's a Mac user. He's used to overpaying for basic functionality.
        2) If he was a Windows user, I bet he would have paid for WinRAR, too.

    • Cyberduck is free and open source and very easy to use if you need a Mac client.
    • Behind on the times? What is it that Filezilla is missing? A frigging like button or something?

  • Holy crap (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Friday May 26, 2017 @09:21PM (#54495741)

    By encrypting its saved FTP logins, FileZilla will finally thwart malware that scrapes the sitemanager.xml file and steals FTP credentials, which were previously stolen in plain text.

    You've got to be kidding me.

    • Thankfully pidgin has disappeared into irrelevance with the rise of cell phone messaging; they still store their passwords in plain text.

      • by SeaFox ( 739806 )

        Pidgin became irrelevant for two reasons -- in the following order chronologically:

        1) The developers only wanted to add features they personally were interested in, and their desires didn't correspond to those of anyone else who used the program.

        2) IM networks taking protocols private.

    • by Anonymous Coward

      Yes, how dare they use XML when they could have used SQLite and JSON like Firefox or instead do it like Chrome on Windows where Microsoft is expected to do the right thing.

      Storing passwords on a system where those passwords can be accessed by software without user interaction doesn't strike me as very secure. Then again, if malware is on the system you probably have already lost, so the keychain encryption schemes help against attacks on turned off/logged out devices.

      The integration of a password manager su

      • by Anonymous Coward

        THEY (the original Filezilla devs) DIDN'T do that... Someone else forked Filezilla and added that feature.. Read the article ffs

  • Yawn. Who cares. Filezilla is adware. It is *not* free software. Does anyone still use it? Why bother when there is truly free software that works just as well or better.

    • by Anonymous Coward on Saturday May 27, 2017 @12:39AM (#54496187)

      It is *not* free software

      Yes, it is. On the main site I can download the source code and compile it, something I've had to do when the pre-built Linux binaries didn't work on older distros. The software license is GPL v2.

      How the fuck is it NOT free software? If you're still referring to it as adware, I'm assuming it's because of the partnership with SourceForge which bundled adware in certain versions of the software (of which you could easily still download a clean version if you knew what you were doing). That program ended quite a while ago. Of course, you'd know this if you bothered to be more understanding and check if what you actually typed matched reality, but that's too much work. Hatred is easier.

      • How the fuck is it NOT free software?

        Well I guess it's free in the sense that all malware is free.

        If you're still referring to it as adware, I'm assuming it's because of the partnership with SourceForge which bundled adware in certain versions of the software (of which you could easily still download a clean version if you knew what you were doing).

        In all versions. There are no longer any binaries available that are not adware/malware. Yes what you are saying used to be true some years ago, but it is not true anymore. Also don't blame Sourceforge. Filezilla specifically chose to have Sourceforge bundle the adware because it makes money for them. They openly admitted it and had no plans to make any changes despite the complaints.

        Yes if you are willing to go through the trouble of compiling th

    • by Zocalo ( 252965 )
      FileZilla has its faults, but being adware is NOT one of them. It was one of many victims (GIMP and VLC were others) of third party mirror sites like SourceForge that decided to make some additional money by bundling crapware [techgage.com] with downloads, often without the knowledge of the projects involved. Unless you've been sourcing your software from a particularly shady mirror site, this bundling was usually made pretty clear during the install process, such as the screenshot in the link.
      • by Anonymous Coward

        Actually, the maintainer of FileZilla repeatedly defended this practice of SourceForge in their forums. He also made money from the bundled software. He insisted repeatedly in the forums that it was not malware, and that people were free to choose not to install them. I think *technically* they were not malware, but they were certainly unwanted by the vast majority of the people who installed them.

        I do believe that the program has been ended (by SourceForge's action, not by FileZilla), but FileZilla does

    • So you clearly don't use Filezilla.

    • I use Filezilla extensively on Linux and I gar-on-tee you theres NO ads here.... Couldn't say about the Winblows version, as I quit fucking with Microsoft crap over 7 years ago.....

  • I wince any time I have to access a logged account on a server with FTP. Isn't the password sent over the wire unencrypted? FTP has been replaced by SCP for a reason.

    If I am wrong please correct me.

    • I wince any time I have to access a logged account on a server with FTP.

      For anything other than, for example public FTP software downloads, most people who use FileZilla use SFTP. The fools at WordPress still use FTP for auto-updating. Though SFTP is an option, noobs will probably use FTP.

      But why do hosting companies even allow it? It's got to be a HUGE vector, and although hosting companies generally will not take any responsibility for hacked sites that they host (and why should they), it's got to be a Help Desk pain in the ass.

      • How is FTP *MORE* of a pain in the ass to the helpdesk than SFTP? The only thing they have to do is manage password resets. It's just as easy to do that for FTP as it is for SFTP.
        • How is FTP *MORE* of a pain in the ass to the helpdesk than SFTP? The only thing they have to do is manage password resets. It's just as easy to do that for FTP as it is for SFTP.

          From the resulting account hacks was my thinking, but I can't confirm that.

  • by n3r0.m4dski11z ( 447312 ) on Saturday May 27, 2017 @12:45AM (#54496209) Homepage Journal

    The fact that they have near daily updates (Basically every time i turn on filezilla, there is a new client), I am extremely surprised that they wouldn't handle feature requests promptly. What the hell are all the damn updates for then?? NO software can be THAT buggy!

    But back in the day, I do remember them implementing a suggestion I pushed for which was the addition of autoban. So I considered them quite responsive.

    And for saying "filezilla is DYING!" that hasnt been my experience. I thought it was considered the de-facto standard because: 1) they offer a client on virtually every platform and 2) its the ftp client that ninite installs. Most people who arent using filezilla, are using browser based FTP and locking out their accounts with unstandard behaviour. So i like being able to tell literally anyone, to just go to one website to get a great free ftp client.

    I personally don't save passwords in an ftp client in the first place. Perhaps that was why it was not a popular suggestion. The people who are concerned with security enough to know what a master password would do, and yet still want to store their passwords inside the program instead of in their head or document, has got to be a small group. I know its envogue for password managers now and maybe thats why he implemented it.

    This is really just a positive story for open source software in general. You can have a program constantly maintained for so long that it can accumulate 10 year old feature requests that ACTUALLY GET IMPLEMENTED! hooray!

  • I guess there's still hope for FileZilla Server to eventually get SFTP support before I die. It's quite astonishing that this "obvious" feature of file transfer server software hasn't been implemented yet (despite the FileZilla Client having had SFTP support for years). I mean, it's "only" been 13 years [filezilla-project.org] since the feature was originally requested - easily beating the master password encryption feature request by a full 3 years. And, yep, someone recently suggested closing the SFTP feature request because Tim

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...