Slashdot Mirror
R.I.P. FTP
On July 1st I found that one of my less important websites, hosted on a low-cost shared Web hosting service, had been broken into. A friend emailed me to say that the site was showing up in Google's search results with the Google "This site may harm your computer" warning listed next to it. I found that on one of the pages, about 1,500 HTML script tags had been inserted, loading JavaScript files from pseudo-random Russian hostnames like "www.chk06.ru" and "www.errghr.ru", none of which are currently resolving. Usually, when such script tags are maliciously inserted into a page on a website, the script tags attempt to install spyware on the machines of people who visit the site.
I immediately replaced the infected file on the website with the backed-up clean copy from my machine, and changed the password on the website in case the attacker had gotten in by using the old one. (The original file with the script tags inserted is here if you want to examine it, but use with caution -- if the .ru hostnames in the script tags start resolving again, then opening the file could cause the JavaScript on the pages to be loaded, which might infect your machine.) Then I started investigating (a) how this probably happened; (b) whether future similar attacks could be prevented, by changing some defaults in the way that hosting accounts are set up; and (c) whether the incentives for hosting providers are such that these changes are likely to happen by themselves, or whether it will require some third-party advocacy to change what we think of as "best practices".
Denis Sinegubko, the webmaster of Unmask Parasites, a free service that scans websites on demand for signs of break-ins, says:
The majority of web site compromises happen because of:
- Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (FTP protocol sends username/password as plain text), trojans that steal credentials from various programs' configuration files (FTP clients, DreamWeaver, etc).
- Security holes in popular web software: CMS (Joomla, Drupal, etc), Forums (phpBB, vBulletin, Simple Machines, etc), Blogs (WordPress). Once a vulnerability discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
- Security hole in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input making various attacks possible (SQL injections, XSS, etc)
- Poor security practices (Something that should be manually configured by site/server admins and cannot be fixed with automated security updates): Weak passwords, open ports, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
I didn't have any third-party web software or custom-made software installed on the PublicEditorMyAss.com site, the password was a seven-letter meaningless mix of letters and numbers, and I didn't have permission to change most of the things like open ports and file permissions. That left the possibility of stolen FTP credentials. This is in fact what Sinegubko says is the most common cause of such break-ins:
I guess 90% of attacks use stolen FTP credentials this year. Check this Google's graph that shows the top 10 malware sites as counted by the number of compromised web sites that referenced it:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
I reviewed 4 most widespread of them (Gumblar, Martuz, Goooogleadsense, Googleanalytlcs). All four used stolen FTP credential to penetrate web sites and upload malicious content. The chances are the rest used this vector too.
When the PublicEditorMyAss.com site was set up, the default setting was for pages to be edited over FTP. Even though FTP sends and receives passwords without encrypting them (in contrast with alternatives like SFTP or "secure FTP", which encrypts passwords), for a long time I had assumed that this was not a major security problem, because in order for an attacker to intercept the passwords in transit, they would have to control a machine somewhere on the path between my home computer and the PublicEditorMyAss.com server. I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer. And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted:
[Passwords can be stolen by] sniffers that read all TCP traffic on local computers. Like personal firewalls but malicious. They can easily intercept FTP credentials since they are sent as a plain text.
Sinegubko describes how one of his contacts obtained evidence that a common spyware program was doing exactly this:
One of them even infected a spare WinXP computer (with Gumblar) to test the consequences. On the infected computer he created a new account in a popular FTP client and saved it. The server address was correct (his server) and the username/password pair was not valid. A few hours later in FTP logs, he discovered login attempts that used that invalid username/password pair from a Singapore IP, then from a Florida IP, the some other country's IP. Apparently the FTP credentials were somehow stolen from that infected computer.
I know of only two instances where I've ever definitely been infected with spyware. I don't do stupid things like downloading and running strange programs from third-party sites, so I think both infections were probably caused by a site exploiting a security hole in Internet Explorer, or in a plug-in like Adobe Acrobat or the Flash player. Both times, once I noticed I was infected, I got rid of the infection with Malwarebytes, but I don't know how much damage the spyware did in the meantime.
So this was a case where a little knowledge can be a dangerous thing. If I had known nothing about Internet architecture, and someone told me "FTP is less secure than SFTP," I would have found a way to switch to administering the site via SFTP. But because I knew that the main reason FTP was considered "insecure" was because it transmitted passwords unencrypted, but I also knew that most of of the machines relaying those passwords in transit were secure and trustworthy, I thought it didn't matter. Now it seems that is probably how my password got compromised after all.
In that case, why don't more people switch to administering their sites via SFTP instead of FTP? Here are the steps it took me to enable SFTP on my GoDaddy hosting account. Feel free to use this as a reference, but the obvious point is that as long as this many steps are required, it's safe to say that most users won't be switching:
- Go to the "Hosting" menu and pick "My Hosting Account."
- Next to the name of your website, pick "Manage Account." This will open the Hosting Control Center.
- In Hosting Control Center, click to expand the "Settings" options.
- In the "Settings" control panel, click the "SSH" icon.
- You will see a page saying "SSH is not set up", and prompting you to enter a phone number so that their automated service can call you with a PIN number. After you enter your phone number, the phone rings a second later, and you enter the PIN in a form on the GoDaddy website.
-
You will then see a page which says:
Current Hosting Account Status: Pending Account Change
Your request to enable SSH is being processed. This upgrade may take up to 24 hours.
In fact, even if only one step were required to switch, most users probably wouldn't change from the default setting to use FTP, due to the eternal, unchangeable fact that most people do not change their default settings, ever. (What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
If more Web hosting companies made SFTP the default, then the number of websites that were compromised by stolen login credentials, would probably go down. Spyware authors might start to make their programs smarter at that point, enabling them to read the passwords stored by popular FTP and SFTP programs, so that it would make no difference whether the passwords were transmitted in the clear or not. However, this would be harder for spyware authors to do correctly, so it would at least raise the bar for a successful malware attack, and the number of compromised websites would be reduced.
Unfortunately, Web hosting companies don't have much incentive to make users switch to the more secure SFTP protocol. This isn't necessarily true of all security risks; sometimes the hosting company has a strong incentive to pass on the right wisdom (and select the right default settings) for their customers. From the hosting company's point of view, you could divide risks into three categories:
-
Risks where the hosting company pays a large part of the price for a customer's machine being compromised. For example, if a cyber-criminal takes over a customer's machine and uses it to launch a denial-of-service attack by sending it a flood of traffic, the hosting company will see that traffic spike on their network. The hosting company has the most incentive to help prevent these types of attacks.
-
Risks where the hosting company doesn't directly pay a price for the customer's machine being compromised, but they may have to deal with complaints sent in by third parties. For example, a customer's website could get broken into, and script tags could be inserted into the pages that cause visitors' machines to be infected with spyware. Those visitors might complain to the webmaster of the infected site, or they might complain to the hosting company, which then forwards the complaint to the webmaster. The hosting company may have to provide a few minutes of tech support to the customer, advising them to change their password and scan their own machine for spyware, but they probably won't incur any other material costs.
-
Risks where neither the hosting company nor the customer pays a price for the machine being infected, but the price is paid by "Internet users as a whole." The only attack that I can think of in this category, is an attack where a cyber-criminal inserts key words into your web page and links them to his site, in order to increase his Google ranking for searches for those key words. Neither the website owner, nor any visitors to the website, are victimized directly; the harm being done is that the quality of Google search results is reduced for everybody. The only reports of the attack would probably come from "good Samaritan" Web surfers, who tell the hosting company or the webmaster that one of their pages has been vandalized.
When a customer's FTP credentials are stolen, the price paid by the hosting company lies somewhere in the middle. An attacker who stole my current PublicEditorMyAss.com credentials would only be able to deface the content on the site, but they wouldn't be able to launch an attack against a third-party network (my PublicEditorMyAss.com hosting account doesn't have the ability to initiate an outgoing connection to a third-party site).
Weighing in the other direction are the costs of switching to SFTP. If existing customers are forcibly switched over, phone lines will be clogged by customers wanting to know why their old method of logging in to their site has suddenly stopped working. A better choice would be to allow existing customers to stay with FTP while making SFTP the default for new customers. But there is a time and money cost of changing anything, even a default setting.
So GoDaddy doesn't have much incentive to make SFTP their new default. Indeed, I've used many different shared hosting companies before I started running proxies exclusively on dedicated servers, and none of the shared hosting companies ever used anything but FTP as the default method for customers to administer their websites. So who can blame them? They're not making the choice that makes the most sense for their customers or for Internet security as a whole, they're making the choice that makes the most sense in terms of costs and benefits for themselves, and I'm not being judgmental about that. We shouldn't expect most companies to ever behave in any other way.
That's why I think that glib "solutions" to security problems, like "Everybody install anti-virus software", or "Everybody stop using Windows", aren't helpful, because regardless of whether these ideas would work if everybody actually followed them, the fact is that most people won't. The problems have to be addressed in terms of changing incentives for the choices people make.
What's an idea for reducing the risks of FTP credentials stolen by malware, that addresses the incentives problem? Maybe give tax breaks to Web hosting companies that set up customer accounts to use SFTP instead of FTP by default? Or ask more computer vendors to include a desktop link to pre-installed SFTP software, so that when Web hosting companies present options to their customers, it's easier for users to choose the SFTP option since they have a client already installed? (I was tempted to recommend that Microsoft include a universal SFTP client pre-installed in Windows with a prominent desktop link, but the problem with that is that if almost everybody used the same SFTP client, malware authors would have greater incentive to reverse-engineer the algorithm that the client used to store saved passwords -- and then passwords would be just as easily accessible to spyware, as if the user were using FTP all along. So a good mix of SFTP clients is safer for this purpose.)
Since the difference between SFTP and FTP usually only matters in cases where a customer's machine has been infected with malware, obviously the best solution is to avoid malware altogether, but that's much harder problem to solve, as long as malware authors can keep finding security holes in Internet Explorer and other popular programs. Making SFTP the new standard for Web hosting accounts is something that we know how to do, right now. The incentives aren't currently right for Web hosting companies to make it happen. But there may be ways to change that, and I'll bet some people can think of better ideas than the ones I've suggested. I'm just saying that the incentives problem is where attention should be focused.
Malwarebytes is good software, but as you point out you don't know how much damage was done. Secondary infections can easily be missed, and many malware programs open your machine to further exploitation. As tired as the suggestion is, you needed to do what you did with your website: revert the machine to a known good backup of the system state, formatting first. Anything less and you *should* have that nagging doubt that you haven't actually cleaned everything up. There are ways to diminish the concern: inspecting the machine for unexpected packet flows, using anti-rootkit tool, etc... but only by formatting and restoring a know clean state or formatting and just restoring your data files will you be confident).
Sig under construction since 1998.
Back we go then to HTTP based web forms...
It pays to be obvious, especially if you have a reputation for being subtle.
Isn't that the sound someone makes after eating enough chili or lentils?
Is this a plea for everyone on /. to come look at your site?
This came up in a class I took at college. It was a bullshit "internet concepts" class, where they talked about setting up a website, basically. One of the things they talked about was ftp and how it's used to upload content to your "web host". Needless to say I felt the need to hurt those responsible for promoting this crap. While I did the assignments as they wanted, I made it a point to try to educate people in the class as to the proper protocols to use for uploading content.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
How to secure WebDav
http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication
login: guest
password: anonymous@host.com
Look, if your machine is infected by malware, it's not going to make any difference if you use FTP or SFTP or god know what else.
Either your passwords are stored on your harddisk or you're going to have to type them in at a later point. In both cases software is going to be able to get your passwords. And they have that they can get in without a problem, regardless of protocol used.
So instead of this looooong article, some more vigilance online to avoid the infection to begin with would be more helpful.
And if you _have_ to use MSIE, use SandboxIE.
It's unfortunate that FTPS still seems to be widely unknown. FTPS is an extension of the FTP protocol which secures the control & data channels with TLS. It's standardized in RFC 4217.
Restricting users to their home directory is much easier with FTPS than with SSH. The latter requires you to setup a chroot jail for each user. At least OpenSSH has built-in chroot support that allows you to specify a chroot environment for each user via /etc/passwd.
Many FTP clients and servers support the FTPS protocol, for example:
* FileZilla
* curl (and curlftpfs)
* lftp
Servers:
* vsftpd (can enforce encrypted FTP)
(What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
I'm guessing that when it comes to users who administer their own websites, and do it through FTP rather than the Geocities page builder, it's actually pretty high. This is a group of people that could probably navigate a simple menu to the SSH toggle intuitively. Now, the whole phone-number-PIN rigmarole is an un-necessary headache, but generally this isn't an end-user usability issue, it's an end-user risk assessment issue. They assume that because SFTP is an obscure, buried option, then it's not necessary for their everyday work, and ordinary FTP is sufficient. This leads to the same set of solutions - make SFTP default and bury the ability to disable it, or make it hard for the user not to notice that they can secure the connection - but for different reasons.
No kidding!!! What do you say at this point?
And that's why I bought a Saturn.
Our end users keep asking and referring to FTP, when all they need is a way to transfer files temporarily (especially when the email server doesn't like 2 gig attachments). So we setup a web interface to post files, download them, and autodelete. They have been happy with it since then. What do they call it? The FTP server.
The FTP term has lost its meaning to represent a protocol (which is what the IT staff thinks of it as) vs the end users with think of FTP as a generic term to transfer files.
With SSH you also know you are talking to the right server, not a man-in-the-middle or a DNS hijack.
one of our clients web hosting company was the victim of a similar attack. we were able to trace the attack back to an extremely out of date version of PHP.
check the versions of the software your web hosting company is running.
Switching from FTP to SFTP on the server side is great, in theory, but it's really only a trivial task for people running Unix type operating systems.
SSH isn't an integral part of most Windows operating systems, and nearly all of the well-regarded, commercial FTP servers for Windows have no SFTP support in them.
(I understand the Serv-U FTPD for Windows does support it, but it's an exception to the rule.)
I recently ran into this at my workplace. We've run the commercial WFTPD product (from Texas Imperial software) for years, but I had to get rid of it when our bank started requiring SFTP connections to send us electronic scans of daily check deposits.
Any credentials being stolen is a security Risk. I had some sites on Ipowerweb, which the credentials were stolen. They deny all knowledge of it, but it was the only source of the leak. I tracked this when I moved a site to my own server, but used the same credentials.
Fight Spammers!
I run a linux server that has FTP services on it.I did have an issue a while back where someone's ftp account got cracked, someone uploaded a malicious root kit, then executed it through the web and... BLAMO! I was compromised. Every .html and .php file on the server was over written. I didn't feel like cleaning it up, so I just loaded the back ups on the a clean server and took the compromised one out of production.
But I did make one change on the new server... I upped the security substantially. One of the changes involved enforcing SFTP and discontinuing my FTP services.
For me, all it took was one serious compromise to wake me up. I'm sure for a lot of other people it will be the same.
I just had a flashback to 1999...
Shocking. At 10 O'clock: why telnet should not be used.
A much better test would have been to create the account first in the client, and then infect the computer. How do you know the malware was sniffing the traffic and not capturing the credentials when the account was being created?
The author's personal experience aside, unless customers ask for it, hosting companies will not change it. And customers will not ask for it because most web editing programs have FTP support built in, but not SFTP.
Yes, we tell people to not use FTP (I run a security consulting company), and despite that I see major financial services companies with lots of business-critical processes built around FTP.
Bottom line: there is no business case, until a lot more people get burned.
And then of course there is the minor matters that [a] SFTP is not immune to keyloggers and [b] once you get a trojan like that on your computer, all bets are off.
SSH, SFTP, SCP, FTP, ZMODEM, KERMIT, AND ALL THAT CRAP MEANS NOTHING!
Why? because moron employees surfing for p0rn at work will get a keylogger by accident installed and grab more information then packet sniffers EVER will. Regardless of how well the encryption is the keylogger and malware will trump all measure if employees are careless.
You can get a silent VNC session going and lockout the physical keyboard and mouse and by the time they figure out what has happened you have enough control to grab what you need.
Hell just track the next time they go to amazon.com or any onther online site. Who gives a rats ass about SSL when you are seeing them type in their info?!
FTP vulnerable? No more then your home phone line or cell phone. The problem is and always will be PEOPLE. One they have control of the physical machine all bets are off for ANY security measure.
Arguing protocols being secure or not is like arguing which unloaded gun is more dangerous....
-=[ Who Is John Galt? ]=-
I can't see why they should be considered well-regarded then. That's negligence. Pretty much every Windows FTP client for the last 5 years commercial or otherwise does SFTP now.
Its an amazingly simple protocol, lightweight, and easy to setup and administrate. Concerned about security? Tunnel it with SSH. I think there is a packaged app out there somewhere (sftp?), but really, I tunnel all insecure protocols with SSH, using an incredibly simple, yet powerful app (putty).
Hi, I Boris. Hear fix bear, yes?
My apologies, but you must be new at this if you are just now recognizing the insecurities in ftp. I've did what Sinegubko did on a VM and watched. All I had to do was visit an infected page with IE and the machine was infected. It then 'stole' the bogus ftp passwords I put in a Dreamweaver install and away things went.
Sorry to hear you had a problem, but you really should have known better.
...user gets infected with spyware, is surprised when information is stolen as a result? Y'know, it's called spyware for a reason.
--- Mr. DOS
A rootkit compromises your entire OS by modifying system files and binaries and allowing remote root access. Mucking up the web server files is annoying but hardly in the same league. And more fool you if you ran apache (or whatever) as root. Also if you'd set it up properly you wouldn't have to "clean it up". You'd just rm -rf the web server directory tree and untar from the backup you made the previous night, right?
The reality is, only the kind of people who read this site actually give a damn, and I bet for at least some, it's an academic concern.
Hosting companies don't care.
Server management software vendors (CPanel, etc) don't care.
Other vendors whose software relies on FTP (Dreamweaver, etc) don't care.
Why don't they care? Because retraining users and staff is something on which they can all put a reasonably certain dollar amount, which is almost certainly higher than maintaining the status quo of tedious disclaimers and putting out fires when they erupt.
The average user doesn't care, because they assume that a product or service is reasonably secure, and many of them can't be bothered with any technical details.
I agree, and have for years, that FTP should be unmercifully killed, certainly on public networks. I'm no security zealot, but this is pretty basic stuff.
I send my files in by paper tape sent by a bonded, armed courier.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I have tried to set up an FTPS site.
Even with vsftpd, I was unable to configure it with settings that allowed it to connect with more than 1 different type of client at a time. So far as I can tell, there are a half-dozen different implementation of FTPS out there, none of which are able to interoperate properly.
SFTP is much more standard and well-supported, and more or less just works, and there are various tutorials out there for setting it up.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
SFTP...use it. That or make a torrent and set it so only those given the torrent can access it. Different torrnet programs have different privacy capabilities to allow you to utilize their program to transfer files, securely, from your computer to a specific recipient.
I do not support "The Man". I also do not support your irrational stupidity
If the server's been compromised and it's key stolen and nobody in charge knows it's stolen, all bets are off.
PS: "It's been 4 minutes since you last successfully posted a comment" what happened to only waiting 1-2 minutes between postings?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Once you have discovered you are infected, the ONLY way to be safe is to assume that you have also been infected in at least 100 other, undiscovered, ways.
Security companies like to sell the lie of "buy our product! Be safe! And if something slips through, just hit "delete" and be safe again!" but it really doesn't work like that: If there's one, there's three, and those three turn into a hundred very easily.
The only way to be safe is not "buy some guy's security software" (you're machine's been compromised, how the hell is running something else on the same machine supposed to help??), it's "reformat, treat every backed-up file as compromised". Sad, annoying, true.
In summary: when you found out you were infected, you did the equivalent of nothing at all, then were surprised when a password was stolen several months later.
-- 'The' Lord and Master Bitman On High, Master Of All
tl;dr
I spend a lot of time on working on closed subnets -- ftp is v useful for systems when there's only one or two users with access -- and everything is done in a secure room. Do we really need to sledgehammer of ssh? Admittedly I didn't RTFA (on principle, you understand), so why should everyone be denied ftp when it is not dangerous to all?
get rid of the people
all joking aside, people are people. they are a known quantity. as such, they are the yardstick against which we judge securability, not to which we assign blame. and since this whole intarwebs thing is relatively new, then the obvious answer is we have a long way to go to fix the TECHNOLOGY so that the people in the equation can't cause as much damage as they are now doing
its very easy to blame the lusers. your post means nothing
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Amazing how this article (and so many people responding) seem to be missing the point entirely. The real problem is people using operating systems that are vulnerable to these types of attacks! I don't know about Vista, but even if Linux was ever targeted for this kind of attack/spyware, you would have to run the software as root to enable packet sniffing! And anyone who uses IE for regular browsing and not just local site development is clearly not a competent web developer and has no business working in this industry! Seriously--how can anyone still use IE, FTP, or anything like that in this day and age? I think I stopped using FTP, what...10 years ago now?
The bottom line is that all hosting companies must disable all access to their services via insecure FTP. It's shameful how many companies still use it. I'm in such an isolated bubble, apparently, that I didn't even know this was still going on until recently I had to access a shared web service to migrate a particular client. I was shocked, to say the least! Secure-FTP (over SSL) is not sufficient as it only encrypts things without verifying the authenticity of the host you are connecting to. It's bad enough that people keep using Windows, but since we can't control this, competent sysadmins really need to take the initiative in disabling FTP. Likewise, unencrypted pop3, imap, telnet, or whatever unencrypted services they provide.
Yes. Doesn't TFA write understand that keyloggers will get _ALL_ keystroeks, before they are encrypted for transmission?
I'm sorry. Is this Slashdot? This articles reads like it was written for the idiots, by idiots.
I've only skim read this dross, but it doesn't seem to make any concrete points. It draws attention some stupifyingly obvious security considerations (I wouldn't go as far as to call them bugs), babbles on about Windows spyware and then has a short excerpt from the GoDaddy help (what the fuck?)
What a waste of text, this boils down to 4 things:
1. User chose an easily guessable user/password for FTP.
2. User left user/password for FTP somewhere world readable
3. User got spyware which stole FTP details stored on his machine.
4. MITM attack on FTP session, stealing user/password over the wire. (this one I assumed because it's recommending SFTP without tellings us WHY)
Let me cut this craptastic essay down to size:
Easy to crack passwords get cracked easily.
Spyware steals login credentials.
Hackers can use MITM attacks to intercept data.
People are stupid and sometimes leave login credentials in a public page.
Frankly the editors should be embarrassed.
You feel sleepy. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
ftp vs sftp is not the issue.
using windows to (ftp *or* sftp) vs using a secure platform to (ftp *or* sfp) is the issue.
Switching to use sftp using going to do you any good if you are still working from a windows based client, and your stored passwords will still be stolen by the deluge of crapware that windows is specifically designed to support.
From TFA:
And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP
This is incorrect. A decently-written program will not store your password anywhere, either encrypted or as plaintext. What it will store is a one-way hash of your password. When someone connects, it will compute a hash of the password they entered and compare it to the stored hash. Nowhere in this process is the actual password decrypted.
Rainbow tables allow one to attack these kinds of schemes, but adding salt to passwords basically makes even this impossible.
This may seem to contradict the "DRM is impossible" principle but it does not because the problems are different. For passwords, you only need to prove to me that you know the secret; you don't need to tell me what the secret is. For DRM, the music or movie is the secret, so it has to be revealed: You wouldn't pay iTunes for proof that they know what a certain song sounds like; what you want is the actual song!
No protocol is secure if your side aren't. A keylogger, in your pc, not in the remote site, defeats anything that is password based. Trojans that read or steal configurations of common clients (even ssh certificates) also defeats a lot of usually secure solutions. Even installing software that enables remote administration and not worrying ever about announces of remote vulnerabilities is wrong. When worrying about something that can be accesed in internet, remember that you are in internet too.
Where you should start changing things? replacing the ftp protocol? the ssh protocol? tcp protocol? Start changing yourself, securing your desktop in effective ways (drastically lowering odds switching away from windows could be an start), and how you use it.
graphical ftp is included in windows and mac. graphical sftp is included by default in most linux distros. since it is "so hard" to download filezilla for windows and mac, that could be the final hurdle? why don't they just include a standard graphical sftp client in windows and mac?
ORLY?
WTF BBQ!
TL;DR.
You see? You see? Your stupid minds! Stupid! Stupid!
There are many ways of securing plain ftp
1. FTPS
2. OpenVPN
3. IPSEC (I use transport mode)
4. GSSAPI authentication
Those are just a few.
SFTP is nice but does not have as many features as fanilla FTP
I'm not trying to be a jerk here, but am I the only one who thinks this slashdot posting is total rambling nonsense? It's about 100 times longer than it needs to be. I'm not really even sure what he's talking about.
Basically this guy has discovered that sending data in the clear is bad, so that is why he now thinks FTP is bad. But for some reason he believes that this is a new discovery? I'm confused.
From TFA:
I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer.... So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted
Same goes for keyloggers, by the way. You can look at everything I type and hope you get a password, or you can just intercept FTP, where you know exactly where the password is being sent.
Not that we shouldn't protect against keyloggers, but why would you make it easy?
FTP vulnerable? No more then your home phone line or cell phone.
Not true -- while eavesdropping is probably easier with a phone conversation, man-in-the-middle attacks are much harder. If you said something, I know it was you who said it, because it sounds like you -- whereas with FTP, the server doesn't know if I uploaded the file, or someone in the middle uploaded the file, or someone who stole my password uploaded the file.
You can get a silent VNC session going.... Hell just track the next time they go to amazon.com or any onther online site. Who gives a rats ass about SSL when you are seeing them type in their info?!
Because you have to 0wn me first.
If you don't bother with SSL, then there's no way the user could be careful enough or savvy enough -- the next time they order something from a wireless hotspot, someone else's laptop will automatically pick out their credit card number.
If you do, they suddenly have to not only compromise your machine, but actively watch for you to hit amazon.com, or write a much more complex program that hooks into IE (but what if you're not using IE?) and watch for amazon.com, or search through pages and pages of keylogs.
The problem is and always will be PEOPLE. One they have control of the physical machine all bets are off for ANY security measure.
Both very true. But until the person or the physical machine is compromised, all of these other things mean a good deal more than "nothing".
It sounds very much like you're suggesting that we ignore security and encryption, because it's all futile anyway -- you certainly haven't offered a better approach. Well, you know what? Fuck you and your defeatist attitude. The rest of us will be working to actually make things better.
Don't thank God, thank a doctor!
What I get from this overly long article is the author thinks that simply by not being the same as the herd (the herd being people who use FTP) that increases security.
While there's some truth to this, it's a lot less than you think. Being different in one way doesn't save you from all the other ways you're the same. If someone can install malware on your machine, a keylogger would grab ANYTHING you type in. It's not too hard to parse out all of that for username/passwords. It's like saying having a strange non-standard layout to your house keeps you safe from really dumb burglars that've already broken in.
AccountKiller
FYI for those of you who rely on Dreamweaver you can in fact get it to use SFTP without any addons or tweaks. In the remote info under manage sites, in the advanced tab, selecting ftp up top, you can check Use Secure FTP (SFTP). If you run the server yourself, you want to install openssh, the common package name for which is openssh-server and its conf files may be found in /etc/ssh. If you don't run the server, ask your ISP to fire it up if they haven't already.
This of course won't defend you from getting nailed by a keylogger phoning home... but ditching XP and using nano or emacs on *nix of course would help. Do regular backups just in case -- not just the docroot folder but sql if you use that as well.
Calling out bogus battery capacity claims.
FTP is still fine for providing big files that don't need to be protected by a password. But yes, if you're CHANGING data, raw ftp is usually a bad idea.
If you're uploading files, I heartily recommend using rsync+ssh. It's incredibly fast, since only the files that CHANGED are uploaded, and ssh makes it all secure. It can be a pain to set up on some cheap hosting sites, but I've figured out how to make rsync+ssh work even on some cheap hosting sites. Hope that helps.
- David A. Wheeler (see my Secure Programming HOWTO)
Hi,
I'm Denis Sinegubko. The one quoted in this article.
I want to clarify one thing about how malware steals passwords from webmasters' computers.
TCP traffic sniffing was only one of possible vectors.
However, now I have more proofs that malicious programs just read configuration files and registry settings.
Just check how this trojan steals FTP, email and IM credentials:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147349
I checked programs, installed on my computer and indeed many of them store passwords in _plain text_, not encrypted. And those that encrypt
passwords use very weak algorithms.
FileZilla stores FTP credentials (including passwords) in .xml files in plain text. And this is "by design"! Check this thread:
http://forum.filezilla-project.org/viewtopic.php?f=2&t=12280
So why would malware bother with sniffing traffic or key logging (this activity can be detected by antivirus), when it can simply read everything it needs from files and Windows registry?
That is the real question.
Considering that windows will not natively run ssh, sftp, scp, etc... That leaves millions of site owners with no way to upload content. Unless they want to run cygwin, or pay for programs, and this is all assuming that they are connecting to a *nix server from a windows machine... what do you do on a windows server? IIS? even Apache on a windows server, as far as I know windows servers still tout telnet, ftp, and rtp as the methods of remotely manipulating files. So as it comes down... I still have to blame windows... for once I would like to be able to blame something other than windows, or some Microsoft product... but it seems that I always have to come to the same conclusion.
Please note that the last IIS server or windows server I worked with was a SB2k3 server about 4 years ago, so something may have changed.
42 69 6C 6C 20 47 61 74 65 73 20 69 73 20 61 20 77 68 6F 72 65 21
Why the hell would ANYONE still be using FTP these days? I don't even allow its mere existence on my servers! sftp or scp is fine. Regular old FTP? This is NOT the 80's!
Ruby Neural Evolution of Augmenting Topologies
I don't know about Vista, but even if Linux was ever targeted for this kind of attack/spyware, you would have to run the software as root to enable packet sniffing!
As a service on the local machine perhaps, but thinking that Linux solves everything is a fairly head-in-the-sand approach in itself. There's always:
a) In-transit packet sniffing. Plenty of places between your PC and the destination server for your unencrypted traffic to be sniffed.
b) Local password caches: Plenty of users locally store their passwords for convenience. It's not impossible or even that difficult to pull them. The "wallets" may to some extent work to protect these, but an infected user account could still happily launch a background service that politely asks for the password at a convenient time
c) Config files: Local infected accounts can have local configuration files (firefox, etc) overwritten without the user knowing. Will you notice if your proxy is set to funky server for a few days?
d) Menu items, etc: When you click on the firefox icon, are you really running what you think? What if it's a wrapper with a 3rd-party app? OK, you run from commandline... is your $PATH set to run /usr/bin before "./.hiddenvirusdir/usr/bin" ?
There are PLENTY of ways to compromise a 'nix desktop without root access. Yes, windows is less secure in many ways, but 'nix is far from invulnerable, because at some point it all comes down to the fine balance between security an convenience. My former co-worker and I use to play what was essentially "security wars." We would find fun ways to get into each others systems and muck things up. In the process we learned how easy it is, and migrated some of our practises to the web.
Actually (d) was my favorite, as before I left he asked me "why is it when I sometimes start my firefox it still goes to mylittlepony.com" (or whatever it was I'd set). Other fun tricks include a .tar.bz in a convenience location, sourced when they load a particular app, to overwrite their SSH authorized_keys or some other fun files. Having the data compressed means that they can't grep for expected items
Yes, windows has issues. For the experienced, so does Linux. If fact, short of writing actual trojans or binaries, I generally managed to more easily subvert my friend's 'nix machine more often than our other co-workers windows box.
The solution is so simple, yet people are too dumb to do anything about it properly.
1.) Use OpenBSD's OpenSSH suite for SFTP (not FTPS crap) - be it in OpenBSD, FreeBSD, Linux or even Windows, etc.
2.) For windows clients, there's WinSCP or FileZilla (or PSCP or PSFTP from PuTTY) + PuTTY, PageNT, PuTTYgen,
The trick here to avoid passwords being logged with keyloggers, sniffed, etc. hence, the use of public / private key pairs and an SSH-Agent such.
3.) For *BSD UNIX and Linux systems (and others), there's the OpenSSH suite + ssh-agent(1).
Anonymous, chroot'ed SFTP only accounts and/or chroot'd user accounts are extremely simply to set up and use. Head over to openbsd.org and read the FAQ and man pages.
Enjoy!
1. Protect your computer from malware or your FTP credentials could be swiped. Then they will post junk on your web site.
2. Use FTPS, FTPES, or SFTP instead of straight FTP. It protects you from most or all FTP-credential-swiping malware.
Good lord.
FTPS = FTP over SSL or TLS
SFTP = Totally different protocol from FTP and is unique unto itself. Bears no resemblance to FTP protocol except you are moving files to and from.
FTP over SSH = FTP over SSH where the FTP commands are tunneled inside an SSH session.
FTPS still uses passive ports to push data but FTPS client has to negotiate yet another TLS handshake which means you or the FTPS client has to re-authenticate or chain up the certificate every time a passive port is open. If your firewall allows clients to make passive connections to your FTP server then FTPS will work just fine. From the clients perspective, passive connections are the way to go since the client originates all connections to the server.
There are two modes of operation for FTPS - explicit and implicit. Implicit is weak because you can send you username and password in clear and then secure the connection. It should even be supported by FTPS clients but it is for legacy purposes. Explicit FTPS means right when the FTP connection is made from the client to the server, a TLS handshake and connection is created and then your credentials are passed in. All communications after the AUTH TLS command are secured within the TLS protocol.
There is a LOT of confusion when talking about FTP, SFTP, FTPS, FTP over SSH, or FTP over X.
http://en.wikipedia.org/wiki/FTPS
http://en.wikipedia.org/wiki/File_Transfer_Protocol
it does not go up or down
nor are you immune to it yourself
the idea is indeed to technologically minimize the impact of typical human stupidity
the technology we are talking about here, ftp, the internet, etc, is very much still in its infancy
for you to suggest the technology need not change, and everyone else suddenly become highly technically qualified and proficient, AND become miraculously immune to basic human foibles is quite ridiculous. the article this thread lies under describes a highly knowledgeable user still becoming a victim. do you really wish to assert that the solution to these problems is everyone using a computer become a security expert somehow on the order of six figure technicians working for international banks?
please, get real
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Nice Article. I wonder about a strategy for Hosting Providers that changes to SFTP for just those sites that are affected. Those people who do a poor job of protecting their own pc's should be the ones who you work at minimizing the problem. I don't know if both FTP and SFTP can be supported for the same server, but I would think that they can.
Not sure about the client, but for well over a year now, MS ships an FTPS server with Windows Server 2008. Of course, you said SFTP (SSH FTP), not FTPS (SSL FTP), so maybe that's not good enough.
As someone else pointed out, getting infected with a piece of malware is extremely serious... Not something you can run some automated tool to "clean up"...
Most of the malware i've seen is not just a single infection, it tries to install additional malware too (to decrease the chance of you finding it all, nothing detects every piece of malware) and will often change system configuration to make it intentionally insecure, because none of the anti malware tools will detect if you have a legitimate but old (ie vulnerable) system binary installed, or if you have an insecure configuration such as allowing activex controls to run automatically without prompting. What you need to do is restore the system from known clean media and manually verify any data files you copy back (don't copy back any executable binaries).
Another issue with public shared hosting, is that often the web server runs as a single user, so that all the different sites need to be readable by that user. If one site gets compromised and an attacker gets a shell as the web server user they can read and possibly modify every other user's files... Quite often this will be enough to retrieve database passwords if not more.
Also consider the popular website authoring tools people use, which usually default to FTP and often don't support anything else. If your webhost doesn't support FTP you will lose customers.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
FTP is insecure and shouldn't be used, generally, when there is a password at stake. However, FTP also makes for a very easy and light way to share files to a large group. It's sort of the lowest common demoninator of file transfers. FTP isn't going anywhere, because it's still very useful and resource light compared to other protocols. Which is why companies like HP and Dell use FTP servers to serve up drivers and other software.
In my practice setting up sftp server is a problem due to lack of sftp server software. Yes, there is openssh based sftp server which can do almost nothing.
No sql, no non filesystem quotas, no virtual fs etc.
If there were something like pureftpd or vsftpd supporting sftp...
h0w 4m 3y3 g01ng 2 g3t 4ll my w4r3z mp3z and pr0n n0w?
Terrorists can attack freedom, but only Congress can destroy it.
The other side of the coin is the lawlessness and lack of enforcement of anti-computer crime laws. This is all as much a social, political and legal problem as a technical one.
It's no secret that much of the crime happening online comes from Eastern Europe (particularly, Russia, Ukraine, Romania, Bulgaria), and China. Russia and China in particular, are rabidly anti-West in their outlook. The governments over there think it's funny and cool for legions of bored and greedy kids to rob people and destroy other people's property, so long as they're not Slavs/Chinese.
Of course, the problem is going to get so bad, that the entire generation of criminals they're incubating will start attacking their own countries; but in the meantime, we have what is basically a law enforcement problem (clueless law enforcement), caused by a political problem (clueless and/or hostile foreign governments).
Believe me, if the Russian kids robbing people on the Internet today were actually made to face the consequences of their actions (e.g. chopping trees and dying of AIDS and TB somewhere in Siberia), the problem wouldn't be anywhere near as bad.
The original file with the script tags inserted is here if you want to examine it, but use with caution
Do you also send virus emails to your addressbook so people can examine them? Your site is still blacklisted, and that's a good thing.
Second, every single security "problem" with chroot is based on the root user breaking out. Non-root users cannot break out of a chroot'ed environment. It therefore does add some additional security.
Surely you jest!
It is possible! Ever heard about local root exploits? Just ask the OpenBSD guys, they remember this one.
Then you don't know how to use SSH properly. You need to obtain the public key beforehand
Are there any recognized best practices for SSH public key distribution?
Once upon a time ftp's port usage made a twisted kind of sense but I agree it is time to take old FTP out behind the woodshed and put her down if just for this reason.
Using a key-pair is *so* much easier than remembering 47 different passwords I'm amazed people use anything else.
Have you tried tunneling ftp with it's bizarre two port usage? Tunneling is harder than the average bear can comprehend to begin with but tunneling two ports is silly. sftp which is not just a tunnel is a better way of handling file transfers kinda like a prius is better than a K car.
One major issue with FTP over SSL/TLS is that network address translation (NAT) devices, such as firewalls and load-balancers, that eavesdrop on the FTP control channel in order to open dynamic data ports fail hard with FTPS.
If you use "explicit mode" FTPS, the client negotiates up to FTPS via a standard port 21 connection. After secure authentication, they can issue a 'CCC' (clear control channel) command which backs the control channel back to a NAT compatible mode. Problem is, this is a client side option. It cannot be pushed by the server. So, it is yet another thing that users must be educated over.
If you use "implicit mode" FTPS, which runs up on port 990, negotiation is not an option. You're immediately forced into crypto mode, and you cannot back out either the control or data channel. "Implicit mode" FTPS is incompatible with NAT devices unless you do some seriously nasty hacks.
In my opinion, SFTP (the file transfer subsystem of SSH) is a much better protocol. It does not utilize dynamic ports, and it doesn't involve callbacks (like active FTP) that make firewall rule management a PITA.
Well, here are some benchmarks:
http://jamiew.tumblr.com/post/382844/macfuse-sshfs-vs-webdav-benchmarks
Obviously blocksize makes a difference.
A simple test you can perform: time the copy of a large file over WebDav via HTTPS vs an SCP transfer using the same client+host. (Beware using putty or filezilla on windows as it's slow; at least compared to scp from linux to linux)
WebDav makes sense for subversion as it's built that way, so your other repository users will expect it. But for a plain remote file system, webdav may not be the best for you.
Being a sys admin for a hosting company (a medium sized one), here are some suggestions.
1. FTP passwords - 10 characters, numbers, letters, capitalization, changed every 90 days. I don't use FTP for uploading content, though. :)
2. SCP for uploading files. Can be used with Windows and Linux hosting, using generally much more secure SSH. Also move SSH to a different port (won't stop major scanners, but will keep most script-kiddies off your box).
3. File Permissions. Make sure they are set correctly. i've fixed more Linux boxes with incorrect permissions than I care to count. 755 on directories, 644 on files. Some CMS screw this up, so watch for it.
4. Disable local mail relaying from your boxes. Make all web forms use PHP PEAR to authenticate to a SMTP server to send out mail. Some yahoo that doesn't know how to program a php mail script can cause some major problems.
I recalled SFTP can't do resume downloads and uploads when I last tried it, years ago. So I use good old Z-modem's sz and rz commands through SSH(1-2) connections with SecureCRT clients (wished PuTTY could do it and SyncTERM's Z-modem seems to be broken [never worked correctly]). FTP can do resumes too, but obviously insecured. Are there any other popular/common protocols that will transfers, with resume support, securedly on various platforms (Apple Mac, Windows, and Linux/UNIX)?
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I'm the founder and main admin of a web hosting company and we've been trying to switch people to SSH/SFTP/SCP for many years. We even put an ultimatum on FTP users back in 2006 that by the end of the year, we'd be turning off FTP. You know what happened? Users backlashed and complained that their old antiquated website software like old versions of Dreamweaver or whatever couldn't do SFTP or SCP even though versions that did had been available for a few years. Also, people who came from other hosting companies too us didn't know about more secure protocols and complained when they had to switch away from their old programs that they liked, even if WinSCP works great. So in the interest of keeping customers, we had to leave it on. We've been pushing SSH since the 90s. And I wrote the # 1 ranked SSH tutorial on the net. So how do you think I feel? Its a really annoying problem and it may take several more years before it completely goes away.
On the other hand, there is one thing that I haven't seen available with SSH and that's the ability to have virtual users and let them be created by the parent user. Maybe there is a trick to make it possible in SCP/SFTP, but there are customers out there who need the ability to have sub users who manage parts of their site and so on. Many FTP servers allow this, but SSH does not. So this is another FTP feature that keeps it going.
And while I'm griping about it, it REALLY doesn't help the situation that WinSCP started supporting FTP.
SFTP and SCP do not properly handle symlinks. It only takes one smart-aleck upstream to create a symlink, by any means, and make your SCP or SFTP duplication go _insane_. FTP could at least report these and attempt to handle them properly. Frankly, I prefer rsync over SSH and even WebDAV over HTTPS: WebDAV over HTTPS is built into Microsoft's 'Network Neightborhood' and allows direct cut&paste operations. It's also the underlying technology of Subversion's HTTP access, so it gets some attention to functionality and regular bugreports.
Just like it's time to deprecate the teletype monospaced tag out behind the woodshed and put her down if just for this reason.
Most people don't know How-To use key authentication :-p
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
horray for SFTP! :)
Have you tried not using the visual abortion that is tt ?
Have many groups looked at WebSAV or FTPS (FTP over SSL/TLS) as a replacement for FTP?
1. Encrypted communication, using the industry standard TLS or SSL.
2. WebDAV offers the power and maturity of Apache HTTPD. I believe that several of the mature FTP packages also support FTPS.
3. Apache authentication options include Radius, LDAP, etc. and are generally easy to install, provided you have the infrastructure.
I still mostly use SFTP. However, the design of FTPS looks a little more elegant and standards-compliant.
"Can of worms? The can is open... the worms are everywhere."
Speak for yourself. I'm not a toady!
factor 966971: 966971
sentence.
Is fools logic. It's how salesmen made killings. Let me explain. If you spend time doing something, and have 0 gains, you actually have negative gains because you wasted your time. If you had to milk a cow and bake the cookies, your time might be better spent on something else.
For a recent verizon issue I had,
Upgrade early, and there's a $20 fee, you loose the $100 every two bonus (it restarts from time of upgrade) And you pay the current contract price for the phone. Looking at a $79 phone for the wife & I (one account is eligable, the other is not) What is the cost of upgrading the phone? if you thinkn the "real" cost is $99 you'd be forgetting the $100 bonus you'd get in 2 months.
So the real cost is 2 months to wait for a new phone and 0 upgrade costs, or get the phone right now and spend $200 (100 "real" dollars, and a guaranteed $100 should you wait) If you feel it's worth $100 a month to have a state of the art phone, great for you, but I'm not so sold, and thus I don't care. I'll wait as my income means more to me than that, but that is an exercise for the person in that position. If you're phones broke, what choices do you have?
While the risk is REAL and has value to switch from FTP to SFTP etc... the people who make those decisions have to do a risk/benefit analysis. Small companies won't come out on top (in favor of a switch)as far as security is concerned unless they get hacked 10 times in a row. It's just not economical for them, and so I'm all for setting it to default for all new users, then posting a bulletin to all your customers, along w/ an e-mail and written letter explaining why you did this.
In a some-ways-similar situation, my bank alerted me that a major credit card company had ben compromised and my credit card was on their list. They said you should take this time to change your card. I figured, well, I monitor my account really well, have purchases text me, etc... so I didn't really wory, and felt I may be in a rare position to help authorities catch the criminals. 3 months later, they sent me a letter and changed it anyway, they didn't want the risk.
How much is your data worth? Back it up now.
Anonymous Coward Transfer Protocol - let's just say it involves anonymous cowards, Slashdot posts, and /dev/null.
There, fixed that for ya!
Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
Do I get a medal for reading that thing?
At any rate, railing against FTP is kinda quaint seeing as how there are lots and lots of other ways to intercept the data if you've been pwned.
If you've got a keylogger (or registry scraping malware in the case of Win), it doesn't matter if you're got some outlandish quantum encryption link between machines.
The real story here is:
- Wordpress is insecure, news at 11. Lots of injection attacks happen, interestingly they're disproportionately successful on newer versions of Wordpress.
- Substitute "Wordpress" for your favorite off the shelf blog/forum/cms script.
- If you're on a shared hosting plan and one box/instance/etc at the facility has been pwned, it's likely able to capture data going to other machines/VMs on the same subnet, particularly if you're using a ghetto-tastic shared Win server (there are no other kinds... all shared Win-based hosts suck ass on all fronts due to incompetent administration and terrible cpanels).
- If your workstation has been pwned, your FTP passwords are the least of your concerns. Trust me.
I mean, it's nice that the author decided that the world needs a little bit of edumacation, but the big picture is more important than "FTP bad"
More like you were attacked through one of the many http or sql injection attacks that are constantly being run out there. Which is not to say you aren't right - everything else uses encryption so why not FTP?
But how can you be sure that your first connection was without a MITM?
Usually, because I'm actually physically right next to the machine.
But in a lot of cases where SSH would appear useful, you don't have convenient physical access to the machine. Say you're renting a virtual dedicated server from Go Daddy.[1] Now you probably don't have the money to fly to Go Daddy's datacenter to be right next to a server to which you're trying to connect, nor do you have the money for an international phone call to have the owner read you the key fingerprint over the Plain Old Telephone Service.
In general, I'm working with probability. The fact that I've never had the "somebody nasty" message unexpectedly (that is, when I didn't just reformat or replace a machine), even when I move the same laptop from home, to work, to the airport, and back home, means it would take a truly massive network of people intercepting my packets at every turn, or I'd have at least detected it at some point.
In a lot of cases, the person renting space on a server never connects to the server except from a single connection at home or from a single connection at work.
[1] Replace with another hosting provider.
There, fixed that for you ;)
(Yes, you can put a pass-phrase on your key-pair, but then you're still either at the point of having one password for everything or having 47 key-pairs and 47 passwords ;) )
Maybe people still use FTP rather than SFTP because of firewalls. At work we've got a firewall that blocks all unexpected ports and even does a degree of protocol checking on the expected ports. We're allowed to use the Net for personal use at lunch etc, and we have a proxy for FTP that lets use get at FTP servers, but anything encrypted like SSH/SFTP is right out.
It's probably not just the old legacy apps that don't support the protocols (which people will keep on using once they've bought them if they're expensive for the new ones and it isn't a commercial site) and a lack of knowledge, but sometimes it'll be technical limitations as well. FTP is a nice common denominator that people can rely on more than encrypted stuff.
Yet another dumb death announcement. FTP will be here for years to come, probably long after anyone reading this right now has passed on. Want to announce a death? How about twitter. Only a twit uses twitter. You don't want to be a twit do you?
I didn't know about CompleteFTP before. Just looked at the web site. It sounds pretty full-featured, but I'm not so impressed by the pricing.
$299 for a single sever "professional" license, I could swallow, IF it included unlimited free updates for the life of the product or something. But that "1 year support + updates" thing doesn't do much for me.
I realize it's far cheaper than Serv-U (which wants something like $1000 for an equivalent-featured product with 1 year of support). But that pricing is WAY out of line, IMHO.
You guys selling these Windows FTP servers aren't so much competing against each other, as you are, competing against my cost of putting together a free Linux or BSD server solution instead.
The longer I use one of your product, the more costly it becomes, if "support" has to be constantly re-purchased.... That heavily tilts the value equation towards Linux or BSD.
It isn't easier.
If I had to remember 47 password they would either be so simple that you wouldn't have to steal them. Or there would really only be 3 unique ones. Or they'd all be stored on the computer anyway.
So stealing that one pass phrase and key isn't any easier than stealing 47 passwords.
Plus the advantage that the admin on one of those machine can't tweak the login/passwd/whatever commands and collect a password that will work on some of those other 46 machines.
If your proxy supports https connections, you have ssh access. You might need to run an ssh server on port 443 depending on how tight the proxy is, but most ssh clients now support using an https proxy for connections - basically they just have to issue a 'CONNECT server:port' command to the proxy, and they have a clean line.
"I think it would be a good idea" Gandhi, on Western Civilisation
Unless the bit where they seem to do some kind of protocol sniffing and make sure that HTTP traffic is HTTP traffic gets in the way (so we can't check out SVN over HTTP because it rejects some commands it needs for not being POST or GET). The main corporate network also intercepts HTTPS and accesses the site for you, returning content using its own certificate (if the site is approved), although it doesn't seem to do that on our developer network.
Here is another Blog Post on steps to prevent this type of attack. http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html
A corporate network that intercepts HTTPS traffic breaks HTTPS. The whole point of HTTPS is that it is encrypted point-to-point. If that were the case the browser should be popping up warnings all over the place, since what you have described is the definition of a man-in-the-middle attack.
"I think it would be a good idea" Gandhi, on Western Civilisation
Not when it is a corporate network, they have their own certificate installed in your browser as "auto-approved", and all communication is re-encrypted using that certificate (and so looks like HTTPS) by the proxy server. Yes, it is a MITM attack, but if your certificate is installed and says it is valid for all domains then no browser will complain.