Slashdot Mirror


User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being stored in plain text files. Despite numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.

17 of 166 comments

  1. This stuff drives me nuts by Anonymous Coward · · Score: 5, Insightful

    When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

    1. Re:This stuff drives me nuts by BenFranske · · Score: 4, Informative

      Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.

    2. Re:This stuff drives me nuts by BenFranske · · Score: 4, Insightful

      A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.

      B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?

      If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?

      All that said, I'm pretty particular about what software can hold passwords of mine, so I've always typed them into Filezilla on an as-needed basis; it seems as if that was a good idea.

    3. Re:This stuff drives me nuts by korgitser · · Score: 2, Funny

      Shrek: Ogres are like onions.
      Donkey: They stink?
      Shrek: Yes. No.
      Donkey: Oh, they make you cry.
      Shrek: No.
      Donkey: Oh, you leave em out in the sun, they get all brown, start sproutin’ little white hairs.
      Shrek: No. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.
      Donkey: Oh, you both have layers. Oh. You know, not everybody like onions.

      --
      FCKGW 09F9 42
    4. Re:This stuff drives me nuts by wolrahnaes · · Score: 4, Interesting

      When someone can read your passwords off your disk, the point of encryption is already moot.

      No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.

      A) FTP is typically plain text anyway so you could just wireshark it

      Depending on user privileges this may not be possible, and would only gather one at a time.

      B) you can replace the binaries and have them emailed any time they are entered

      Depending on user privileges this may not be possible.

      C) you can install a keylogger

      See B

      This "user" could've just as easily encrypted his entire hard drive or user directory. Still wouldn't have helped though.

      No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.

      I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.

      Clearly you're not capable of thinking through security yourself.

      Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.

      If you can't see how huge of a difference that is I don't know what to say.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  2. Good deal by JustAnotherOldGuy · · Score: 5, Insightful

    Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

    As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Good deal by Megane · · Score: 5, Funny

      They're just upholding the proud decades-long tradition of FTP putting everything in the clear.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. OSS working as it should. by 0100010001010011 · · Score: 5, Insightful

    How many OSS projects would benefit from:

    User demands feature.
    Devs refuse feature.
    User forks and adds feature.

    1. Re: OSS working as it should. by tlambert · · Score: 2, Insightful

      The dev is a user; the users are devs.

      And "users who are not devs can go fuck themselves"?

      Because that's kind of what you are saying to non-dev users.

  4. Re:Not "Secure" by Dwedit · · Score: 5, Informative

    Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

  5. IIS Server resume bug by cjellibebi · · Score: 5, Interesting

    Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket, it shows that the developer clearly does not live in the real world.

    Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.

    So is this fork going to address this issue?

    1. Re: IIS Server resume bug by lucm · · Score: 3, Insightful

      Thanks for posting that link, that ticket is pure gold. 7 years of arrogance make for a fascinating 5 minute read.

      The amount of time that developer spent arguing and reclosing that ticket could have been spent solving the problem, but instead he was proud of "making a stand" against a mainstream server product (IIS) that doesn't follow the standard. All he did was alienate users, including potentially me - I don't use Filezilla but moving forward if the need arises I'll choose anything else, I don't want code written by that aspie on my machine.

      It's always a red flag when someone starts using metaphors in a tech discussion, like this guy and his "bridge". Inevitably it leads to a metaphor contest ("no, the river is the protocol", "then the pillars are the implementation", "no, IIS is the truck crossing the river" etc etc). I have a policy of leaving meetings when the discussion gets to metaphors.

      People like that guy are not representative of open source developers, they're representative of *bad* open source developers.

      --
      lucm, indeed.
    2. Re: IIS Server resume bug by thegarbz · · Score: 2

      Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such.

      So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet? If this was some edge case I'd agree with you, as a developer, especially someone working for free/fun you can't fix everything. But if you can't talk to IIS then frankly your website should feature a warning about how poorly your program works.

      It's not like people were asking for a perfect fix. Half of that thread was simply asking for some basic sanity checking on the received content and a warning if the result is expected to be corrupted, rather than waiting a long time only to be disappointed.

      Could you imagine Firefox trying to mimic IE6's rendering?

      You're talking about connecting to a server (bug is out of control of administrators and affects people all over the internet) to some received HTML (a very individual problem).

      Anyway I can imagine it. There was a plugin provided that loaded IE6 in Firefox tabs which I used for many years. This isn't an example of WONTFIX it's an example of a simple workaround that didn't take a crap on user expectations.

      It's not the kind of work you do for fun, it's just a pain in the butt because you're forced to deal with a poor product.

      I'm not sure now if you're talking about Filezilla's developers or Filezilla's users.

  6. Re:Filezilla dev... by goarilla · · Score: 2

    That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.

    It does ... would you trust crypto code commits from someone who got hacked from clicking a simple phishing email?

  7. Re:Filezilla dev... by hey! · · Score: 3, Insightful

    Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...

    If you think you are too smart to get hacked, you are a fool.

    Security is the one place where your very best effort ought to be the norm.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  8. Love Filezilla... by matbury · · Score: 2

    ...but yes, not encrypting login credentials is a major concern for me too. Also, I prefer to use keys rather than passwords wherever possible but more often than not, Filezilla throws up a bunch of bugs that haven't been patched in a long time when I try to use them.

    So yes, the Filezilla devs really need to get their acts together on security.

    BTW, no Filezilla Secure available for Linux yet. Since Linux pretty well has encryption for all things web built in, it's tempting to give up on GUIs and simply do it all from the command line.

  9. And they release a new version every week! by Otis_INF · · Score: 2

    FTP is such an old protocol, after a while you have implemented it properly, and nothing will really change. One would think FileZilla is then pretty stable and won't see new builds often. But they apparently find time to spend on new features almost weekly. Instead of spending the time on bugs in the core point of the tool, namely doing file transfer which actually transfers the file, they spend time on random features in the UI and tacked on crap not needed for transferring files.

    --
    Never underestimate the relief of true separation of Religion and State.