Are you still using Unsecured FTP?

FTP or SFTP or FTPS?

         

keyplyr

10:34 pm on Mar 22, 2018 (gmt 0)

- Then -
File Transfer Protocol (FTP) is a TCP/IP protocol which transfers files between FTP servers and clients (usually your computer). This is what we all used for many years until the web became so malevolent. However, FTP is highly vulnerable to eavesdropping, Man-in-the-Middle attacks & general hacking attempts. The biggest problem with FTP is that the server can only handle usernames and passwords in plain text.

- Now -
File Transfer Protocol Secure (FTPS) and Secure File Transfer Protocol (SFTP)* are interactive file transfer protocols similar in nature to FTP but secure. They encrypt all traffic between the client and the SFTP server. In addition, most FTPS or SFTP clients support additional features such as root access, public key authentication and compression. This is what we all should be using now.

A couple free SFTP programs are:

FileZilla SFTP [filezilla-project.org]

WinSCP SFTP for Windows [winscp.net]

* Many prefer SFTP (over FTPS) because it compresses data into packets, using less bandwidth, making it much faster.

- - -

lucy24

1:38 am on Mar 23, 2018 (gmt 0)

Fetch for Mac also supports SFTP. I think at one time it didn't, so for a while I used Fugu.

Memo to self: Change website access default to SFTP. Currently log files require SFTP but site files are still accessible by FTP. The more I think about this, the less sense it makes.

brotherhood of LAN

1:43 am on Mar 23, 2018 (gmt 0)

SFTP most of the time.

On shared hosts I see them slowly moving/insisting on FTPS or SFTP.

If it's a server with root access I prefer to use rsync.

NickMNS

2:03 am on Mar 23, 2018 (gmt 0)

SSH
Mostly using Git, to track changes and easily move code in increments (just the changed bits).

robzilla

5:08 pm on Mar 23, 2018 (gmt 0)

While we're at it, who's still using unsecured POP3, IMAP and SMTP?

lucy24

8:04 pm on Mar 23, 2018 (gmt 0)

My email program offers a choice between POP, which eats certain types of mail, and IMAP, which doesn't filter spam. Are you there, Hobson?

keyplyr

8:22 pm on Mar 23, 2018 (gmt 0)

I used to run an email server, in fact 3 of them over the years. All the spam filter updates wore me out.

Now I forward all encrypted email from my web server to Gmail, where the handshake is HTTP Strict Transport Security (HSTS) with long duration. Gmail also handles all my aliases without a hiccup.

robzilla

10:13 pm on Mar 23, 2018 (gmt 0)

E-mail servers certainly are a pain to set up and maintain, and I was never particularly good at it, so I moved everything over to a great e-mail hosting service a few years back, offering secure protocols and spam filtering, and never looked back. Outgoing mail from the servers goes through SES, which is secure at least in so far as I can control it.

My experience is that many shared hosts do offer secure connections, but people and e-mail clients usually just default to the insecure ones.

Travis

10:21 am on Mar 25, 2018 (gmt 0)

Not using secure FTP, mail protocols, etc. is indirectly against the EU GDPR too, since the GDPR and ePrivacy Directive involve the transmission of data in a secure way. In theory, hosting mails from European citizens on a mail server outside the EU is also against the GDPR / ePrivacy ...

graeme_p

9:41 am on Mar 30, 2018 (gmt 0)

I prefer sftp as it works over ssh which I need anyway, so I do not need additional software or ports open on the server. Rsync (which also operates over ssh) where appropriate but most large transfers are through version control (git or mercurial) also over ssh. Finally scp (which also goes over ssh) for transferring single large files (e.g. backups) quickly between remote servers.

Most Linux file managers support sftp, as does most Linux software like text editors, so that is what I use for transferring or managing single small files. There are some cross-platform editors that support ssh and/or sftp (Komodo Edit) as well.

keyplyr

9:52 am on Mar 30, 2018 (gmt 0)

I agree. SFTP has many practical advantages over FTPS. FTPS came along first, but I now see SFTP as the choice at most services.

graeme_p

4:05 pm on Mar 30, 2018 (gmt 0)

One question: is anyone still using unencrypted FTP (or POP, SMTP, IMAP or anything else)?

This thread really should not be needed.

keyplyr

8:13 pm on Mar 30, 2018 (gmt 0)

There are luddites still using Windows 95 that refuse to upgrade.

Martin Potter

2:27 pm on Apr 19, 2018 (gmt 0)

I have been using "Require explicit FTP over TLS" (through Filezilla on a Linux distro). How does that rate wrt SFTP?
Thanks.

robzilla

10:27 pm on Apr 19, 2018 (gmt 0)

FTP over TLS = FTPS. It's different from SFTP, which is FTP over SSH, but both are secure.
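
Added example (not written by any poster in this thread): a small Python check that reads the readable part of an FTP control-channel transcript and reports whether login commands crossed the wire in plain text, the problem raised in the opening post, or only after a successful AUTH TLS, which is what the explicit FTP over TLS setting asked about above is meant to guarantee. The transcripts, user name and function name are constructed for illustration.

```python
import re

CMD = re.compile(r"^C: *([A-Za-z]+)(?: (.*))?$")    # client command line
REPLY = re.compile(r"^S: *(\d{3})[ -]")             # server reply code

def audit_control_channel(lines):
    """Classify what a passive observer can read on port 21.

    Returns (verdict, findings); verdict is 'exposed', 'protected' or
    'no-login-seen'. After a 234 reply the session continues inside TLS,
    so no further readable lines are expected.
    """
    findings, auth_pending, tls_active = [], False, False
    for line in lines:
        cmd = CMD.match(line)
        if cmd:
            verb, arg = cmd.group(1).upper(), cmd.group(2) or ""
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb in ("USER", "PASS") and not tls_active:
                # Never echo the password itself into a report.
                shown = arg if verb == "USER" else "<redacted>"
                findings.append(f"cleartext {verb} {shown}")
            continue
        reply = REPLY.match(line)
        if reply and auth_pending:
            auth_pending = False
            tls_active = reply.group(1) == "234"
            if not tls_active:
                findings.append(f"AUTH refused with {reply.group(1)}")
    if any(f.startswith("cleartext") for f in findings):
        return "exposed", findings
    return ("protected" if tls_active else "no-login-seen"), findings

# Constructed sample transcripts (not real captures).
PLAIN_FTP = ["S: 220 FTP ready", "C: USER example-user",
             "S: 331 Password required", "C: PASS example-password",
             "S: 230 Logged in"]
EXPLICIT_FTPS = ["S: 220 FTP ready", "C: AUTH TLS",
                 "S: 234 Proceed with negotiation"]
# Client that silently falls back when the server refuses AUTH TLS.
FALLBACK = EXPLICIT_FTPS[:2] + ["S: 502 Command not implemented"] + PLAIN_FTP[1:]

if __name__ == "__main__":
    for name in ("PLAIN_FTP", "EXPLICIT_FTPS", "FALLBACK"):
        print(name, audit_control_channel(globals()[name]))
```

The third transcript is the case worth watching for: the client asked for TLS, the server refused, and the login went ahead in the clear anyway.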

Martin Potter

11:49 pm on Apr 19, 2018 (gmt 0)

Thanks, robzilla, that is good to know. My hosting company tells me I will have to upgrade my plan to have access to SFTP ... hmmm. At least what I have is not insecure! Thanks again.

graeme_p

8:19 am on Apr 30, 2018 (gmt 0)

My hosting company tells me I will have to upgrade my plan to have access to SFTP


It's OK if you can use FTPS instead. Both are secure.

It sounds to me as though an upgrade would let you have relatively unrestricted ssh access rather than just sftp (which IS ssh, but with a limited login shell that only lets you execute the commands you need for sftp). At least that is the only excuse I can think of for charging more.

keyplyr

11:32 am on Apr 30, 2018 (gmt 0)

@Martin - have you tried FileZilla SFTP? It's free (link in 1st post.)

Just download/install on your local machine and connect to your account. Use the same credentials as you have been.

Martin Potter

5:07 pm on May 1, 2018 (gmt 0)

@graeme_p : You're right, the upgrade does include "SSH access". Not sure what I would do with it all. (More ways to break my own site.)

@keyplyr : In fact, I have downloaded it but not used it yet as I am still trying to rationalize upgrading my account and paying for a *lot* of extras that I don't need just to get the few extras that I want. Life is like this!

keyplyr

7:34 pm on May 14, 2018 (gmt 0)

Have the various site building software that include FTP upgraded to SFTP or FTPS?

Has Dreamweaver, Wix, Ethion, Weebly, B12, PageCloud, 1st Page?

How about the CMS like Drupal or WordPress?

dilipcybex

7:22 am on May 15, 2018 (gmt 0)

Can I simply use the SFTP version of Filezilla instead of a regular version of SFTP? Will it work in securing the channel? Or, do I need to talk to my host about installing SFTP at their end?

keyplyr

8:50 am on May 15, 2018 (gmt 0)

Answered above.

graeme_p

1:37 pm on May 15, 2018 (gmt 0)

@keyplyr CMSs and services that let you design in the browser would be using http or https rather than ftp or similar.

If any software does not support a secure alternative (ideally both sftp AND ftps) it's simply insecure, the developers are clearly sloppy about security or it's old, and you should stop using it.

keyplyr

2:45 am on May 16, 2018 (gmt 0)

Ahhh, thanks graeme_p.

I had assumed CMS edits were done on local machine and uploaded to the server using FTP like other site builder programs.

With the associated backend, it makes sense for edits via HTTP.