
Forum Moderators: keyplyr & mack

Are you still using Unsecured FTP?

FTP or SFTP or FTPS?

10:34 pm on Mar 22, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


- Then -
File Transfer Protocol (FTP) is a TCP/IP protocol which transfers files between FTP servers and clients (usually your computer). This is what we all used for many years until the web became so malevolent. However, FTP is highly vulnerable to eavesdropping, Man-in-the-Middle attacks & general hacking attempts. The biggest problem with FTP is that the server can only handle usernames and passwords in plain text.

- Now -
File Transfer Protocol Secure (FTPS) and Secure File Transfer Protocol (SFTP)* are interactive file transfer protocols similar in nature to FTP but secure. They encrypt all traffic between the client and the SFTP server. In addition, most FTPS or SFTP clients support additional features such as root access, public key authentication and compression. This is what we all should be using now.

A couple free SFTP programs are:

FileZilla SFTP [filezilla-project.org]

WinSCP SFTP for Windows [winscp.net]

* Many prefer SFTP (over FTPS) because it compresses data into packets, using less bandwidth, making it much faster.

- - -
1:38 am on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14898
votes: 648


Fetch for Mac also supports SFTP. I think at one time it didn't, so for a while I used Fugu.

Memo to self: Change website access default to SFTP. Currently log files require SFTP but site files are still accessible by FTP. The more I think about this, the less sense it makes.
1:43 am on Mar 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4920
votes: 23


SFTP most of the time.

On shared hosts I see them slowly moving/insisting on FTPS or SFTP.

If it's a server with root access I prefer to use rsync.
2:03 am on Mar 23, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 1, 2016
posts:1978
votes: 505


SSH
Mostly using GIT, to track changes and easily move code in increments (just the changed bits).
5:08 pm on Mar 23, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1852
votes: 275


While we're at it, who's still using unsecured POP3, IMAP and SMTP?
8:04 pm on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14898
votes: 648


My email program offers a choice between POP, which eats certain types of mail, and IMAP, which doesn't filter spam. Are you there, Hobson?
8:22 pm on Mar 23, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


I used to run an email server, in fact 3 of them over the years. All the spam filter updates wore me out.

Now I forward all encrypted email from my web server to Gmail, where the handshake is HTTP Strict Transport Security (HSTS) with long duration. Gmail also handles all my aliases without a hiccup.
10:13 pm on Mar 23, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1852
votes: 275


E-mail servers certainly are a pain to set up and maintain, and I was never particularly good at it, so I moved everything over to a great e-mail hosting service a few years back, offering secure protocols and spam filtering, and never looked back. Outgoing mail from the servers goes through SES, which is secure at least in so far as I can control it.

My experience is that many shared hosts do offer secure connections, but people and e-mail clients usually just default to the insecure ones.
10:21 am on Mar 25, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Mar 25, 2018
posts:500
votes: 100


Not using secure FTP, mail protocol, etc. is indirectly against the EU GDPR too, since the GDPR and ePrivacy Directive involve the transmission of data in a secure way. In theory, hosting mails from European citizens on a mail server outside the EU is also against the GDPR / ePrivacy ...
9:41 am on Mar 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 112


I prefer sftp as it works over ssh which I need anyway, so I do not need additional software or ports open on the server. Rsync (which also operates over ssh) where appropriate but most large transfers are through version control (git or mercurial) also over ssh. Finally scp (which also goes over ssh) for transferring single large files (e.g. backups) quickly between remote servers.

Most Linux file managers support sftp, as does most Linux software like text editors, so that is what I use for transferring or managing single small files. There are some cross-platform editors that support ssh and/or sftp (Komodo Edit) as well.
9:52 am on Mar 30, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


I agree. SFTP has many practical advantages over FTPS. FTPS came along first, but I now see SFTP as the choice at most services.
4:05 pm on Mar 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 112


One question: is anyone still using unencrypted FTP (or POP, SMTP, IMAP or anything else)?

This thread really should not be needed.
8:13 pm on Mar 30, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


There are luddites still using Windows 95 that refuse to upgrade.
2:27 pm on Apr 19, 2018 (gmt 0)

New User from CA 

joined:July 9, 2017
posts:39
votes: 2


I have been using "Require explicit FTP over TLS" (through Filezilla on a Linux distro). How does that rate wrt SFTP?
Thanks.
10:27 pm on Apr 19, 2018 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1852
votes: 275


FTP over TLS = FTPS. It's different from SFTP, which is FTP over SSH, but both are secure.
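
Added example, not part of any post in this thread: a small Python audit of FTP control-channel transcripts that shows why the "Require explicit FTP over TLS" setting matters compared with plain FTP or a client that falls back when the server refuses TLS. The transcripts, the account name and the `audit_session` helper are constructed for illustration.

```python
import re

# Constructed control-channel transcripts in client-log style (C: client, S: server).
PLAIN_FTP = """S: 220 FTP server ready
C: USER webmaster
S: 331 Password required
C: PASS example-password
S: 230 Login successful"""

EXPLICIT_FTPS = """S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER webmaster
S: 331 Password required
C: PASS example-password
S: 230 Login successful
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to Private"""

# Client only "prefers" TLS: the server refuses AUTH TLS and the login continues anyway.
FALLBACK = PLAIN_FTP.replace("C: USER", "C: AUTH TLS\nS: 502 Command not implemented\nC: USER", 1)

LINE = re.compile(r"^([CS]): (\S+)(?: (.*))?$")

def audit_session(transcript):
    """Return a list of findings for one FTP control-channel transcript."""
    tls_active = data_private = False
    last_cmd, findings = None, []
    for line in transcript.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        side, word, arg = m.group(1), m.group(2).upper(), (m.group(3) or "").upper()
        if side == "C":
            last_cmd = (word, arg)
            if word in ("USER", "PASS") and not tls_active:
                findings.append(f"{word} sent in cleartext")
        elif last_cmd == ("AUTH", "TLS"):
            tls_active = word == "234"  # 234 = server accepts the TLS upgrade
            if not tls_active:
                findings.append("AUTH TLS refused by server")
            last_cmd = None
        elif last_cmd == ("PROT", "P") and word.startswith("2"):
            data_private = True
    if tls_active and not data_private:
        findings.append("no PROT P: data channel not encrypted")
    return findings
```

A client set to require TLS stops at the refused `AUTH TLS` instead of continuing to `USER`/`PASS`, which is the difference the third transcript illustrates.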
11:49 pm on Apr 19, 2018 (gmt 0)

New User from CA 

joined:July 9, 2017
posts:39
votes: 2


Thanks, robzilla, that is good to know. My hosting company tells me I will have to upgrade my plan to have access to SFTP ... hmmm. At least what I have is not insecure! Thanks again.
8:19 am on Apr 30, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 112


"My hosting company tells me I will have to upgrade my plan to have access to SFTP"


It's OK if you can use FTPS instead. Both are secure.

It sounds to me as though an upgrade would let you have relatively unrestricted ssh access rather than just sftp (which IS ssh, but with a limited login shell that only lets you execute the commands you need for sftp). At least that is the only excuse I can think of for charging more.
11:32 am on Apr 30, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


@Martin - have you tried FileZilla SFTP? It's free (link in 1st post.)

Just download/install on your local machine and connect to your account. Use the same credentials as you have been.
5:07 pm on May 1, 2018 (gmt 0)

New User from CA 

joined:July 9, 2017
posts:39
votes: 2


@graeme_p : You're right, the upgrade does include "SSH access". Not sure what I would do with it all. (More ways to break my own site.)

@keyplyr : In fact, I have downloaded it but not used it yet as I am still trying to rationalize upgrading my account and paying for a *lot* of extras that I don't need just to get the few extras that I want. Life is like this!
7:34 pm on May 14, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


Have the various site building software that include FTP upgraded to SFTP or FTPS?

Has Dreamweaver, Wix, Ethion, Weebly, B12, PageCloud, 1st Page?

How about the CMS like Drupal or WordPress?
7:22 am on May 15, 2018 (gmt 0)

New User

joined:May 1, 2018
posts:2
votes: 0


Can I simply use the SFTP version of Filezilla instead of a regular version of SFTP? Will it work in securing the channel? Or do I need to talk to my host about installing SFTP at their end?
8:50 am on May 15, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


Answered above.
1:37 pm on May 15, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2773
votes: 112


@keyplyr CMSs and services that let you design in the browser would be using http or https rather than ftp or similar.

If any software does not support a secure alternative (ideally both sftp AND ftps) it's simply insecure, the developers are clearly sloppy about security or it's old, and you should stop using it.
2:45 am on May 16, 2018 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12068
votes: 766


Ahhh, thanks graeme_p.

I had assumed CMS edits were done on local machine and uploaded to the server using FTP like other site builder programs.

With the associated backend, it makes sense for edits via HTTP.