Re: [OT] Long threads, Was: Re: Filezilla a security risk

2012-07-10 Thread Andrei POPESCU
On Du, 08 iul 12, 19:31:48, rjc wrote:
 
 I have been on this list [0] on and off for quite a while now and have
 noticed that certain individuals find it hard to simply be wrong [1]
 and will argue their case just to have the final word.
 
 [0] in a minute I will be corrected that it is a Usenet news group ;^)

Nope, it really is a mailing list that can be read via mail-to-news 
gateways (like gmane).

You didn't expect that, did you? :p

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Filezilla a security risk

2012-07-09 Thread Camaleón
On Sun, 08 Jul 2012 19:48:44 +0200, Markus Schönhaber wrote:

 08.07.2012 19:10, Camaleón:
 
 On Sun, 08 Jul 2012 18:51:59 +0200, Markus Schönhaber wrote:

(...)

 For some definition of purpose, maybe [1] Stating that 587/tcp was
 smtps is simply wrong, because it implies encryption on the network
 layer.
 
  When you replace one standard with another it would be fair to say that
  both share the same essence and are aimed at solving the same
  problem.
 
 That doesn't change the fact that one is encrypted on the network layer
 while the other is not.

Which one, exactly?

 Especially - in contrast to what your statement implied - 587/tcp is not
 encrypted on the network layer.

Yes, it is. Or better put, it can be.

 Which makes the new standard something very different.
 
 To my eyes, not that different in the end.
 
 Yeah.
 Your statement that 587/tcp was smtps is simply wrong. I just corrected
 your wrong statement - nothing more. Why you feel the need to go to a
 great length to convince someone (whoever that might be) that your wrong
 statement was somehow right is completely beyond me.

If you are happy in thinking so I'm not going to try to change your mind. 
Sigh.

Greetings,

-- 
Camaleón


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/jtelt4$sc9$6...@dough.gmane.org



Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-09 Thread Camaleón
On Sun, 08 Jul 2012 20:09:41 +0200, Slavko wrote:

 On Sun, 8 Jul 2012 16:10:27 + (UTC) Camaleón noela...@gmail.com
 wrote:

(...)
 
  SMTPS (and SMTP over SSL/TLS) is standardized as it always has been; what
  happens is that it was updated to use the starttls extension and the older
  RFC was deprecated (but still used in some hosts).
 
  As I wrote earlier, I know the difference, and the major one for me is that SMTP +
  STARTTLS starts unencrypted, but SMTP over SSL is encrypted from the
  start. So STARTTLS is not exactly the same as SMTP over SSL. But
  credentials and message transfers are encrypted in both circumstances.

The thing is that there are no other replacements... yet. 

So what we have now for sending e-mails is the plain, unencrypted port 
(tcp/25) and smtps (or whatever you prefer to call it, smtp over tls?), 
that is, tcp/587 that can take the role of the deprecated tcp/465 
(encryption using a dedicated port).

  And if I understand RFC 6409 properly (after a quick look into it), then the mentioned
  port 587 is not exactly for SMTP over SSL. It is intended for sending
  mail from MUAs and only allows the use of IPsec and other encrypted
  and authenticated tunneling techniques (section 3.3), and in reality one
  can select which will be used. So it is a site/server-dependent
  solution. Am I right?

It's section 7 (Extensions) that makes the difference and, in any case, 
you always depend on the server's exposed capabilities for this.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jteml6$sc9$7...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Slavko
Hi,

On Sun, 8 Jul 2012 00:04:33 -0400 Celejar cele...@gmail.com wrote:

  I use POP3, smtp *and* SSL.  They are not mutually exclusive!!
 
 Of course not - SSL just encapsulates the POP3 and SMTP protocols.

on this point I have one question. What about standards for SMTP &
SSL? By my search, the standard is SMTP + STARTTLS and not SSL + SMTP.

Can someone explain this to me, please? 

regards

-- 
Slavko
http://slavino.sk




Re: Filezilla a security risk

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 08:55:15 +0200, Slavko wrote:

 On Sun, 8 Jul 2012 00:04:33 -0400 Celejar cele...@gmail.com wrote:
 
  I use POP3, smtp *and* SSL.  They are not mutually exclusive!!
 
 Of course not - SSL just encapsulates the POP3 and SMTP protocols.
 
  on this point I have one question. What about standards for SMTP & SSL?
  By my search, the standard is SMTP + STARTTLS and not SSL + SMTP.
  
  Can someone explain this to me, please?

There are different implementations, all of them standardized:

While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of 
specific computer ports, imap, pop3 and smtp using STARTTLS keep the 
same ports as their non-encrypted counterparts (143/110/25) to transmit 
clear-text credentials protected.

When/why using one or another? 

Well, when opening ports is not possible (consider a restricted 
environment) or, as Wikipedia¹ explains, independence and transparency are 
seen as a plus when using this extension.

¹http://en.wikipedia.org/wiki/STARTTLS
  
Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtbsnm$s8h$7...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Slavko
Hi,

On Sun, 8 Jul 2012 11:59:50 + (UTC) Camaleón noela...@gmail.com
wrote:

  By mi search, the standard is SMTP + STARTTLS and not SSL + SMTP.

 There are different implementations, all of them standardized:
 
 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of 
 specific computer ports, imap, pop3 and smtp using STARTTLS keep the 
 same ports as their non-encrypted counterparts (143/110/25) to
 transmit clear-text credentials protected.

if smtps is standardized, then why do I see this:

grep 587 /etc/services 
submission  587/tcp # Submission [RFC4409]
submission  587/udp

but:

grep smtps /etc/services 
ssmtp   465/tcp smtps   # SMTP over SSL

can you please tell me the RFC about SMTPS?

 Well, when opening ports is not possible (consider a restricted 
 environment) or as Wikipedia¹ explains, independency and transparency 
 seen as a plus when using this extension.

I know about the differences between both of the implementations.

regards

-- 
Slavko
http://slavino.sk




Re: Filezilla a security risk

2012-07-08 Thread Markus Schönhaber
08.07.2012 13:59, Camaleón:

 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of 

smtps was defined as 465/tcp. 587/tcp is message submission which does
not provide encryption on the transport layer.

-- 
Regards
  mks


Archive: http://lists.debian.org/4ff99c27.5050...@list-post.mks-mail.de



[OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 16:36:20 +0200, Slavko wrote:

 On Sun, 8 Jul 2012 11:59:50 + (UTC) Camaleón noela...@gmail.com
 wrote:
 
  By mi search, the standard is SMTP + STARTTLS and not SSL + SMTP.
 
  There are different implementations, all of them standardized:
  
  While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
  specific computer ports, imap, pop3 and smtp using STARTTLS keep the
  same ports as their non-encrypted counterparts (143/110/25) to
  transmit clear-text credentials protected.
 
 if smtps is standardized, then why do I see this:
 
 grep 587 /etc/services
 submission587/tcp # Submission [RFC4409] 
 submission587/udp
 
 but:
 
 grep smtps /etc/services
 ssmtp 465/tcp smtps   # SMTP over SSL

You can query for both in one line:

sm01@stt008:~$ grep -e 587 -e 465 /etc/services
submission  587/tcp # Submission [RFC4409]
submission  587/udp
ssmtp   465/tcp smtps   # SMTP over SSL

What is it that you don't like here? The old port could still be there for 
legacy/backward compatibility issues.

 can you please tell me the RFC about SMTPS?

http://en.wikipedia.org/wiki/SMTPS

 Well, when opening ports is not possible (consider a restricted
 environment) or as Wikipedia¹ explains, independency and transparency
 seen as a plus when using this extension.
 
 I know about the differences between both of the implementations.

Fine, but you asked.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtc7dj$s8h$9...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:

 08.07.2012 13:59, Camaleón:
 
 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
 
 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.

They are used for the same purpose (secure smtp) but the former is now 
deprecated. What I did not know is that the new standard can be used 
with or without security (starttls) on the same port.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtc84a$s8h$1...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Erwan David
On 08/07/12 17:14, Camaleón wrote:
 On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:

 08.07.2012 13:59, Camaleón:

 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of
 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.
  They are used for the same purpose (secure smtp) but the former is now 
  deprecated. What I did not know is that the new standard can be used 
  with or without security (starttls) on the same port.

 Greetings,

The ISP Free in France uses smtp-submission, without SSL but with only
CRAM-MD5 and DIGEST-MD5 authentication methods, or smtps with PLAIN/LOGIN.

It is another solution (they explained that their architecture was not
well adapted to starttls, since the smtp sessions and the SSL crypto are
not done by the same servers).


Archive: http://lists.debian.org/4ff9a597.1010...@rail.eu.org

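Erwan's ISP configuration above (CRAM-MD5/DIGEST-MD5 on a submission port without SSL, PLAIN/LOGIN only on smtps) trades transport encryption for a challenge-response mechanism. The following Python is an added example, not code from the thread or from any of the providers mentioned: it implements CRAM-MD5 (RFC 2195) on both the client and the server side and then shows what a passive listener on the unencrypted port can still do with one captured exchange. The challenge, user name and password are the ones from RFC 2195's own worked example; the wordlist is constructed for the demonstration.

```python
"""CRAM-MD5 (RFC 2195) as used for SMTP AUTH on a submission port without
TLS. Added example, not from the thread. The challenge, user and password
are RFC 2195's example values; the wordlist below is constructed."""
import base64
import hmac


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client side: the base64 line sent after the server's '334 <challenge>'.
    The password never appears on the wire, only HMAC-MD5(password, challenge)."""
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response_b64: str, challenge: bytes, lookup_password) -> bool:
    """Server side. Recomputing the HMAC needs the cleartext password (or at
    least the MD5 inner/outer state), so the server cannot keep a salted
    one-way hash the way it could for PLAIN/LOGIN over TLS."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = lookup_password(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return hmac.compare_digest(expected, digest)


def smtp_cram_md5_exchange(user: str, password: str, challenge: bytes):
    """The four wire lines an eavesdropper on tcp/587-without-TLS would see."""
    return [
        "C: AUTH CRAM-MD5",
        "S: 334 " + base64.b64encode(challenge).decode(),
        "C: " + cram_md5_response(user, password, challenge),
        "S: 235 Authentication successful",
    ]


def offline_guess(wire_lines, wordlist):
    """Passive attacker: one captured challenge/response pair is enough for an
    offline dictionary attack, because MD5 is fast and the challenge is the
    only salt. Returns the recovered password or None."""
    challenge = base64.b64decode(wire_lines[1].split(" ", 2)[2])
    _user, digest = base64.b64decode(wire_lines[2][3:]).decode().split(" ", 1)
    for guess in wordlist:
        candidate = hmac.new(guess.encode(), challenge, "md5").hexdigest()
        if hmac.compare_digest(candidate, digest):
            return guess
    return None


# RFC 2195 example values (user "tim", password "tanstaaftanstaaf").
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

if __name__ == "__main__":
    lines = smtp_cram_md5_exchange("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    print("\n".join(lines))
    # Constructed wordlist standing in for a real dictionary.
    print("recovered:", offline_guess(lines, ["password", "letmein", "tanstaaftanstaaf"]))
```

What the exchange protects is only the password, and only up to an offline dictionary attack against a single capture; the envelope and message body still cross the wire in clear, and the server must keep the password in a recoverable form. PLAIN/LOGIN over TLS avoids both problems, which is why the smtps option in Erwan's description is the stronger of the two.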


Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Slavko
Hi,

On Sun, 8 Jul 2012 15:02:11 + (UTC) Camaleón noela...@gmail.com
wrote:

  can you please tell me the RFC about SMTPS?
 
 http://en.wikipedia.org/wiki/SMTPS
 

I never knew that internet standards were controlled by Wikipedia. It is
great, now anybody can create their own standard and nobody needs the IANA or
another international organization!

regards

-- 
Slavko
http://slavino.sk




Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 17:22:35 +0200, Slavko wrote:

 On Sun, 8 Jul 2012 15:02:11 + (UTC) Camaleón noela...@gmail.com
 wrote:
 
  can you please tell me the RFC about SMTPS?
 
 http://en.wikipedia.org/wiki/SMTPS
 
 
 I never knew that internet standards were controlled by Wikipedia. It is
 great, now anybody can create their own standard and nobody needs the IANA
 or another international organization!

?

What Wikipedia explains (and you asked why) about the smtps standard 
is not detailed in the RFC (because RFCs are not the place for long 
dissertations...) but feel free to read the article or to ignore it.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtc97t$s8h$1...@dough.gmane.org



Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Slavko
Hi,

On Sun, 8 Jul 2012 15:33:17 + (UTC) Camaleón noela...@gmail.com
wrote:

 What Wikipedia explains (and you asked why) about the smtps standard 

Reread my initial mail, please. I don't ask why in it, but my English is
poor, so perhaps I wrote it in the wrong manner.

 is not detailed in the RFC (because RFCs are not the place for long 
 dissertations...) but feel free to read the article or to ignore it.

For me it is enough to know that SMTP over SSL was not standardized yet (or
still?). Why and when this happens is not my problem these days.

regards

-- 
Slavko
http://slavino.sk




Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 17:56:21 +0200, Slavko wrote:

 On Sun, 8 Jul 2012 15:33:17 + (UTC) Camaleón noela...@gmail.com
 wrote:
 
 What Wikipedia explains (and you asked why) about the smtps
 standard
 
 Reread my initial mail, please. I don't ask why in it, but my English
 is poor, so perhaps I wrote it in the wrong manner.

The why is not in your first message but in your second post:

if smtps is standardized, then why i see this:
^^^

 is not detailed in the RFC (because RFCs are not the place for long
 dissertations...) but feel free to read the article or to ignore it.
 
 For me it is enough to know that SMTP over SSL was not standardized yet (or
 still?). Why and when this happens is not my problem these days.

SMTPS (and SMTP over SSL/TLS) is standardized as it always has been; what 
happens is that it was updated to use the starttls extension and the older 
RFC was deprecated (but still used in some hosts).

Had you read the Wikipedia article...

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtcbdj$s8h$1...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Henrique de Moraes Holschuh
On Sun, 08 Jul 2012, Markus Schönhaber wrote:
 08.07.2012 13:59, Camaleón:
  While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of 
 
 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.

Yeah, and 465/tcp use for SMTP over SSL was dropped in ~1998[1], and
IANA eventually assigned 465/tcp and 465/udp to other services.  465/tcp
is assigned to URD SSM, and 465/udp to igmpv3lite over UDP.

As usual in things like this, it was a bad move in hindsight: giving up
on port 465 became a drawback about five years later, when the world
started moving past the SSL crap and single-domain-constrained X.509
that existed in 1998 [2], to (still broken) TLSv1.0 and RFC3546, and
later to TLS v1.1+ and RFC 4366.

The same reasoning works for imap and imaps.  Fortunately, nobody gave
up on the 993/tcp imaps port, so it remains assigned to imaps by IANA.
pop3s never had any starttls alternative, and 995/tcp remains assigned
to pop3s.

Now, if ops people were more active on the relevant IETF workgroups, we
might have a TLS port for the submission service, which would help
deployments of hardware TLS endpoints (which is probably the only good
reason to still support port 465 for smtps, actually).

[1] http://www.imc.org/ietf-apps-tls/mail-archive/msg00204.html
[2]
http://www.carbonwind.net/blog/post/A-quickie-for-a-Friday-e28093-a-SSLTLS-timeline.aspx

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20120708162646.gb15...@khazad-dum.debian.net



Re: Filezilla a security risk

2012-07-08 Thread Erwan David
On Sun 8/07/2012, Henrique de Moraes Holschuh said
 
 The same reasoning works for imap and imaps.  Fortunately, nobody gave
 up on the 993/tcp imaps port, so it remains assigned to imaps by IANA.
 pop3s never had any starttls alternative, and 995/tcp remains assigned
 to pop3s.

STLS extension for pop3 is defined by RFC 2595. (I do not know why pop3 
commands always have 4 characters...)

-- 
Erwan


Archive: http://lists.debian.org/20120708163336.ga5...@rail.eu.org



Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Henrique de Moraes Holschuh
On Sun, 08 Jul 2012, Camaleón wrote:
 SMTPS (and SMTP over SSL/TLS) is standardized as it always has been; what 

Actually, at least on port 465, it is deprecated with prejudice as it has
been assigned to something else.

 happens is that it was updated to use starttls extension and the older 
 RFC was deprecated (but still used in some hosts).

It is widely used because of some übercrappy MUAs[1] that screw up when told
to do STARTTLS over port 587, AND because something-over-SSL is friendly to
dumb[2] hardware TLS endpoint gateways, while STARTTLS is not (requires an
application-level proxy running on the TLS gateway).

[1] this mostly includes old versions of certain extremely widely used MS
Windows MUAs.

[2] as in cheaper and much faster, dumb isn't a bad thing in this context

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


Archive: http://lists.debian.org/20120708163632.gc15...@khazad-dum.debian.net



Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 13:36:32 -0300, Henrique de Moraes Holschuh wrote:

 On Sun, 08 Jul 2012, Camaleón wrote:
  SMTPS (and SMTP over SSL/TLS) is standardized as it always has been; what
 
 Actually, at least on port 465, it is deprecated with prejudice as it
 has been assigned to something else.

Yes, but still needed to cope with some corner cases (e.g., 
to support old MUAs).

 happens is that it was updated to use starttls extension and the older
 RFC was deprecated (but still used in some hosts).
 
 It is widely used because of some übercrappy MUAs[1] that screw up when
 told to do STARTTLS over port 587, AND because something-over-SSL is
 friendly to dumb[2] hardware TLS endpoint gateways, while STARTTLS is
 not (requires an application-level proxy running on the TLS gateway).

Yup, exactly ;-(

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtcdc9$s8h$1...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Markus Schönhaber
08.07.2012 17:14, Camaleón:

 On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:
 
 08.07.2012 13:59, Camaleón:

 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use of

 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.
 
  They are used for the same purpose (secure smtp) but the former is now 
  deprecated.

For some definition of purpose, maybe [1]
Stating that 587/tcp was smtps is simply wrong, because it implies
encryption on the network layer.

 What I did not know is that the new standard can be used 
 with or without security (starttls) in the same port.

Which makes the new standard something very different.


[1] For example: MUAs should connect to this port to send outgoing mail.

-- 
Regards
  mks



Archive: http://lists.debian.org/4ff9baaf.5060...@list-post.mks-mail.de



Re: Filezilla a security risk

2012-07-08 Thread Camaleón
On Sun, 08 Jul 2012 18:51:59 +0200, Markus Schönhaber wrote:

 08.07.2012 17:14, Camaleón:
 
 On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:
 
 08.07.2012 13:59, Camaleón:

 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use
 of

 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.
 
  They are used for the same purpose (secure smtp) but the former is now
  deprecated.
 
 For some definition of purpose, maybe [1] Stating that 587/tcp was
 smtps is simply wrong, because it implies encryption on the network
 layer.

When you replace one standard with another it would be fair to say that 
both share the same essence and are aimed at solving the same problem.

Moreover, the fact that it can also use encryption is what makes it 
interesting, because for non-encrypted communication there's already smtp 
(tcp/25), so the new standard (RFC 6409) can be seen as the successor of 
the old smtps.

 What I did not know is that the new standard can be used with or
 without security (starttls) in the same port.
 
 Which makes the new standard something very different.

To my eyes, not that different in the end.

 [1] For example: MUAs should connect to this port to send outgoing mail.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jtcetj$s8h$1...@dough.gmane.org



Re: Filezilla a security risk

2012-07-08 Thread Markus Schönhaber
08.07.2012 19:10, Camaleón:

 On Sun, 08 Jul 2012 18:51:59 +0200, Markus Schönhaber wrote:
 
 08.07.2012 17:14, Camaleón:

 On Sun, 08 Jul 2012 16:41:43 +0200, Markus Schönhaber wrote:

 08.07.2012 13:59, Camaleón:

 While imaps (tcp/993), pop3s (tcp/995) and smtps (tcp/587) make use
 of

 smtps was defined as 465/tcp. 587/tcp is message submission which does
 not provide encryption on the transport layer.

  They are used for the same purpose (secure smtp) but the former is now
  deprecated.

 For some definition of purpose, maybe [1] Stating that 587/tcp was
 smtps is simply wrong, because it implies encryption on the network
 layer.
 
  When you replace one standard with another it would be fair to say that 
  both share the same essence and are aimed at solving the same problem.

That doesn't change the fact that one is encrypted on the network layer
while the other is not.
Especially - in contrast to what your statement implied - 587/tcp is not
encrypted on the network layer.

 Which makes the new standard something very different.
 
 To my eyes, not that different in the end.

Yeah.
Your statement that 587/tcp was smtps is simply wrong. I just corrected
your wrong statement - nothing more. Why you feel the need to go to a
great length to convince someone (whoever that might be) that your wrong
statement was somehow right is completely beyond me.

-- 
Regards
  mks


Archive: http://lists.debian.org/4ff9c7fc.1000...@list-post.mks-mail.de



Re: [OT] IANA ports (was: Filezilla a security risk)

2012-07-08 Thread Slavko
Hi,

On Sun, 8 Jul 2012 16:10:27 + (UTC) Camaleón noela...@gmail.com
wrote:

 The why is not in your first message but in your second post:
 
 if smtps is standardized, then why i see this:

Oh, yes. My misunderstanding, I am sorry.

  is not detailed in the RFC (because RFCs are not the place for long
  dissertations...) but feel free to read the article or to ignore it.
  
  For me is enough to know that SMTP over SLL was not standardized yet
  (or still?). Why and when this happens is not my problem in these days.
 
 SMTPS (and SMTP over SSL/TLS) is standardized as it always has been; what 
 happens is that it was updated to use the starttls extension and the older 
 RFC was deprecated (but still used in some hosts).

As I wrote earlier, I know the difference, and the major one for me is that SMTP +
STARTTLS starts unencrypted, but SMTP over SSL is encrypted from the start.
So STARTTLS is not exactly the same as SMTP over SSL. But credentials and
message transfers are encrypted in both circumstances.

And if I understand RFC 6409 properly (after a quick look into it), then the mentioned port
587 is not exactly for SMTP over SSL. It is intended for sending
mail from MUAs and only allows the use of IPsec and other encrypted and
authenticated tunneling techniques (section 3.3), and in reality one can
select which will be used. So it is a site/server-dependent solution. Am
I right?

regards

-- 
Slavko
http://slavino.sk



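The distinction Slavko draws above (SMTP + STARTTLS starts unencrypted on tcp/587, SMTP over SSL on tcp/465 is encrypted from the first byte), together with Markus's point earlier in the thread that tcp/587 by itself provides no transport-layer encryption, comes down to one decision in the mail client: when is it safe to send AUTH? The following Python is an added example, not code from the thread or from any of the mail servers or MUAs discussed. The server is a scripted stand-in, the TLS handshake is modelled by a flag rather than performed, and the host names (mx.example.test, client.example.test) and the user name and password are made up. It shows the fail-closed check a client needs against STARTTLS stripping, and the second EHLO after STARTTLS that RFC 3207 requires.

```python
"""tcp/587 with STARTTLS versus tcp/465 with implicit TLS, seen from the
client. Added example, not from the thread; the server is a scripted
stand-in and "TLS" is a flag, not a real handshake. All names are made up."""
import base64
import re

EHLO_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply: str):
    """Parse a multi-line EHLO reply into (ok, set of extension keywords).

    The first 250 line carries the server's hostname, the rest carry one
    extension each ('250-STARTTLS', '250 AUTH PLAIN LOGIN'). Only the final
    line uses '250 ' as separator; anything else is not a success reply.
    """
    lines = reply.strip().splitlines()
    caps = set()
    for i, line in enumerate(lines):
        m = EHLO_LINE.match(line)
        if m is None:
            return False, set()
        sep, text = m.groups()
        if i > 0 and text:
            caps.add(text.split()[0].upper())
        if (sep == " ") != (i == len(lines) - 1):
            return False, set()
    return bool(lines), caps


class ScriptedServer:
    """Stand-in for a submission server. strip_starttls=True models an active
    attacker deleting the STARTTLS line from the EHLO reply, the classic
    downgrade against opportunistic TLS."""

    def __init__(self, strip_starttls=False):
        self.strip_starttls = strip_starttls
        self.encrypted = False     # becomes True once TLS is "in place"
        self.cleartext_log = []    # every command an eavesdropper could read

    def banner(self):
        return "220 mx.example.test ESMTP\r\n"

    def handle(self, cmd):
        if not self.encrypted:
            self.cleartext_log.append(cmd)
        verb = cmd.split()[0].upper()
        if verb == "EHLO":
            lines = ["250-mx.example.test"]
            if not self.encrypted and not self.strip_starttls:
                lines.append("250-STARTTLS")
            lines.append("250-AUTH PLAIN LOGIN")   # lax: offered even in clear
            lines.append("250 8BITMIME")
            return "\r\n".join(lines) + "\r\n"
        if verb == "STARTTLS" and not self.encrypted:
            self.encrypted = True                  # real TLS handshake goes here
            return "220 Ready to start TLS\r\n"
        if verb == "AUTH":
            return "235 Authentication succeeded\r\n"
        return "500 Unknown command\r\n"


def submit_credentials(server, user, password, implicit_tls=False):
    """Authenticate the way a careful MUA should: credentials only ever travel
    over the encrypted channel, and the capabilities are re-read after
    STARTTLS (RFC 3207 tells the client to discard the pre-TLS ones)."""
    if implicit_tls:
        server.encrypted = True    # tcp/465: TLS before the first SMTP byte
    if not server.banner().startswith("220"):
        return {"authenticated": False, "reason": "bad banner"}
    ok, caps = parse_ehlo(server.handle("EHLO client.example.test"))
    if not ok:
        return {"authenticated": False, "reason": "EHLO rejected"}
    if not server.encrypted:
        if "STARTTLS" not in caps:
            # Fail closed: a missing keyword looks the same as an attack.
            return {"authenticated": False, "reason": "STARTTLS not offered"}
        if not server.handle("STARTTLS").startswith("220"):
            return {"authenticated": False, "reason": "STARTTLS refused"}
        ok, caps = parse_ehlo(server.handle("EHLO client.example.test"))
    if not ok or "AUTH" not in caps:
        return {"authenticated": False, "reason": "no AUTH after TLS"}
    token = base64.b64encode(b"\0%s\0%s" % (user.encode(), password.encode()))
    reply = server.handle("AUTH PLAIN " + token.decode())
    return {"authenticated": reply.startswith("235"), "reason": reply.strip()}


if __name__ == "__main__":
    scenarios = [("starttls", ScriptedServer(), {}),
                 ("stripped", ScriptedServer(strip_starttls=True), {}),
                 ("implicit", ScriptedServer(), {"implicit_tls": True})]
    for name, srv, kw in scenarios:
        result = submit_credentials(srv, "alice", "s3cret", **kw)
        print(name, result, "in clear:", srv.cleartext_log)
```

The scripted server advertises AUTH even before TLS, as lax real servers do, so the decision not to use it rests entirely with the client; the three scenarios in the main block show credentials reaching the wire only after STARTTLS, never at all when STARTTLS has been stripped, and without any cleartext SMTP at all on the implicit-TLS port.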

[OT] Long threads, Was: Re: Filezilla a security risk

2012-07-08 Thread rjc
On Sun, Jul 08, 2012 at 06:48:44PM BST, Markus Schönhaber wrote:
 Yeah.
 Your statement that 587/tcp was smtps is simply wrong. I just corrected
 your wrong statement - nothing more. Why you feel the need to go to a
 great length to convince someone (whoever that might be) that your wrong
 statement was somehow right is completely beyond me.

I have been on this list [0] on and off for quite a while now and have
noticed that certain individuals find it hard to simply be wrong [1]
and will argue their case just to have the final word.

[0] in a minute I will be corrected that it is a Usenet news group ;^)
[1] or not always be 100% right

Regards,
-- 
rjc


Archive: http://lists.debian.org/20120708183148.ga2...@linuxstuff.pl



Re: Filezilla a security risk

2012-07-07 Thread Lisi
On Monday 02 July 2012 00:08:52 Celejar wrote:
 On Fri, 29 Jun 2012 15:13:13 + (UTC)

 Camaleón noela...@gmail.com wrote:
  Anyway, aren't most of us still using plain pop3 and smtp connections
  with no message encryption at all? Who are we blaming? ;-)

 We are? I can't speak for anyone else, but all my mail accounts (I
 use Gmail and Lavabit) use SSL (ports 995 / 465) for incoming and
 outgoing mail.

I use POP3, smtp *and* SSL.  They are not mutually exclusive!!

Lisi



Archive: http://lists.debian.org/201207072127.38523.lisi.re...@gmail.com



Re: Filezilla a security risk

2012-07-07 Thread Celejar
On Sat, 7 Jul 2012 21:27:38 +0100
Lisi lisi.re...@gmail.com wrote:

 On Monday 02 July 2012 00:08:52 Celejar wrote:
  On Fri, 29 Jun 2012 15:13:13 + (UTC)
 
  Camaleón noela...@gmail.com wrote:
   Anyway, aren't most of us still using plain pop3 and smtp connections
   with no message encryption at all? Who are we blaming? ;-)
 
  We are? I can't speak for anyone else, but all my mail accounts (I
  use Gmail and Lavabit) use SSL (ports 995 / 465) for incoming and
  outgoing mail.
 
 I use POP3, smtp *and* SSL.  They are not mutually exclusive!!

Of course not - SSL just encapsulates the POP3 and SMTP protocols.

 Lisi

Celejar


Archive: http://lists.debian.org/20120708000433.372b2be0.cele...@gmail.com



Re: Filezilla a security risk

2012-07-02 Thread Camaleón
On Sun, 01 Jul 2012 19:08:52 -0400, Celejar wrote:

 On Fri, 29 Jun 2012 15:13:13 + (UTC) Camaleón noela...@gmail.com
 wrote:
 
 Anyway, aren't most of us still using plain pop3 and smtp connections
 with no message encryption at all? Who are we blaming? ;-)
 
 We are? I can't speak for anyone else, but all my mail accounts (I use
 Gmail and Lavabit) use SSL (ports 995 / 465) for incoming and outgoing
 mail.

Good boy :-)

I'm also using Gmail (still, yes...) with pop3s/smtps but Gmail is only 
one of the mailboxes I have to command. For the rest of them (99%) 
there's a mix of non-secured/secured at a 3/1 ratio.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jssbgo$4gd$4...@dough.gmane.org



Re: Filezilla a security risk

2012-07-01 Thread Celejar
On Fri, 29 Jun 2012 15:13:13 + (UTC)
Camaleón noela...@gmail.com wrote:

 Anyway, aren't most of us still using plain pop3 and smtp connections 
 with no message encryption at all? Who are we blaming? ;-)

We are? I can't speak for anyone else, but all my mail accounts (I
use Gmail and Lavabit) use SSL (ports 995 / 465) for incoming and
outgoing mail.

Celejar


Archive: http://lists.debian.org/20120701190852.6ac28c32.cele...@gmail.com



Re: Filezilla a security risk

2012-07-01 Thread Istimsak
I am one of those guilty parties still using the no encryption setting.

Celejar cele...@gmail.com wrote:

On Fri, 29 Jun 2012 15:13:13 + (UTC)
Camaleón noela...@gmail.com wrote:

 Anyway, aren't most of us still using plain pop3 and smtp connections 
 with no message encryption at all? Who are we blaming? ;-)

We are? I can't speak for anyone else, but all my mail accounts (I
use Gmail and Lavabit) use SSL (ports 995 / 465) for incoming and
outgoing mail.

Celejar


Archive: http://lists.debian.org/20120701190852.6ac28c32.cele...@gmail.com



Re: Filezilla a security risk

2012-06-30 Thread Camaleón
On Fri, 29 Jun 2012 21:03:58 +0200, Denis Witt wrote:

(...)

 and hey, it's open source! You can hire a programmer, make a fork
 (FileZilla-S for secure) and add all the enhancements you want ;-
 
 Forking a program for a single little feature doesn't make a lot of
 sense to me. 

If you value so much that feature and you really like the application, 
why not?

 Either you will have to patch the upstream version every now and then
 or you end up with a Fork that doesn't get any new features, also it
 might confuses some users.

Then move on :-)

But remember this is very common for other programs. In Windows 
systems, for instance, the login credentials of many applications remain 
stored accessible from the registry, so no gain here. In the Linux 
ecosphere, as I already mentioned (i.e., mutt, the ssl keys and another 
one I remember is phpmyadmin when using a certain auth type), the same 
happens.

I wonder if a feasible approach to store credentials in clear text for 
FileZilla would be using something like the gnome-keyring or a similar 
implementation for the different OSes or linux boxes, although of course, 
this would add additional drawbacks.

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jsmga9$djv$3...@dough.gmane.org



Re: Filezilla a security risk

2012-06-30 Thread Denis Witt

Camaleón wrote:

 and hey, it's open source! You can hire a programmer, make a
 fork (FileZilla-S for secure) and add all the enhancements you
 want ;-)
 Forking a program for a single little feature doesn't make a lot
 of sense to me.

 If you value so much that feature and you really like the
 application, why not?

I didn't. It's more that I dislike the attitude of some developers (in
general) saying that they don't have to care about uninformed users who
misconfigure their systems or even don't know how to protect themselves.

At least they should inform the user that saving passwords is insecure.

 I wonder if a feasible approach to store credentials in clear text
 for FileZilla would be using something like the gnome-keyring or a
 similar implementation for the different OSes or linux boxes,
 although of course, this would add additional drawbacks.

I like how MacOS handles this, nearly every application designed for
MacOS is using the built-in Keychain. Of course, if the keychain tool
isn't secure this is a big problem.

Bye.


-- 
Archive: http://lists.debian.org/4feed8b4.6000...@concepts-and-training.de



Re: Filezilla a security risk

2012-06-30 Thread Camaleón
On Sat, 30 Jun 2012 12:45:08 +0200, Denis Witt wrote:

 Camaleón schrieb:
 
 and hey, it's open source! You can hire a programmer, make a fork
 (FileZilla-S for secure) and add all the enhancements you want ;-)
 Forking a program for a single little feature doesn't make a lot of
 sense to me.
 
 If you value so much that feature and you really like the application,
 why not?
 
 I didn't. It's more that I dislike the attitude of some developers (in
 general) saying that they don't have to care about uninformed users who
 misconfigure their systems or even don't know how to protect themselves.
 
 At least they should inform the user that saving passwords is insecure.

If currently there's no indication in their docs about the settings 
being stored in clear text (login and password) you can open a wishlist 
bug report at FileZilla site for that.

It's easy to blame devels (and forget the next day) but users can also 
contribute with these little things.

 I wonder if a feasible approach to store credentials in clear text for
 FileZilla would be using something like the gnome-keyring or a similar
 implementation for the different OSes or linux boxes, although of
 course, this would add additional drawbacks.
 
 I like how MacOS handle this, nearly every application designed for
 MacOS is using the built in Keychain. Of course, if the keychain tool
 isn't secure this is a big problem.

That's similar to what GNOME keyring does and you can also use an 
insecure keyring by removing the password and exposing the stored 
credentials as plain text but of course, that's up to the user and how he/
she wants to manage the login information.

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jsmnpc$djv$8...@dough.gmane.org



Re: Filezilla a security risk

2012-06-30 Thread Claudius Hubig
Hello Camaleón,

Camaleón noela...@gmail.com wrote:
 On Sat, 30 Jun 2012 12:45:08 +0200, Denis Witt wrote:
  I like how MacOS handle this, nearly every application designed for
  MacOS is using the built in Keychain. Of course, if the keychain tool
  isn't secure this is a big problem.
 
 That's similar to what GNOME keyring does and you can also use an 
 insecure keyring by removing the password and exposing the stored 
 credentials as plain text but of course, that's up to the user and how he/
 she wants to manage the login information.

And if FileZilla wanted to make use of this possibility, they would have to
(let me check the list of supported platforms):

- Support the Gnome keyring
- Support KWallet (KDE)
- Support this MacOS thingy
- Think about something for Windows

and someone would still decide that their favourite environment™ is
missing and complain about FileZilla being a security problem.

Sure, all that can be done, but it is certainly not the job of an
application to secure user data, that’s the job of the OS.

Best regards,

Claudius


-- 
You should go home.
http://chubig.net  telnet nightfall.org 4242




Re: Filezilla a security risk

2012-06-30 Thread Camaleón
On Sat, 30 Jun 2012 13:46:30 +0200, Claudius Hubig wrote:

 Hello Camaleón,
 
 Camaleón noela...@gmail.com wrote:
 On Sat, 30 Jun 2012 12:45:08 +0200, Denis Witt wrote:
  I like how MacOS handle this, nearly every application designed for
  MacOS is using the built in Keychain. Of course, if the keychain tool
  isn't secure this is a big problem.
 
 That's similar to what GNOME keyring does and you can also use an
 insecure keyring by removing the password and exposing the stored
 credentials as plain text but of course, that's up to the user and how
 he/ she wants to manage the login information.
 
 And if FileZilla wanted to make use of this possibility, they had to
 (let me check the list of supported platforms):
 
 - Support the Gnome keyring
 - Support KWallet (KDE)
 - Support this MacOS thingy
 - Think about something for Windows
 
 and someone would still decide that their favourite environment™ is
 missing and complain about FileZilla being a security problem.

Even more, should FileZilla credentials finally benefit from any of those 
methods, there will still be users who complain because they want to run 
the Filezilla client from an external USB drive in stand-alone mode.

As I said, a computer's worst enemy is the user :-)

 Sure, all that can be done, but it is certainly not the job of an
 application to secure user data, that’s the job of the OS.

Sure, and when there is no OS in place (e.g., when you remove the hard 
disk and connect it to another system) you have to ensure your data is 
protected and only hard disk encryption can prevent this scenario because 
even if the passwords are encrypted they can still be cracked.

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jsn3cj$djv$1...@dough.gmane.org



Re: Filezilla a security risk

2012-06-29 Thread Andrei POPESCU
On Vi, 29 iun 12, 13:16:25, Richard Hector wrote:
 On 29/06/12 11:26, Denis Witt wrote:
   If your account is hosed, well, go to their second argument: 2.
   don't get the malware in the first place ;-)
 Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
 brakes please. I don't need them anymore.
 
 That's the wrong way round. I have brakes and drive safely, so an
 airbag isn't essential. Which isn't to say I'd get it removed if I
 had one.

+1

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

On 29.06.2012 03:16, Richard Hector wrote:

   If your account is hosed, well, go to their second argument: 2.
   don't get the malware in the first place ;-)
  
  Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
  brakes please. I don't need them anymore.
 
 That's the wrong way round. I have brakes and drive safely, so an airbag
 isn't essential. Which isn't to say I'd get it removed if I had one.

Maybe, seat belts are also not essential, but in many countries the 
usage is mandatory, for a good reason.

So my argument is still valid. It is good to have as much security as 
you can get as long as performance and comfort are still fine.


Bye.


--

Archive: http://lists.debian.org/4fed752b.20...@concepts-and-training.de



Re: Filezilla a security risk

2012-06-29 Thread Linux-Fan
On 06/27/2012 09:26 PM, francis picabia wrote:
 I've just learned Filezilla is a security risk.  It stores saved
 passwords and the last used password in a plain text file.
 
 Malware commonly scoops up this info and hacks web sites
 or shell accounts.
 
 The developer refuses to incorporate a solution
 such as master password and encryption into filezilla.
 
 His responses in numerous bug reports and feature requests are:
 
 1. encryption: that's the file system's job
 2. don't get the malware in the first place
 
 In my opinion, people should avoid filezilla.

Thank you for your warning. I immediately switched to gftp because
storing passwords unencrypted violates my security standards.


-- 
Archive: http://lists.debian.org/4fedab92.8080...@web.de



Re: Filezilla a security risk

2012-06-29 Thread francis picabia
The posts about how there are other risks from malware and keyloggers
are true enough.  I never claimed that avoiding filezilla would make the Windows
system secure.  But if you have your doors and windows open, and want
to reduce the chance of theft, then I'd say filezilla is like a patio
door wide open on the scale of opportunities and the prevalence of the exploit.

The prevalence of a risk and the ease of executing the exploit
is what matters first.  Whether it is possible to do
something else matters, but less.  The greatest risk
is with what is currently happening in high frequency and has
a high likelihood of reoccurring.  Debian Security Advisory
doesn't have this, but Redhat and Malware advisories rank
threats in terms of ease of execution, popularity in the wild
and severity of the damage which could result.

In my work place, people have thanked me for this warning.  Even IT
people who work Information Systems are glad to know of this risk and
did not know of it before.

In the workplace, people use Windows and Unix.  They do not have
the luxury of being as dogmatic as some Linux users.  They are
mostly interested in working practically.


-- 
Archive: 
http://lists.debian.org/CA+AKB6HRWca7xrB7YRD3i4=fvyhusg74hmcj7ckgtx2wxek...@mail.gmail.com



Re: Filezilla a security risk

2012-06-29 Thread Camaleón
On Fri, 29 Jun 2012 01:26:08 +0200, Denis Witt wrote:

 If your account is hosed, well, go to their second argument: 2. don't
 get the malware in the first place ;-)
 
 Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
 brakes please. I don't need them anymore.

- The engineer has to decide *what* to add and *what* to remove.
- The manufacturer has to decide if it wants to sell *that kind* of car.
- The customer has to decide if he/she wants to buy *that* car.

There are many things to watch in the chain. And yes, brakes -as we know 
today- do become obsolete sooner or later, such is life.

 The ONLY reason why Linux based systems haven't got such a problem with
 malware is that there are not enough Desktop machines to make this a
 good target. Often enough there are security holes which allow you to
 take control over the entire machine. And that's fine as it is complex
 software.

True, but what's your point here?

Should my Debian system become cracked or infected by any kind of threat 
I would worry more about my usual files and not the settings for 
Filezilla. I mean, nothing new here, security is a multi-edged sword.

 But if you can easily add some more security layers without losing too
 much performance and/or usability you should always do that.

Maybe... but you'll get a false impression of protection that can be even 
more harmful as you'll relax your security notion.

 Storing unhashed and unsalted or unencrypted passwords is simply stupid.
 Ask the guys at last.fm. ;)

Again, there are files in my servers (e.g., ssl keys) and also my Mutt 
configuration file (that holds my e-mail account password) which are 
stored in cleartext. So...? Do you want us to remove the ethernet 
cord? ;-)

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jskc6a$68h$4...@dough.gmane.org



Re: Filezilla a security risk

2012-06-29 Thread Roger B.A. Klorese

On 6/29/12 6:56 AM, Camaleón wrote:
 Should my Debian system become cracked or infected by any kind of 
 threat I would worry more about my usual files and not the settings for 
 Filezilla. I mean, nothing new here, security is a multi-edged sword.



Really? I'm far more concerned about my credentials for foreign sites 
than I am for any other information I store locally.



--

Archive: http://lists.debian.org/4fedb501.1080...@queernet.org



Re: Filezilla a security risk

2012-06-29 Thread Lisi
On Friday 29 June 2012 10:28:11 Denis Witt wrote:
 I have brakes and drive safely, so an airbag

  isn't essential.

And do all the speed louts see you coming and say: "We mustn't overtake on 
this blind corner.  The driver coming towards me on what is now the same side 
of the road as I am on is a good driver.  I must backtrack in time and not 
overtake because good drivers don't have accidents."?  I consider all the 
modern improvements in safety essential, and with each of them have been an 
early adopter.

Lisi


-- 
Archive: http://lists.debian.org/201206291502.53486.lisi.re...@gmail.com



Re: Filezilla a security risk

2012-06-29 Thread Camaleón
On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:

 On 6/29/12 6:56 AM, Camaleón wrote:
 Should my Debian system become cracked or infected by any kind of
 threat I would worry more about my usual files and not the settings for
 Filezilla. I mean, nothing new here, security is a multi-edged sword.
 
 
 Really? I'm far more concerned about my credentials for foreign sites
 than I am for any other information I store locally.

Yes, really.

The information I can store in my systems is by far more important than 
the passwords for my FTP sites. In the end, it only affects the FTP 
credentials, not databases or root accounts... because you aren't logging 
in as root for your FTP sessions, right? ;-)

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jskdhm$68h$7...@dough.gmane.org



Re: Filezilla a security risk

2012-06-29 Thread Roger B.A. Klorese
My root credentials for my local machine aren't stored in plaintext. And if the 
local machine is compromised, the critical threat is its use as a zombie, not 
any info that's on it. There simply isn't any confidential data. 

Sent from my iPhone

On Jun 29, 2012, at 3:19 PM, Camaleón noela...@gmail.com wrote:

 On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:
 
 On 6/29/12 6:56 AM, Camaleón wrote:
 Should my Debian system become cracked or infected by any kind of
 threat I would worry more about my usual files and not the settings for
 Filezilla. I mean, nothing new here, security is a multi-edged sword.
 
 
 Really? I'm far more concerned about my credentials for foreign sites
 than I am for any other information I store locally.
 
 Yes, really.
 
 The information I can store in my systems is by far more important than 
 the passwords for my FTP sites. In the end, it only affects the FTP 
 credentials, not databases or root accounts... because you aren't logging 
 in as root for your FTP sessions, right? ;-)
 
 Greetings,
 
 -- 
 Camaleón
 


--
Archive: 
http://lists.debian.org/92fd3e54-d65f-4d68-8d7b-793e6008c...@queernet.org



Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

On 29.06.2012 15:56, Camaleón wrote:

  The ONLY reason why Linux based systems haven't got such a problem with
  malware is that there are not enough Desktop machines to make this a
  good target. Often enough there are security holes which allow you to
  take control over the entire machine. And that's fine as it is complex
  software.
 
 True, but what's your point here?

The point is that software can't be 100% secure. So when possible it is 
a good idea to have more than one security layer. A bug in Apache may 
cause someone to get access to your FileZilla-Settings. At the moment 
this would be a big problem, if the file is encrypted the problem is 
still there but you have some additional time to change your passwords. 
Good thing.

 Should my Debian system become cracked or infected by any kind of threat
 I would worry more about my usual files and not the settings for
 Filezilla. I mean, nothing new here, security is a multi-edged sword.

Really? I would worry more about the remote servers listed in my 
FileZilla-Config (if there are any), because they might belong to 
customers, friends, etc. I might get worried about my Backups as I want 
to restore my compromised system.

  But if you can easily add some more security layers without losing too
  much performance and/or usability you should always do that.
 
 Maybe... but you'll get a false impression of protection that can be even
 more harmful as you'll relax your security notion.

Humans make mistakes, and a false impression of protection may lead 
you to such mistakes, this is true. That's one reason why we don't run 
background Virus-Checks on our machines (mails are being scanned and you 
can do on demand checks for USB media, etc.).

But it is easy to tell users that all files from those media may be 
evil. It's much harder to tell them that their programs might store 
sensitive data in a way that isn't secure. At least this is much harder 
than for the FileZilla guys to store passwords encrypted.

  Storing unhashed and unsalted or unencrypted passwords is simply stupid.
  Ask the guys at last.fm. ;)
 
 Again, there are files in my servers (e.g., ssl keys) and also my Mutt

SSL/SSH Keys should have a password or should be stored in some kind of 
encrypted container.

 configuration file (that holds my e-mail account password) which are
 stored in cleartext. So...?

Pretty stupid isn't it? ;) An encrypted container wouldn't help a lot 
here, because I assume your MUA is running most of the day, right? So 
the container has to be open all the time and any malware could read the 
file.

 Do you want us to remove the ethernet cord? ;-)

Would be a nice thing from a security point of view, that's why I 
mentioned comfort and performance. :)

Bye.


--

Archive: http://lists.debian.org/4fedbf4d.6040...@concepts-and-training.de



Re: Filezilla a security risk

2012-06-29 Thread Camaleón
On Fri, 29 Jun 2012 15:36:16 +0100, Roger B.A. Klorese wrote:

 On Jun 29, 2012, at 3:19 PM, Camaleón noela...@gmail.com wrote:
 
 On Fri, 29 Jun 2012 07:00:33 -0700, Roger B.A. Klorese wrote:
 
 On 6/29/12 6:56 AM, Camaleón wrote:
 Should my Debian system become cracked or infected by any kind of
 threat I would worry more about my usual files and not the settings
 for Filezilla. I mean, nothing new here, security is a multi-edged
 sword.
 
 
 Really? I'm far more concerned about my credentials for foreign sites
 than I am for any other information I store locally.
 
 Yes, really.
 
 The information I can store in my systems is by far more important
 than the passwords for my FTP sites. In the end, it only affects the
 FTP credentials, not databases or root accounts... because you aren't
 logging in as root for your FTP sessions, right? ;-)

 My root credentials for my local machine aren't stored in plaintext. 

I did not mean that. I mean logging in to your FTP server as root (and not 
as plain user) which is a different thing and of course should be avoided.

 And if the local machine is compromised, the critical threat is its use
 as a zombie, not any info that's on it. 

You sure? Being a zombie could be even funny, sending spam and infected e-
mails to windows users, kinda justice and divine revenge, he, he... :-)

 There simply isn't any confidential data.

Lucky you, that you don't have to worry about that.

 Sent from my iPhone
  ^^^

I hope you also care for the data stored in your cell phone :-)

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jskf56$68h$9...@dough.gmane.org



Re: Filezilla a security risk

2012-06-29 Thread Camaleón
On Fri, 29 Jun 2012 16:44:29 +0200, Denis Witt wrote:

 On 29.06.2012 15:56, Camaleón wrote:
 
 The ONLY reason why Linux based systems haven't got such a problem with
 malware is that there are not enough Desktop machines to make this a
 good target. Often enough there are security holes which allow you to
 take control over the entire machine. And that's fine as it is complex
 software.
 
 True, but what's your point here?
 
 The point is that software can't be 100% secure. So when possible it is
 a good idea to have more than one security layer. 

Even if that extra layer is of no help because you leave your computer 
open and accessible to anyone? Then you're wasting your time and your 
computer resources, security has to sit between usefulness and effectiveness, 
otherwise you're losing the battle.

 A bug in Apache may cause someone to get access to your FileZilla
 -Settings. 

I wonder how that can happen... 

 At the moment this would be a big problem, if the file is encrypted the
 problem is still there but you have some additional time to change your
 passwords. Good thing.

Good thing for a corner case. But the bad thing here is that someone can 
access your Filezilla settings from your Apache, though.

 Should my Debian system become cracked or infected by any kind of
 threat I would worry more about my usual files and not the settings for
 Filezilla. I mean, nothing new here, security is a multi-edged sword.
 
 Really? I would worry more about the remote servers listed in my
 FileZilla-Config (if there are any), because they might belong to
 customers, friends, etc. I might get worried about my Backups as I want
 to restore my compromised system.

You change the password for your FTP user accounts and that's all. Gee, I 
wonder in what way users are using their linux systems that don't store 
any important data on them, only for multimedia playing? :-P

 But if you can easily add some more security layers without losing
 too much performance and/or usability you should always do that.
 
 Maybe... but you'll get a false impression of protection that can be
 even more harmful as you'll relax your security notion.
 
 Humans make mistakes, and a false impression of protection may lead
 you to such mistakes, this is true. That's one reason why we don't run
 background Virus-Checks on our machines (mails are being scanned and you
 can do on demand checks for USB media, etc.).

I do check the files I download from the web, regardless of whether they 
are going to be opened from windows or linux, e-mails are also scanned by 
means of ClamAV and USB keys are not automatically mounted and thus can 
also be easily analyzed first.

And I do all of the above because I came from Windows first, I have the 
steps burned in fire in my brain :-)

 But it is easy to tell users that all files from those media may be
 evil. It's much harder to tell them that their programs might store
 sensitive data in a way that isn't secure. At least this is much harder
 than for the FileZilla guys to store passwords encrypted.

Curiously enough, it is not only Filezilla that takes the path of not 
encrypting the user credentials, so there has to be a reason behind 
that happening so often...

Anyway, aren't most of us still using plain pop3 and smtp connections 
with no message encryption at all? Who are we blaming? ;-)

 Storing unhashed and unsalted or unencrypted passwords is simply
 stupid. Ask the guys at last.fm. ;)
 
 Again, there are files in my servers (e.g., ssl keys) and also my Mutt
 
 SSL/SSH Keys should have a password or should be stored in some kind of
 encrypted container.

IIRC you have to remove the password so Apache can make use of it so 
finally the security relies on the file perms (only root can read it).

 configuration file (that holds my e-mail account password) which are
 stored in cleartext. So...?
 
 Pretty stupid isn't it? ;) 

You tell me :-)

 An encrypted container wouldn't help a lot here, because I assume your
 MUA is running most of the day, right? So the container has to be open 
 all the time and any malware could read
 the file.

In my case it is launched on demand. My main MUA is Thunderbird.

 Do you want us to remove the ethernet cord? ;-)
 
 Would be a nice thing from a security point of view, that's why I
 mentioned comfort and performance. :)

There are still dangerous USB flash drives and the always evil CD/DVD and 
floppy disks... you never know.

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jskgm9$68h$1...@dough.gmane.org



Re: Filezilla a security risk

2012-06-29 Thread Steve Dowe
On 29/06/12 15:36, Roger B.A. Klorese wrote:
 My root credentials for my local machine aren't stored in plaintext.
 And if the local machine is compromised, the critical threat is its
 use as a zombie, not any info that's on it. There simply isn't any
 confidential data.

But the reason for that is that your root password is encrypted using
one-way encryption.  It cannot be decrypted.

But, the result of it being encrypted is compared to the result of the
password you log in with (as root) being encrypted ... if the two match,
that's good enough for PAM, etc.

Obviously, for FZ, you need two-way encryption/decryption.

I know I'm stating the obvious, but I've been told I'm good at that ;)

-- 
Steve Dowe

Warp Universal Limited
http://warp2.me/sd


-- 
Archive: http://lists.debian.org/4fedc60e.8080...@warpuniversal.co.uk



Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

On 29.06.2012 17:13, Steve Dowe wrote:

 Obviously, for FZ, you need two-way encryption/decryption.

But this is also no problem, just create a Master-Password and use 
encryption based on that.

If you start FileZilla you have to enter the Master-Password and then 
you can connect to all available accounts.

This might not be bulletproof but it would give you some time to detect that 
your machine was compromised and change your passwords.


Bye.


--

Archive: http://lists.debian.org/4fedc8fc.8000...@concepts-and-training.de
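Steve's point above (the root password is protected by a one-way hash that only needs to be compared, while an FTP client must get the password back and therefore needs two-way encryption) and Denis's answer (encrypt the stored account passwords under a master password, and, as he adds further down the thread, forget it again after a while) are shown side by side in the following added example. It is not FileZilla's code and not something either poster wrote; the function names, the sample account and the `UnlockedStore` helper are assumptions made for illustration. It uses only the Python standard library, so the two-way part is an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC; a real client would use a vetted AEAD from a crypto library, but the key derivation, the constant-time tag check before decryption and the time-limited unlock are the parts that carry over.

```python
"""Added example (not FileZilla's code): one-way hashing for login checks
versus two-way encryption under a master password for a credential file,
plus a time-limited unlock.  Standard library only."""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

KDF_ITERATIONS = 200_000  # PBKDF2 work factor; raise as hardware improves


# --- One-way: what the OS does with the root password (/etc/shadow style).
#     The record lets you verify a guess but never recover the password.
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"pbkdf2_sha256${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant time


# --- Two-way: what an FTP client needs, because it must send the password.
#     Illustrative construction: HMAC-SHA256 in counter mode as the stream
#     cipher, encrypt-then-MAC for integrity.  Use a vetted AEAD in practice.
def _derive_keys(master_password: str, salt: bytes) -> tuple:
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt_credentials(master_password: str, creds: dict) -> dict:
    """Return a JSON-serialisable blob; nothing in it reveals the plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(creds).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_credentials(master_password: str, blob: dict) -> Optional[dict]:
    """None on a wrong master password or a tampered file (tag checked first)."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


class UnlockedStore:
    """Keeps decrypted credentials in memory only for `ttl` seconds after
    unlock, so a long-running client does not hold them open all day."""

    def __init__(self, blob: dict, ttl: float = 600.0):
        self._blob, self._ttl = blob, ttl
        self._creds: Optional[dict] = None
        self._unlocked_at = 0.0

    def unlock(self, master_password: str, now: Optional[float] = None) -> bool:
        creds = decrypt_credentials(master_password, self._blob)
        if creds is None:
            return False
        self._creds = creds
        self._unlocked_at = time.monotonic() if now is None else now
        return True

    def get_password(self, site: str, now: Optional[float] = None) -> Optional[str]:
        now = time.monotonic() if now is None else now
        if self._creds is None or now > self._unlocked_at + self._ttl:
            self._creds = None  # locked again: re-prompt for the master password
            return None
        return self._creds.get(site, {}).get("password")


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    rec = hash_password("hunter2")
    print("login check:", verify_password("hunter2", rec), verify_password("guess", rec))
    blob = encrypt_credentials("correct horse",
                               {"ftp.example.org": {"user": "alice", "password": "s3cret"}})
    store = UnlockedStore(blob, ttl=60)
    print("wrong master:", store.unlock("wrong"))
    print("right master:", store.unlock("correct horse", now=0.0))
    print("within ttl:", store.get_password("ftp.example.org", now=30.0))
    print("after ttl:", store.get_password("ftp.example.org", now=61.0))
```

The hashed record never gives the password back, which is why it is fine for a login check and useless for a client that has to put the password on the wire. The encrypted blob does give it back, but only to whoever holds the master password, and the MAC check runs before any decryption so a tampered file is rejected rather than turned into garbage credentials. The `ttl` mirrors the forget-after-a-while idea: once it expires the plaintext is dropped and the user is asked again.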



Re: Filezilla a security risk

2012-06-29 Thread Steve Dowe
On 29/06/12 16:25, Denis Witt wrote:

 This might not be bulletproof but it would give you some time to detect that
 your machine was compromised and change your passwords.

Maybe not, but what is? :)

At the same time, with all this talk of passwords stored as plain text
etc, it's not a great hurdle to set up a local, encrypted loopback
device that mounts in your local file system.  You could even mount it
at ~/.filezilla, and then run up FZ for the first time.

Such a device would require a password to unlock/mount, so the window
where unencrypted data is vulnerable could be minimised...

http://www.howtoforge.com/encrypt-your-data-with-encfs-debian-squeeze-ubuntu-11.10

-- 
Steve Dowe

Warp Universal Limited
http://warp2.me/sd


-- 
Archive: http://lists.debian.org/4fedcbde.8010...@warpuniversal.co.uk



Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

On 29.06.2012 17:13, Camaleón wrote:


The point is that software can't be 100% secure. So when possible it is
a good idea to have more than one security layer.



Even if that extra layer is of no help because you leave your computer
open and accessible to anyone? Then you're wasting your time and your
computer resources, security has to sit between useful and effectiveness,
otherwise you're losing the battle.


FileZilla could use a Master-Password to encrypt the Account-Passwords. 
So if you start FZ you enter the Master-Password (and may define a time 
so that FZ will forgot the Master-PW after some time, when it's still open).



A bug in Apache my cause someone to get access to you FileZilla
-Settings.



I wonder how that can happen...


It was just an example.

Another example, a colleague of yours have SSH-Access on your machine. 
Also you allow some commands he can run with sudo. Did you know that 
chmod is enough so he could start a shell with root credentials? And I 
don't talk about suid.


What I'm trying to say is that our machines are pretty much very complex 
and it is very easy to overlook things.



At the moment this would be a big problem, if the file is encrypted the
problem is still there but you have some additional time to change your
passwords. Good thing.



Good thing for a corner case. But the bad thing here is that someone can
access your Filezilla settings from you Apache, though.


Sure. But if there is a bug (or misconfiguration) it might be possible 
to do so. If it was a misconfiguration it is your own fault, of course.



Really? I would more worry about the remote servers listed in my
FileZilla-Config (if there are any), because they might belong to
customers, friends, etc. I might get worried about my Backups as I want
to restore my compromised system.



You change the password for your FTP user accounts and that's all. Gee, I
wonder in what way users are using their linux systems that don't store
any important data on them, only for multimedia playing? :-P


No, but the really important data is encrypted in a way so even if my 
machine is running all the time the container isn't accessible all the time.



Humans are making mistakes, a false impression of protection may lead
you to such mistakes, this is true. That's one reason why we don't run
background Virus-Checks on our machines (mails are being scanned and you
can do on demand checks for USB media, etc.).



I do check the files I download from the web, regardless of whether they
are going to be opened from windows or linux; e-mails are also scanned by
means of ClamAV and USB keys are not automatically mounted, thus they can
also be easily analyzed first.


That's the scenario I tried to point out above.


But it is easy to tell users that all files from those media may be
evil. It's much harder to tell them that their programs might store
sensitive data in a way that isn't secure. At least this is much harder
than for the FileZilla guys to store passwords encrypted.



Curiously enough, it is not only Filezilla that takes the path of not
encrypting the user credentials, so there has to be a reason behind that
happening so often...


Laziness? Why did last.fm store the passwords of their users as 
MD5-Hash without salting them?



Anyway, aren't most of us still using plain pop3 and smtp connections
with no message encryption at all? Who are we blaming? ;-)


Most of my messages are not encrypted because the receiving end isn't 
capable of that. But my Credentials will only be transmitted when the 
connection is secure (even if the MTA is in the same network).



Again, there are files in my servers (e.g., ssl keys) and also my Mutt



SSL/SSH Keys should have a password or should be stored in some kind of
encrypted container.



IIRC you have to remove the password so Apache can make use of it so
finally the security relies on the file perms (only root can read it).


This is true for Apache SSL but in fact I don't care a lot about my 
HTTPS keyfiles, if they got compromised I revoke them. And if you really 
want to fake a certificate you might have this easier through 
companies like DigiNotar.


SSL is pretty much snakeoil nowadays, but it's better than nothing.


An encrypted container wouldn't help a lot here, because I assume your
MUA is running most of the day, right? So the container has to be open
all the time and any malware could read the file.



In my case it is launched on demand. My main MUA is Thunderbird.


Do you use a Master-Password? If so, then guess what? All your passwords 
stored in TB are saved encrypted. Nice feature, isn't it? ;)



Do you want us to remove the ethernet cord? ;-)



Would be a nice thing from a security point of view, that's why I
mentioned comfort and performance. :)



There are still dangerous USB flash drives and the always evil CD/DVD and
floppy disks... you never know.


Of course you have to get rid of those drives as well. Also your USB, 
Firewire and Thunderbolt 
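The master-password scheme Denis proposes in this message (store the account passwords encrypted under a key derived from a master password, and forget that password again after a timeout), as an added example that is not part of the thread or of FileZilla's own code. Everything in it is assumed: the PBKDF2/AES-GCM construction, the blob layout, the iteration count and the sample password values are the editor's choices, not anything the list discussed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Constructed parameters; a real client would tune the iteration count to its hardware.
const (
	saltLen    = 16
	nonceLen   = 12 // standard GCM nonce size
	iterations = 100_000
)
var ErrBadMasterOrCorrupt = errors.New("wrong master password or corrupted entry")
var ErrLocked = errors.New("session expired: master password must be re-entered")

// aeadFor derives a 32-byte key from the master password with PBKDF2 (RFC 8018) over
// HMAC-SHA256, written out so only the standard library is needed, then wraps it in AES-256-GCM.
func aeadFor(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)             // U_1
	key := append([]byte(nil), u...)
	for j := 1; j < iterations; j++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_j = PRF(P, U_{j-1}); key = U_1 xor ... xor U_c
		for k := range key {
			key[k] ^= u[k]
		}
	}
	block, err := aes.NewCipher(key) // cannot fail: the key is exactly 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// SealPassword encrypts one account password under the master password.
// Blob layout: salt || nonce || AES-GCM ciphertext+tag. A fresh salt and nonce
// per entry means two accounts sharing a password still give different blobs.
func SealPassword(master, accountPassword string) ([]byte, error) {
	buf := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:saltLen], buf[saltLen:]
	// The salt doubles as associated data, so a blob with a swapped header fails to open.
	return aeadFor(master, salt).Seal(buf, nonce, []byte(accountPassword), salt), nil
}

// OpenPassword reverses SealPassword. A wrong master password and a tampered
// blob look the same from here: GCM's tag check fails and nothing is returned.
func OpenPassword(master string, blob []byte) (string, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag, the shortest valid ciphertext
		return "", ErrBadMasterOrCorrupt
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	pt, err := aeadFor(master, salt).Open(nil, nonce, ct, salt)
	if err != nil {
		return "", ErrBadMasterOrCorrupt
	}
	return string(pt), nil
}

// Session keeps the master password only until a deadline, modelling the
// "forget the master password after some time" option.
type Session struct {
	master  string
	expires time.Time
}

func NewSession(master string, ttl time.Duration) *Session {
	return &Session{master: master, expires: time.Now().Add(ttl)}
}

func (s *Session) Open(blob []byte) (string, error) {
	if time.Now().After(s.expires) {
		s.master = "" // drop the secret once the session has timed out
		return "", ErrLocked
	}
	return OpenPassword(s.master, blob)
}

func main() {
	blob, _ := SealPassword("correct horse", "ftp-account-secret") // constructed sample values
	fmt.Println(NewSession("correct horse", time.Minute).Open(blob)) // the password and <nil>
	fmt.Println(OpenPassword("wrong master", blob))                  // empty string and the error
}
```

The settings file would hold only the blob, so malware that reads the file still needs the master password, which is exactly the extra layer the message asks for.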

Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

On 29.06.2012 17:38, Steve Dowe wrote:


At the same time, with all this talk of passwords stored as plain text
etc, it's not a great hurdle to set up a local, encrypted loopback
device that mounts in your local file system.  You could even mount it
at ~/.filezilla, and then run up FZ for the first time.


And afterwards I have to unmount the device. This might work rather fine 
on a Linux system but on Windows (and FZ is available for Windows)...


Also you have to know that FZ stores PW unencrypted and you need to know 
where this information has been stored.


It would be nicer if the application does this stuff automatically. And 
I don't care if they encrypt the passwords on their own or using some 
kind of Keychain-Tool like most of the Tools for MacOS do.


But storing plain text passwords is bad behaviour and anyone who does this 
has to be blamed for that.


Bye.


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Archive: http://lists.debian.org/4fedd652.8070...@concepts-and-training.de



Re: Filezilla a security risk

2012-06-29 Thread Steve Dowe
On 29/06/12 17:22, Denis Witt wrote:
 And afterwards I have to unmount the device. This might work rather fine
 on a Linux system but on Windows (and FZ is available for Windows)...

I believe the same thing might be achieved on Windows, using TrueCrypt.

-- 
Steve Dowe

Warp Universal Limited
http://warp2.me/sd


Archive: http://lists.debian.org/4fedd9f9.9050...@warpuniversal.co.uk



Re: Filezilla a security risk

2012-06-29 Thread Camaleón
On Fri, 29 Jun 2012 18:13:11 +0200, Denis Witt wrote:

 On 29.06.2012 17:13, Camaleón wrote:
 
 The point is that software can't be 100% secure. So when possible it
 is a good idea to have more than one security layer.
 
 Even if that extra layer is of no help because you leave your computer
 open and accessible to anyone? Then you're wasting your time and your
 computer resources, security has to sit between useful and
 effectiveness, otherwise you're losing the battle.
 
 FileZilla could use a Master-Password to encrypt the Account-Passwords.
 So if you start FZ you enter the Master-Password (and may define a time
 so that FZ will forget the Master-PW after some time, when it's still
 open).

Yes, they can as well as they can also encrypt the current user settings 
from the XML file but they don't want to. Period and full stop.

There are other solutions out there you can go with if you don't feel 
confident enough in the Filezilla approach :-)
 
(...)

 What I'm trying to say is that our machines are pretty much very complex
 and it is very easy to overlook things.

It has always been so, Filezilla isn't inventing anything new.

 Good thing for a corner case. But the bad thing here is that someone
 can access your Filezilla settings from you Apache, though.
 
 Sure. But if there is a bug (or misconfiguration) it might be possible
 to do so. If it was a misconfiguration it is your own fault, of course.

What if... or what if...? 

We can spend the rest of the day speculating about possible scenarios 
but we all know about them. This is nothing more than a developer and 
user choice.

 You change the password for your FTP user accounts and that's all. Gee,
 I wonder in what way users are using their linux systems that don't
 store any important data on them, only for multimedia playing? :-P
 
 No, but the really important data is encrypted in a way so even if my
 machine is running all the time the container isn't accessible all the
 time.

Well done but I'm afraid you fit the 1% of the users that do so. I, by 
the way, store thousands of plain-text e-mail messages (mbox) 
containing passwords for many Internet services. If I were paranoid 
enough, I'd only use hard disk encryption but this is still not on my 
to-do list.

 I do check the files I download from the web, regardless of whether they
 are going to be opened from windows or linux; e-mails are also scanned by
 means of ClamAV and USB keys are not automatically mounted, thus they can
 also be easily analyzed first.
 
 That's the scenario I tried to point out above.

And despite all the precautions I take, I have no problems with having a 
password stored in clear text ;-)
 
 Curiously enough, it is not only Filezilla that takes the path of not
 encrypting the user credentials, so there has to be a reason behind that
 happening so often...
 
 Laziness? Why did last.fm store the passwords of their users as
 MD5-Hash without salting them?

No, developers are not lazy but practical: they simply don't want to use 
weak methods to handle this.

 Anyway, aren't most of us still using plain pop3 and smtp connections
 with no message encryption at all? Who are we blaming? ;-)
 
 Most of my messages are not encrypted because the receiving end isn't
 capable of that. But my Credentials will only be transmitted when the
 connection is secure (even if the MTA is in the same network).

Again, you must belong to the 1% of the users that do that ;-)

Anyway, if the recipient does not use a secure protocol to download the 
data (pop3s/imaps), the security chain is broken and thus useless, you 
see now why devels are not lazy? Because you can't just take control of 
all ;-)

 SSL/SSH Keys should have a password or should be stored in some kind
 of encrypted container.
 
 IIRC you have to remove the password so Apache can make use of it so
 finally the security relies on the file perms (only root can read it).
 
 This is true for Apache SSL but in fact I don't care a lot about my
 HTTPS keyfiles, if they got compromised I revoke them. And if you really
 want to fake a certificate you might can have this easier through
 companies like DigiNotar.
 
 SSL is pretty much snakeoil nowadays, but it's better than nothing.

That's the kind of reasoning software developers do: if there's no 100% 
secure system, why should *I* bother?

 An encrypted container wouldn't help a lot here, because I assume your
 MUA is running most of the day, right? So the container has to be open
 all the time and any malware could read
 the file.
 
 In my case it is launched on demand. My main MUA is Thunderbird.
 
 Do you use a Master-Password? 

Nope. How annoying...

 If so, then guess what? All your passwords stored in TB are saved
 encrypted. Nice feature, isn't it? ;)

I really don't care. If I were in a windows machine, I'd be a bit 
worried ;-)

 There's still dangerous USB flash drives and the always evil CD/DVD and
 floppy disks... you never know.
 
 Of course you have to get rid 

Re: Filezilla a security risk

2012-06-29 Thread Denis Witt

damn, why can't postbox answer to the list instead of the poster's email?

Camaleón schrieb:

 Yes, they can as well as they can also encrypt the current user
 settings from the XML file but they don't want to. Period and full
 stop.

True. Sad, but true.

 What I'm trying to say is that our machines are pretty much very
 complex and it is very easy to overlook things.

 It has been always so, Filezilla is not inventing nothing anew.

Yep, but they could respect this and give the user a little bit of extra
security.

(...)

 No, but the really important data is encrypted in a way so even if
 my machine is running all the time the container isn't accessible
 all the time.

 Well done but I'm afraid you fit the 1% of the users that do so. I,
 by

True. Another reason for FZ to help those 99%. (Hey, cool, I'm the 1%,
where is my money? ;))

 the way, store thousand of plain text based e-mail messages (mbox) 
 containing passwords for many Internet services. If I were paranoid

And so do I, at least on my Phone which I can't encrypt.

 enough, I'd only use hard disk encryption but this is still not in my
 to- do list.

I use HDD encryption for everything that I could lose or what might get
stolen, like our RDX-Backup-Drives I have in my bag anytime. Also all
Notebooks, some USB-Sticks and USB-Drives.

 I do check the files I download from the web, regardless of whether
 they are going to be opened from windows or linux; e-mails are also
 scanned by means of ClamAV and USB keys are not automatically
 mounted, thus they can also be easily analyzed first.
 That's the scenario I tried to point out above.

 And despite all the precautions I take, I have no problems with
 having a password stored in clear text ;-)

Just because you are NOT paranoid that doesn't mean that they are not
after you. ;)

 Curiously enough is not only Filezilla who takes the path for
 not encrypting the user credentials so there has to be a reason
 in behind for that to happen so often...
 Laziness? Why did last.fm store the passwords of their users as 
 MD5-Hash without salting them?

 No, developers are not lazy but practical: they simply don't want to
 use weak methods to handle this.

What's weaker, password encryption, file access rights or both together?
For little effort.

But, you're right. Developers are usually not lazy, at least ours aren't.
Sometimes they might not have had enough time to implement the next
security layer, but I don't know if this applies to FZ as well.

 Anyway, aren't most of us still using plain pop3 and smtp
 connections with no message encryption at all? Who are we
 blaming? ;-)
 Most of my messages are not encrypted because the receiving end
 isn't capable of that. But my Credentials will only be transmitted
 when the connection is secure (even if the MTA is in the same
 network).

 Again, you must pertain to the 1% of the users that do that ;-)

 Anyway, if the recipient does not use a secure protocol to download
 the data (pop3s/imaps), the security chain is broken and thus
 useless, you see now why devels are not lazy? Because you can't just
 take control of all ;-)

I don't care about the transport of the content. It's like sending
postcards. But I care about my password. We're using LDAP and my
Mail-Password is also my System-Login. ;)

 SSL is pretty much snakeoil nowadays, but it's better than
 nothing.

 That's the kind of reasoning software developers do: if there's no
 100% secure system, why should *I* bother?

Why are they developing *BSD? Why should I bind some of my Services to
localhost if I have a firewall?

(...)

 Okay... I better return back to my cave, dust my typewritting machine
 and problem solved.

You got a cave? How comfortable. :)

 When you work in a corporate environment, disabling the external
 devices is a must. The biggest hole in a computer system is always
 the user. Always.

I think it depends on the company size and the company culture. We are
23 people at the moment and everybody can bring in his own devices and
connect them to our network and machines (WLAN is separated from the
LAN, only Internet-Access, it's not encrypted but you have to use a
captive portal to log in).

The deal is that if you, for example, have VPN access on your device you
have to inform me in case of loss, so I can disable the accounts for
that device. Also your device should have a remote delete function and
password protection is mandatory. My users understand those rules and
take care of them. But yes, I guess I'm lucky.

 Anyway I think we're going pretty much offtopic. My point is that
 it would be a nice feature for FZ (and other tools) to store
 passwords more secure. And I don't like the attitude of the
 developers saying that it's not their problem if someone could read
 the file who isn't allowed to. At least as such a feature is rather
 easy to implement and won't affect the user experience in a bad
 way.

 Nah, developers are made of different 

Re: Filezilla a security risk

2012-06-29 Thread Andrei POPESCU
On Vi, 29 iun 12, 18:13:11, Denis Witt wrote:
 
 Anyway I think we're going pretty much offtopic. My point is that it
 would be a nice feature for FZ (and other tools) to store passwords
 more secure. And I don't like the attitude of the developers saying
 that it's not their problem if someone could read the file who isn't
 allowed to. At least as such a feature is rather easy to implement
 and won't affect the user experience in a bad way.

What happened to "do one thing and do it well"? As far as I understand, 
FileZilla is a good FTP client, why should it re-implement a keychain?

Kind regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Filezilla a security risk

2012-06-29 Thread Richard Hector

On 30/06/12 02:02, Lisi wrote:

On Friday 29 June 2012 10:28:11 Denis Witt wrote:

I have brakes and drive safely, so an airbag isn't essential.


And do all the speed louts see you coming and say: "We mustn't overtake on
this blind corner. The driver coming towards me on what is now the same side
of the road as I am on is a good driver. I must backtrack in time and not
overtake because good drivers don't have accidents."? I consider all the
modern improvements in safety essential, and with each of them I have been an
early adopter.


Please get your attributions correct - that was my statement.

I don't have an airbag, and I'm still here, so I stand by it. We haven't 
had airbags for most of the 100ish year history of the car, but we have 
had brakes, and they've generally been regarded as essential. The safety 
record hasn't been perfect, of course, but the tradeoff has been 
considered acceptable, or cars would have been banned.


I also stand by the bit that says I'd keep an airbag if I had one, for 
the reasons you give.


Richard



Archive: http://lists.debian.org/4fee4a4a.7070...@walnut.gen.nz



Re: Filezilla a security risk

2012-06-29 Thread Richard Hector

On 29/06/12 21:28, Denis Witt wrote:

On 29.06.2012 03:16, Richard Hector wrote:


 If your account is hosed, well, go to their second argument: 2.
 don't get the malware in the first place ;-)

Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
brakes please. I don't need them anymore.



That's the wrong way round. I have brakes and drive safely, so an airbag
isn't essential. Which isn't to say I'd get it removed if I had one.


Maybe, seat belts are also not essential, but in many countries the
usage is mandatory, for a good reason.


Agreed. And airbags may become compulsory too. As long as they're well 
engineered, of course; having explosives go off during a crash needs to 
be managed carefully.


But the question is one of priority. Avoiding crashing (good/adequate 
brakes, tyres, suspension, roads etc etc) should come before saving you 
if you do (seatbelts, airbags, ambulances etc etc). It's always a good 
idea to have both types, of course, because preventative measures are 
unlikely to ever be perfect.


Richard



Archive: http://lists.debian.org/4fee4cc8.4000...@walnut.gen.nz



Re: Filezilla a security risk

2012-06-28 Thread Claudius Hubig
Hello francis,

francis picabia fpica...@gmail.com wrote:
 On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
 andreimpope...@gmail.com wrote:
  On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
  I've just learned Filezilla is a security risk.  It stores saved
  passwords and the last used password in a plain text file.
 
  As do many other programs.
 
 Huh.  None that I run.  Perhaps your standards are, uh, different.

Pidgin & OpenSSH if used without passphrases, just to name two
examples. Claws-Mail applies some weird obfuscation that doesn't
really help, except that I have to store my passwords somewhere
else in plaintext, too.

 the hacker.   In this case we advise users to uninstall Filezilla
 and use something else.  Not all Windows users of FTP tools are IT savvy.
   ^^^
 They need warnings and guidance frequently.  I passed this on so
 others can reduce their threat potential.

Your users, your _Windows_ users, are certainly your problem and not
one that should be discussed on the debian-user ML. However, if you
find it a problem that programmes tend to leave unencrypted, sensitive
data in /home rather than employing some more-or-less fake
encryption/obfuscation, feel free to suggest better ways to reach the
following target:

- It is not necessary to enter all passwords of every account upon
  start of the programme.
- There is some sort of authentication, i.e. not every single
  computer on this planet can log in.
- It works even if there is nobody around to enter passphrases/master
  passwords (e.g., rsync over SSH to remote hosts).

Best regards,

Claudius
-- 
Adding sound to movies would be like putting lipstick on the Venus de Milo.
-- actress Mary Pickford, 1925
http://chubig.net  telnet nightfall.org 4242




Re: Filezilla a security risk

2012-06-28 Thread Andrei POPESCU
On Mi, 27 iun 12, 20:58:39, francis picabia wrote:
 
 We have to do what ever possible to reduce the size of the target to
 the hacker.   In this case we advise users to uninstall Filezilla
 and use something else.  Not all Windows users of FTP tools are IT savvy.
 They need warnings and guidance frequently.  I passed this on so
 others can reduce their threat potential.

You are missing the point :)

In a situation where the doors (here Windows :p) are left wide open, 
instead of closing and securing them you are trying to hide the 
valuables under the carpet.

Even if you put them in a safe (encrypt with some master password) the 
villains have it easy to walk into the house and install spy cameras 
everywhere so they can peek at your combination or simply just steal the 
entire safe and brute-force it later.

Kind regards,
Andrei
P.S. this discussion is off-topic on debian-user, kindly follow-up on 
the offtopic list in my sig (Reply-To: set accordingly)
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: Filezilla a security risk

2012-06-28 Thread Camaleón
On Wed, 27 Jun 2012 16:26:48 -0300, francis picabia wrote:

 I've just learned Filezilla is a security risk.  It stores saved
 passwords and the last used password in a plain text file.

In Mutt, for instance, you can face the same situation.
 
 Malware commonly scoops up this info and hacks web sites or shell
 accounts.
 
 The developer refuses to incorporate a solution such as master password
 and encryption into filezilla.

Yes, it's a well-known feature of the Filezilla FTP client.

 His responses in numerous bug reports and feature requests are:
 
 1. encryption: that's the file system's job 

True.

 2. don't get the malware in the first place

Also true.
 
 In my opinion, people should avoid filezilla.

I use it in my windows box (a plain FTP login session is transmitted in 
clear text but, despite that, it is true that it poses a risk if your 
computer gets infected and your login credentials are stored in clear 
text) but I don't use Filezilla in Debian.

For windows there's another nice application (WinSCP) and for linux 
you have plenty of options :-)

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jshqlo$no$5...@dough.gmane.org



Re: Filezilla a security risk

2012-06-28 Thread francis picabia
On Thu, Jun 28, 2012 at 5:03 AM, Claudius Hubig debian_1...@chubig.net wrote:

 Your users, your _Windows_ users, are certainly your problem and not
 one that should be discussed on the debian-user ML.

I have a Debian system I administer that was compromised this way.

If the hacker uses two mirrors and shaving cream to attack a system,
and it is happening frequently,  it should be of interest to
system administrators.


Archive: 
http://lists.debian.org/CA+AKB6G=xr2_gbccvj2ktfeupeegd9tyy7fzbtijhw1f0ny...@mail.gmail.com



Re: Filezilla a security risk

2012-06-28 Thread Curt
On 2012-06-27, francis picabia fpica...@gmail.com wrote:
 I've just learned Filezilla is a security risk.  It stores saved
 passwords and the last used password in a plain text file.


There's an interesting (well, for arbitrary definitions of the word
interesting) discussion of the problem here:

http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/

(From May, _2008_!, so you're a little _en retard_).

I personally use ncftp, but I suppose it lacks many bells and whistles.
It doesn't save passwords by default, though, and has a responsible man
page:

 save-passwords
 If you set this variable to yes, the program will save passwords along with the
 bookmarks you  save.   While this makes non-anonymous logins more convenient,
 this can be very dangerous since your account information is now sitting in
 the $HOME/.ncftp/bookmarks file.  The  passwords aren't in clear text, but
 it is still trivial to decode them if someone wants to make a modest effort.

Un homme averti en vaut deux.

If the filezilla man page isn't clear on this point, I think that is a
form of negligence (although I don't know who's responsible for their man
page in the end--maybe it's me!).


Archive: http://lists.debian.org/slrnjuot1t.38n.cu...@einstein.electron.org



Re: Filezilla a security risk

2012-06-28 Thread francis picabia
On Thu, Jun 28, 2012 at 5:37 AM, Andrei POPESCU
andreimpope...@gmail.com wrote:
 On Mi, 27 iun 12, 20:58:39, francis picabia wrote:

 We have to do what ever possible to reduce the size of the target to
 the hacker.   In this case we advise users to uninstall Filezilla
 and use something else.  Not all Windows users of FTP tools are IT savvy.
 They need warnings and guidance frequently.  I passed this on so
 others can reduce their threat potential.

 You are missing the point :)

 In a situation where the doors (here Windows :p) are left wide open,
 instead of closing and securing them you are trying to hide the
 valuables under the carpet.

 Even if you put them in a safe (encrypt with some master password) the
 villains have it easy to walk into the house and install spy cameras
 everywhere so they can peak at your combination or simply just steal the
 entire safe and brute-force it later.

For you, there is special advice.  Never communicate with your Windows users.
It can't possibly impact Linux.


Archive: 
http://lists.debian.org/ca+akb6gsmjpxkyscofk7pn3c7ogpyrpyybrykwpsnqlygdd...@mail.gmail.com



Re: Filezilla a security risk

2012-06-28 Thread Shane Johnson
On Thu, Jun 28, 2012 at 9:13 AM, francis picabia fpica...@gmail.com wrote:
 On Thu, Jun 28, 2012 at 5:37 AM, Andrei POPESCU
 andreimpope...@gmail.com wrote:
 On Mi, 27 iun 12, 20:58:39, francis picabia wrote:

 We have to do what ever possible to reduce the size of the target to
 the hacker.   In this case we advise users to uninstall Filezilla
 and use something else.  Not all Windows users of FTP tools are IT savvy.
 They need warnings and guidance frequently.  I passed this on so
 others can reduce their threat potential.

 You are missing the point :)

 In a situation where the doors (here Windows :p) are left wide open,
 instead of closing and securing them you are trying to hide the
 valuables under the carpet.

 Even if you put them in a safe (encrypt with some master password) the
 villains have it easy to walk into the house and install spy cameras
 everywhere so they can peak at your combination or simply just steal the
 entire safe and brute-force it later.

 For you, there is special advice.  Never communicate with your Windows users.
 It can't possibly impact Linux.




Please remember that FTP by nature is insecure.  All it would take is
for someone to packet sniff the connection and they would have the
user name and password to the account as they are transmitted in plain
text.

-- 
Shane D. Johnson
IT Administrator
Rasmussen Equipment


Archive: 
http://lists.debian.org/caplo1l5ckwxe2ucqm43vdhsvssmmorpxf4_fuskbzmfj2tc...@mail.gmail.com



Re: Filezilla a security risk

2012-06-28 Thread Jon Dowland
On Wed, Jun 27, 2012 at 08:58:39PM -0300, francis picabia wrote:
 On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
 andreimpope...@gmail.com wrote:
  On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
  I've just learned Filezilla is a security risk.  It stores saved
  passwords and the last used password in a plain text file.
 
  As do many other programs.
 
 Huh.  None that I run.  Perhaps your standards are, uh, different.

No need to get ad-hominem. Andrei is correct, there *are* many that
do that, and many *in Debian* that do that. What Andrei runs or does
not run is irrelevant.


Archive: http://lists.debian.org/20120628161707.GD11366@debian



Re: Filezilla a security risk

2012-06-28 Thread Stanisław Findeisen
On 2012-06-28 16:45, Camaleón wrote:
 1. encryption: that's the file system's job 
 
 True.

Hm? You mean partition encryption?

It won't help much if the malware is running with file owner's uid... or
even if the system is booted at all (if you e.g. encrypt just /home).

-- 
http://people.eisenbits.com/~stf/
http://www.eisenbits.com/

OpenPGP: E3D9 C030 88F5 D254 434C  6683 17DD 22A0 8A3B 5CC0


Archive: http://lists.debian.org/4feca6fb.7090...@eisenbits.com



Re: Filezilla a security risk

2012-06-28 Thread francis picabia
On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
s...@rasmussenequipment.com wrote:


 Please remember that FTP by nature is insecure.  All it would take is
 for someone to packet sniff the connection and they would have the
 user name and password to the account as they are transmitted in plain
 text.

Yes, this is all correct.  However filezilla does sftp as well and
SFTP session passwords are also saved in this plain text file as
a human readable password.  That typically translates to SSH access.

In case this is lost on anyone, we are NOT talking about sniffing, but
drive by malware reading a plain text file on the client OS containing
the password.
Even if you do not check the box for saving the password, the most
recent entered password is saved there.


Archive: 
http://lists.debian.org/CA+AKB6ExyFTWPjq=jmqkjsqjxhxqqwcb-naikn9u10h0jt0...@mail.gmail.com



Re: Filezilla a security risk

2012-06-28 Thread Camaleón
On Thu, 28 Jun 2012 20:48:27 +0200, Stanisław Findeisen wrote:

 On 2012-06-28 16:45, Camaleón wrote:
 1. encryption: that's the file system's job
 
 True.
 
 Hm? You mean partition encryption?

What? :-?
 
 It won't help much if the malware is running with file owner's uid... or
 even if the system is booted at all (if you e.g. encrypt just /home).

I don't know what you mean... Encryption (of the user credentials, I 
understand) is what Filezilla developers think is something that has to 
come from the OS and the file system capabilities. And that's true, in  
linux systems there are POSIX permissions you can use to prevent your 
files being accessed by others.

If your account is hosed, well, go to their second argument: 2. don't 
get the malware in the first place ;-)

Greetings,

-- 
Camaleón


Archive: http://lists.debian.org/jsie79$no$1...@dough.gmane.org



Re: Filezilla a security risk

2012-06-28 Thread Denis Witt


 If your account is hosed, well, go to their second argument: 2.
 don't get the malware in the first place ;-)

Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
brakes please. I don't need them anymore.

The ONLY reason why Linux based systems haven't got such a problem with
malware is that there are not enough Desktop machines to make this a
good target. Often enough there are security holes which allow you to
take control over the entire machine. And that's fine as it is complex
software.

But if you can easily add some more security layers without losing too
much performance and/or usability you should always do that.

Storing unhashed and unsalted or unencrypted passwords is simply stupid.
Ask the guys at last.fm. ;)

Bye.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP7OgLAAoJEGqblLUjc3f4HRAH/2aWgEbKgpfIFivQ+gEI5mrA
BBzLSjjArrpuPWdqeXHFpNCNXRQC9zaS/UqCyWopKMCDfg9xajJQT7Ebsl3QcdeJ
TZJasrH5STZJokSOqXBM4VaTMGWfObTWeKytAKc8+6XjKI//zm4zWQbeFBLalBex
5Qpn/HeSKptb7ZYD763aZ6cHanq97HrfzO0eleM9wDRnksvvSj4yxkZRUTqq9aQL
ON1lfR14lA2rQieFiNHP1OJLEYKR1uQl7NofoOwCOUjoGpRlL9eF4VvDZMm5Z/Sz
ef/FZbVMoBF7NmQSEbtM+rpanPDOjeAtz68UQ6NKAHWYiut3XRgBDjw466/qUgU=
=q/jt
-END PGP SIGNATURE-


Archive: http://lists.debian.org/4fece810.4030...@concepts-and-training.de



Re: Filezilla a security risk

2012-06-28 Thread Richard Hector

On 29/06/12 11:26, Denis Witt wrote:

  If your account is hosed, well, go to their second argument: 2.
  don't get the malware in the first place ;-)

Great Argument, btw. Oh, I got an Airbag on my car, get rid of the
brakes please. I don't need them anymore.


That's the wrong way round. I have brakes and drive safely, so an airbag 
isn't essential. Which isn't to say I'd get it removed if I had one.


Richard



Archive: http://lists.debian.org/4fed01e9.3040...@walnut.gen.nz



Re: Filezilla a security risk

2012-06-28 Thread Rob Owens
On Thu, Jun 28, 2012 at 10:03:19AM +0200, Claudius Hubig wrote:
 Hello francis,
 
 francis picabia fpica...@gmail.com wrote:
  On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
  andreimpope...@gmail.com wrote:
   On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
   I've just learned Filezilla is a security risk.  It stores saved
   passwords and the last used password in a plain text file.
  
   As do many other programs.
  
  Huh.  None that I run.  Perhaps your standards are, uh, different.
 
 Pidgin  OpenSSH if used without passphrases, just to name two
 examples. Claws-Mail applies some weird obfuscation that doesn't
 really help, except for that I have to store my passwords somewhere
 else in plaintext, too.
 
Where does OpenSSH store a password?  Or are you referring to a
passphrase-less private key?


Archive: http://lists.debian.org/20120629014827.gb5...@aurora.owens.net


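Two claims in the posts above, that POSIX permissions are enough to protect the file (Camaleón) and that client-side obfuscation of a stored password does not really help (Claudius), as an added Python example that is not part of the thread and not FileZilla's code: it writes a constructed sitemanager.xml-style file, gives it mode 0600, and then recovers every saved password, plaintext or base64, simply because the reader runs under the file owner's uid. The element names, the Protocol code mapping (0 = FTP, 1 = SFTP) and the base64 `encoding` attribute are assumptions modelled on FileZilla's format.

```python
"""Pull saved credentials out of a FileZilla-style site file.

Added example, not FileZilla's own code. The XML is a constructed sample
modelled on sitemanager.xml; element names and Protocol codes are assumed.
"""
import base64
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumed mapping of the numeric Protocol codes.
PROTOCOLS = {"0": "FTP", "1": "SFTP"}

# Constructed sample; hosts and passwords are made up.
SAMPLE_SITEMANAGER = """\
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webuser</User>
      <Pass>hunter2</Pass>
    </Server>
    <Server>
      <Host>shell.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>alice</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
    </Server>
    <Server>
      <Host>mirror.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>anonymous</User>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(elem):
    """Return the stored password, undoing base64 obfuscation when flagged."""
    if elem is None or not elem.text:
        return None
    if elem.get("encoding") == "base64":
        return base64.b64decode(elem.text).decode("utf-8")
    return elem.text


def extract_credentials(xml_text):
    """List every server entry that carries a recoverable password."""
    found = []
    for server in ET.fromstring(xml_text).iter("Server"):
        password = decode_pass(server.find("Pass"))
        if password is None:
            continue  # no Pass element: nothing was saved for this site
        protocol = PROTOCOLS.get(server.findtext("Protocol"), "unknown")
        found.append({
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port", "0")),
            "protocol": protocol,
            "user": server.findtext("User"),
            "password": password,
            # An SFTP password is normally an SSH login, not just file access.
            "grants_ssh_login": protocol == "SFTP",
        })
    return found


def audit_file(path):
    """Open the file as the current user and report its mode plus recovered secrets."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        creds = extract_credentials(fh.read())
    return {
        "mode": oct(mode),
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "credentials": creds,
    }


def demo():
    """Store the sample with owner-only permissions, then audit it as the owner."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sitemanager.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SITEMANAGER)
        os.chmod(path, 0o600)  # the "file system's job", done as well as it can be
        return audit_file(path)


if __name__ == "__main__":
    report = demo()
    print("mode", report["mode"], "readable by group/other:", report["group_or_world_readable"])
    for c in report["credentials"]:
        tag = "  (SSH login)" if c["grants_ssh_login"] else ""
        print(f"  {c['protocol']:<5}{c['user']}@{c['host']}:{c['port']}  {c['password']!r}{tag}")
```

Running it prints both saved credentials despite the 0600 mode; the SFTP entry is flagged because that password is usually a full SSH login. Tightening the mode closes the file to other users, not to a process that already runs as you, which is the gap between the two arguments above.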

Re: Filezilla a security risk

2012-06-28 Thread Rob Owens
On Thu, Jun 28, 2012 at 04:24:43PM -0300, francis picabia wrote:
 On Thu, Jun 28, 2012 at 12:35 PM, Shane Johnson
 s...@rasmussenequipment.com wrote:
 
 
  Please remember that FTP by nature is insecure.  All it would take is
  for someone to packet sniff the connection and they would have the
  user name and password to the account as they are transmitted in plain
  text.
 
 Yes, this is all correct.  However filezilla does sftp as well and
 SFTP session passwords are also saved in this plain text file as
 a human readable password.  That typically translates to SSH access.
 
True, but you can restrict certain users to SFTP access only.  I do
that, and I only allow SSH access with public key authentication.

 In case this is lost on anyone, we are NOT talking about sniffing, but
 drive by malware reading a plain text file on the client OS containing
 the password.
 Even if you do not check the box for saving the password, the most
 recent entered password is saved there.
 
I notice that gFTP, for example, does not seem to save any passwords
unless you 1) create a bookmark for the connection, and 2) check the
Remember Password box.  That seems like a sensible way to do it, but
you will still be at risk with an unsavvy user and/or malware on the
machine.

Malware can be in the form of a key logger, which will get anything you
type.  Unsavvy users will typically check a box in the name of
convenience, and give little thought to the security implications.

-Rob


Archive: http://lists.debian.org/20120629020026.gc5...@aurora.owens.net

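Rob's setup above, SFTP-only accounts alongside interactive SSH that accepts public keys only, as an added sshd_config fragment that is not from the thread or from any particular system; the group name, the chroot path and the decision to still accept passwords for the SFTP-only group are assumptions:

```conf
# /etc/ssh/sshd_config excerpt (added example; group and path names are assumed)

Subsystem sftp internal-sftp

# Default for everyone: public keys only. A password lifted from a
# client's config file is then useless for an interactive login.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Members of "sftponly" get a chrooted SFTP session and nothing else.
# Directives inside a Match block override the global ones for matching
# connections, so they must come after the global section.
# /srv/sftp/%u and every parent directory must be owned by root and not
# writable by group or others; give the user a writable subdirectory inside.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check the file with `sshd -t` before restarting. With this split a password recovered from a client's saved sites gives the attacker at most the chrooted file tree of that one account, never a shell or a forwarded port.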


Filezilla a security risk

2012-06-27 Thread francis picabia
I've just learned Filezilla is a security risk.  It stores saved
passwords and the last used password in a plain text file.

Malware commonly scoops up this info and hacks web sites
or shell accounts.

The developer refuses to incorporate a solution
such as master password and encryption into filezilla.

His responses in numerous bug reports and feature requests are:

1. encryption: that's the file system's job
2. don't get the malware in the first place

In my opinion, people should avoid filezilla.


Archive: http://lists.debian.org/ca+akb6e1ffrcnbv6pimavdvufobkuo7rglsbacr_7tgtuzd...@mail.gmail.com



Re: Filezilla a security risk

2012-06-27 Thread Andrei POPESCU
On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
 I've just learned Filezilla is a security risk.  It stores saved
 passwords and the last used password in a plain text file.

As do many other programs.

 Malware commonly scoops up this info and hacks web sites
 or shell accounts.

Sure.

 The developer refuses to incorporate a solution
 such as master password and encryption into filezilla.

It's his prerogative to decide what to do with his spare time :)

 His responses in numerous bug reports and feature requests are:
 
 1. encryption: that's the file system's job
 2. don't get the malware in the first place
 
 In my opinion, people should avoid filezilla.

Once your account has been compromised you must assume that any 
sensitive or confidential information accessible through that account 
has been compromised as well. Even if the passwords are stored encrypted 
on disc, at some point they have to be decrypted anyway, at which point 
they become vulnerable.

Hope this explains,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


signature.asc
Description: Digital signature


Re: Filezilla a security risk

2012-06-27 Thread francis picabia
On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
andreimpope...@gmail.com wrote:
 On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
 I've just learned Filezilla is a security risk.  It stores saved
 passwords and the last used password in a plain text file.

 As do many other programs.

Huh.  None that I run.  Perhaps your standards are, uh, different.

 Malware commonly scoops up this info and hacks web sites
 or shell accounts.

 Sure.

 The developer refuses to incorporate a solution
 such as master password and encryption into filezilla.

 It's his prerogative to decide what to do with his spare time :)

That wasn't the point.  The point is, waiting for a solution upstream
isn't what we should do next.

 His responses in numerous bug reports and feature requests are:

 1. encryption: that's the file system's job
 2. don't get the malware in the first place

 In my opinion, people should avoid filezilla.

 Once your account has been compromised you must assume that any
 sensitive or confidential information accessible through that account
 has been compromised as well. Even if the passwords are stored encrypted
 on disc, at some point they have to be decrypted anyway, at which point
 they become vulnerable.

 Hope this explains,

If you read some of the discussions about this vulnerability, there
are many stories of accounts being compromised.  I'm not talking theory,
but something happening right now on many systems.  The Filezilla
application is popular, and therefore a common target of malware.  As
some of us have to guard systems which have many users on them, this is
of interest.  It isn't my account I'm worried about.

We have to do whatever possible to reduce the size of the target to
the hacker.  In this case we advise users to uninstall Filezilla
and use something else.  Not all Windows users of FTP tools are IT savvy.
They need warnings and guidance frequently.  I passed this on so
others can reduce their threat potential.

Hope this explains...


Archive: http://lists.debian.org/ca+akb6fcyz2cv+ve4wqla_iz65kdxj+qtc4jmei5ufdphf6...@mail.gmail.com



Re: Filezilla a security risk

2012-06-27 Thread Steven Rosenberg

On 06/27/2012 04:58 PM, francis picabia wrote:
 On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
 andreimpope...@gmail.com wrote:
  On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
   I've just learned Filezilla is a security risk.  It stores saved
   passwords and the last used password in a plain text file.
 
  As do many other programs.
 
 Huh.  None that I run.  Perhaps your standards are, uh, different.
 
   Malware commonly scoops up this info and hacks web sites
   or shell accounts.
 
  Sure.
 
   The developer refuses to incorporate a solution
   such as master password and encryption into filezilla.
 
  It's his prerogative to decide what to do with his spare time :)
 
 That wasn't the point.  The point is, waiting for a solution upstream
 isn't what we should do next.
 
   His responses in numerous bug reports and feature requests are:
 
   1. encryption: that's the file system's job
   2. don't get the malware in the first place
 
   In my opinion, people should avoid filezilla.
 
  Once your account has been compromised you must assume that any
  sensitive or confidential information accessible through that account
  has been compromised as well. Even if the passwords are stored encrypted
  on disc, at some point they have to be decrypted anyway, at which point
  they become vulnerable.
 
  Hope this explains,
 
 If you read some of the discussions about this vulnerability, there
 are many stories of accounts being compromised.  I'm not talking theory,
 but something happening right now on many systems.  The Filezilla
 application is popular, and therefore a common target of malware.  As
 some of us have to guard systems which have many users on them, this is
 of interest.  It isn't my account I'm worried about.
 
 We have to do whatever possible to reduce the size of the target to
 the hacker.  In this case we advise users to uninstall Filezilla
 and use something else.  Not all Windows users of FTP tools are IT savvy.
 They need warnings and guidance frequently.  I passed this on so
 others can reduce their threat potential.
 
 Hope this explains...


So what do you recommend as an FTP client?



Archive: http://lists.debian.org/4feba789.1090...@gmail.com