3

Is it safe to use a web based FTP client? If so, when? What should I watch out for?

PyRulez
  • 5
    Clarification: do you really mean "web based file transfer"? Because FTP, in and of itself, is insecure since it transfers credentials in plain text. – Scott C Wilson Nov 23 '15 at 16:04
  • 1
    It'd help if you could edit your question to clarify what you mean by web-based FTP client. I can imagine two possible interpretations, but I shouldn't have to guess or imagine: it'd be better if you could tell us what meaning you have in mind. (One possible interpretation is that you type `ftp://...` into your browser address bar. Another is that you visit a web server and it acts as an FTP client for you.) – D.W. Nov 24 '15 at 06:27

6 Answers

8

Probably not - if you enter your FTP details into a website, you have no idea where they could end up. Furthermore, FTP is insecure anyway - any data transferred over it (including your login details) is viewable in transit in clear text. This could be between the web service and the FTP server, even if the connection to the web service uses HTTPS. In this case, you can't see what is going on, since you personally have no access to that connection.

Ideally, use SFTP, directly from your machine, or over a VPN - in either case, everything beyond the initial connection is encrypted, including credentials and data.

Matthew
8

Is it safe to use a web-based FTP client? If so, when? What should I watch out for?

It depends. A web-based FTP client is in a way like a proxy. How much you trust such a proxy depends on how much control you have over it. If this web-based FTP gateway is in your company’s network, you could probably trust it like you trust your local proxy, because the gateway is under the full control of your company.

If it is instead some random FTP gateway outside, you should not trust it, the same way you should not trust some random external proxy. Instead, you should ask yourself why the gateway is there and what their business model is. For instance, public proxies often inject advertisements into the traffic or even grab your credentials to use them somewhere else.

TRiG
Steffen Ullrich
4

Let's restate your question from:

When is it safe to use a web based FTP client?

to:

When is it safe to use FTP?

We can restate the question because if you are using regular FTP (non-encrypted), the answer is the same whether it is web based or not:

It is safe to use regular FTP when you don't care if your credentials are compromised.

It's really that simple. You could add a caveat about the FTP server and client both being on an internal network, but then you have to make the assumption that the internal network is completely secure. It's probably safer to not have to make that assumption if you care about your credentials.

TTT
0

Sure, it is as safe to use as any other random thing on the web (which is to say, actually "not very" -- but that's not the point, as you're already on the web here). But trusting it is an entirely different matter.

Your trust of any web service that you don't control is a belief-based threat/risk/reward decision. It is exactly the same as deciding to trust a proxy or not. In most cases it doesn't really matter whether you are using a proxy or not, as you also have no control over the originating source -- though it does require you now to trust a minimum of three or four entities instead of just two (the CA of the originator, the originator, the CA of the proxy, and the proxy). It's a trust decision, nothing more, nothing less.

zxq9
0

Well, actually, it doesn't really matter if you use a web-based FTP client or a desktop one as long as you trust the developers. Web-based FTP clients aren't generally less secure just because they're web-based, but you have less control over the data sent and can't see or analyze what is done with it. Any desktop app could gather your credentials the same way as a web-based one.

BUT, as already mentioned in other answers, the FTP protocol itself isn't even secure! It isn't encrypted. In other words, your login credentials are sent in plain text and hackers could easily retrieve them by, for example, a man-in-the-middle attack.

So if you really want to be secure, use the FTPS or SFTP protocol together with an open source app after analyzing its code. Another option would be using a desktop app you trust and using pcap software to see what data is sent by the application and verify it isn't sending your credentials to any other location than the server you want to connect to.

Nico Hauser
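The capture check suggested in the answer above, as an added example that is not part of the original post: it scans client-to-server payloads for readable FTP login commands and for a known secret sent to any host other than the intended server. The `Segment` type, the addresses and the password are constructed for illustration, and the payloads are assumed to have been extracted from a capture beforehand.

```python
import re
from dataclasses import dataclass

@dataclass
class Segment:
    """One client-to-server TCP payload taken from a capture (hypothetical type)."""
    dst: str          # "ip:port" the client sent to
    payload: bytes    # application bytes as seen on the wire

# FTP control commands that carry login data (RFC 959), one per line.
CRED_CMD = re.compile(rb"^(USER|PASS|ACCT) ", re.MULTILINE | re.IGNORECASE)

def audit(segments, expected_server, secrets):
    """Return (kind, destination, detail) findings for a list of Segments."""
    findings = []
    for seg in segments:
        # Readable login commands mean the control channel was not encrypted.
        for m in CRED_CMD.finditer(seg.payload):
            cmd = m.group(1).decode().upper()
            findings.append(("cleartext-ftp-credential", seg.dst, cmd))
        # A known secret in a payload bound for any other host is a leak.
        if seg.dst != expected_server and any(s in seg.payload for s in secrets):
            findings.append(("secret-to-unexpected-host", seg.dst, "redacted"))
    return findings

# Constructed sample capture (documentation addresses, made-up password).
SERVER = "192.0.2.10:21"
SECRET = b"s3cret-constructed"
SAMPLE = [
    Segment(SERVER, b"USER alice\r\n"),
    Segment(SERVER, b"PASS " + SECRET + b"\r\n"),
    Segment("198.51.100.7:80",
            b"POST /collect HTTP/1.1\r\nHost: stats.example\r\n\r\np=" + SECRET),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, SERVER, [SECRET]):
        print(finding)
```

An empty result on encrypted traffic only shows that nothing was readable on the wire; it says nothing about what a TLS session to another host contained, so unexpected destinations still need review.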
0

You might consider it safe to use a web-based FTP client when:

  • You consider the connection between the client and the FTP server safe
    • when you are fine with FTP sniffing vulnerabilities (for example, you connect over a trusted connection, like a VPN or a local network, and you trust that there are no sniffers on the way and that no device on the way is compromised, which might be hard in times when most home routers are in question...).
    • or when such a client supports FTPS or SFTP and handles certificates properly
  • You consider the web-based client safe (not disclosing any data + not vulnerable to XSS and others)
    • e.g. running on your local machine, and knowing its source, you know it does not share information with any 3rd party (i.e. outside your machine)
    • as a variation of that variant, you might consider this web-based client being implemented as a browser plugin -> again, double-check that it does not share data with any 3rd party
    • audit whether the web-based client is resistant to cross-site scripting (XSS) and other attacks against browser applications
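What "supports FTPS and handles certificates properly" looks like in a client, as an added example that is not part of the original answer: it uses Python's standard `ftplib` and `ssl` modules, and the host, user and password arguments are placeholders supplied by the caller.

```python
import ssl
from ftplib import FTP_TLS

def verified_context():
    """TLS settings that authenticate the server before credentials are sent."""
    ctx = ssl.create_default_context()           # system CA store, CERT_REQUIRED
    ctx.check_hostname = True                    # certificate must match the host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def open_ftps(host, user, password, port=21, timeout=15):
    """Log in over explicit FTPS with control and data channels protected."""
    # Passing a context matters: without one, ftplib's default context
    # does not verify the server certificate.
    ftps = FTP_TLS(context=verified_context(), timeout=timeout)
    ftps.connect(host, port)      # plain TCP connect, server greeting only
    ftps.login(user, password)    # sends AUTH TLS first, then USER/PASS inside TLS
    ftps.prot_p()                 # encrypt the data channel too (clear by default)
    return ftps

if __name__ == "__main__":
    ctx = verified_context()
    print(ctx.verify_mode, ctx.check_hostname, ctx.minimum_version)
```

A certificate that fails validation raises `ssl.SSLCertVerificationError` during `login()`, before any credentials leave the machine.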