
One of my hosting providers still just offers FTP access to the server...

  • Is authorisation safe (i.e. resistant to network sniffing) despite the content of the transmission being plain text?
  • Is it possible to hijack such an FTP session?

When it comes to content, I only upload resources that are available publicly, and any auth keys used by the websites are strong salted hashes, so network sniffing of content is not my concern. What I am afraid of is whether network sniffing could allow others to gain unauthorised access. I am not sure what FTP authorisation mechanisms are possible and how to check which one a given server is using.

To make the question/answer complete for the reader, am I correct that such an FTP connection would still be vulnerable to a man-in-the-middle attack and session hijacking?

Anders

1 Answer

The authorization with FTP is a plain-text username and password, and there is no protection against passive sniffing.

FTPS (FTP over TLS, not to be confused with SFTP, which is file transfer over SSH) offers protection against sniffing. But many FTP clients don't check the TLS certificate properly, or let the user easily skip the check, and thus can be vulnerable to active sniffing (man-in-the-middle attack).

Classical session hijacking as known from HTTP is not a problem here because there is no such kind of session. It is still possible to hijack the underlying TCP connection. But this needs an active man in the middle and works only with plain FTP, in which case using passive sniffing to get the password would be the much simpler attack.

Steffen Ullrich
  • So it seems like me suggesting the provider offer `sftp` or `ftps` (or the obscure way: a `vpn` to pass `ftp` over) is the only way. (Yes, they do not provide an ssh account, so I could not do ssh tunnelling...) – Grzegorz Wierzowiecki May 16 '16 at 08:13
  • To confirm. Is following fair summary of your answer? : Yes, sniffer gains all authorization details, so attacker can later own account. – Grzegorz Wierzowiecki May 16 '16 at 08:17
  • @GrzegorzWierzowiecki: correct, with passive sniffing the attacker gets all credentials to own the account. – Steffen Ullrich May 16 '16 at 08:19
  • Thank you ! I hope this question/answer will be helpful also to other readers -> (cross-linking:) http://security.stackexchange.com/q/123413/4077 – Grzegorz Wierzowiecki May 16 '16 at 08:26
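An added example of what the answer describes (my code, not from the question, answer or commenters): a passive sniffer only has to read the control channel to pick USER and PASS out of a plain FTP login, while a session that upgraded with AUTH TLS before USER gives it nothing readable. It also covers the question's "how to check which mechanism a server uses" by parsing the FEAT reply, and shows an ftplib client that actually verifies the server certificate, which is the check the answer says many clients skip. The two captures, the FEAT replies, the account name and the password are all constructed here; the TLS bytes are a stand-in, not a real handshake; and `ftps_login` needs network access, so it is only defined, not run.

```python
import ssl
from ftplib import FTP_TLS

# Constructed transcript of a plain FTP control channel, reassembled the way a
# passive sniffer on the path would see it. Server replies start with a
# three-digit code; the other lines are the client's commands. The account
# name and password are made up.
PLAIN_FTP_CAPTURE = (
    b"220 FTP server ready.\r\n"
    b"USER alice\r\n"
    b"331 Password required for alice\r\n"
    b"PASS correct horse battery staple\r\n"
    b"230 User alice logged in\r\n"
    b"PWD\r\n"
    b"257 \"/\" is the current directory\r\n"
    b"QUIT\r\n"
    b"221 Goodbye.\r\n"
)

# Same login against a server that supports FTPS (explicit TLS, RFC 4217): the
# client upgrades the control channel before sending USER, so from here on the
# sniffer sees only TLS records. The trailing bytes are a constructed stand-in
# for the start of a ClientHello, not a real handshake.
FTPS_CAPTURE = (
    b"220 FTP server ready.\r\n"
    b"AUTH TLS\r\n"
    b"234 AUTH TLS successful\r\n"
    b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03\x9a\x1f"
)

# Constructed FEAT replies (RFC 2389): each advertised feature sits on its own
# line, indented by one space, between the "211-" and "211 " lines.
FEAT_WITH_TLS = b"211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n UTF8\r\n211 End\r\n"
FEAT_PLAIN_ONLY = b"211-Features:\r\n MDTM\r\n SIZE\r\n UTF8\r\n211 End\r\n"


def extract_credentials(control_stream: bytes) -> list[tuple[str, str]]:
    """Return every (user, password) pair sent in clear on an FTP control
    channel. Nothing after a successful AUTH TLS is readable, so on an FTPS
    session this returns an empty list."""
    creds = []
    pending_user = None
    for line in control_stream.splitlines():
        if line.startswith(b"USER "):
            pending_user = line[5:].decode("utf-8", errors="replace")
        elif line.startswith(b"PASS ") and pending_user is not None:
            creds.append((pending_user, line[5:].decode("utf-8", errors="replace")))
            pending_user = None
    return creds


def advertised_features(feat_reply) -> set[str]:
    """Parse a FEAT reply (bytes, or the str that ftplib's sendcmd returns)
    into the set of advertised feature strings, e.g. {"AUTH TLS", "PROT"}."""
    if isinstance(feat_reply, str):
        feat_reply = feat_reply.encode("utf-8")
    features = set()
    for line in feat_reply.splitlines():
        if line.startswith(b" "):          # feature lines are the indented ones
            features.add(line.strip().decode("utf-8", errors="replace"))
    return features


def server_offers_tls(feat_reply) -> bool:
    """True if the server advertises explicit TLS on the control channel."""
    return "AUTH TLS" in advertised_features(feat_reply)


def ftps_login(host: str, user: str, password: str) -> FTP_TLS:
    """Open an FTPS session that verifies the server certificate.
    create_default_context() turns on CERT_REQUIRED and hostname checking; a
    client that skips that lets an active attacker present its own certificate
    and read the password (the man-in-the-middle case from the answer).
    Needs network access, so it is not exercised here."""
    ctx = ssl.create_default_context()
    ftps = FTP_TLS(host, context=ctx)
    ftps.auth()        # AUTH TLS: encrypt the control channel before USER/PASS
    ftps.login(user, password)
    ftps.prot_p()      # PROT P: encrypt the data connections as well
    return ftps


if __name__ == "__main__":
    print("plain FTP capture leaks:", extract_credentials(PLAIN_FTP_CAPTURE))
    print("FTPS capture leaks:", extract_credentials(FTPS_CAPTURE))
    print("server advertises AUTH TLS:", server_offers_tls(FEAT_WITH_TLS))
```

To check a real server without logging in, connect with `ftplib.FTP(host)` and pass the result of `sendcmd("FEAT")` to `server_offers_tls`; a server that only answers with plain features (or rejects FEAT) forces the password across the wire in clear, which is exactly the passive-sniffing case the answer describes. Note that even a server advertising AUTH TLS does not help if the client is configured to accept any certificate.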