
Recently, an increasing number of people have started advising moving away from FileZilla. However, the only reason I can see for this is that FileZilla stores the connection information in a completely unencrypted form, but as Mozilla says, surely it is the job of the operating system to protect the configuration files?

So, is there any other reason why I should no longer use FileZilla, as I've never had any problems with it? Somebody mentioned to me that the way it works isn't secure either, but I think they were just getting confused over the fact that FTP transmits passwords in plain text anyway.

Adi
Andy
  • Which people are advising this? – bgvaughan Jul 24 '13 at 02:42
  • @bgvaughan I don't know specifically, but I've had family members tell me they've read it on blogs, and I've read a few forum posts myself. – Andy Jul 24 '13 at 10:41
  • FileZilla itself isn't bad (it's a crap piece of software, but security-wise it supports SFTP, so it's fine), but FZ often goes hand in hand with FTP, a protocol that is definitely insecure. –  May 21 '15 at 16:38

7 Answers

FileZilla per se isn't inherently insecure. Yes, it's storing passwords in plaintext, but the alternatives are only slightly more secure. You see, encrypting the credentials requires an encryption key, which needs to be stored somewhere. If malware is running under your user account, it has as much access as you (or any other application running at the same level) have. That means it will also have access to the encryption keys, or the keys encrypting the encryption keys, and so on.

Your best option here is to disable password storage in FileZilla:

(image: disable-password-save-filezilla)

Then start using KeePass to store your account credentials. There are also many guides on the Internet about how to integrate KeePass with FileZilla. Doing this, you're storing the encryption key somewhere malware doesn't have access to: you're storing the encryption key (or rather, the password from which the encryption key is derived) in your brain.

Finally (and perhaps this is a bit outside the scope of your question), please make sure you move away from FTP in favor of SFTP.

Adi
  • Thank you for your answer - I thought this would be the case. I just wanted to check that FileZilla wasn't doing anything else that was compromising my security. As for moving away from FTP, I have that covered, thank you. – Andy Jul 22 '13 at 13:02
  • Nice answer, but the KeePass solution provided by this link doesn't work anymore with FileZilla v3.9.0.5 (auto-type doesn't work because the credentials input form is now different). To make it work, I had to use command-line options in the KeePass URL to open a Site Manager site with "ask password" and a tuned auto-type. – xav Oct 16 '14 at 20:41

Unless your alternative has an option where you need to provide a password (which is used to encrypt your settings containing IPs and credentials), I don't see why you would need to migrate away.

If you are migrating from one application to another, you need to be sure why (in detail) the new application is better than the previous one.

Lucas Kauffman
  • Thanks for the answer, basically what I thought. So would you actually recommend anything over FileZilla? – Andy Jul 22 '13 at 13:03
  • I use FileZilla but I don't save my passwords in there; like Adnan says, you are better off using a password manager. If you trust your OS enough (for instance if you are using full disk encryption and no one else has access to your machine) then you might be OK as well (although I wouldn't store any passwords for super critical production machines in it). – Lucas Kauffman Jul 22 '13 at 13:05
  • OK, thanks for your reply. I think this is what I will do too (password manager solution). – Andy Jul 22 '13 at 13:14

I think one of the main reasons people advise moving away from FileZilla is clearly the fact that passwords are stored as plain text and thus easily stolen. FileZilla's bad reputation began some years ago when some malware began to target FileZilla specifically. Using critical flaws in third-party software (namely Flash and Acrobat Reader), this malware was able to steal the XML password file FileZilla uses to store the passwords. Most of the time, the malware was eradicated and cleaned in a few seconds, but the data was already stolen. These stolen credential files were then handled by a very complicated zombie botnet, which connected to each and every FTP server contained in the file, scanned it, then propagated malware into every index.html/php file found on these FTP servers. In less than 2 hours, all the FTP websites stored in FileZilla were infected. At the time, the process was very well documented by some victim webmasters.

Probably thousands of webmasters, and tens of thousands of websites, were infected because of this. Many, many complained about the fact that the passwords were not encrypted.

The second reason people advise moving away from FileZilla is the reaction of the developer team: instead of adding this feature, they just refused every argument, either pushing the responsibility back onto badly secured systems or claiming that encrypting passwords would not change anything, that it was the system's responsibility to secure data.

So for now, if you still want to use FileZilla (which is a good FTP client), you really should consider disabling all password-storing options and using a third-party tool like KeePass. It's a bit of a pain in the * but it's safer. You may even find bonus advantages with KeePass, because you'll have a tool to centralize cross-protocol credentials in a safer way.


It may be because they recently made deals to start bundling malware with their downloads, and one of their developers has given people a really bad attitude, claiming things from "it's not malware" to "it's not his decision" to quips like "you can choose not to install it" once you first install the malware-laden installer.

https://forum.filezilla-project.org/viewtopic.php?t=30240

It could be the passwords stored in plain text, but I really doubt that's as much of an issue to the security crowd as bundling malware in the installer, adding options that poorly nuke all your passwords in the Quickconnect bar, and the recent poor attitude towards people trying to complain about these recent-ish changes. The attitude seems to be that you can always opt out of the malware install options if you know what you're doing, once you download the malware-laden installer.

informit
  • The **adware** is bundled with the installer offered by SourceForge. You can still download the unbundled installer from FileZilla's servers by clicking "Show all download options". – Adi Oct 17 '13 at 06:59

FileZilla does come with malware now, and the developers are aware and probably getting money from it.

Search for "FileZilla PremierOpinion" on Google or read any of the MANY threads on FileZilla's forum:

https://forum.filezilla-project.org/viewtopic.php?t=31967&start=30
https://forum.filezilla-project.org/viewtopic.php?t=30240

The developer keeps saying that you have the option to opt out, but the installer is CLEARLY designed to misguide people. I work in the tech industry (so I am generally aware of security concerns) and I got fooled, like countless others. It was also my first experience of malware on Macs.

I will never use FileZilla again. Even if you can "opt out", this is clearly designed to fool the users, and worst of all the developer is just copy-pasting a dishonest reply on FileZilla's forums. So even if the software might still work, I will never accept the attitude of the developer. The issue is not trying to monetize your work. The issue is trying to fool your users.

schroeder
Jonh

I'm using the portable version 3.16.1 and the passwords are encrypted. Once the data file is in a different directory than usual (e.g. a portable disk) and all passwords are encrypted, it is sufficiently safe for me.

schroeder

Regarding the issue mentioned by Adi about passwords being stored in plain text, it's good to know that since version 3.26.0-rc1 (2017-05-25), FileZilla has supported encrypted passwords protected by a master password. Hence, there is no reason to say that FileZilla is less secure than other FTP clients.

See the development diary entry.

To change that setting: Edit > Settings > Password > ...

DecimalTurn
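The point Adi's answer makes (a key stored next to the config file protects nothing from code running as the same user, whereas a key derived from a master password lives only in the user's head) and the master-password feature DecimalTurn's answer mentions can both be shown with a small credential store. The following is an added example written for this page, not FileZilla's code or any answerer's: the record layout, field names and iteration count are assumptions, FileZilla's real sitemanager format is not reproduced, and HMAC-SHA256 in counter mode stands in for a proper cipher only so the script runs on the standard library alone (a real client would use AES-GCM or a similar AEAD).

```python
# Added example (not FileZilla's or the answers' own code): a minimal
# master-password-protected credential store. Layout, field names and
# the PBKDF2 cost are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000   # assumed cost; raise it for real use
KEY_LEN = 64                  # 32 bytes for the keystream PRF, 32 for the MAC


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password into two independent keys.
    Nothing key-like is written to disk: only the random salt is stored."""
    raw = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)
    return raw[:32], raw[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect_password(master_password: str, password: str) -> dict:
    """Encrypt-then-MAC a site password under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return {"encoding": "master", "salt": b64(salt), "nonce": b64(nonce),
            "ct": b64(ct), "tag": b64(tag)}


def reveal_password(master_password: str, record: dict):
    """Return the plaintext, or None if the master password is wrong or the
    record was tampered with (the tag is verified before anything is decrypted)."""
    salt, nonce, ct, tag = (base64.b64decode(record[k])
                            for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def site_entry_plaintext(host: str, user: str, password: str) -> str:
    """The old behaviour: the secret is readable by anything that reads the file."""
    return json.dumps({"host": host, "user": user, "pass": password})


def site_entry_protected(host: str, user: str, password: str, master: str) -> str:
    """Same entry, with the password replaced by an encrypted record."""
    return json.dumps({"host": host, "user": user,
                       "pass": protect_password(master, password)})


def password_visible_in_file(serialized: str, password: str) -> bool:
    """Audit check for your own config: does the entry expose the password verbatim?"""
    return password in serialized


if __name__ == "__main__":
    master = "correct horse battery staple"          # constructed sample
    plain = site_entry_plaintext("ftp.example.test", "webmaster", "s3cret!")
    prot = site_entry_protected("ftp.example.test", "webmaster", "s3cret!", master)
    print("plaintext entry exposes password:", password_visible_in_file(plain, "s3cret!"))
    print("protected entry exposes password:", password_visible_in_file(prot, "s3cret!"))
    print("wrong master password ->", reveal_password("wrong", json.loads(prot)["pass"]))
    print("right master password ->", reveal_password(master, json.loads(prot)["pass"]))
```

The design choice worth noticing is that the protected entry carries a salt, a nonce, a ciphertext and a tag, but no key: anything that can read the file still has to guess the master password, which is exactly the difference Adi describes between "key on disk" and "key in your brain". Disabling password storage and using KeePass, as the top answer suggests, moves the same master-password step into a separate tool.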