Opened 10 years ago

Closed 10 years ago

#9468 closed Bug report (duplicate)

encrypt websites data, irrespective of application password

Reported by: raanan barzel Owned by:
Priority: normal Component: FileZilla Client
Keywords: password, encryption Cc:
Component version: Operating system type:
Operating system version:


Five years ago (Ticket #4565) this request was rejected, with the conclusion "On a secured computer plain text passwords are secure".

There is no such thing as a secured computer, and recent events prove this without doubt.

If you trust your door lock, then you may conclude that you dont need to lock drawers, but in reality you do: you are protecting at different levels; you may want your kid not to have access to the drawer but you still give him a key to your house. The drawer lock may not be foolproof, but it does deter from prying.

Website data needs a drawer-level security.

Stating that "A (security) chain is only as strong as its weakest link" does not mean that making things more difficult to an intruder is useless.

I wish the developers take a different stand on this issue. Until then, I will replace FileZilla with a client more respectful of this point of view.

Bye FileZilla.

Change History (5)

comment:1 by Alexander Schuch, 10 years ago

Resolution: duplicate
Status: newclosed

This is still an open feature request as requested in #2935.

comment:2 by raanan barzel, 10 years ago

Resolution: duplicate
Status: closedreopened
Summary: encrypting site dataencrypt websites data, irrespective of application password

This request is not a duplicate of 2935: 2935 asks for a password for the application, while this request asks for the encryption of the websites data, to protet from network intruders.

At least one Windows ftp client stores that data in a way so that it is not easy to locate or understand, and that is what I would like FileZilla to do, so that I could use the same (FileZilla) ftp client with confidence on Windows, Linux and Osx. The application password is a different matter.

comment:3 by Alexander Schuch, 10 years ago

Status: reopenedmoreinfo_reopened

I don't get it. You either need to provide a password (master password - #2935) or use the OS for that - #5530. If FileZilla just encrypts the password using a constant key, anyone who has the file can decrypt it. There is no secret. FileZilla is FOSS (open source).

So what exactly do you mean?

comment:4 by raanan barzel, 10 years ago

Status: moreinfo_reopenedreopened

Right now you dont need even to use the application to get to the information, the xml is there for anyony to see. I just want to make things a little less conspicuous.

Evidently, an application password would be the ultimate solution.

comment:5 by Alexander Schuch, 10 years ago

Resolution: duplicate
Status: reopenedclosed

So this is a duplicate of #2935. Without a (user-provided) master password, the file just "looks safe", even though it is just another plain text representation.

Note: See TracTickets for help on using tickets.