I want to know if using FTP or SFTP compromises security

July 13, 2012 at 10:57:08
Specs: Windows XP home sp3, 3.209 GHz / 3327 MB
I have been setting up an FTP client, FileZilla_3.5.3 in fact, to enable myself to share large files with others. The plan in my case is using the large unused space on my website, hosted by Network Solutions, to make folders not linked to the site itself, so they are not accessible to site visitors, as a holding place I would upload or download files to. I would get the intended recipient of the files to install the FileZilla_3.5.3 client on their end. I set up, via Network Solutions Web Hosting, an FTP account for the recipient, including establishing a user name and password. On the phone I talk the recipient through making a login profile via FileZilla's Site Manager. They then can open FileZilla, easily launch this login profile, which I plan to set up using SFTP, upload or download files, log out and bingo.

The reason I am asking this question is one of the persons I want to get this working with works for a large corporation that for obvious reasons is concerned with Malware. My friend says or believes he had heard that FTP can bypass Firewalls and resident Anti Virus protections and allow Malware into his computer. In fact he tells me that files that I have checked for Malware before sending could be compromised while sitting on the web server and still make it into his computer.

I asked a rep. at Network Solutions about the state of files sitting on their server; he told me they sit there encrypted. How encrypted? I don't know. I am choosing to use the SFTP method as I understand some parts of a transfer using FTP remain unencrypted, such as user name and password. He only cautioned me that if I use SFTP, the recipient may need to allow this connection in the Firewall. Doesn't sound too much of a problem to me.

The question is, is my friend right to be concerned, and thus should I be concerned, and if so, what measures can be taken to prevent this possible security hole? I know Anti Virus programs can be dumbed down, as well as Firewalls, via Exceptions being established, etc.

I have told him I use winMd5Sum from time to time to assure I have identical files. I told him I could use this as a way to assure him that, say, a large .zip file made it through the system ok.

In fact I am not sure if an unencrypted .zip file containing Malware is even able to cause problems while still zipped. If Malware is nicely held in check prior to unzipping, I imagine an AV check of it, by the recipient, could uncover the demon. Is that so?

Well it doesn't end there with my friend. He, as well as you and I, know of VERY sneaky Malware out there that he would STILL be concerned about.

His computer is Windows 7 using McAfee AV and the Windows Firewall. I use on my end a Windows XP home sp3 machine using Microsoft Security Essentials AV and Windows Firewall. As an ace in the hole I have the Free version of Malwarebytes Anti-Malware loaded.

When I scan for files to send, I open Malwarebytes to do a manual update of the definitions, then close it. Nicely both MSE and Malwarebytes appear in the right click context menu to allow me to quickly scan selected files of concern to be sent.

Sorry I was a bit verbose on this question but have seen more than once you experts out there often have to keep asking questions of the questioner to get needed info to answer a question!

With respect, I look forward to your comments on this issue including references to where this issue may have already been well vetted.


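As an added illustration (not from the thread, and not part of FileZilla or winMd5Sum), this is how the checksum comparison mentioned above can be automated: the sender writes a digest manifest next to the files, and the recipient checks every downloaded file against it after the SFTP transfer. It uses SHA-256 rather than MD5, because MD5 only catches accidental corruption and not a deliberately substituted file; the file names and contents below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so multi-GB .mp4/.zip files never have to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algorithm="sha256"):
    """Sender side: write 'digest  filename' lines, the layout sha256sum/md5sum tools use."""
    lines = [f"{file_digest(p, algorithm)}  {Path(p).name}" for p in paths]
    Path(manifest_path).write_text("\n".join(lines) + "\n")
    return lines


def verify_manifest(manifest_path, directory, algorithm="sha256"):
    """Recipient side: return {filename: ok} for every manifest entry.
    False means the file is missing or its bytes differ from what the sender hashed."""
    results = {}
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        expected, name = line.split(maxsplit=1)
        local = Path(directory) / name
        results[name] = local.is_file() and file_digest(local, algorithm) == expected
    return results


def demo():
    """Constructed scenario: two files go out, one arrives truncated."""
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as r:
        sender, receiver = Path(s), Path(r)
        (sender / "sky.mp4").write_bytes(b"\x00\x01" * 5000)        # stand-in for the time-lapse video
        (sender / "docs.zip").write_bytes(b"PK\x03\x04" + b"x" * 100)  # stand-in for a client .zip
        manifest = sender / "SHA256SUMS"
        write_manifest([sender / "sky.mp4", sender / "docs.zip"], manifest)
        # Simulated transfer: the zip arrives intact, the video loses its last byte.
        (receiver / "docs.zip").write_bytes((sender / "docs.zip").read_bytes())
        (receiver / "sky.mp4").write_bytes((sender / "sky.mp4").read_bytes()[:-1])
        return verify_manifest(manifest, receiver)


if __name__ == "__main__":
    print(demo())  # {'sky.mp4': False, 'docs.zip': True}
```

The manifest itself should travel by a channel the recipient trusts (read out over the phone, or sent separately), otherwise anyone who could alter the files on the server could alter the manifest to match.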

July 15, 2012 at 11:34:18
I never used FileZilla, but you said that you are going to use a client on your end & your friend will also have the same client on his end. Doesn't a server (daemon) have to be on your end, to listen for connections? A client only requests connections.

How do you know when a politician is lying? His mouth is moving.


July 15, 2012 at 18:48:08
guapo, you are absolutely correct, FileZilla Client on both ends.

The way I intend to use it is: One end opens FileZilla Client and connects to the hidden folder on my web site, uploads file(s), disconnects and closes FileZilla. A phone call or email is made to the recipient saying 'I sent you something via FileZilla'. They then open their FileZilla Client, set up to connect automatically to said folder at my web hosting site, finds file(s), downloads to their selected location, disconnects and closes FileZilla Client. (I or they will likely also delete the file(s) on the host at some point when we know the transfer was successful.)

FileZilla also has a Server version that, according to my conversation with a Network Solutions rep., was not needed to do what I want. I have tested with just the Client at both ends and it does the job I want, as I just described.

Possibly related to Client vs Server versions, my cautious friend made this comment in one of his emails to me:

"I read where these FTP programs can be used to invade your computer. Can you refuse to accept FTP? Is the "put" command disabled? I doubt it. Thus you enable others to PUT on your machine if the program leaks so to speak."

Not knowing what a PUT command is in an FTP program, I went to the FileZilla help site, that launched when I selected menu item Help->Getting Help from within the running FileZilla Client, and selected 'Frequently Asked Questions'. Once there, I entered "put" into its search box at the left of the screen. Result, five items, nothing about any 'put command'.

Could have gone further, but my gut feeling was this sounded like something a Server version would be more likely to be up to. I already know the Client version at both ends does what I want. With many other questions, I decided to make this broader post.

Maybe you or others could also clarify the FTP Server vs Client issue a bit as well, not to mention what this 'put command' is about.

Somehow I am getting the notion that a Server version would allow a continuous connection or something. (??)

Hopefully, with the help of you experts out there, we could make this post a one stop visit on using and learning FTP, and safely! Thanks in advance.


July 16, 2012 at 13:16:24
A server does not allow a constant connection. I have an in-house FTP server, on my own network & that connection times out pretty quickly, if it stays idle. The put command is saying send.

As I said, the server answers requests from the client. I never used FileZilla, but I don't know how the connection would be made to the "hidden folder" on your machine. Are you going to use file sharing & port forwarding, or are you going to use Go To My PC?




July 16, 2012 at 23:45:42
guapo, thanks for your response and questions. My reply may be a bit wordy but will add a little background as to why I am even trying to use FTP in the first place for passing files to and from friends and clients.

I can do the file transfers via the method in my previous discussion, due to the fact I have a web site, in my case, hosted by Network Solutions. My web hosting package allows me to have a web site as large as 300GB. My site currently is very small, less than 0.1GB. Since I made my, very primitive, site on my computer, I used FTP to upload it and to make changes to it.

As it turned out, Network Solutions has a web hosting feature called SpaceManager that allows me to make folders that are made near but not in my web site that I could upload and download files into via their https interface. I would then initiate an invitation from within this SpaceManager Network Solutions program to the intended recipient via email. Once the recipient opens the email, it allows them to create a password, provides a URL, and allows them access to the folder(s) I allowed them to have read/write access to. Their User ID is automatically their email address.

I am going to keep this short because two issues came up using SpaceManager. One I could deal with; the other was a show stopper that resulted in numerous back and forth service contacts that never resolved. The first issue was the total size of all files was limited to a few GB. The second was my uploads would hang: small files seemed to work, files over about 50MB rarely worked. So a 460MB .mp4 file I made from my time-lapse sky photographs never made it. They finally told me my computer must have an issue. Then a client of mine sent me two 50MB .zip files via SpaceManager. When accessing them via the SpaceManager interface, one successfully downloaded but the other failed on two tries! So downloading became an issue as well.

Back to the phone with Network Solutions. Finally they came up with the FTP solution. They list two suggestions of FTP programs on their web site. One is a 30-day free trial for SmartFTP and the other the totally free FileZilla. I already had an FTP User Account set up so I could update my website. My hosting package allows me to make up to 25 FTP User Accounts.

First I installed FileZilla and created a stored logon, using my already established FTP User Account to access my entire web hosting area. Bingo. Not only was I able to access my web site but also the folders made by SpaceManager! The first thing I did was download the file that failed to download in SpaceManager. Flawless and intact!

Next I found out, from a very helpful rep. at Network Solutions, that there was no problem at all utilizing unused space in my web site area to upload and download whatever I want in the same manner as I would maintaining my web site. He talked me through creating another FTP User Account that limited access to only one folder in my web site area. In fact once I specified the path to a nonexistent folder on my web site, it actually created the folder for me! Creating an FTP User Account also required me to make an FTP User ID and Password, as well as specify read/write privileges. In this case the default privileges allowed read and write, which is what I wanted. Since the new folder is not linked to from any of my web site pages, it would not be accessible or seen by web site visitors.

To make this work I need to get my friend at the other end to download and install FileZilla Client (or other FTP Client) and talk them through on the phone how to set up a canned logon. In the case of FileZilla I have them do File->Site Manager, when the dialog box opens, they click on 'New Site'. In the General tab I have them enter for Host my FTP Server/Host Address, leave the Port blank, for Protocol have them select SFTP, select Logon Type 'Normal', for User I have them enter the FTP User ID I made for them and the same for the Password. They click OK, and bingo they have a canned logon. I think somewhere in there they name what their canned logon is called.

So far I have not made any changes in the other three tabs in the Site Manager. Also selecting Logon Type as 'Normal' was a guess on my part, but seems to work. In the interest of making this most secure, I am interested if other selections would be better choices on the other three tabs as well as the Logon Type.

My friend at his end opens FileZilla, drops down the box at the left end of the tool bar, selects the canned logon and it just logs them in to the specified folder I made for them on my web site. No PUT command, just upload and download.

guapo, I don't know what 'Go To My PC' is. And file sharing seems to not be any issue with the procedure I just described.


July 17, 2012 at 10:17:35
At first, it sounded as if you wanted to host the SFTP server on your home machine, but since it's on the web server, SpaceManager is acting as the server. That's what was missing from the big picture. It sounds fairly secure at this point unless there is a trojan on your friend's machine. Otherwise, it should be okay.



July 17, 2012 at 19:37:44
guapo, SpaceManager is a file sharing application at Network Solutions that I can use because I am hosting my web site with Network Solutions. Did you mean to say Network Solutions when you said SpaceManager?

As I mentioned in my #4 post, Network Solutions SpaceManager application was failing me. Also its limit of I think 2GB would limit me. I am using Adobe Lightroom to render .mp4 videos of my photos. The largest I have made is about 1GB so far at about 30 min. As you know a 1.5 hour video can exceed 4GB.

My 299.9GB of unused web space will go a long way to resolve this issue but cannot be utilized by SpaceManager even if it did work. Only FTP Clients at both ends can make this work.

Thanks, guapo, for getting back to me. I am hoping you follow up and say you did mean Network Solutions!


July 17, 2012 at 20:02:20
guapo or anyone else, I am dying to know if a resident anti virus program, properly set up, is able to scan downloading data from an FTP Client, as it is arriving.

Also I am dying to know if malware contained inside an unencrypted .zip file can do any harm while the .zip file has not been unzipped yet. The gist of this question addresses the safety of a .zip file arriving, in any manner, on one's computer prior to anti virus checking. If malware is unable to function in an unzipped .zip file, it could be scanned prior to unzipping. Is this true or not? Anyone?


July 18, 2012 at 13:59:07
Anti Virus programs only know what they are told, through updates. If a new virus is released today & it's sent to you tomorrow, it won't be in the updates. Therefore, your machine is not protected.

Malware sent in a zip file won't run until the file is opened or its contents run, depending on the type of malware it is. It can be scanned, but the same theory that I mentioned before applies.


