Tag Archives: SSH File Transfer Protocol

Which is the best up-to-date FTP client to use?

If you’re a heavy user of the File Transfer Protocol (FTP), for example more than once a week and more likely on a daily basis, then how do you go about choosing your FTP client?

I’ve pulled up three very recent articles today on the most up-to-date rollouts and feature sets of FTP clients; hopefully they can help you determine which one suits your needs best, whether you are a Mac OS user, a light user like myself, or a heavy user familiar with the Linux/Unix command line.

FileZilla 3.7.0 improves FTP performance


From betanews.com – Today’s news

Open-source FTP client FileZilla 3.7.0 and FileZilla Portable 3.7.0 have both been released. The new build now allows users to view the total transfer speed as a tooltip over the transfer indicators, and replaces the deprecated term SSL with TLS.

Juliana Payson‘s insight:

There are a lot of FTP client programs available to choose from for transferring files, but one that stands out from the crowd is “FileZilla”, which is an FTP client that works on any operating system. It was started as a computer science project by Tim Kosse and two classmates. They decided to release the code for public use, and they licensed it. There have been minor updates to the software today that improve its security. Continuous rollouts like this from FileZilla, I’ve noticed, make it a big choice of comfort for users like myself who probably use FTP clients no more than once a week.

If you’re looking for something a little more in-browser friendly, since you may already be maxing out processor usage with high tech desktop client software, then maybe FireFTP is the client for you.

 

FireFTP is a Powerful Firefox FTP Client You Can Use in Your Browser


From www.makeuseof.com – 3 days ago

If you’ve ever done any sort of web management, then you’ve probably used FTP at some point or another. Most web hosts will have a primitive file uploader that you can use straight from your browser, but those are often a pain in the butt to use.

Juliana Payson‘s insight:
FireFTP doesn’t skimp on its feature set, which makes it a strong and viable alternative to other clients like WinSCP and FileZilla.

I used to be a big user of Firefox, and am also now inclined to use more cloud-hosted software that can run from my browser, opening up more of my laborsome laptop to more serious software applications. This seems like a great idea to me, except that I haven’t yet found a viable alternative for users that have switched over to Chrome. Please let me know if you find one!

In the meantime, here are some awesome tips for Mac OS users:

Options for file sharing via SSH in OS X



From reviews.cnet.com – 10 months ago

Apple’s Remote Login feature in OS X can be used for securely transferring files using several protocols. Read this article by Topher Kessler on CNET.

Juliana Payson‘s insight:

Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. Topher presents a handy guide with screenshots to show you how you can access your server through the SFTP protocol. As with the SFTP protocol, using the command line to establish the connection may be cumbersome, but fortunately there is a tool called “Macfusion” available that can be used to store common server settings.

Please point me in the direction of your favorite FTP clients in the comments below. – Juliana

 

 

 

The Case Against FTP & for SFTP

 


FTP (File Transfer Protocol) clients are standard parts of many web hosting packages. We even have them in ours. Host services include FTP because people are looking for it – but it’s not necessarily the best tool to use for your site. The reason it’s a questionable protocol is simple, as is switching to a replacement solution, SFTP (Secure File Transfer Protocol). All this will be discussed below.

For this article, I looked at various pieces from around the web, including “Why You Need to Stop Using FTP” from JBDFu.com, “Security Issues in FTP” from raditha.com, “FTP, SFTP and FTP/S” from InformIT, and “Backdoor (computing)” from Wikipedia.

FTP is not all bad. It is built on TCP, so it checks for errors and monitors for integrity. However, the basic problem with FTP is that it does not have the same security as SFTP does. We spoke similarly, in a recent blog post, about SSH (Secure Shell), another way to interact between machines securely. It’s common sense that choosing less secure methods to communicate and transmit data is suspect … well, depending on what you’re doing.

FTP has good company in sending data out in the open. Other protocols that send unencrypted data are POP, IMAP, and Jabber. All things equal, though, secured is better than unsecured, right? After all, regardless if or how someone might use your data, isn’t there a creepiness factor about someone looking at your stuff?

Speaking of your “stuff,” maybe this is a good way to put it: Sure, leave your windows and blinds open sometimes if you like. But when the real gets real, when you’re having a private conversation with your divorce lawyer or making babies with your wife (hopefully in the reverse order) and all your “stuff” is out in the open, secure the perimeter. Simply put, FTP is peeping-Tom friendly, and SFTP is not.

What FTP Has in Common with Telnet

OK, the JBDFu.com piece gives a pretty clear understanding of why straight-up FTP is not preferable. It was invented in the early 70s. Oh, the 70s. They were a blissful time, when all we had to worry about was … our clothes and how we were painting our walls and designing our homes and buildings. We didn’t have any time to think there might be kill-bots trying to steal all our information and our souls if we freely streamed data between two points. Passwords, anyone? Who gives a s%$&, nobody wants it.

OK, so quick review of Telnet entitled

Telnet: A Magical Program that You are Bound to Love Forever!! Hurray for Telnet!!

OK well, I don’t know what the point of the title is, but Telnet … [sound of my throat clearing] Telnet is thirty years old. It’s outdated. It has the same unsecured problem that FTP does. Let’s talk about the unsecured issue within FTP in further detail.

Enter SSH

OK, so Telnet, mid 70s, no encryption. In the mid-1990s, people started switching over to SSH (Secure Shell). In other words, Telnet was recognized as being an inferior technology, and we moved on. Somehow FTP has stuck. It’s an established standard. There are tutorials all over the place telling us to use an FTP client to do such-and-such. Ideally, we don’t want to transfer or access files with FTP, though, because it has the same issues as Telnet re: security.

“Use an FTP client to do this.” “Use an FTP client to do that.” Everybody’s saying it to us all the time. It’s not an accident. You know why? Do you? Really, you do? I doubt you do. Are you sure? You think you know why? You do? Hm, we seem to be talking in circles. Lean your head toward me so I can whisper it to you in case a military surveillance aircraft flies by. “I often use this technique to allow me to whisper to people. It’s a really disgusting habit.” You heard it here first.

What’s wrong with FTP? It means well.

Basic issues with FTP:

  • Passwords 4 Free: It doesn’t encrypt passwords during transmission. What’s the point of a password if it’s not encrypted for transit? Seems kinda pointless. Like you lock the door and then leave your key under the mat. The protocol only allows the server to process login details as plain text. Partially due to this, the root account of a server typically is not usable for FTP or Telnet (which, again, has the same issues).
  • Data Free-for-All: Data transmission is not encrypted. Now, this does not necessarily matter, but be aware at all times that it’s easy for people to see what you’re doing. FTP should feel like a public rather than a private place. Also, since FTP is often used to upload files to web servers, getting into your account isn’t just a matter of reading it, as when someone gets into your email account. Access means they can change your website. Nobody wants “Bobby Lou Was Here” scrawled across the top of their website (except for Bobby Lou, that is).
  • Open the Hack Door: FTP servers that are publicly available have had hackers change the code and create backdoors (which are intrusions that allow an outsider to enter a server unnoticed and often involve implantation of software for spying purposes). Backdoors are often not found for lengthy periods of time – years sometimes.
  • We Have Bug Problems: Some of the more commonly used FTP servers have reputations for being buggy.
  • Um … This is Hard: An additional port is needed to perform transfers. This structure makes port forwarding and firewall admin more difficult, and those two components are crucial to increasing the speed so FTP isn’t sluggish.
  • Don’t Destroy the Evidence: Login details are stored in files on the client’s hard drive, unencrypted, in plain text. In other words, login details aren’t just unsecure during transit. They’re part of a paper trail that is automatically backed up on your computer.
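An added example, not part of the original article, illustrating the "Passwords 4 Free" and "Um … This is Hard" bullets above: it audits an FTP control-channel transcript for credentials sent before any TLS upgrade and for the data ports negotiated on the fly. The `C:`/`S:` transcript layout, host name, account and ports are constructed for illustration.

```python
import re

# Constructed control-channel transcripts (illustrative, not real captures).
# "C:" marks a client command, "S:" a server reply, as seen by a passive observer.
SAMPLE_PLAIN = """\
S: 220 ftp.example.test ready
C: USER webadmin
S: 331 Password required
C: PASS constructed-secret
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: EPSV
S: 229 Entering Extended Passive Mode (|||50001|)
""".splitlines()

SAMPLE_TLS = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 234 Proceed with negotiation
""".splitlines()

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")

def audit_control_channel(lines):
    """Summarise what is readable on the wire for one FTP control connection."""
    report = {"tls_upgraded": False, "user": None,
              "password_exposed": False, "data_ports": []}
    auth_pending = False
    for line in lines:
        side, _, text = line.partition(": ")
        verb, _, arg = text.strip().partition(" ")
        if side == "C":
            auth_pending = verb.upper() == "AUTH"
            if verb.upper() == "USER":
                report["user"] = arg
            elif verb.upper() == "PASS":
                report["password_exposed"] = True  # flag it, never echo the secret
        elif side == "S":
            if verb == "234" and auth_pending:
                report["tls_upgraded"] = True
                break  # from here on the observer sees only TLS records
            if verb == "227" and (m := PASV_RE.search(arg)):
                report["data_ports"].append(int(m[5]) * 256 + int(m[6]))  # p1*256+p2
            elif verb == "229" and (m := EPSV_RE.search(arg)):
                report["data_ports"].append(int(m[1]))
    return report
```

Each `227`/`229` reply names a different port chosen at runtime, which is why a firewall has to either read the control channel or leave a whole port range open; once `AUTH TLS` succeeds, neither the login nor those replies are readable.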

Example Scenario

So as described above, everything passes through via FTP as clear text. That includes all the login credentials, and that’s the most glaring issue. However, downloading of files presents additional problems. You can’t ever really know if an ecommerce site is safe with your information, for example.

So, picture this, my friend: You go in to buy a product on a small website, such as a large blue vase with an image of naked men wrestling (which you’ll tell your wife you purchased purely for aesthetic purposes). They have a high-quality SSL certificate, maybe even an EV (“extended validation,” green bar) one. You think you’re fine. Input your credit card details. OK transfer successful, via SSL. You’re good. Then an administrator for the site pulls all the billing info from the site using an FTP client.

In other words, FTP can cause problems even when someone has safely transmitted their data to you. It’s not just about the client’s card information. It represents the potential for holes in your system. Swiss cheese is delicious, but I don’t trust it either.

Alternatives to FTP: Following Protocols

OK so again, FTP is not without its merits but it does not have the security we want for our passwords and much of the data we upload and download onto our website or network. Here are a few alternatives:

FTP/S: This is not SFTP. It provides secure authentication (integrity re: login credentials) and can also secure data transfer, both via SSL encryption. This protocol is not very popular because, as its name kind of suggests, it involves taking FTP and adding SSL to the equation. In that sense, FTP is to FTP/S as HTTP is to HTTPS, loosely speaking.

You need an SSL certificate, which means you either have to create one yourself and get it set up correctly or buy one to use. It’s just a little annoying and can bear a small expense. It’s also not as easy to set up as some of the other methods are.

SFTP: OK, so let’s look at our winner. SFTP is probably the best alternative to FTP for four reasons.

  1. Secure Shell foundation: SFTP can be tied – optionally – into SSH, which is widely used and trusted for data encryption and transmission.
  2. Yes, it is a popularity contest: Because SFTP is popular, it’s easy to find free software that’s compatible with your OS.
  3. No sweat: Easy to operate and maintain. Typically you can have an SSH server double as an SFTP server. SSH installation is quick too.
  4. Use of keys: With keys, everything is automated. The whole interaction is encrypted from beginning to end.

SCP: SCP, also known as Secure Copy, is similar in some ways to SFTP: it allows secure copying/transferring of files. SFTP can use SSH, but it is not reliant on that protocol; SCP, however, is reliant on and tied to SSH. SCP can be used for a number of different functions, including system tasks. SCP is more of a security concern – specifically because of its capabilities. The safest way to transfer files, then, is SFTP. Working with shell accounts, however, can be accomplished with either SFTP or SCP.

TP: Toilet paper is typically not recommended for secure connections. It should be kept in the bathroom where it belongs. Toilet paper should not be jammed into a server. It should not be turned into digital software and used to wipe a backdoor. One reason TP does not work well as a secure file-transfer protocol is that it is made out of tissue rather than code, so it doesn’t contain any encryption. Also, sometimes you run out. While you’re driving to the store to get more, you’ve opened the window for malicious entry.

Summary & Conclusion

So, SFTP: Think about it, people. Make it happen. Remember, even if the particular data or files you’re working with at a given time are not sensitive, your password itself can easily be stolen using FTP. That means it’s never secure for sensitive situations. If you have any further thoughts or advice related to this, please comment below.

by Kent Roberts and Richard Norwood