Download don’t work in File Manager

Download don’t work in File Manager.

Please use filezilla


ftp has not protect password transfer.

Can you please describe the issue more clearly? And can you please provide screenshots?


Hi @Frank419

Screenshot is right here


I mean, he said

I’m asking about what is this.


The username is sent to the server using the USER command, and the password is sent using the PASS command. This sequence is unencrypted “on the wire”, so may be vulnerable to a network sniffing attack.

As long as you are connecting to our ftp server using FTP over (Explicit AUTH) SSL you’ll be fine.

If not then please change your password immediately and use the connection method I mentioned above.


Can I use FTP over TLS settings? I think you must discribe this in your documentation.

By default, server uses TLS. If you are not sure open your terminal and try login using the ftp command, there you’ll see a message saying connected using TLS


ok. thanks. I think you must describe this in your documentation.

Describe what exactly? “We’re not stupid so our FTP server supports TLS, and FileZilla is not stupid and will use TLS if the FTP server supports it, so it’s safe by default and you don’t need to do or worry about anything”?

What purpose would that documentation serve?

I think most people either don’t know enough about FTP security to care, and most people who do care also know that they can see (and enforce) that our FTP server does TLS already.


Users can get clear information in “Setting up the Connection” from How to upload files with FTP

But what Admin is asking, is what purpose does mentioning that InfinityFree’s FTP server uses TLS serve? It’s enabled by default, so there’s no need for the user to do anything on their end. And any FTP client with logs (including Filezilla) will show as such, so it’s not like users are kept in the dark about it. Most users of any service don’t really care about the technical side of things, besides what they need to know about their website’s required specs.


:grinning: It is impossible to add one line to the instruction.

It is possible, but it is useless. If the server uses TLS by default then it doesn’t make any sense to tell people to use TLS.


More documentation doesn’t make things better, and it definitely doesn’t make things clear.

Good documentation should be concise: it should give people the information they need, and nothing they don’t need.

And checking TLS configuration is something they do not need.

Today we could add a line about TLS. Tomorrow we could add a line about something else that people don’t need to worry about. And the day after that something else.

In the end, we’ll be left with a MASSIVE article of which 90% is information which is not actionable, and people have to sift through to get at the information they actually need.


ok. I see.
You do not control the developers of FTP client and cannot predict how a new versions of different programs will be connecting to the server by default.

This has evolved into some philosophy problems.

It’s true that we don’t control the development of those programs, but some of them like filezilla is open source and can have a lot of contributors. These contributors aren’t stupid for the sake of the user’s security. And if a client doesn’t take the safe way by default, you can say it’s a bad client.


That’s correct. Some FTP clients may not use TLS by default, and some may not support it at all.

But you’re also pointing out the exact issue: we don’t control the developers of the FTP client and we cannot predict how future FTP clients work.

So how can we provide actionable instructions for software that we’ve never heard of, or may not even exist yet?