Download doesn’t work in File Manager

Please use FileZilla

7 Likes

FTP does not protect password transfer.

Can you please describe the issue more clearly? And can you please provide screenshots?

5 Likes

Hi @Frank419

Screenshot is right here

2 Likes

I mean, he said

I’m asking what this is.

6 Likes

The username is sent to the server using the USER command, and the password is sent using the PASS command. This sequence is unencrypted “on the wire”, so may be vulnerable to a network sniffing attack.

As long as you are connecting to our FTP server using FTP over (Explicit AUTH) SSL you’ll be fine.

If not then please change your password immediately and use the connection method I mentioned above.

8 Likes
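Added example, not part of the original thread or any poster's code: a Python audit of an FTP control-channel log that checks whether `USER` and `PASS` were sent only after the server accepted `AUTH TLS` with a 234 reply, the explicit-TLS login described in the post above. The `C:`/`S:` log format, the function name `audit_login` and the sample sessions are constructed for illustration.

```python
import re

# Constructed transcripts: "C:" = client command, "S:" = server reply.
PLAIN = ["S: 220 FTP server ready", "C: USER example_user",
         "S: 331 Password required", "C: PASS ********", "S: 230 Logged in"]
EXPLICIT_TLS = ["S: 220 FTP server ready", "C: AUTH TLS", "S: 234 AUTH TLS OK",
                "C: USER example_user", "S: 331 Password required",
                "C: PASS ********", "S: 230 Logged in"]
# Server rejects AUTH TLS and the client falls back to a plain login.
TLS_REFUSED = ["S: 220 FTP server ready", "C: AUTH TLS",
               "S: 502 Command not implemented", "C: USER example_user",
               "S: 331 Password required", "C: PASS ********", "S: 230 Logged in"]

LINE = re.compile(r"\s*([CS]):\s*(\S+)")

def audit_login(lines):
    """Return (verdict, list of credential commands sent before TLS was active)."""
    auth_pending = False      # client sent AUTH, final reply not seen yet
    tls_active = False        # server answered AUTH with 234
    saw_credentials = False
    exposed = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue          # ignore lines that are not commands or replies
        side, word = m.group(1), m.group(2).upper()
        if side == "C":
            if word == "AUTH":
                auth_pending = True
            elif word in ("USER", "PASS"):
                saw_credentials = True
                if not tls_active:
                    exposed.append(word)
        elif auth_pending and word[3:4] != "-":
            # Final reply to AUTH ("234-" would be a multi-line continuation).
            tls_active = tls_active or word.startswith("234")
            auth_pending = False
    if exposed:
        return "cleartext", exposed
    return ("protected" if saw_credentials else "no-login"), exposed

if __name__ == "__main__":
    for name, log in [("plain", PLAIN), ("explicit TLS", EXPLICIT_TLS),
                      ("TLS refused", TLS_REFUSED)]:
        print(name, audit_login(log))
```

The `TLS_REFUSED` case is the one worth checking for in real client logs: the client asked for TLS, the server declined, and the login went ahead unencrypted anyway.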

Can I use FTP over TLS settings? I think you must describe this in your documentation.

By default, the server uses TLS. If you are not sure, open your terminal and try logging in using the ftp command; there you’ll see a message saying connected using TLS.

8 Likes

ok. thanks. I think you must describe this in your documentation.

Describe what exactly? “We’re not stupid so our FTP server supports TLS, and FileZilla is not stupid and will use TLS if the FTP server supports it, so it’s safe by default and you don’t need to do or worry about anything”?

What purpose would that documentation serve?

I think most people don’t know enough about FTP security to care, and most people who do care also know that they can see (and enforce) that our FTP server does TLS already.

9 Likes

Users can get clear information in “Setting up the Connection” from How to upload files with FTP

But what Admin is asking is: what purpose does mentioning that InfinityFree’s FTP server uses TLS serve? It’s enabled by default, so there’s no need for the user to do anything on their end. And any FTP client with logs (including FileZilla) will show as such, so it’s not like users are kept in the dark about it. Most users of any service don’t really care about the technical side of things, besides what they need to know about their website’s required specs.

9 Likes

:grinning: It is impossible to add one line to the instruction.

It is possible, but it is useless. If the server uses TLS by default then it doesn’t make any sense to tell people to use TLS.

9 Likes

More documentation doesn’t make things better, and it definitely doesn’t make things clear.

Good documentation should be concise: it should give people the information they need, and nothing they don’t need.

And checking TLS configuration is something they do not need.

Today we could add a line about TLS. Tomorrow we could add a line about something else that people don’t need to worry about. And the day after that something else.

In the end, we’ll be left with a MASSIVE article of which 90% is information which is not actionable, and people have to sift through to get at the information they actually need.

9 Likes

OK. I see.
But you do not control the developers of FTP clients and cannot predict how new versions of different programs will connect to the server by default.

This has evolved into some philosophy problems.

It’s true that we don’t control the development of those programs, but some of them, like FileZilla, are open source and can have a lot of contributors. These contributors aren’t stupid for the sake of the user’s security. And if a client doesn’t take the safe way by default, you can say it’s a bad client.

5 Likes

That’s correct. Some FTP clients may not use TLS by default, and some may not support it at all.

But you’re also pointing out the exact issue: we don’t control the developers of the FTP client and we cannot predict how future FTP clients work.

So how can we provide actionable instructions for software that we’ve never heard of, or may not even exist yet?

7 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.