FTP is is the method by which you can down and upload files from a server.
FTP login details are a desirable target for hackers, giving easy access to your site’s files. Not surprisingly, the PCI consortium which looks after security standards for online merchants has taken an interest in FTP security, and in May 2011 raised the threat level of plain text FTP login to Critical as plain text FTP login can be exploited.
PCI compliancy is required from all merchants who accept payments directly on their website, for example via PayPal Pro or SagePay. And as of May 2011, any merchant undergoing PCI testing is likely to fail if plain text FTP login is enabled on the server. McAfee have already raised the level to 4 (fail). Security Metrics is expected to follow suit.
For customers hosted by us this means that plain FTP login is being phased out from our servers. So if plain FTP login is out, what can you use instead? Two options: a) use FTP over SSL which is works for all FTP logins and is supported by all major FTP programs; or b) use SFTP/SSH.
Both methods are already support by our servers, so even if plain FTP login is currently still working for you, we’d recommend to switch to a secure method now.
For tutorials on this & step-by-step guides for popular FTP browsers, please head over to our knowledgebase: https://support.terranetwork.net/web/knowledgebase/138/FTP–FTP-over-SSL-and-SSH.html.
FTP program password storage warning
Some FTP programs such as FileZilla store FTP login details in plain text on your PC/Mac. Hence, even if the connection is securely encrypted with FTP over SSL, the stored FTP logins is easily obtained should the machine become infected with malware.
Hence, with programs such as FileZilla which do not encrypt the stored data, the FTP login details should never be stored. Instead, enter the details afresh with each connection request.
Looking at programs that do employ encryption for stored passwords such as Ipswitch WS_FTP, the situation is better but not perfect. Passwords are encrypted, so a casual malware attack won’t be able to get them; but a hacker intent on obtaining the password can break it.
In my view, storing a password for frequent FTP use is likely to be a necessity. Using an FTP program that encrypts stored FTP logins is a must, and Ipswitch WS_FTP is the one I’d recommend. But equally important is the overall security of the PC/Mac.
No comments yet.