Secure Your FTP Transfers

4 comments | Posted: 27 December 05 in General, by Ryan Hargave

As more and more web designers get out of the home or office and take advantage of the increase in wireless access points (A.K.A. your local coffee shop), the problem of websites being hacked could rise at the same rate if we are not careful. The majority of web developers should care about this, but they just don’t know what they need to do to be secure, nor do they know what tools to use. Surprisingly, the answer is fairly simple.

One of the most dangerous things a designer can do across a public (nonsecure) wireless connection is to start a FTP transfer of files to their remote server. The reason is that when you make that connection, you are doing it in an unsecured environment and therefore putting your username and password right out in the open. Even novice hackers can use sniffing programs to pull that data off of the wireless network, giving them full access to your server. Two steps later, they find your database connection file and they now have access to your database data as well. Best case is that you show up the next day to work to find all your files gone, worst case is that one year from now your client informs you that someone contacted them with a list of credit card numbers that went through their site and now this hacker wants them to pay.

So what can be done about it? Thankfully there is a protocol called SFTP which uses SSH to establish a secure connection to your server. It uses public key authentication and enhanced protection against spoofing the FTP session, to secure your data transfers. This will ensure that all your data that is sent across the wireless network is secured including your username and password. The easiest part is that most standard FTP clients will give you the option to turn on SFTP with a checkbox in the options. If yours does not, you may try a client such as FileZilla, CuteFTP, Fetch, WinSCP or WS FTP Pro

It’s really that simple. There are, however, a few drawbacks of which you need to be aware. SFTP will typically use port 22 (normal FTP uses port 21) which may be blocked on some wireless access points. Your remote server must also support SFTP, which most Unix style servers do. Windows servers, however, are fairly hit and miss. If either of these is an issue, try to contact the wireless access point provider and/or your hosting provider to resolve these issues. Please don’t press your luck. Look for alternate methods such as running a server on your local PC or creating a VPN to ensure secure transfers.

This article just scratches the surface of security when working over an unsecured wireless connection. Things such as checking your POP3 email can be just as vulnerable and require certain settings and/or procedures to ensure you are safe. While there are many of articles dealing with securing email, I have yet to see any that deal with things such as FTP transfers. If you are curious or need a starting point for securing your email, Stopdesign’s article, Secure wireless email on Mac OS X will give more than a primer on it. Don’t let the title fool you, as the majority of information presented is cross-OS applicable. Hopefully this will keep you more secure while trying to get the projects completed over that large coffee at the coffee shop.

Discuss This Topic

  1. 1 Yannick

    Thanks Ryan. I must admit I have never really taken security as it relates to FTP very seriously. It wasn’t until recently in one of my courses at University I learnt a bit more about security across networks. Though the course didn’t go too indepth into solutions it still opened my eyes to possible security risks. The same is now true of your article.

    Peace and God Bless.

     
  2. 2 Nathan Smith

    Great article, and a good precaution for those that like to work while out and about. I know of some hosts, like TextDrive, that make SFTP a requirement. That’s actually what made me switch from the free version of WSFTP to FileZilla, for the SFTP support. I ended up liking FileZilla so much that I never went back.

     
  3. 3 Ryan Hargrave

    Thanks all. I actually plan on doing some real world testing on this to see how vulnerable people are on public access points. Maybe doing a follow up article with some actual figures of unsecure people. I think this may help us to not only secure our own data but also help our churches and ministries become aware of the problems associated with making Starbucks the official Christian “office”. I’d hate for usernames and passwords to fall into the wrong hands.

     
  4. 4 Shawn Anthony

    Great advice Ryan. I was forced to familiarize myself with SFTP earlier this year when I decided to finally leave Yahoo! Web Hosting for TextDrive. TextDrive demands SFTP, for all the good reasons you point out in your article. I was previously ignorant of the risk involved in simple FTP.

     

Comments closed after 2 weeks.