Go Back   FlashFXP Forums > > >

Suggestions Post suggestions for upcoming versions

 
 
Thread Tools Display Modes
Old 08-05-2004, 06:21 AM   #1
OngL
Member
FlashFXP Beta Tester
 
Join Date: Aug 2004
Posts: 51
Default Security, Security, and Security

Sites.dat should be encrypted with strong algorhytm e.g. AES. A logon prompt can be implemented to 'unlock' sites.dat in memory for as long the ffxp is open. This feature can be made as optional.

The file contains username/password, and should not be as vulnerable as it is now... even if it get leaked out with AES encryption, it wouldn't be easy to break it.
OngL is offline  
Old 08-05-2004, 06:47 AM   #2
Harm
Too much time...
Ultimate Scripter
 
Join Date: Jul 2003
Posts: 1,430
Default

What about Sites > Security > Set Password ?

All files that contain sensitive data will be encrypted and FlashFXP will ask for a password each time it's started.
I don't know what algorythm is used.
Harm is offline  
Old 08-05-2004, 07:49 AM   #3
DayCuts
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2003
Posts: 421
Default

I use the security feature, but i believe even when not enabled passwords in the sites.dat are encrypted. No idea what to though as i've never had the urge to look.

The problem with all ftp clients is that the passwords can not be TOO secure and unbreakable... because the program itself needs to be able to decrypt/decode them to operate correctly.

But, and im not sure, i would assume the password used for the security feature has some kind of impact on the encyption of the dat files, making it unique for each user?
DayCuts is offline  
Old 08-05-2004, 12:00 PM   #4
slash
Senior Member
FlashFXP Beta Tester
 
Join Date: Apr 2003
Posts: 122
Default

The way I remember it is that your sites.dat file is encrypted using that password as a hash key. When you enter the correct password, FlashFXP is then able to decrypt the sites.dat information. If you haven't set a password, the file won't be encrypted.
slash is offline  
Old 08-05-2004, 03:29 PM   #5
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

yet again i wish ppl would ACTUALLY USE FLASHFXP before making any suggestions
flashfxp had sites.dat encryption since v2.0 that's like for about 2years

if you consider your site info to be "vulnerable" then you enable password protection, or better yet don't store sensitive data.
if you don't consider it to be at risk then....it's up to user to deside if they want their sites.dat to be encrypted or not
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 08-05-2004, 06:12 PM   #6
OngL
Member
FlashFXP Beta Tester
 
Join Date: Aug 2004
Posts: 51
Default

What is the algorhytm then? if it's a RC3-RC4 or DES then it's as good as none.

If there is more info, it would be good and assurance that it does provide some security.
OngL is offline  
Old 08-05-2004, 09:51 PM   #7
DayCuts
Senior Member
FlashFXP Beta Tester
 
Join Date: Dec 2003
Posts: 421
Default

Quote:
Originally posted by slash
The way I remember it is that your sites.dat file is encrypted using that password as a hash key. When you enter the correct password, FlashFXP is then able to decrypt the sites.dat information. If you haven't set a password, the file won't be encrypted.
Thats what i thought.

OngL, ANY encryption is as good as NONE if the person knows what they are doing. Simply due to the fact that the program itself has to decrypt the file to use it, means the decryption algorithm is stored within flashfxp... it simple then uses the password to complete that algorithm.

Anybody that REALLY wants you info, and has the skill to get in and get your sites.dat in the first place, (since i assume your security concious this would not be something any old script kiddie could do) would be able to decrypt the file whatever method it uses.

I personally think FlashFXP has a very good security feature, unlike most other ftp client software that mearly stores the passwords as an md5 (for example).

I really dont see what more you want, you could use a better encryption, you could use something like blowfish 128bit (just an example). But then flashfxp would not be able to decrypt it and get the information needed very efficiently now would it?
DayCuts is offline  
Old 08-05-2004, 11:16 PM   #8
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
Default

Quote:
Originally posted by OngL
What is the algorhytm then? if it's a RC3-RC4 or DES then it's as good as none.
do you really belive that bigstar would be so careless to use easily crackable algo?
it is not RC3, RC4 or DES or byte-shift.
it uses an encryption algorithm that have been around for a long time and have proven to be secure.
encryption key size is 160bit
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 08-06-2004, 02:30 AM   #9
OngL
Member
FlashFXP Beta Tester
 
Join Date: Aug 2004
Posts: 51
Default

Hi Maxxcon,

Thanks for your feedbacks... I'm not trying to imply that security/algorhytm is not good in FFXP, nor do I want to assume it is good without knowing the fact.

I just don't believe security by obscurity. There are many programs out there that functions as PIM/wallet to encrypt your personal information e.g. PIN, CC number etc. They failed to mention or assure consumer their encryption strengh (by key size and algorhytm). By not mentioning the information, security-consious people ( they are growing day by day) wouldn't look at such products.


At any case, I don't see the harm of stating 'Our products uses xxxx encryption with xxx key size'. So when there is a vulnerabilities discovered in the algo, people can quickly notify support or keep cautious.... Not knowing, of course, fatal.
OngL is offline  
Old 08-07-2004, 02:18 AM   #10
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

When Application Password Protection is used your data files are encrypted using Blowfish.
bigstar is offline  
Old 08-11-2004, 07:31 AM   #11
Thany
Junior Member
 
Join Date: Apr 2003
Posts: 29
Default

What keeps you from encrypting the file yourself? Check the properties of the file, go to Advanced and check Encrypted.

This only works with Windows 2000/XP and an NTFS partition, but it's very secure, because other users can't even begin to read the file anymore
Thany is offline  
 

Tags
aes, file, security, sites.dat, vulnerable


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 01:27 PM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)