FTP and security

[commodore]

Until recently, I wasn't much security-aware when it came to FTP. I admit this was probably the last protocol I started "securing". Can someone please explain me what the main differences between the following are:

-using the SSL/TLS checkbox in FTP stored session;
-SFTP plugin mentioned in the forums;
-or using WinSCP instead of TC for secure FTP transfers.

(In terms of security, encryption, etc.)

[white]

Can someone please explain me what the main differences between the following are:

-using the SSL/TLS checkbox in FTP stored session;
-SFTP plugin mentioned in the forums;
-or using WinSCP instead of TC for secure FTP transfers.

(In terms of security, encryption, etc.)

Here is how I see it.

You can use two methods for secure transfers with Total Commander:

1. FTPS - using the SSL/TLS checkbox in FTP stored session
2. SFTP - using the Secure FTP plugin (or other plugin) accessible via Network Neighborhood

You can only use either of these methods if the server you connect to supports it. So, you do not have a choice when the server supports only one way or none at all.

FTPS is an enhancement of the FTP protocol to support secure transfers (like https is an enhancement of the http protocol for secure http communication). When using FTPS, you are using the (enhanced) FTP protocol. So working with FTPS is working with FTP connections. You use it the same way as any other FTP connection.

SFTP is NOT an enhancement of the FTP protocol. It is completely different. It stands for SSH File Transfer Protocol. It's an extension of SSH to provide file access, file transfer, and file management functionality over SSH. So FTP(S) and SFTP are different things although there functionalities overlap.

In Total Commander SFTP functionality can be added by installing a file system plugin accessible via Network Neighborhood. So SFTP connections are managed separate from FTP(S) connections which probably makes it harder for people to use.

WinSCP provides SFTP and FTP functionality. Whether you want to use WinSCP or Total Commander (with plugin), is up to you. Using Total Commander you can use the full power of Total Commander. Note however that the Secure FTP plugin by Christian Ghisler is still in beta stage. Although it works quite nicely already, there hasn't been a final release yet. WinSCP has been around for quite some time. FTP connections and SFTP connections are not saved separately, but managed in a combined list containing both FTP and SFTP connections. WinSCP is open source and has other features you may like.

[KucingLapar]

Coincidently, I am having a trouble to upload files to ftps using tc so I'll just post it here.

I could connect to the ftps, its just I'm unable to upload anything to the server, though it works just fine with filezilla. I already tried with passive mode but that made no different. So any idea what's wrong here?

[ghisler(Author)]

I had the same problem recently with PureFTPd, but only for a short time - it seems that it was fixed in the meantime. Maybe it helps to update your server if you use PureFTPd too. The problem was that the server expected that the SSL data connection was negotiated before sending the STOR command, but if that was done, the client would hang if the upload was refused.

[patience]

[mod]This post is a fake copied on the Web. Contains removed.
Clo, moderator[/mod]

[KucingLapar]

ghisler

You are right about it. I grabbed the latest build of pure-ftpd today and compiled it from source. Seems all the problems have gone. Thanks!

[commodore]

I can't seem to use Secure FTP (from the plugin via \\\Secure FTP\) -- this is the dialog box that I get:

Image: http://dl.dropbox.com/u/5070709/forum_posts/Image1.png

However, the required files are in the plugin's folder. These are the files in the plugin's folder (c:\Program Files\totalcmd\plugins\wfx\sftp\):
libeay32.dll
libssh2.dll
libssl32.dll
pluginst.inf
readme.txt
sftpplug.wfx

Any ideas what could be wrong?

[ghisler(Author)]

Try putting them in the Total Commander directory. If this doesn't help, you should try to get newer versions of the dlls, e.g. from the libcurl package as described in this thread:
http://ghisler.ch/board/viewtopic.php?t=19994

[commodore]

Funny, it seems to "randomly" work -- I haven't been able to establish a pattern yet. It worked soon after updating to 7.55 yesterday (without moving the DLLs), then again today when I wanted to connect to a regularly saved FTPS (not SecureFTP) I received a dialog box about needing the DLLs in TC's root directory (I moved them there afterwards, but they were never requested for FTPS before).
And a few minutes ago, I received the same dialog box as described above. Closing and starting TC did the trick. Maybe FTPS and SFTP are "fighting" somehow (i.e. after using one, the other one won't work until restart).

[commodore]

Nah, I tried consecutively an FTPS connection and an SFTP -- both worked fine this time around.
One funny thing is -- when SFTPing to my shared hosting account, I will be put into the server's root directory and not inside my home directory (as it is with FTP, FTPS, and on WinSCP in any supported mode).

[ghisler(Author)]

Maybe you have outdated copies of the dlls in some other location too, e.g. system32 directory?

About the path, you can set that in the connection settings. Just append it to the URL, separated by forward slashes.

[commodore]

Indeed, I found libeay32_0.9.6l.dll in system32 (this one is probably innocent, as it was renamed at some point), and libeay32.dll from 2003 in a /bin directory where i keep various command line utilities (so it is in the PATH). I renamed the latter and put the new version from TC directory there.