Hi,
Nonetheless the quite good commercial AV protection I'm using and rather healthy habits while surfing the web, I've experienced multiple malicious attacks, that where
focused on stealing the passwords from within the TC.
I am aware of the security issue of storing the passwords in FTP Client not only from TC itself ( "Warning: storing passwords is insecure"),
but in general, however I use FTP access to such extend that it's highly inefficient for me to enter credentials every time I log on to FTP (I simply does it 10 times a day to different servers).
I know that from some version TC offers to encrypt FTP connections with master password, but from what I've understand (perhaps I'm wrong?)
it encrypts the FTP connection so that the data stream itself is protected from being easily sniffed (and passwords red by malware),
but what about all those malware that scans the passwords from configuration's file in TC dir ?
Is there any possibility to >>protect TC and keep the passwords<< in "FTP Connect..." ?
Ps. Or at least can there be done something to hamper the malware from reading the configuration file that stores passwords (I guess, putting that conf file in a custom location, and setting path inside TC, and making this only an option would make 99% malware harmless).
Best Regards,
Jan
Securing the TC conf file used for FTP connections..
Moderators: Hacker, petermad, Stefan2, white
-
interferential
- Junior Member
- Posts: 3
- Joined: 2012-02-28, 09:12 UTC
Hello, Jan.
You can protect selected connection credentials or all of them by using an encrypted master password.
Once you have done so it will not be possible to recover any passwords from wcx_ftp.ini without knowing the master password.
Karl
The current stable release Total Commander v7.57 and the current Total Commander 8.0 beta versions offer the requested feature to protect the wcx_ftp.ini entries.Is there any possibility to >>protect TC and keep the passwords<< in "FTP Connect..." ?
You can protect selected connection credentials or all of them by using an encrypted master password.
Once you have done so it will not be possible to recover any passwords from wcx_ftp.ini without knowing the master password.
- Menu item Net
- FTP Connect
- mark all existing connection configurations
- button [Encrypt]
- button [Protect marked connectins with master password ...]
- in the next dialogue box select (*) Protect all connections
- Read the information box => click [yes]
- enter a new password as requested
- re-enter the same password
- done
Karl
MX Linux 21.3 64-bit xfce, Total Commander 11.50 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
-
interferential
- Junior Member
- Posts: 3
- Joined: 2012-02-28, 09:12 UTC
Oh, so it is actually protecting the file storing the passwords not the connections ?
Sorry, but I get cofused reading the message during this process "Protect all connections".
It rather suggests, imho , that when you initiate a connection to FTP server, the connection (between client and server) is somehow protected. But it does not make sense, if the connection is FTP it's FTP and passwords are sent in plain text anyway, right ?
So it have to be the conf file that's encrypted, or formally - the entires in the file.
If you are 100% certain , please confirm, I'll sleep better, then
Sorry, but I get cofused reading the message during this process "Protect all connections".
It rather suggests, imho , that when you initiate a connection to FTP server, the connection (between client and server) is somehow protected. But it does not make sense, if the connection is FTP it's FTP and passwords are sent in plain text anyway, right ?
So it have to be the conf file that's encrypted, or formally - the entires in the file.
If you are 100% certain , please confirm, I'll sleep better, then
-
ghisler(Author)
- Site Admin
- Posts: 50934
- Joined: 2003-02-04, 09:46 UTC
- Location: Switzerland
- Contact:
Yes.Oh, so it is actually protecting the file storing the passwords not the connections ?
To secure the connection, check the option SSL/TLS in that connection (the OpenSSL dlls must be put in the TC folder first). However, not all FTP servers support FTP over SSL/TLS.
Author of Total Commander
https://www.ghisler.com
https://www.ghisler.com
Hello, Jan.
Open the file wcx_ftp.ini in an editor before and after securing the passwords stored inside the file with an AES256 encrypted master password.
It is the password entries which are protected and which cannot be (automatically) used or recovered without knowing the master password.
The file itself is not protected. Whoever has got read access to the file will be able to create a copy e.g. But the thief will not be able to make use of the stored logon credentials to your ftp servers, because he will not know your master password.
The fact that the password is sent unencrypted to the ftp server is part of the insecure ftp protocol. Yet, sniffing network traffic in order to intercept and analyze tcp/ip packets is a different story. You can avoid this risk by using FTP over SSH (SFTP) e.g.
What Total Commander tries to do and can do is protecting the logon credentials stored inside the file wcx_ftp.ini. No more, no less.
Kind regards,
Karl
Open the file wcx_ftp.ini in an editor before and after securing the passwords stored inside the file with an AES256 encrypted master password.
It is the password entries which are protected and which cannot be (automatically) used or recovered without knowing the master password.
The file itself is not protected. Whoever has got read access to the file will be able to create a copy e.g. But the thief will not be able to make use of the stored logon credentials to your ftp servers, because he will not know your master password.
The fact that the password is sent unencrypted to the ftp server is part of the insecure ftp protocol. Yet, sniffing network traffic in order to intercept and analyze tcp/ip packets is a different story. You can avoid this risk by using FTP over SSH (SFTP) e.g.
What Total Commander tries to do and can do is protecting the logon credentials stored inside the file wcx_ftp.ini. No more, no less.
Kind regards,
Karl
MX Linux 21.3 64-bit xfce, Total Commander 11.50 64-bit
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
The people of Alderaan keep on bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine.
The Prophet's Song
-
interferential
- Junior Member
- Posts: 3
- Joined: 2012-02-28, 09:12 UTC