09-29-2009, 01:27 AM
MxxCon

Quote:
Originally Posted by paul_9
OK .. but that prevents people from using the actual site manager to enter your sites ... if they are sitting at your computer ....

WRONG!
This will prevent ANYBODY from accessing your sites without knowing the original encryption password. That password is not stored anywhere in FlashFXP. Without that password your sites are inaccessible.

Quote:
Originally Posted by paul_9
What I am talking about is much more sinister ... I'm talking about malware designed to scan your local computer and look for the password flat files themselves.

I'm well aware of what you are talking about and bigstar knew about this well before this parasites blog came into existence and hence why he implemented ENCRYPTION into sites.dat.

Quote:
Originally Posted by paul_9
And believe me this is very real, as I just had 9 of my hosting clients get hit by this ... and 6 of them that I know for sure use FlashFXP.

I'm well aware this is a real problem. Doing tech support for one of the largest hosting companies in the US, I've seen my share of exploits and hacks and malware and what-have-you.

Quote:
Originally Posted by paul_9
If this was not possible to do with FlashFXP, why would it be listed on a report that just came out last week?

Did you COMPLETELY read that article or just look at the pretty "top 10" list?
In that article it says:

Quote:
Or invest some time to read your program’s documentation and find out what they can offer to security-minded webmasters. Some clients support public key authorization, some offer encrypted site managers, etc.

Did you read what I posted in my last message?
Did you look at FlashFXP and try to figure out what I told you?

Quote:
Originally Posted by paul_9
I do hope Bigstar takes this matter more seriously than you do!

I expect an apology from you for this!

Of all the people that post on this forum, bigstar will confirm that I'm one of the most security minded people here. He'll tell you numerous times when I was bugging him to fix potential exploits in FlashFXP or modify a feature to make FlashFXP more secure.

FlashFXP by default scrambles your password. It is so that a casual browser won't see your passwords stored in plain text. But, once you get somebody's sites.dat file and are persistent enough, it's relatively simple to de-scramble those passwords. De-scrambling algorithms have been posted online.

However, AT LEAST SINCE 2003 FLASHFXP HAS HAD AN OPTION TO PROPERLY *ENCRYPT* THE WHOLE SITE MANAGER WITH A MASTER PASSWORD THAT IS NOT STORED ANYWHERE.

Even if malware still steals your ENCRYPTED sites.dat file, it'll be useless to them without knowing the original master password.

Furthermore, if you are afraid of somebody sniffing your network connection but you can't use full encryption like SSL or SSH, FlashFXP has always had support for S/KEY logins. It's a one-time-one-way password derived from your site password. Even if somebody gets hold of your S/KEY password, they won't be able to login to your site a 2nd time.

And FlashFXP supports SFTP.

FlashFXP provides all the tools and features necessary to keep your sites secure.
It's up to the user to decide what kind of security measures they want to enable and use.
You can lead a horse to the water, but you can't make it drink.

People on this forum take security very seriously.
Your uneducated reaction is along the lines of running in a movie theater and shouting fire just because they are showing a movie about firefighters.
Get all the facts before you react.
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
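
The one-time property of S/KEY logins described in the post above can be seen in a small hash-chain sketch. This is an added example, not part of the original post and not FlashFXP's code; it uses SHA-256 for a simplified Lamport chain rather than the exact S/KEY hash and encoding, and the names `chain`, `Server`, `demo` and all sample values are constructed for illustration.

```python
import hashlib
import hmac


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Hash seed+secret once, then apply the one-way hash n more times."""
    value = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class Server:
    """Keeps only the last accepted chain value, never the site password."""

    def __init__(self, seed: bytes, count: int, top: bytes):
        self.seed, self.count, self.last = seed, count, top

    def challenge(self):
        # The client must answer with the chain value one step below
        # the one the server currently stores.
        return self.seed, self.count - 1

    def login(self, otp: bytes) -> bool:
        if self.count <= 0:
            return False  # chain used up; the account must be re-initialised
        # Hashing the response once must reproduce the stored value.
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            return False
        # Accept, then move down the chain so this response is dead.
        self.last, self.count = otp, self.count - 1
        return True


def demo():
    # Constructed sample values, not real credentials.
    secret, seed = b"constructed site password", b"ke1234"
    server = Server(seed, 100, chain(secret, seed, 100))

    s, n = server.challenge()
    otp1 = chain(secret, s, n)
    first = server.login(otp1)    # legitimate login
    replay = server.login(otp1)   # same value sent again after being sniffed

    s, n = server.challenge()
    second = server.login(chain(secret, s, n))  # next legitimate login
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

A captured response fails on replay because the server now expects the value one step earlier in the chain, and computing that from the captured value would require inverting the hash.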