Security, Security, and Security

OngL · 08-05-2004, 06:21 AM

Sites.dat should be encrypted with strong algorhytm e.g. AES. A logon prompt can be implemented to 'unlock' sites.dat in memory for as long the ffxp is open. This feature can be made as optional.

The file contains username/password, and should not be as vulnerable as it is now... even if it get leaked out with AES encryption, it wouldn't be easy to break it.

Harm · 08-05-2004, 06:47 AM

What about Sites > Security > Set Password ?

All files that contain sensitive data will be encrypted and FlashFXP will ask for a password each time it's started.
I don't know what algorythm is used.

DayCuts · 08-05-2004, 07:49 AM

I use the security feature, but i believe even when not enabled passwords in the sites.dat are encrypted. No idea what to though as i've never had the urge to look.

The problem with all ftp clients is that the passwords can not be TOO secure and unbreakable... because the program itself needs to be able to decrypt/decode them to operate correctly.

But, and im not sure, i would assume the password used for the security feature has some kind of impact on the encyption of the dat files, making it unique for each user?

slash · 08-05-2004, 12:00 PM

The way I remember it is that your sites.dat file is encrypted using that password as a hash key. When you enter the correct password, FlashFXP is then able to decrypt the sites.dat information. If you haven't set a password, the file won't be encrypted.

MxxCon · 08-05-2004, 03:29 PM

yet again i wish ppl would ACTUALLY USE FLASHFXP before making any suggestions

flashfxp had sites.dat encryption since v2.0 that's like for about 2years

if you consider your site info to be "vulnerable" then you enable password protection, or better yet don't store sensitive data.
if you don't consider it to be at risk then....it's up to user to deside if they want their sites.dat to be encrypted or not

OngL · 08-05-2004, 06:12 PM

What is the algorhytm then? if it's a RC3-RC4 or DES then it's as good as none.

If there is more info, it would be good and assurance that it does provide some security.

DayCuts · 08-05-2004, 09:51 PM

Quote:

Originally posted by slash
The way I remember it is that your sites.dat file is encrypted using that password as a hash key. When you enter the correct password, FlashFXP is then able to decrypt the sites.dat information. If you haven't set a password, the file won't be encrypted.

Thats what i thought.

OngL, ANY encryption is as good as NONE if the person knows what they are doing. Simply due to the fact that the program itself has to decrypt the file to use it, means the decryption algorithm is stored within flashfxp... it simple then uses the password to complete that algorithm.

Anybody that REALLY wants you info, and has the skill to get in and get your sites.dat in the first place, (since i assume your security concious this would not be something any old script kiddie could do) would be able to decrypt the file whatever method it uses.

I personally think FlashFXP has a very good security feature, unlike most other ftp client software that mearly stores the passwords as an md5 (for example).

I really dont see what more you want, you could use a better encryption, you could use something like blowfish 128bit (just an example). But then flashfxp would not be able to decrypt it and get the information needed very efficiently now would it?

MxxCon · 08-05-2004, 11:16 PM

Quote:

Originally posted by OngL
What is the algorhytm then? if it's a RC3-RC4 or DES then it's as good as none.

do you really belive that bigstar would be so careless to use easily crackable algo?

it is not RC3, RC4 or DES or byte-shift.
it uses an encryption algorithm that have been around for a long time and have proven to be secure.
encryption key size is 160bit

OngL · 08-06-2004, 02:30 AM

Hi Maxxcon,

Thanks for your feedbacks... I'm not trying to imply that security/algorhytm is not good in FFXP, nor do I want to assume it is good without knowing the fact.

I just don't believe security by obscurity. There are many programs out there that functions as PIM/wallet to encrypt your personal information e.g. PIN, CC number etc. They failed to mention or assure consumer their encryption strengh (by key size and algorhytm). By not mentioning the information, security-consious people ( they are growing day by day) wouldn't look at such products.

At any case, I don't see the harm of stating 'Our products uses xxxx encryption with xxx key size'. So when there is a vulnerabilities discovered in the algo, people can quickly notify support or keep cautious.... Not knowing, of course, fatal.

bigstar · 08-07-2004, 02:18 AM

When Application Password Protection is used your data files are encrypted using Blowfish.

Thany · 08-11-2004, 07:31 AM

What keeps you from encrypting the file yourself? Check the properties of the file, go to Advanced and check Encrypted.

This only works with Windows 2000/XP and an NTFS partition, but it's very secure, because other users can't even begin to read the file anymore