The Portable Freeware Collection Forums

Am I missing something here - how is FileZilla (http://www.portablefreeware.com/index.php?id=9) portable? It writes the user settings to Application Data. I thought I understood the purpose of this and I was all for it, but now I'm really confused. I do see that a portable FileZilla portion is presented as a sidenote, but the primary download link is certainly not to that section. If the intention is that FileZilla Portable qualifies the app, then the entry is really confusing....

First thing to check: did you follow the instructions in the How to extract section of the entry? Those are the steps you need to take to make the original FileZilla portable, after all.

mrsimpleton - Portable Freeware Collection approach to portability is a more do-it-yourself approach than you may be used to. Apps will often have instructions on how to extract them from their installer and manually configure them to enable 'portable mode' for the given app. Additionally, you should pay attention to the 'Stealth' line. If it doesn't say 'Yes' then the app will leave things behind on every PC you use. And pay attention to the 'Writes settings to' as an app could write it's settings to the registry and still be considered portable. Finally, watch the Path Portability line. Unless it says automatic relative path, some things will break as you move between PCs (last opened file list, favorite files, custom backgrounds/themes, etc).

If you're looking for a more 'just download and use it' experience, I'd humbly suggest PortableApps.com's apps. All of them are 'stealth' (according to PFC's definition), self-contained, require no manual configuration, use an easy-to-use self-extracting installer and automatically adjust paths.

While I only use a few of JohnTHaller's PortableApps Filezilla is one of them, and in this case I agree with him that that might be a good alternative for your use.

mrsimpleton wrote:Am I missing something here - how is FileZilla (http://www.portablefreeware.com/index.php?id=9) portable? It writes the user settings to Application Data. I thought I understood the purpose of this and I was all for it, but now I'm really confused. I do see that a portable FileZilla portion is presented as a sidenote, but the primary download link is certainly not to that section. If the intention is that FileZilla Portable qualifies the app, then the entry is really confusing....

Retested the instructions. Works fine.

Also went back and edited the extract instructions, since you cannot edit the XML file with the default Windows XP Notepad. It can't handle the line breaks.

I've been using FileZilla for some time quite unaware it's been storing my passwords in plain text.

I was really surprised especially when one considers this software has been around for ages and in constant development. It's certainly not the sort of thing one expects in this day and age of heightened awareness over security.

A quick search on the FileZilla forum reveals the developer is blatantly unconcerned citing the option to 'Not save passwords' as adequate.

I find this basic lack of security quite shocking and think a note should be added to the description on the software page so people are aware of this 'feature'.

As for me, I've used FileZilla for the last time >.<

P.S.
Keep up the great work - love this site

domestique wrote:A quick search on the FileZilla forum reveals the developer is blatantly unconcerned citing the option to 'Not save passwords' as adequate.

I put FileZilla and most other programs inside an encrypted volume (via TrueCrypt). I want more than my passwords to not be stored in plaintext: I don't want someone connecting to the sites they include and, without some kind of master password, that's not something that can be prevented.

Why not just introduce a master password? I think it's easy for the devs to be cynical to the idea that *one more password* is going to make your computer secure. I have it enabled in Firefox but I think people see the necessity there because a browser is used for almost everything including taxes and purchasing.

domestique wrote:As for me, I've used FileZilla for the last time

Which FTP program are you using instead?

domestique wrote:Keep up the great work - love this site

Thanks

Thanks for the advise re. TrueCrypt, I'll look into that.

I'm currently using WinSCP, which seems adequate, though I suspect I'll be on looking at others on the ftp list in more depth.

FileZilla 3.9.0.2 fully drops Windows XP support and won't run. I've updated the entry and added a link to the older and unsupported 3.9.0.1 build for Windows XP users.

Looks like the latest versions of FileZilla no longer stores passwords in plain-text any more, but it's still very easy to decode it. (Not going to list how, but it's pretty straightforward. If you know the answer, don't post it.)

Synopsis

A modified version of Filezilla dedicated to keeping your FTP passwords secure.

tl;dr FileZilla does not encrypt your saved FTP passwords and I got hacked. FileZilla Secure will encrypt your saved FTP passwords with a master password.

Bonus: More Speed!
The maximum number of transfer threads has been increased from 10 to 1000! While 1000 is not recommended 20, 50, and even 100 threads has been shown to work and has increased transfer speeds by over 5x.

Links
http://www.filezillasecure.com/ - FileZillaSecure web-site
http://www.softpedia.com/get/Internet/F ... cure.shtml - FileZillaSecure at Softpedia

Note
Source code of FileZillaSecure is available for download.
FileZillaSecure is behind the official FileZilla version- Secure - 3.18.0.0, Official - 3.22.2.2.
FileZillaSecure still supports WIndows XP- http://www.filezillasecure.com/download-windowsxp.php.

Edit!!!
It seems that FileZillaSecure does not respect FileZilla portability settings- it always writes to AppData (C:\Users\UserName\AppData\Roaming\FileZillaSecure)- sloppy work, I will not test this program any more.
Probably the developer intended to get some donations by cheating the users that the Windows XP version is still in development. I think that it is no coincidence that the latest FileZillaSecure version is the last FileZilla version which supports Windows XP- 3.18.0.0. This looks like a fraud. I am sorry I posted about FileZillaSecure.

Don't be so hard on yourself, we all learn by trial and error -- and not always our own...

Looking at the Filezilla Secure page, I don't think the dev is trying to deliberately deceive anyone. Using the last XP version was likely just a dev choice. FS isn't being passed off as being any new type development effort, just a modification. I think the more important question is if the program is virus-free and if it is indeed more secure.

The more important question is why isn't FileZilla keeping your passwords secure?!

joby_toss wrote:The more important question is why isn't FileZilla keeping your passwords secure?!

Because keeping the passwords truly secure is impossible.

If FileZilla stores your passwords, it needs to store them in a format where they are still accessible to FileZilla. In other words, reversible encryption. And if FileZilla can reverse the encryption, so can malware. For that reason, Tim Kosse (the author) decided not to encrypt the passwords at all.

However, complete lack of encryption means that accessing the passwords is extremely easy, which is why FileZilla is a popular target for malware that steals passwords.