
In an effort to continually improve security on the servers we have now set all our servers to require TLS Encryption.
Did you know that standard FTP sends your password and username in plain text?
That means anyone with a packet sniffer could easily scoop up your login details and access your account. As that can be detrimental to you and others on the server we feel it is important to close that hole permanently.
I have tested and the current release of FileZilla has no problem with SFTP. If you get any error be sure you upgrade your FTP software to the newest one or download the free FileZilla software and use it.





Carol
December 9, 2009 4:52 pm
I can’t believe you made this change without telling your customers in advance. That’s just phenomenally inconsiderate to your users. You have my email address, you should have sent out announcements in advance that this was coming, not make everyone call and say What Happened, and then suggest that probably they don’t know their own password.
blogadmin
December 9, 2009 5:03 pm
Carol, we do not use, nor have we ever used, email to send out notices to customers. We have always used this blog to push out updates. If you wish to receive those updates through email you can subscribe to the RSS feed and have it sent to you via email.
The need to upgrade this was very high and leaving it to plan a future upgrade would leave the servers open to attack. There are vulnerabilities that are making it easier for people to grab plain text passwords.
I am sure you would agree that your customers’ accounts and files are important and that making sure they are secure is very important.
Bob
December 10, 2009 8:49 am
I have used SFTP which is FTP over SSH. It is also secure and available with my bluefur account. Just use your cpanel login on port 40007.
If you are a Windows user you can use a free tool like WinSCP.
Chris Pollard
December 10, 2009 10:04 am
Okay, this is fantastic for file transfers from an FTP client, but here’s a BIG problem – how many code editors out there have support for FTPES? None of the ones I’m using do. Now I have no way to edit/change any code!!!!!!!
Sorry, that’s not entirely correct. I can now run TWO applications to do it – FileZilla to download the source files locally, edit them, save them locally, and then re-upload via FileZilla. Now what took one application and a quick CTRL+S now takes a bunch of steps and an extra application open. Fantastic. Really improved my workflow. (And everyone else’s, I’m sure.)
Don’t get me wrong, security is GREAT! But sometimes it comes at a pretty high cost.
Jon Jennings
December 10, 2009 12:00 pm
I agree with Carol. I spent time trying to find what I’d broken, then more time checking the Bluefur status pages to see what YOU’D broken. Then came here via a web search.
Then I had to try and reconfigure my FTP client, find out it didn’t support SSL, go find another client and learn how it works.
And of course because I didn’t receive advance notice, this all happened at a time when I was in a hurry to upload something and delayed my changes.
I happily accept that this is a change for the better (it was only 2 days ago that I was on a public hotspot thinking “I mustn’t use FTP from here cos I don’t want my password flying through the air”)
I also happily accept that it’s my problem that I was using a client which bizarrely doesn’t support SFTP. (I should also point out that in your recommended FTP client, the protocol you’re implementing is called FTPES and not SFTP – which slowed me down again).
It’s the lack of advance warning that annoys me. When you do something that breaks people’s workflow, it would be advisable to:
– give some advance notice
– implement the changes and support the old mechanism in parallel for a period
or
– contact customers directly by email
…(or a combination of all three) so that people can make the necessary changes at their leisure before they NEED to upload anything.
To tweet and blog about the change AFTER you make it is no help at all. Yes, I subscribe to the blog but I don’t read it every day as much of the content is non-technical information. If this is your intended channel for service-affecting notices then maybe you need a separate blog for editorial content?
In summary, I’m glad you’ve made the change but not happy with the way you handled it.
hizlindir
December 10, 2009 12:32 pm
I think that Filezilla is the safest ftp programme. So I use it.
Thinkreferrals
December 10, 2009 1:08 pm
I have to agree, I am now doing things 3 times and am seeing errors all the time due to many years of ctrl-s to upload. This is not going to help get things done on time. Dreamweaver has a secure ftp setting but I have no idea how to set it up to access the server. Does anyone have any idea how to set it up, or is there a help file on this somewhere at bluefur.com?
blogadmin
December 10, 2009 1:24 pm
As there are so many versions of Dreamweaver I would suggest doing a search in the Help of the software for Secure FTP. It is possible to do it in Dreamweaver.
I understand it is an inconvenience but it is your and your customers’ files that we are ensuring are secure here, and we are not doing it to make your life harder.
Chris Pollard
December 10, 2009 2:00 pm
Actually, in a full afternoon of surfing for answers, best I can find is that NO version of Dreamweaver supports explicit TLS FTP connections. So no, it appears that it CAN’T be done in Dreamweaver.
Although if you’ve found a magic fix or configuration that makes it work, please share it with us!!
Tyler
December 10, 2009 2:14 pm
Nice to see that sFTP is being used.
I keep all my files offline (my local dev server) and then upload them when they are ready. So this doesn’t faze me much.
Thinkreferrals
December 10, 2009 2:15 pm
Is the Secure FTP login information the same as the FTP information?
Jeff Kee
December 10, 2009 3:40 pm
I have to agree that this measure is much better than what we had before. Security is the #1 thing. I’ve suffered passwords being sniffed through this. Those who have not suffered it do not understand how painful it can be when an FTP password gets sniffed and abused. It’s so easy when it’s regular FTP at #22. And shocking that so many people assume that it should be the norm to just do regular FTP transfers for such secure material!
Good call.
Jeff Kee
December 10, 2009 3:41 pm
And I must add – many other hosting companies must have just switched over, because another client’s website is also rejecting regular FTP connections saying “Cleartext is not available”. Kudos. The only problem is I don’t know what port # this specific company is using.
blogadmin
December 10, 2009 4:31 pm
I found it under Manage Sites.
For me to get it to work I used Use Firewall and Use Secure FTP setting. Also set the Firewall to be port 40007.
My version is CS3 so not sure how it works with other versions. Anyone else have a different version?
blogadmin
December 10, 2009 4:31 pm
Yes it is.
blogadmin
December 10, 2009 4:37 pm
Jon I understand your frustration and hear you loud and clear.
The problem is that the risk had become too much of an issue to wait and plan.
When it comes to security sometimes our actions have to be swift and clean up the mess afterwards so we do not have upset customers with hacked sites.
It has always been our policy to not spam users when there is a change and this blog serves as a tool for spreading that news.
I believe you can subscribe to one category if you wish to only receive those details by adding /feeds to the end. For example the security category would look like this….
http://blog.bluefur.com/category/security/feed/
Thinkreferrals
December 10, 2009 4:53 pm
I now have dreamweaver CS3 working with secure ftp. Bit of experimenting but simple enough.
I used IP Address, passive mode, use firewall and set firewall to 40007, and used secure ftp.
Chris Pollard
December 10, 2009 10:17 pm
I can get PSPad to make a connection to the server, but it won’t list any of the files available. So it’s just about as good as no connection at all. This could be the start of the search for a new host for me. Which sucks, because I’ve been very happy with bluefur. And I’m not going to shell out hundreds of dollars for Dreamweaver (of which I’m not a fan) just to get integrated FTP support.
What exactly is wrong with standard FTP over SSH again? It’s widely supported!!
Tasman
December 11, 2009 8:22 am
I’m using Transmit 3.5.3 on mac os x 10.5.8
Could you please tell me how I can set it up to work with your new secure FTP requirements?
thanks,
t
—
blogadmin
December 11, 2009 9:48 am
if you mean sftp it is supported and has been for years. Open a ticket for help.
blogadmin
December 11, 2009 9:48 am
Not sure what transmit is. I suggest contacting them on how to use ftps or sftp.
Melissa
December 11, 2009 10:43 am
are you saying you would rather use a host that is unsecure?
That doesn’t seem very logical to me.
Thinkreferrals
December 11, 2009 11:22 am
after being a bit bitchy at first, I have concluded that it took me about 25 minutes to figure out how to make it work with my software. The security is well worth that 25 minutes.
Chris Pollard
December 11, 2009 3:04 pm
Well, the Dreamweaver CS4 trial is connecting after much finagling. Now to break it to the boss that I’m going to need $400US to license the thing if he wants updates to the website.
Not the best solution, but I guess we’ll take ‘working’ over ‘best’.
Doug
December 11, 2009 3:09 pm
Maybe you should tell your boss that Filezilla is free :)
blogadmin
December 11, 2009 3:21 pm
Did you see this solution for PSPad?
http://forum.pspad.com/read.php?2,13549,page=3
Chris Pollard
December 11, 2009 3:42 pm
Take a long hard look at the thread. File TRANSFER isn’t the problem here. FileZilla works great for that. But it’s not much of a PHP/JavaScript/CSS editor. REEEEEEAALLLLLLY isn’t.
I’m a hand coder. I’ve used text-editors with built-in FTP support since the 90s. PSPad is great. Notepad++ works very well too. HTMLKit is another nice free editor with FTP support. Flip to linux, and I’ve found no equal to Quanta+. None of them will connect any longer. THAT was the problem.
Dreamweaver is a solution for Windows/Mac … but a very expensive one.
Snide remarks are free too … and they are worth about as much when they’re apparently uninformed.
blogadmin
December 11, 2009 6:45 pm
Chris I am a hand coder too so I hear you.
Have you ever tried just using putty with vi/pico on the server? I find it easier than any editing software.
Chris Pollard
December 11, 2009 7:05 pm
AWESOME!! Tunnelier works GREAT with PSPad. No joy with HTML Kit. But that’s okay … because PSPad puts me back in business without having to drop $400 on Dreamweaver. That’ll make the accountants real happy.
For settings, under Login, I used:
Host: http://ftp.yourdomain.com
Port: 40007
Username: <your username>
Initial Method: password
Password:
Under Options, uncheck Open Terminal and Open SFTP, unless you want to use their FTP client as opposed to FileZilla.
Under Services, check FTP-to-SFTP Bridge “enabled”. Leave 127.0.0.1 as the Listen Interface – that is “localhost”.
Probably a good idea to save your profile once you’ve set it up. Just in case you later manage to botch some settings.
One thing to note: if you have more than one bluefur account, you will need to create multiple profiles in Tunnelier and logout/login between them. It ignores the FTP settings in PSPad entirely and connects to whatever account you have Tunnelier connected to. So I can’t work on both accounts at once this way, but the number of times I ever did that anyway could be counted on my thumbs.
Thanks for finding the link on the PSPad forum. It’s gonna save my sanity!!!
Mark Strange
December 12, 2009 2:01 pm
I’ve changed the setting in Cyberduck to FTPS and it will connect to the server but won’t list files. It gives me an error message “I won’t open a connection to 192.168.2.10 (only to 70.xx.x.xx).” obviously my ip. So what to do now?
Mark Strange
December 14, 2009 5:53 am
Bluefur staff advised me to set port to 40007 instead of 21. That, along with using SFTP has allowed me access again. Thanks!
Minnesota Attorney
December 14, 2009 8:56 pm
I had no idea that standard FTP sends your password and username through text.
Tasman
December 16, 2009 2:58 pm
yeah, it’s not really an issue with the ftp client. I’m asking about sftp access.
my login and password don’t seem to work. Is this because there is some kind of syntax or format for SFTP passwords and usernames?
I’m used to connecting via ftp so since the change has taken place on your side, any tips would be appreciated.
t
Tasman
December 18, 2009 12:41 pm
there’s nothing wrong with my ftp client, it’s dead simple to set up for SFTP with a simple drop down. I’m using port 22. Incidentally, Transmit is a very popular FTP client.
could you please:
a) suggest something more helpful
or
b) tell me who I can talk to to get some support
thanks,
t
—
Jon Jennings
December 24, 2009 1:34 pm
Tasman,
Bluefur calls the new FTP requirement “SFTP” and “Secure FTP” but a) these mean two different things and b) as far as I can tell neither of these is what’s actually implemented.
There’s a third method of securing FTP called FTPS (FTP over SSL) and THIS is the protocol I eventually managed to get to work in FileZilla.
I see that Transmit has an option for “FTP with TLS/SSL” – I recommend trying this. You don’t need to specify anything fancy for port numbers.
Note that if you’ve tried and failed to login too many times using SFTP then Bluefur will have blacklisted your IP address and even using the correct method won’t work. If you can’t FTP into your site using FTPS then double check that you can still see your site by accessing it in a browser. If the browser can’t see your web pages then I believe you’ll have to file a support ticket to get yourself un-blacklisted.
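The thread keeps mixing up SFTP (file transfer inside SSH) and FTP secured with explicit TLS (FTPES/FTPS). The following is an added example, not part of any comment above and not Bluefur's code: it tells the two apart from the server's first line, and checks a client-side FTP session log for credentials sent before TLS was negotiated. The session logs, user name and reply texts are constructed for illustration.

```python
import re

def classify_banner(first_line):
    """Identify the protocol from the first line the server sends."""
    if first_line.startswith("SSH-"):
        return "sftp"   # SSH identification string; SFTP runs inside SSH
    if re.match(r"220[ -]", first_line):
        return "ftp"    # FTP greeting; TLS, if any, is negotiated afterwards
    return "unknown"

def credentials_exposed(transcript):
    """transcript: list of (direction, line); 'C' = client, 'S' = server.
    Returns the credential commands sent before AUTH TLS was accepted."""
    tls_active = False
    awaiting_auth_reply = False
    exposed = []
    for direction, line in transcript:
        if direction == "C":
            verb = line.split(" ", 1)[0].upper()
            if verb == "AUTH":
                awaiting_auth_reply = True
            elif verb in ("USER", "PASS") and not tls_active:
                exposed.append(verb)
        elif awaiting_auth_reply:
            # Reply code 234 means the server accepted the TLS upgrade.
            tls_active = line.startswith("234")
            awaiting_auth_reply = False
    return exposed

# Constructed sample sessions (not captured from any real server).
PLAIN_FTP = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS example-password"), ("S", "230 Logged in"),
]
EXPLICIT_TLS = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"), ("S", "234 AUTH TLS successful"),
    ("C", "USER alice"), ("S", "331 Password required"),
    ("C", "PASS example-password"), ("S", "230 Logged in"),
]
# Old client against a server that now requires TLS: the user name still leaks.
TLS_REQUIRED_OLD_CLIENT = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"), ("S", "530 TLS required (constructed reply text)"),
]

if __name__ == "__main__":
    for name in ("PLAIN_FTP", "EXPLICIT_TLS", "TLS_REQUIRED_OLD_CLIENT"):
        print(name, credentials_exposed(globals()[name]))
```

A client that logs `AUTH TLS` followed by `234` before `USER` is doing explicit TLS; one that sees an `SSH-` line first is talking to an SSH server and needs its SFTP mode instead.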