FTPES, but plain data transfers.

Discussion in 'Free Hosting' started by karrx10h, Apr 1, 2021.

  1. karrx10h

    FileZilla v3.53.1, Windows 10 x64. The screenshot says it all.

    FTPES.png

    Why is this happening? I've never seen this before with any FTP server in the Net. Weird.
    This server does not support TLS session resumption on the data connection.

    TLS session resumption on the data connection is an important security feature to
    protect against data connection stealing attacks.

    If you continue, transferred files may be intercepted or their contents replaced by
    an attacker.
     
  2. spacresx

    i dont use filezilla, i use dreamweaver cs5 but ive never seen that issue.
    i do have ssl on my website as well.
    is it possible that you do not have ssl on the website, but you have
    the ssl selected in filezilla ??

    did you just update filezilla?
    or maybe its a 1st time warning about the connection hazard.
    and clicking accept makes the message go away.
     
  3. karrx10h

    Yes, I've always had SSL selected in FileZilla. And now, in the website too; that recent Let's Encrypt "magic".
    As I write these lines, the version still is v3.53.1. So, yes; the up-to-date version.
    Exactly.

    Right before starting to write this answer, I've tried to capture traffic with Wireshark. If I connect to a "plain FTP", when I transfer a file, Wireshark captures/shows the "ftp-data" (protocol; in the filter bar) traffic. But if I do the same test with this server, Wireshark doesn't show any "ftp-data" traffic. I've done more tests; with other "FTPES" servers; and... with "ftp.xmission.com", the warning never shows up, but it does with "ftp.pureftpd.org". Again, the "ftp-data" traffic doesn't show up with this one in Wireshark.

    And it seems not to be a bug in FileZilla: https://forum.filezilla-project.org/viewtopic.php?f=2&t=53710

    Not so weird now.
     
  4. spacresx

    that post generally states that the host dont support an
    option that the new release of filezilla now searches for.
    which quite honestly i dont think many hosts do support.

    until now i never even heard of FTPES, only FTP.
    and i do have a paid hosting account with another host.
    so i know this is not just x10 that dont support it.

    they may have what filezilla describes but i wouldnt know.
     
    Last edited: Apr 3, 2021
  5. karrx10h

    FTPES = FTP with Explicit Security

    In this mode, you connect with plain FTP first and then, the FTP client tries a secure session:
    Code:
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 6 of 50 allowed.
    220-Local time is now 16:03. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    AUTH TLS
    234 AUTH TLS OK.

    "ftp.cubic.org" doesn't support FTPES:
    Code:
    220 ProFTPD Server (ftp.cubic.org) [::ffff:193.108.181.132]
    AUTH TLS
    500 AUTH not understood
    AUTH SSL
    500 AUTH not understood
    Estado: Servidor no seguro, no soporta FTP sobre TLS. (Something like: «Status: Unsecure server, it doesn't support FTP over TLS.»)
    

    And you have also FTP with implicit security (FTPS). The FTP client connects to the port 990 (default) and you have a secure connection as soon as you connect to that port; from the 0 second. Currently, not enabled here.
     
    Last edited: Apr 7, 2021
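Added example, not part of the original post: a small parser for control-channel transcripts like the two quoted above. It handles multi-line `220-` greetings and classifies the server by its reply to `AUTH` (234 means the TLS handshake follows). The function names are made up for this example, and the Pure-FTPd greeting is shortened to three lines.

```python
import re

# Constructed sample input: the two transcripts quoted in the post above
# (Pure-FTPd greeting shortened).
PUREFTPD = """\
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 6 of 50 allowed.
220 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
"""
PROFTPD = """\
220 ProFTPD Server (ftp.cubic.org) [::ffff:193.108.181.132]
AUTH TLS
500 AUTH not understood
AUTH SSL
500 AUTH not understood
"""

REPLY = re.compile(r"^(\d{3})([ -])")  # "NNN " ends a reply, "NNN-" continues it

def parse_exchanges(transcript):
    """Return [(command or None, code, raw reply lines)]; None is the greeting."""
    exchanges, command, open_code, lines = [], None, None, []
    for raw in transcript.splitlines():
        m = REPLY.match(raw)
        if open_code is not None:
            lines.append(raw)
            # A multi-line reply ends only at "<same code><space>".
            if m and m.group(1) == open_code and m.group(2) == " ":
                exchanges.append((command, int(open_code), lines))
                command, open_code, lines = None, None, []
        elif m and m.group(2) == "-":
            open_code, lines = m.group(1), [raw]
        elif m:
            exchanges.append((command, int(m.group(1)), [raw]))
            command = None
        elif raw.strip():
            command = raw.strip()  # a line sent by the client
    return exchanges

def explicit_tls_support(transcript):
    """'explicit-tls' if an AUTH got 234, 'plain-only' if every AUTH was refused."""
    seen_auth = False
    for command, code, _ in parse_exchanges(transcript):
        if command and command.upper().split()[0] == "AUTH":
            seen_auth = True
            if code == 234:
                return "explicit-tls"
    return "plain-only" if seen_auth else "not-tested"
```
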
  6. spacresx

    just a mention,
    i would just check that box off and click "accept" then you wont see the
    message anymore which you never saw in earlier versions of filezilla,
    i doubt x10hosting would change its standard protocol for free hosting.
    because filezilla suggests it. just my opinion though.
     
  7. karrx10h

    Hm... I don't know. Now I'm curious about which servers have that "extended security" and which ones don't. o_O
     
  8. garrettroyce

    I thought FTP on port 21 supported STARTTLS. I'm reading this thread really really quickly because I have to log out, but hopefully that'll add something to the conversation
     
  9. spacresx

    @ garrettroyce
    i believe originally karrx10h was referring to FTPES and not just FTP.
    its supposed to be a feature in newer releases of filezilla.
    generally for extra security over normal FTP.
    but i didnt know if x10 would support FTPES.
     
  10. karrx10h

    Summary:

    FTP - File Transfer Protocol
    SFTP - SSH File Transfer Protocol
    FTPS - FTP through implicit TLS/SSL
    FTPES - FTP through explicit TLS/SSL

    Anyway. I've been doing some research and I found that FileZilla doesn't complain about these servers not supporting that "TLS session resumption on the data connection" feature: FileZilla Server (installed locally), ftp.xmission.com, ftp.swcp.com, ftp.softlab-nsk.com, ftp.snobol4.com, ftp.sandpile.org, ftp.rubicon.ca, ftp.robelle3000.ai, ftp.robelle.com, ftp.qosient.com, ftp.procergs.com.br... I decided to stop here.

    But I've been unable to find any... "special" thing that makes any difference between those servers and the x10Hosting one. The FEAT command didn't help me with the comparisons and I have no idea of how FileZilla "knows" which servers support the "TLS session..." and which ones don't.
     
