Free, Secure, and Open-Source: How FileZilla is Making an Old School Protocol Cool Again

It's a free and open-source, cross-platform FTP application that allows secure file transfering — and it's making an old-school protocol cool again, according to a recent blog post.

Started about 21 years ago — and downloaded by millions each year — FileZilla remains "committed to their role in liberating technology, by making it accessible, open and also secure," according to the blog post. But it also explains how FileZilla has beefed up that security through a collaboration with the internet freedom nonprofit, the Open Technology Fund (or "OTF"): Over the past year, FileZilla has utilised support from OTF to undertake two activities that enhanced and ensured the security of their tools. The first was integrating FileZilla Server with Let's Encrypt, a free, automated, and open source certificate authority that ensures secure communication between the two end-points sending or receiving a file via FileZilla.... Secondly, FileZilla ran a penetration test, a service offered by OTF's Red Team Lab. A team of independent researchers attempted to force access to the FileZilla server to see if they could gain control. These researchers were highly skilled, and the testing was extensive. The team conducting the test only found very minor security vulnerabilities that FileZilla were able to fix immediately. As a result of this process, anyone wanting to use the FileZilla software can trust that it has been cross-scrutinised by a third party and found to be secure....

FileZilla respects users' confidentiality: they do not track your behaviour, nor sell your data to other companies. While they do have advertisements on their website, they are posted exactly as advertisements would be posted in a newspaper. Nobody knows that you are reading the advertisements, or that you decided to call or connect to the advertised website. The advertisement has simply been attached to the webpage, without any underlying tracking.... . "Our mission hasn't changed in over 20 years: design, develop, maintain and enhance free tools to securely transfer files with ease and reliability," said Tim Kosse, FileZilla Lead Developer. This decision was a political one taken by FileZilla, to always preserve the freedom of their tools, and of their users. "We aren't the typical commercial open-source venture that starts doing things for free, and over time, closes this and that to make money" said Roberto Galoppini, FileZilla Director of Strategy. "While you might not see FileZilla listed at the NYSE [New York Stock Exchange] any time soon, the freedom of our tools will never be questioned...."

[I]f you work in an industry that requires the secure transfer of sensitive files, or if you simply have personal photographs or videos you want to keep confidential, using proprietary platforms to share or store them can put your information at risk of being exposed.... FileZilla offers an alternative that is secure and private. Their tools are developed by a team that is deeply invested in protecting users' confidentiality, and liberating technology is central to their work and decision-making....

At the same time, projects like FileZilla remind us that there exists a global community of technologists, activists, coders, bloggers, journalists, software developers, and mindful internet users making internet freedom a lived reality and daily practice. Supporting, experimenting with and using free and open source tools, such as the FileZilla client and server, enables us to disinvest from the capitalist pursuit of corporate control of technology and unchecked surveillance of our data.

Rather, we can step into alignment with an alternative, parallel narrative being created by a community of resistance that is grounded in principles of cooperation, solidarity, commons and openness.

Really? I don't buy it.

[TigerPlish]

I don't believe a word in TFA

Filezilla had descended into bundled adware, spyware and such. What used to be a really cool little FTP and SFTP client became tainted.

It takes quite a bit of due diligence to get a "clean" install. I don't trust it anymore.

Similar to Adobe Acrobat Reader.. would you like a side of McAfee with that?

Nice try, but once you lose my trust as a software writer / publisher.. it'll take more than a slashvertisement to make me nibble.

Re: Really? I don't buy it.

[Kobun]

Yep. Distribute adware - instant placement on the shitlist.

Good thing WinSCP is right there.

Re:

[xession]

Funny, the version I got for free didn't have any of the extra crap and all these extra premium features. Yar.

Re:

[drinkypoo]

I just installed it because I needed to use FTP for something locally. It doesn't take much diligence at all to not get the crapware installed. IIRC it was Chrome and something. Just read the dialogs. I agree that's sleazy and I want them to stop it, but it wasn't actually a problem for a thinking being.

I started using Filezilla back before they added the shovelware. It's still a good FTP and SFTP client. I haven't used the server.

Re:

[RazorSharp]

If you're using old school FTP locally, why not just use your file manager? I know on macOS and most *nix DEs you can access FTP directly from a file manager window. With some, like Dolphin, it will even use any ssh keys you have installed automatically if you're using sftp.

Re:

[drinkypoo]

Because I like having the old school* two pane interface, and because I was doing it on Windows, where the file manager is poop.

* Yeah, text is more old school. I might have used ncftp, but there were weird filenames involved.

Re:Really? I don't buy it.

[Joce640k]

If you're on Windows then WinSCP is much better than FileZilla.

terrible forum support too

[RegistrationIsDumb83]

Plus the devs support is terrible. Last I used the software, it had some weird slow bootup problem (like 90 seconds to start). In a forum thread, the devs advice was 'try reinstalling windows' and he got real pissy when people said 'lol no'. Between the crapware and the bad support / bugs, seems dude does everything he can to get rid of his userbase. I don't feel bad one bit his software has fallen into irrelevance.

Re:

[DaFallus]

I don't believe a word in TFA

Filezilla had descended into bundled adware, spyware and such. What used to be a really cool little FTP and SFTP client became tainted.

It takes quite a bit of due diligence to get a "clean" install. I don't trust it anymore.

Similar to Adobe Acrobat Reader.. would you like a side of McAfee with that?

Nice try, but once you lose my trust as a software writer / publisher.. it'll take more than a slashvertisement to make me nibble.

I've been using Chocolatey to install and maintain FileZilla. Through this method, I haven't seen adware, spyware, etc bundled with the installation in the past few years.

Effort

[JBMcB]

They have a non-ad supported download. It takes about five seconds to find it from their download page.

Also, it's FTP.

[Spazmania]

FTP(S) is a firewall-unfriendly protocol. You have to open a lot of TCP ports and it's relatively hard to guarantee that the only thing listening on those ports is Filezilla. It doesn't matter how secure Filezilla is if something else stumbled into binding one of the ports it transfers data on. This is why security-conscious folks abandoned FTP two decades ago.

SFTP doesn't suffer this problem since it's overlaid on SSH operating on port 22. It's relatively easy to guarantee that SSH is the only thing listen

Re:

[Bert64]

SSH is in some ways worse, because the service is capable of multiplexing and tunnelling almost anything.

FTP provides features which SFTP does not, for instance the ability to initiate transfers directly between two remote hosts.

Some firewalls and especially NAT gateways include an application level gateway specifically for FTP. This dynamically opens ports in response to FTP traffic the gateway sees. Not only can this be tricked into opening arbitrary ports with malicious traffic masquerading as FTP, but i

Re:

[drinkypoo]

FTP(S) is a firewall-unfriendly protocol. You have to open a lot of TCP ports

That is true without PASV mode, which was invented a long long time ago. You still need to allow egress, but ingress only on one port. Some FTP clients will automatically fall back to using it, others just use it by default. Firefox does it by default, Chrome has to be configured to do it (but has a checkbox.) Way way back in the day there used to be clients and servers that didn't support it, but that was a long time ago. It's also very common for firewalls to have some form of FTP gateway. Packet inspecti

Re:

[Spazmania]

Active mode FTP was worse - the *client* had to allow the server to connect to it. Even with passive mode FTP, the server has to open a new port for each file transfer. Since you need a different port for every active file transfer, that ends up being a range of ports. And unless your software explicitly restricts it, the range chosen is the same OS dynamic range it uses for literally everything else running on the server that doesn't request a specific port.

Re:

[tlhIngan]

FTP(S) is a firewall-unfriendly protocol. You have to open a lot of TCP ports and it's relatively hard to guarantee that the only thing listening on those ports is Filezilla. It doesn't matter how secure Filezilla is if something else stumbled into binding one of the ports it transfers data on. This is why security-conscious folks abandoned FTP two decades ago.

Actually, protocol wise, you have to open every port.

You connect to the server port 21. When you download a file the server connects to you on whatev

Re:

[Spazmania]

I'm talking about passive mode. Active mode FTP hasn't been workable since NAT became commonplace.

Most FTP servers (and I presume this includes Filezilla) have a mechanism by which you can restrict the port range used for data transfer connections. But it's still a userspace range where other programs can bind ports the FTP server isn't using at the moment.

Re: Really? I don't buy it.

[kdemetter]

What do you mean ? I have never had any adware with filezilla

Let's Encrypt?

[93 Escort Wagon]

I've only seen Filezilla used as a client application. The linked blog post talks about integrating Let's Encrypt with Filezilla Server - which I didn't even know was a thing - but it also seems to be implying that somehow Let's Encrypt is securing any communications using Filezilla in any manner. I might be missing something, but that doesn't make a whole lot of sense to me.

On a side note... Filezilla's Mac client works well, except when it doesn't. I've seen it quietly fail (in sftp mode) just often enoug

Re:

[drinkypoo]

it also seems to be implying that somehow Let's Encrypt is securing any communications using Filezilla in any manner.

That's probably not true. It could be true though that they have enabled encryption for any communication between a (current) filezilla client and server.

Re:

[bn-7bc]

well if he filezilla server uses ftp over tls, I certainly hope no one uses un encrypted transfer nowadays at least not for places you need to log in), you will need a certificate, and Let's encrypt is a good a place as any to get one when all you need is DV

Re:

[RazorSharp]

Personally, I just work with sftp or scp from the command line; but I know not everyone likes to do that.

People uncomfortable with that are probably using password based authentication, which means they can just use Finder to connect to their server. This sounds like an advertisement for FileZilla because so few people even use FTP client software anymore. People either use ssh through the command line, as you do, or they have software installed on their server like CPanel to provide a web interface for file transfers.

For the most part, FTP clients just aren't necessary anymore. I don't have one installed on a

Re:

[walshy007]

For the most part, FTP clients just aren't necessary anymore.

For home and sane scenarios I agree. SFTP does the trick for linux machines and there's integration using kio slaves/other means.

For work.. it depends how sane they are with infrastructure and how far down the rabbit hole they are with microsoft onedrive.

Sometimes you just want to transfer some large files with another PC on a LAN. Filezilla server/client is a really simple/elegant/reliable means to do this.

You can upload it to 'the cloud', wait for it to sync, then download it again from the other machine.

Itâ(TM)s clunky

[rgbe]

I donâ(TM)t use FileZilla much, but I find it clunky as hell. It used to to be real buggy, so much so that I donâ(TM)t have much trust in the developers. I havenâ(TM)t used it much recently, so I donâ(TM)t know if itâ(TM)s more stable. I avoid it as much as I can.

Slashvertisement?

[backslashdot]

The only thing missing was a line that if we act now we can get 10% off by entering the code SLASH at checkout.

Re: Slashvertisement?

[RegistrationIsDumb83]

Install two bundled adware, get one free!

Nope

[DrXym]

Filezilla is certainly one of the least awful ways of using FTP but there are far better, more secure ways to transfer files. And Filezilla isn't helping itself by bundling crapware into its installer or constantly nagging about updates when it's FTP we're talking about. So no, FTP is not cool and nor is Filezilla.

FTP is a horrible protocol and should die fast

[Crass Spektakel]

FTP is an outright horrible protocol and should die as fast as possible!

It uses an utterly stupid separation between command and data channel, rooted in a time far before the internet even remotely became what it is today.

it is overloaded with old burdens and has an atrociously lousy structure.

It depends on a shitload of outdated libraries and frameworks.

It scales HORRIBLY!

Fixing all that is wrong with FTP would basically create a totally new protocol. We don't need a new protocol.

alt.ftp.die.die.die

Re:

[ArchieBunker]

I use gopher you insensitive clod!

Re:

[Moridineas]

It depends on a shitload of outdated libraries and frameworks.

What does all of this even mean? FTP is pretty damn simple. We're talking several thousand lines of code and NO external libraries or frameworks beyond the C stdlib.

I don't think anyone is going to argue that FTP is a good protocol, but this one is new to me.

Re:

[Pinky's Brain]

Getting it across NAT pulls in a lot more shit by proxy.

Re:

[Moridineas]

Passive mode? That doesn't really add that much complexity... I still don't see how FTP relies on "a shitload of outdated libraries and frameworks"

Re:FTP is a horrible protocol and should die fast

[codebase7]

It uses an utterly stupid separation between command and data channel, rooted in a time far before the internet even remotely became what it is today.

It took security seriously. Unlike "modern" protocols it doesn't require a parser to handle splitting up data VS. commands. So an uploader cannot send a crafted file that will DDoS (or worse) the server.

it is overloaded with old burdens and has an atrociously lousy structure.

Define instead of complain. What's the problem you have with it? FYI, it's most basic structure is the same as HTTP. Which I guarantee you 95% of the alternatives will be using at some point.

It depends on a shitload of outdated libraries and frameworks.

That's pure FUD. Nice try. Most FTP servers today are their own self contained programs. Unlike the vast majority of the alternatives which require some kind of LAMP stack and a DocumentRoot. Some may have plugins to offer extended functionality (such as LDAP / RADIUS authentication, anti-virus integrations, etc.) but they are not required for basic functionality. An FTP client is the same. Most OSes provide a builtin FTP client somewhere. Hell most jailbroken video game consoles provide an FTP client / server somewhere. Most alternatives require an up-to-date modern web browser on the client. Not to mention that web browsers were one of the first programs that bundled FTP client support. (It's been removed recently in all of the major browsers.) Hard to claim your replacement is better framework / library usage wise if the client had support for your competition baked in from the start.

It scales HORRIBLY!

It's also one of the few things that actually works. Things like nextCloud choke on large directory structures. Things like scp require giving a system account and shell access to the end users. Google / O365 / Apple Drive is nothing but giving your data to a huge conglomerate for them to sell to the highest bidder. (And every spying agency on earth.) Mega and friends are overkill for a one-time transfer between two machines, and require payment for anything above certain sizes and bandwidth speeds. FTP on the other hand just works. Most of it's scaling limitations come from it's need to use multiple TCP / UDP ports from a static range per session, but as it is standards based, someone could easily propose an RFC to do away with the requirement.

Fixing all that is wrong with FTP would basically create a totally new protocol. We don't need a new protocol.

Again. FUD. You don't need a new protocol to fix FTP's issues. You would need a new protocol if you wanted to hide the details of your implementation from the public, or ensure no-one else could build a competing service. Which is what most of the "replacements" have done. Silo off everything and give the provider centralized control. (Because we can't ensure copyright compliance if the end users can transfer things without our involvement!) The remaining replacements are targeted by the media and governments alike because they are decentralized. Just like FTP is. The main difference from FTP and the other replacements is the mass distribution aspect. FTP was meant for one to one transfers, although it could be set up for one to many transfers. The other replacements are meant for one to many or many to many transfers, and often without authentication of any kind. As a giant fuck you to the media cartels. But I digress. Wanna fix FTP? Propose a new RFC with your changes. If not, quit complaining.

alt.ftp.die.die.die

User complains about FTP being an outdated protocol and makes a Usenet reference? Hmm......

Re:

[AmiMoJo]

The two big flaws with FTP are that it has issues with firewalls and NAT, and that it lacks any kind of security in the most widely supported variant.

Both of those have solutions, but they aren't good solutions.

SFTP isn't perfect either but does at least solve those two problems.

Re:

[Bert64]

NAT is the problem rather than FTP, and NAT is also the primary reason why unencrypted FTP is still in widespread use because the NAT gateway can't inspect an encrypted channel.
Do away with NAT, migrate to IPv6 and these problems go away.

FTP also has useful features, like being able to send data between two remote hosts without having to download and reupload it. In these days of asymmetric connections, long distance links and metered connections this is even more useful than ever.

Re:

[codebase7]

The two big flaws with FTP are that it has issues with firewalls and NAT

That could be fixed by an RFC declaring a known passive data port and changing the filtering logic from filtering based on dest port to src port. Granted, that causes security problems as the server now needs to authenticate each incoming data packet, but so do most modern protocols and it shouldn't create anymore additional overhead than they do.

that it lacks any kind of security in the most widely supported variant.

So does HTTP. FYI: Much like HTTPS is a TLS wrapper around HTTP, FTPS is a TLS wrapper around FTP, and already supported by many implementations. It's just rarely

And what protocol would that be?

[Arnonyrnous Covvard]

Certainly not FTP, that inband-signaling POS protocol.

Re: And what protocol would that be?

[umopapisdn69]

Perhaps sftp? Which FileZilla has always supported?

Use Filezilla to greatly speed up SFTP transfers

[echo123]

Plus, FileZilla allows you to keep *many* sftp connections open per file transfer, for a somewhat dramatic transfer speed improvement overall.

https://theitbros.com/speed-up... [theitbros.com]

Filezilla?

[jd]

Huh. I've been using Bitvise for so long, I'd almost forgotten about Filezilla.

Besides which, if you're going to go old-school, what's wrong with Gopher?

I'd personally have recommended FLUTE, but the open source file transfer software that used it seems to have vanished. (FLUTE has the benefit of being multicast, so files can be shared with multiple targets simultaneously without increasing bandwidth requirements.)

Wow! I had no idea

[king*jojo]

there's so many FTP haters out there. I always thought of it as one of those essential internet building blocks that's sturdy and true, and everyone is more or less cool with.

Anyway, I'll go to bat for Filezilla Server. It makes creating a LAN server on Windows a simple and straightforward process (as it should be), and I've never had a problem with it installing bundled spyware.

Doesn't Windows Support FTP in File Explorer?

[MonkeyProgrammer]

Haven't done this for years because no one uses FTP anymore, but I could swear Windows File Manager/Explorer used to allow you to "mount" an FTP source just like it was a local volume and then traverse the folder structure and create/move/copy/delete files just like you would with local files.

I'm guessing all the *nix variants have similar functionality, so why would anyone need a separate client?