4

Recently I noticed in WireShark I could see my FTP username/password that I used for connection to my FTP Server to upload a file (Delphi 6 with Indy 9 or 10, I belive). I would like to prevent that by encrypting the password but I am not sure where to start.

What would you suggest to prevent a hacker from gaining the credentials ? Please no components (even free ones) or anything that cost money.

TLama
  • 75,147
  • 17
  • 214
  • 392
user0
  • 129
  • 3
  • 9
  • 1
    You might try switching to the FTPS protocol, see http://en.wikipedia.org/wiki/FTPS – R-D Dec 18 '12 at 22:24
  • I do not know how to use FTPS though.And I think my version of indy does not support FTPS as I could not find anything with FTPS in it. – user0 Dec 18 '12 at 22:27
  • wait would it be IDtrival FTP?If so I have that.Let me go check and report back one sec. – user0 Dec 18 '12 at 22:28
  • nope doesn't look like it uses a secure connection or auth. to connect... – user0 Dec 18 '12 at 22:30
  • 1
    No, to use FTPS you need to assign a proper `IOHandler` for your `TIdFTP` and establish a secure connection before you login. Of course the server where you're going to connect must support FTPS. – TLama Dec 18 '12 at 22:48
  • I believe my server accepts ftps http://i.imgur.com/jwY62.png but about an IOHandler would that be used for handling errors?And where would I find more about the subject of transferring files to my server through explict FTPS? – user0 Dec 18 '12 at 22:51
  • IOHandler is the way Indy uses to handle the I/O, for example, encrypting what is sent and decrypting what is received. You can create an instance of TIdSSLIOHandlerOpenSSL class to do this encryption using the popular OpenSSL library (the dll's must be present and accessible to the executable at runtime) – jachguate Dec 18 '12 at 23:18
  • Thank you for explaining that,I will try and use that =D – user0 Dec 18 '12 at 23:20
  • 3
    Here's where [`you might start`](http://www.indyproject.org/KB/index.html?howdoiuseftpwithssl.htm). And, [`Indy 9 doesn't support SSL for FTP`](http://stackoverflow.com/a/9241411/960757), so if you're using Indy 9, it's time to upgrade if you want to use FTPS. – TLama Dec 18 '12 at 23:36
  • 1
    I've made a [`demo project`](http://projects-stackoverflow-tlama.googlecode.com/files/13942445.ZIP) (in Delphi 2009 though, but if you're lucky, it might work for you), that connects and lists root folder of the public secured FTP server hosted by [`http://secureftp-test.com`](http://secureftp-test.com). – TLama Dec 19 '12 at 03:36
  • 1
    You can also try to switch to HTTPS (WebDAV) protocol – Arioch 'The Dec 19 '12 at 07:04
  • Use a VPN connection - this will use SSL. – mjn Dec 19 '12 at 09:46

1 Answers1

6

In pure FTP protocol, you have no means to encrypt anything, so the credentials travel as a plain text and the files, list, etc travel unencrypted to/from the server.

If your sever supports FTPS, which is a plain normal FTP session over a SSL encrypted connection, you can do it using the same TIdFTP object you're using, but changing the default IO handler to a SSL capable one, for example, an instance of TIdSSLIOHandlerSocketOpenSSL, which does the encryption using the popular OpenSSL library.

In code it looks like:

var
  ftp: TIdFTP;
  ssl: TIdSSLIOHandlerSocketOpenSSL;
begin
  ftp := TIdFTP.Create();
  try
    ssl := TIdSSLIOHandlerSocketOpenSSL.Create(ftp);
    ftp.IOHandler := ssl;
    ftp.Host := 'ftp.myserver.com';
    ftp.Username := 'myuser';
    ftp.Password := 'mypass';
    ftp.Connect;
    DoWhateverYouWantToDoWithThe(ftp);
    AndUploadMoreFiles(ftp);
    ftp.Disconnect;
  finally
    ftp.Free;
  end;
end;
jachguate
  • 16,976
  • 3
  • 57
  • 98