When e-commerce software insists on LESS security!

By: Steve Sant in Security

Posted on: May 25th 2016 at 15:33pm

Today, we have re-enabled plaintext (unencrypted) FTP services, because of customer pressure – from customers who use e-commerce software that doesn’t support secure FTP!

FTP (File Transfer Protocol) is a commonly used language that computers on the internet use to transfer and manage files. Like all traffic on the internet, it is prone to eavesdropping.

For a long time, our premium accounts have required that FTP connections are made using SSL/TLS – ensuring that the data passing between your computers and our servers remained private.

A year or so ago, we extended this policy to our standard hosting accounts, because we wanted to provide the best protection against FTP data being tampered with or leaked in transit.

However, today we have had to back peddle on that decision. Why? Because many FTP packages still have poor or no support for SSL/TLS. As a result, customers have become frustrated, increasing our support burden and even costing us business.

Most disturbing, is that some of those FTP software clients – such as SellerDeck (Formerly Actinic) – despite being e-commerce solutions – still don’t intrinsically support secure FTP upload at all (according to their phone support today), leaving their users with no option but to leave us or try and figure out how to install and run their own proxy service.

Other packages such as Serif WebPlus have support, but only provide TLSv1 and SSLv3, of which neither are considered secure by the community. These are just two examples from dozens of FTP clients which are insecure.

So today, we have re-enabled plain text FTP on all non-premium services. We have NOT disabled secure FTP (which is still available as FTPS and SFTP) – so customers who are enjoying secure FTP connections will continue to do so.

We can’t stress enough how strongly we recommend you DON’T use plaintext FTP – but at least the option is there again for those who are forced to use less secure software.