-
Secure File Transfer Protocol (SFTP) in place of FTP
Hello,
Is it possible to use Secure File Transfer Protocol (SFTP) in place of FTP?
The problem with FTP is that plain old FTP isn’t secure. If you use an FTP application to connect to your site, you’re sending your password in plain, human-readable text every time you log in. Hackers have ways of ‘listening in’ to intercept that information, which they can use to gain access to your site via FTP.
FTP is unsafe, and it’s over 23 years old.
Regards
PXeuda
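Added example, not part of the original post: a small audit over FTP control-channel transcripts that reports which logins expose credentials in cleartext, including the case where a client asks for TLS (`AUTH TLS`, RFC 4217), is refused, and silently falls back to plain `USER`/`PASS`. The session data and function names are constructed for illustration.

```python
import re

# Constructed sample: client (C:) and server (S:) lines from three FTP control
# connections as they would appear on the wire. Not real captured data.
SAMPLE_SESSIONS = {
    "plain": ["S: 220 ready", "C: USER alice", "S: 331 need password",
              "C: PASS hunter2", "S: 230 logged in"],
    "ftpes": ["S: 220 ready", "C: AUTH TLS", "S: 234 proceed with negotiation"],
    "fallback": ["S: 220 ready", "C: AUTH TLS", "S: 502 not implemented",
                 "C: USER bob", "S: 331 need password", "C: PASS s3cret",
                 "S: 230 logged in"],
}


def audit_session(lines):
    """Classify one control connection (hypothetical helper).

    Returns (verdict, exposed). `exposed` lists the cleartext login commands
    with the PASS argument redacted, so the report never stores a password.
    """
    tls_requested = False
    exposed = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            m = re.match(r"(\w+)(?: (.*))?$", text.strip())
            if not m:
                continue
            verb = m.group(1).upper()
            if verb == "AUTH":
                tls_requested = True
            elif verb == "USER":
                exposed.append(f"USER {m.group(2) or ''}")
            elif verb == "PASS":
                exposed.append("PASS <redacted>")
        elif side == "S" and tls_requested and text.startswith("234"):
            # 234 accepts AUTH TLS; everything after this reply is encrypted.
            return "protected", exposed
    if not exposed:
        return "no-login", exposed
    return ("cleartext-after-failed-tls" if tls_requested else "cleartext"), exposed


def audit_all(sessions):
    return {name: audit_session(lines) for name, lines in sessions.items()}


if __name__ == "__main__":
    for name, (verdict, exposed) in audit_all(SAMPLE_SESSIONS).items():
        print(f"{name}: {verdict} {exposed}")
```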
-
-
Submit a ticket to enable ssh on your account, then scp the files over if you are concerned about security.
-
-
I use FTP all the time in various apps (Dreamweaver, Dopus, etc.), and would hate to give it up. I know what you say is true in theory, but has there ever been any kind of real world breach because of it?
-
-
Yes, all the time.
- Example 1: my local university. The default password was the social security number. As a proof of concept, I sat on the school's network and sniffed the http passwords that were sent to the server. I got everyone's SSN. I turned over all data to the school and made it clear what I was doing beforehand. The security issue was fixed by using https the next semester.
- I've seen people sit at local wifi hotspots with programs like http://www.nirsoft.net/utils/password_sniffer.html up. This isn't as popular due to extra security layers that are in place, but it works sometimes. Always use secure email protocols.
Never ever ever log in to your webhostingbuzz site via unsecure ftp from a public internet hotspot. You're inviting script kiddies with password sniffers (or just some fool playing with netcat) to compromise your account. This is true for unencrypted pop and imap connections, also.
Quick summary:
Always log in to gmail using https. Always use imap and pop in conjunction with ssl. Never click on links you get from "paypal!"
EDIT: Just to make it clear, I had the network administrator sitting beside me during the exploit proof. I had full permission to perform these actions to prove that a portion of the network was unsecure.
-
-
Ya, like I thought, in circumstances similar to mine (at home, not on any kind of public network), these passwords would be almost impossible to sniff.
These days it's much more likely passwords will be swiped via keylogging, and SFTP isn't going to stop that at all.
-