During my daily work I often connect to my Linux server, usually over an SSH connection. When I want to transfer files I usually use SFTP (that is, FTP over SSH). My primary OS is around 50% Windows 8.1 and 50% Ubuntu GNOME. Today I accidentally tried to connect to the address sftp://my.server.tld/ on my Windows machine to upload some files, and I found that the SFTP protocol silently (!) falls back to FTP.
Let's go back: I typed sftp://my.server.tld/ into Explorer's address bar. After a few seconds Windows greeted me with an unfamiliar window asking for a username and password. At that moment I realized that I was not connecting from the Ubuntu machine, and I became suspicious: since when has Microsoft implemented SFTP in Windows?
At that moment I ran Wireshark, started capturing, and analysed the traffic between my PC and my server. I confirmed that the SFTP connection silently fell back to FTP (Wireshark logs further down the page). The only indication that this happened is a note in the login window. This is a serious security risk, as we all know that 90% of users won't read everything on a system login form like this. Just remember how loudly any browser warns when something is wrong with an HTTPS certificate. Let's look at two cases where this would go through without the user's knowledge (besides the one where the small note in the login window is simply missed).
Case 1: The user has somehow saved the username and password for this domain, so the login window doesn't appear. The user would be using FTP without knowing it, while expecting that their password and files aren't travelling in plain text over the Ethernet.
Case 2: If the server were configured to allow anonymous logins, I would be logged in as an anonymous FTP user. I wouldn't miss the login form, because I would think that I had been logged in to SFTP via the public/private key system. (This one is more obscure, but it can also happen. Why would you have anonymous login allowed, though?)
In either case the user wouldn't have known that the SFTP connection fell back to FTP. I think this is a severe security risk and it should be fixed. It is bad enough that Windows ignores SSH and SFTP, but that a secure connection falls back to an unencrypted one in such a subtle way is a hundred times worse.
The same as written above holds for FTPS connections.
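As an added example (not code from the original post), here is a small Python checker that takes the lines of a captured control-channel stream, in the shape Wireshark's "Follow TCP Stream" view shows them, and decides whether the connection actually used what the typed URL promised: an SSH banner for sftp://, an AUTH TLS upgrade before any USER/PASS for ftps://, or cleartext FTP. It flags the downgrade the post describes and reports the credentials that went over the wire in the clear, which is what an admin reviewing such a capture most wants to know. The host name, user names and passwords in the sample streams are constructed, and the check goes slightly beyond the post by also covering the FTPS case it mentions at the end.

```python
"""Spot a silent SFTP/FTPS-to-FTP downgrade from a captured control stream.

Added example, not from the original post. Input is a list of protocol
lines as Wireshark's "Follow TCP Stream" shows them, client and server
lines in the order they were sent. All sample data below is constructed.
"""
import re
from dataclasses import dataclass, field

# Whether the URL scheme the user typed promises an encrypted channel.
EXPECTS_ENCRYPTION = {"sftp": True, "ftps": True, "ftp": False}


@dataclass
class StreamVerdict:
    requested: str   # scheme taken from the URL the user typed
    observed: str    # "ssh", "ftp-plain", "ftp-tls" or "unknown"
    downgraded: bool
    leaked: dict = field(default_factory=dict)  # credentials seen in cleartext


def scheme_of(url: str) -> str:
    """Extract the URL scheme ("sftp", "ftps", ...) or "unknown"."""
    m = re.match(r"^([a-z][a-z0-9+.-]*)://", url.strip().lower())
    return m.group(1) if m else "unknown"


def classify_stream(lines):
    """Return (kind, leaked) where kind is ssh / ftp-plain / ftp-tls / unknown."""
    leaked = {}
    # An SSH session opens with a version banner from both sides; SFTP
    # is a subsystem inside that encrypted session, so nothing else is visible.
    if lines and lines[0].startswith("SSH-"):
        return "ssh", leaked
    tls_started = False
    is_ftp = False
    for line in lines:
        if re.match(r"^\d{3}[ -]", line):       # FTP reply code, e.g. "220 ..."
            is_ftp = True
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "AUTH" and arg.strip().upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
            tls_started = True    # explicit FTPS: later commands are encrypted
        elif cmd in ("USER", "PASS") and not tls_started:
            leaked[cmd.lower()] = arg.strip()   # credential sent in the clear
    if not is_ftp:
        return "unknown", leaked
    return ("ftp-tls" if tls_started else "ftp-plain"), leaked


def check_downgrade(url, lines):
    """Compare what the URL promised with what the wire shows."""
    requested = scheme_of(url)
    observed, leaked = classify_stream(lines)
    wanted = EXPECTS_ENCRYPTION.get(requested, False)
    downgraded = bool(wanted and observed == "ftp-plain")
    return StreamVerdict(requested, observed, downgraded, leaked)


# Constructed sample streams (host, users and passwords are made up).
SAMPLE_DOWNGRADED = [   # sftp:// typed, plain FTP on the wire (the post's case)
    "220 my.server.tld FTP server ready",
    "USER alice",
    "331 Password required for alice",
    "PASS hunter2",
    "230 Login successful",
]
SAMPLE_SSH = ["SSH-2.0-OpenSSH_6.6", "SSH-2.0-ExampleClient_1.0"]
SAMPLE_FTPS = ["220 my.server.tld FTP server ready", "AUTH TLS", "234 Proceed with negotiation"]
SAMPLE_ANON = [         # the post's case 2: anonymous login, no prompt to warn the user
    "220 my.server.tld FTP server ready",
    "USER anonymous",
    "331 Please specify the password",
    "PASS guest@",
    "230 Anonymous login ok",
]

if __name__ == "__main__":
    for url, stream in [("sftp://my.server.tld/", SAMPLE_DOWNGRADED),
                        ("sftp://my.server.tld/", SAMPLE_SSH),
                        ("ftps://my.server.tld/", SAMPLE_FTPS),
                        ("sftp://my.server.tld/", SAMPLE_ANON)]:
        v = check_downgrade(url, stream)
        flag = "DOWNGRADED" if v.downgraded else "ok"
        print(f"{url}: requested={v.requested} observed={v.observed} {flag} leaked={v.leaked}")
```

The only trustworthy signal that a session is really SFTP is the SSH banner at the very start of the stream; an FTP reply code at that position, with USER and PASS following before any AUTH TLS, means the credentials left the machine unencrypted no matter what the address bar said.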