Thursday 14 March 2019

Which versions of the Windows TLS/SSL file transfer software like WinSCP and FileZilla are not affected by Heartbleed?


I noticed that many people still use versions affected by the Heartbleed vulnerability of widespread TLS/SSL-enabled Windows clients like WinSCP and FileZilla.


To be able to make safe recommendations, I want to have a list with safe versions.


Probably there are old versions which use OpenSSL before 1.0.1 (see http://heartbleed.com/) that seem safe to use (if there are no other reasons not to use them).


For example WinSCP 5.5.3 (not released yet) will be safe with TLS/SSL core upgraded to OpenSSL 1.0.1g.


WinSCP 4.3.7 seems not to be affected yet because it has OpenSSL before 1.0.1; can someone confirm this, and is there a later version that works?


What about FileZilla?



Answer



WinSCP has used the affected OpenSSL 1.0.1 since versions 4.3.8 and 5.0.7 beta in the respective branches.


WinSCP 5.5.3 upgraded to OpenSSL 1.0.1g to address the vulnerability. Branch 4.x is not supported anymore and is not planned to be upgraded.


Note that OpenSSL is used by WinSCP for FTP over TLS/SSL only. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!


The vulnerability is tracked here:
https://winscp.net/tracker/1151


FileZilla replaced OpenSSL 0.9.8d with GnuTLS since version 3.0, so there is no vulnerable version of FileZilla.




Fortunately, exploitation of the vulnerability in clients is less probable than in servers. As a client, you are in charge of where you connect to, i.e. do not connect to servers you do not trust.
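The version thresholds in the answer above are easy to misapply by hand across a fleet (two branches, a beta cut-off, and the protocol exception), so here is an added example, not code from the original post and not WinSCP's or FileZilla's own tooling, that encodes exactly those rules and runs them over an inventory. The inventory rows, the hostnames and the protocol labels ("ftps"/"ftpes" for FTP over TLS, "sftp" for SSH) are constructed assumptions for the example's own input format. It distinguishes a client that merely bundles the affected library from one where that library is actually reachable (FTP over TLS/SSL), which is the distinction the answer draws for the 98% of SFTP/SCP users.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Thresholds as stated in the answer above. The 4.x branch first bundled
# OpenSSL 1.0.1 in 4.3.8 and was never fixed; the 5.x branch first bundled it
# in 5.0.7 beta and moved to OpenSSL 1.0.1g in 5.5.3.
FIRST_AFFECTED_4X = (4, 3, 8)
FIRST_AFFECTED_5X = (5, 0, 7)
FIRST_FIXED_5X = (5, 5, 3)

# WinSCP uses OpenSSL for FTP over TLS/SSL only. These protocol labels are an
# assumption of this example's inventory format, not WinSCP's own names.
TLS_FTP_PROTOCOLS = {"ftps", "ftpes"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?", re.ASCII)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """'5.0.7 beta' -> (5, 0, 7); a trailing 'beta' is ignored, junk -> None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def winscp_openssl_status(version: str) -> Tuple[str, str]:
    """Classify the OpenSSL bundled with a WinSCP version.

    Returns one of not_affected / affected / fixed / unknown plus a reason.
    """
    v = parse_version(version)
    if v is None:
        return "unknown", "unparseable version string"
    if v < FIRST_AFFECTED_4X:
        return "not_affected", "before 4.3.8: OpenSSL older than 1.0.1"
    if v[0] == 4:
        return "affected", "4.3.8+ bundles OpenSSL 1.0.1; 4.x is unsupported, no fix planned"
    if v < FIRST_AFFECTED_5X:
        return "not_affected", "before 5.0.7 beta: OpenSSL older than 1.0.1"
    if v < FIRST_FIXED_5X:
        return "affected", "5.0.7 beta through 5.5.2 bundle OpenSSL 1.0.1"
    return "fixed", "5.5.3+ bundles OpenSSL 1.0.1g"


def filezilla_status(version: str) -> Tuple[str, str]:
    """FileZilla 3.0+ uses GnuTLS; earlier releases bundled OpenSSL 0.9.8d (pre-1.0.1)."""
    v = parse_version(version)
    if v is None:
        return "unknown", "unparseable version string"
    if v >= (3, 0, 0):
        return "not_affected", "3.0+ uses GnuTLS instead of OpenSSL"
    return "not_affected", "pre-3.0 bundled OpenSSL 0.9.8d, which predates 1.0.1"


class Verdict(NamedTuple):
    host: str
    client: str
    version: str
    protocol: str
    library: str   # state of the bundled TLS library
    exposed: bool  # True only if an affected library is actually reachable
    reason: str


def assess(host: str, client: str, version: str, protocol: str) -> Verdict:
    name = client.lower()
    if name == "winscp":
        library, reason = winscp_openssl_status(version)
        exposed = library == "affected" and protocol.lower() in TLS_FTP_PROTOCOLS
        if library == "affected" and not exposed:
            reason += f"; not reachable over {protocol} (OpenSSL is used for FTP over TLS/SSL only)"
    elif name == "filezilla":
        library, reason = filezilla_status(version)
        exposed = False
    else:
        library, exposed, reason = "unknown", False, "client not covered by this check"
    return Verdict(host, client, version, protocol, library, exposed, reason)


def needs_upgrade(inventory: List[Tuple[str, str, str, str]]) -> List[Verdict]:
    """Hosts whose client still bundles the affected OpenSSL, exposed or not."""
    return [v for v in (assess(*row) for row in inventory) if v.library == "affected"]


# Constructed sample inventory (host, client, version, protocol); not real data.
SAMPLE_INVENTORY = [
    ("ws01", "WinSCP", "4.3.7", "sftp"),
    ("ws02", "WinSCP", "4.3.8", "ftps"),
    ("ws03", "WinSCP", "5.0.7 beta", "ftps"),
    ("ws04", "WinSCP", "5.5.2", "sftp"),
    ("ws05", "WinSCP", "5.5.3", "ftps"),
    ("ws06", "FileZilla", "3.8.0", "ftps"),
    ("ws07", "FileZilla", "2.2.32", "ftps"),
    ("ws08", "WinSCP", "latest", "ftps"),
]

if __name__ == "__main__":
    for row in SAMPLE_INVENTORY:
        v = assess(*row)
        flag = "EXPOSED" if v.exposed else ("upgrade" if v.library == "affected" else "ok")
        print(f"{v.host:5} {v.client:9} {v.version:11} {v.protocol:5} {flag:8} {v.reason}")
```

Hosts flagged "upgrade" but not "EXPOSED" (an affected 5.5.2 used only for SFTP, for instance) still carry the vulnerable DLL and should be moved to 5.5.3 or later; they just are not reachable through the Heartbleed path until someone opens an FTP-over-TLS session. Anything on the 4.x branch has no fixed release to move to, so the only remediation is a move to 5.5.3+.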

