Hi,
Feature request for upcoming version(s):
Make the FTP account setup use SFTP by default.
This will ensure that users dont type their main Webuzo password in plaintext when using tools like CuteFTP on Windows or FileZilla on Linux / Windows.
This is an important security upgrade for Webuzo although it is not obvious that this could be a valid attack vector - FTP passwords being monitored over Wi-Fi is not something you might normally think of when making a server administration package :-)
Given that any credentials being sent unencrypted on the internet is risky nowadays, this seems important to me.
An alternative would be to force users to create a new FTP account by not allowing the main webuzo user account to login into FTP - this however does not prevent the password being sent across a couple of times till the Webuzo user is convinced that indeed he needs to make a new FTP user.
This can surely be considered to be doing extra work to cover up for lack of user's security awareness, but ultimately a good software is that which does not allow a user to break things, no?
Thanks & regards
/optsoft
|