liximomo / vscode-sftp

Super fast sftp/ftp extension for VS Code
MIT License
1.5k stars 259 forks

sftp.json is unsecure #817

Closed sundowatch closed 3 years ago

sundowatch commented 3 years ago

I've experienced this problem so many times.

This extension is awesome for me. I couldn't find any extension like that.

But when we're using this extension, we've realized that some malware is attempting to break into our server.

It's of course possible that our computer may be infected by malware, but sometimes we can't control malware in Windows. And I know that it's not the problem of the developer of this extension, because it's our computers.

As far as I know, malware scans the whole computer to see if it has some passwords etc.

I think it would be great to make the sftp.json encrypted. For example, it could ask for a password, or something else, to access the sftp.json file.

I don't know but, it's easy to capture a json file in the computer.

FastieSystems commented 3 years ago

The obvious solution to password security with SFTP is to require the password to be entered rather than stored.

However, I develop Web sites for many different clients, all with different FTP credentials. It would be extremely difficult to remember all those passwords (especially because of my age!).

All the previous tools I've used stored connection credentials securely. sftp.json is in the clear. It is a very serious problem for an otherwise excellent extension.

I have no idea what to suggest. Perhaps VSC itself needs a password repository. Perhaps SFTP could use the Windows vault when on a Windows system, at the very least. It would then ask for the password once and after that retrieve it from the vault. With Windows handled, solutions could be found for Mac and Linux.

sundowatch commented 3 years ago

> The obvious solution to password security with SFTP is to require the password to be entered rather than stored.
>
> However, I develop Web sites for many different clients, all with different FTP credentials. It would be extremely difficult to remember all those passwords (especially because of my age!).
>
> All the previous tools I've used stored connection credentials securely. sftp.json is in the clear. It is a very serious problem for an otherwise excellent extension.
>
> I have no idea what to suggest. Perhaps VSC itself needs a password repository. Perhaps SFTP could use the Windows vault when on a Windows system, at the very least. It would then ask for the password once and after that retrieve it from the vault. With Windows handled, solutions could be found for Mac and Linux.

Passwords can't be remembered nowadays, and there is no need to.

I've looked for other solutions, e.g. FileZilla. It stores the passwords as base64, and that's too unsecured. And you're right too, it's all about VSC.

FastieSystems commented 3 years ago

> It stores the passwords as base64, and that's too unsecured.

I'm not in a huge panic about this because my development PC is reasonably secure. The intruder needs to get into it first before he/she can look at those sftp.json files. I don't allow .vscode to be uploaded to servers.

But what if I wanted to store my clients' sites in OneDrive? I think OneDrive is secure but we're always hearing about breaches. The first line of defense is my system and how the passwords are stored there.

Thanks for that tip about FileZilla. I thought it was using the Windows vault.

IacopoOrtis commented 3 years ago

You might want to use a private key. If your computer is so unprotected, you might want to consider storing it on an external USB stick; it's better than nothing. I personally prefer to secure the machine.

FastieSystems commented 3 years ago

@IacopoOrtis My computer is secure.

phaseOne commented 3 years ago

@sundowatch this isn’t a problem unique to vscode-sftp. Don’t reveal private keys to an untrusted machine (or one where other users have root). Use a passphrase with the private keys. If you want something to remember your passphrase on a trusted machine (with an encrypted disk), store the passphrase in a secure system keychain. Here’s an example where ssh-agent is used with keys for authenticating to GitHub. The vscode-sftp extension should already pull from your ~/.ssh/config.

You must strike a balance between convenience and security for your use case.
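An added check for the weakness this thread is about (example code written for this page, not the extension's own code or anything posted in the thread): it flags sftp.json profiles that hold a `password` or `passphrase` in the clear and rewrites them to authenticate through ssh-agent instead, as phaseOne suggests. The field names (`password`, `passphrase`, `privateKeyPath`, `agent`) and the `$SSH_AUTH_SOCK` agent value are assumptions about vscode-sftp's config format; the sample config is constructed.

```python
"""Audit a vscode-sftp `sftp.json` for credentials stored in the clear.

Added example, not part of the issue thread or the extension's own code.
The field names below are assumed to match vscode-sftp's sftp.json format.
"""
import json

# Keys whose value is a secret sitting in clear text if present.
SECRET_KEYS = ("password", "passphrase")


def _profiles(data):
    # sftp.json is assumed to be either one profile object or a list of them.
    return data if isinstance(data, list) else [data]


def audit_sftp_config(text: str) -> list:
    """Return one finding per profile that stores a secret or lacks key auth."""
    findings = []
    for i, profile in enumerate(_profiles(json.loads(text))):
        label = profile.get("name") or profile.get("host", f"profile#{i}")
        for key in SECRET_KEYS:
            if profile.get(key):
                findings.append(f"{label}: '{key}' stored in clear text")
        if not profile.get("privateKeyPath") and not profile.get("agent"):
            findings.append(f"{label}: no key-based authentication configured")
    return findings


def harden(text: str, agent: str = "$SSH_AUTH_SOCK") -> str:
    """Drop stored secrets and point every profile at ssh-agent (assumed key)."""
    data = json.loads(text)
    for profile in _profiles(data):
        for key in SECRET_KEYS:
            profile.pop(key, None)
        profile.setdefault("agent", agent)
    return json.dumps(data, indent=2)


# Constructed sample: one password-only profile, one key profile with a stored passphrase.
SAMPLE = json.dumps([
    {"name": "client-a", "host": "sftp.example.test", "username": "deploy",
     "password": "hunter2"},
    {"name": "client-b", "host": "sftp.example.test", "username": "deploy",
     "privateKeyPath": "~/.ssh/id_ed25519", "passphrase": "letmein"},
])

if __name__ == "__main__":
    for finding in audit_sftp_config(SAMPLE):
        print(finding)
    print(harden(SAMPLE))
```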