
I noticed that many people still use versions affected by the Heartbleed vulnerability of widespread TLS/SSL-enabled Windows clients like WinSCP and FileZilla.

To be able to make safe recommendations, I want to have a list with safe versions.

There are probably old versions that use OpenSSL before 1.0.1 (see http://heartbleed.com/) and seem safe to use (if there are no other reasons not to use them).

For example, WinSCP 5.5.3 (not released yet) will be safe, with its TLS/SSL core upgraded to OpenSSL 1.0.1g.

WinSCP 4.3.7 seems not to be affected yet because it has OpenSSL before 1.0.1; can someone confirm this, and is there a later version that works?

What about Filezilla?

Martin Prikryl
mit
PuTTY? PuTTY does not have _any_ SSL support at all... – u1686_grawity Apr 09 '14 at 16:21

Filezilla uses GnuTLS for its TLS implementation, so it is not affected by Heartbleed. – heavyd Apr 09 '14 at 16:39

There are no versions before the current release of OpenSSL that should be used, because earlier versions are vulnerable. – Ramhound Apr 09 '14 at 16:49

A list of Heartbleed responses from file transfer server software and projects has been posted here: [http://www.filetransferconsulting.com/managed-file-transfer-heartbleed-ftp-server/](http://www.filetransferconsulting.com/managed-file-transfer-heartbleed-ftp-server/) (Some are affected, many are not.) – user87481 Apr 10 '14 at 15:59

1 Answer

WinSCP has used the affected OpenSSL 1.0.1 since versions 4.3.8 and 5.0.7 beta in the respective branches.

WinSCP 5.5.3 upgraded to OpenSSL 1.0.1g to address the vulnerability. Branch 4.x is not supported anymore and is not planned to be upgraded.

Note that OpenSSL is used by WinSCP for FTP over TLS/SSL only. The majority (about 98%) of WinSCP users use SSH (SFTP/SCP) and plain FTP only and are NOT affected!

The vulnerability is tracked here:
https://winscp.net/tracker/1151

FileZilla replaced OpenSSL 0.9.8d with GnuTLS since version 3.0, so there is no vulnerable version of FileZilla.

Fortunately, an exploit of the vulnerability in clients is less probable than in servers. As a client you are in charge of where you connect to, i.e. do not connect to servers you do not trust.

Martin Prikryl
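An added example, not code from the question or the answer: it turns the version facts stated in the answer (and the OpenSSL ranges from heartbleed.com) into a check that can be run over a workstation inventory. The hostnames and versions in the inventory are constructed, and `scan`, `client_status` and `openssl_is_vulnerable` are names chosen here.

```python
import re
# Added example, not code from the question or answer. Version rules come from
# the answer above and heartbleed.com; the inventory lines below are constructed.
def parse_version(s):
    """'5.5.3' -> (5, 5, 3); '5.0.7 beta' -> (5, 0, 7). Trailing text is ignored."""
    return tuple(int(x) for x in re.match(r"\d+(?:\.\d+)*", s.strip()).group(0).split("."))

def openssl_is_vulnerable(v):
    """True for OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g / 1.0.2-beta2)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", v.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % v)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    if branch == (1, 0, 1):
        return m.group(4) < "g"          # plain 1.0.1 and 1.0.1a..f are vulnerable
    return branch == (1, 0, 2) and m.group(5) == "1"

def client_status(client, version):
    """Heartbleed exposure of a WinSCP/FileZilla build, per the answer above.
    WinSCP uses OpenSSL only for FTP over TLS/SSL; SFTP/SCP sessions on an
    'affected' build are still not exposed."""
    v, c = parse_version(version), client.lower()
    if c == "filezilla":
        return "not affected"            # GnuTLS since 3.0; OpenSSL 0.9.8d before that
    if c == "winscp":
        if v >= (5, 5, 3):
            return "not affected"        # rebuilt with OpenSSL 1.0.1g
        if v >= (5, 0, 7):
            return "affected"            # 5.x branch on OpenSSL 1.0.1 from 5.0.7 beta
        if v >= (5,):
            return "not affected"        # 5.0.0 - 5.0.6: OpenSSL before 1.0.1
        if v >= (4, 3, 8):
            return "affected"            # 4.x from 4.3.8; branch unsupported, no fix
        return "not affected"            # 4.3.7 and older
    return "unknown"

INVENTORY = """\
host01,WinSCP,5.5.2
host02,WinSCP,5.5.3
host03,WinSCP,4.3.7
host04,WinSCP,4.3.8
host05,WinSCP,5.0.7 beta
host06,FileZilla,3.8.0
host07,FileZilla,2.2.32
"""

def scan(inventory=INVENTORY):
    """Return (host, client, version, status) for every 'host,client,version' row."""
    return [(h, c, ver, client_status(c, ver))
            for h, c, ver in (line.split(",") for line in inventory.splitlines())]
```

Only the "affected" rows that actually use FTP over TLS/SSL are exposed; the rest need an upgrade for hygiene, not as an emergency.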