Using Actinic/Sellerdeck with FTPS (Explicit FTP with TLS encryption)


    I am a developer and some of my clients use Actinic/Sellerdeck v10 and v11. The server provider on which these sites run has informed me that they are switching off plain FTP and FTPS or Explicit FTP with TLS encryption must be used. This is for "PCI compliance reasons".

    I have seen a post from last year on a similar subject, but I wonder if there are any new recommendations from Sellerdeck on this issue?

    I skimmed through the latest v3.0 PCI compliance guidance and my feeling is that it does not apply to my clients, as their Actinic/Sellerdeck does not use FTP to transfer cardholder data; they use payment service providers like WorldPay, PayPal, SagePay etc.

    Advice welcome. Thanks.

    #2
    I'll answer my own post.

    Actinic uses plain text FTP to upload files to the web server. Interception of the network will allow anyone to know the username and password of the FTP account. If the default web hosting FTP account is used, then often this is the same as the web hosting control panel!

    Actinic is showing its age by not supporting secure FTP connections.

    My solution was to install an FTP proxy service on the PC Actinic is installed on. This wraps the plain text communication using a secure TLS connection. Then configure Actinic to use the proxy.

    Now my Actinic clients don't need to change hosting provider. Hooray.



      #3
      Thank you for adding the answers to your posts which may help others in the future.



        #4
        I have attached a PDF guide based on my solution for using a secure TLS FTP connection with Actinic or Sellerdeck.
        Hope this helps someone else.

        [Edit: I have added instructions for sites that use the Sellerdeck Feefo feature.]
        Last edited by adaptive; 03-Sep-2014, 07:51 AM. Reason: Updated information regarding Feefo



          #5
          Thanks Jon. It was really helpful, we have had to ditch Plain Text FTP to remain PCI compliant and I had a secure TLS connection up and running in minutes, but a number of my customers are getting the error:

          An Error occured while checking the FTP transfer mode - 200 TYPE is now ASCII 421 connection failed

          Yet all their settings are the same as mine. Have you had any problems like this?



            #6
            OK, I have figured it out, it was an iptables issue.

            In the meantime Sellerdeck have been persuading our customers that we are somehow in the wrong to adopt industry best practice regarding security and that they would be better off moving to one of Sellerdeck's less than secure servers in Reading where it would seem they have no plans to stop transmitting passwords in plain text.

            Actinic would never have sunk that low in the old days eh Phil?



              #7
              Originally posted by Simon G:
              Thanks Jon. It was really helpful, we have had to ditch Plain Text FTP to remain PCI compliant and I had a secure TLS connection up and running in minutes, but a number of my customers are getting the error:

              An Error occured while checking the FTP transfer mode - 200 TYPE is now ASCII 421 connection failed

              Yet all their settings are the same as mine. Have you had any problems like this?
              Thanks Simon, I'm glad I helped you. I installed Sellerdeck 14 a few days ago, and it does not support secure TLS FTP. Given the PCI compliance issue, it seems rather surprising that Sellerdeck still have not addressed this.



                #8
                Can't Install tlswrap

                Thank you Jon for your instructions to install the FTP proxy service so that I can upload a Sellerdeck site to hosting that is SFTP. However, I have downloaded the tlswrap.com software following your instructions but it will not install; it comes up immediately with "unable to install". Any suggestions to help sort this?

                I am pretty p***** off that SD does not work with SFTP. My 1and1 package recently purchased has no option other than SFTP. I wish I had realised.

                I have tried installing 3 other ftp packages as recommended by 1and1, but cannot find out anywhere in their help files how to use with SD.

                Sarah



                  #9
                  Originally posted by saucysal:
                  My 1and1 package recently purchased has no option other than sftp. I wish I had realised.

                  Sarah
                  There seems to be a lot of confusion regarding FTP protocols.

                  FTP is the standard File Transfer Protocol that has no security, so anyone with the right tools can read the data being transferred and recreate the data, including the logon names and passwords.
                  FTP usually uses port 21 as the listening port on the server for the transfer; this is the port you would specify in the client software (the SellerDeck end in this case) to use for the connection.

                  FTPS is the FTP protocol running on top of the TLS/SSL protocol, which provides encryption to prevent the hacker from reading the data in the transfer. FTPS usually uses ports 989 or 990 as the listening port on the server.

                  SFTP is the FTP protocol running on top of the SSH protocol, which is another security protocol; as SFTP runs over SSH it uses the port that is configured for SSH, which is usually port 22.

                  The protocol in these discussions is FTPS and not SFTP.

                  EDIT:
                  According to 1and1 help files they use SFTP on Linux servers and FTPS on Windows servers, so you need to check which type of server you have. If it is Linux then TLSWrap will not help you and you will need an SFTP solution. The FTPS solution now uses port 990, so you may need to replace the :21 in the instructions with :990 to get TLSWrap working correctly.

                  I currently still use standard FTP to connect to my sites at 1and1 and it works fine, even though my 1and1 control panel clearly states I need to use SFTP. I have a 1&1 Business account so it's on a shared server, but I have had this account since 2009 and I do not think this type of account is still available.

                  The reason that FTP is still working on my sites is that I am not connecting to the secure server *******.1and1-data.host but instead I am using the web domain in my FTP settings. It is quite possible 1and1 will close this loophole in future but it works for me at the moment.
                  Last edited by malbro; 05-Jul-2016, 11:26 AM. Reason: Extra info

                  Malcolm

                  SellerDeck Accredited Partner,
                  SellerDeck 2016 Extensions, and
                  Custom Packages



                    #10
                    TLSWrap no longer working - another solution

                    An update on using the TLSWrap software as a solution for hosts that do not allow plain (insecure) FTP:
                    My host recently updated their server and TLS 1.0 and its associated ciphers are no longer supported. As a result Actinic/Sellerdeck could no longer publish to web, as the TLSWrap software was receiving a communication error.
                    The TLSWrap software is old and development stopped some time ago. I have been unable to contact the original developer and I do not have the time to rework the source code to be compatible with later versions of OpenSSL.
                    Faced with having to change hosting provider to one that supports plain FTP, I investigated alternative but similar solutions to TLSWrap. I was unable to find any suitable solution for using TLS, i.e. FTPS. I was able to find a solution that uses SFTP (not the same as FTPS). This solution uses the Bitvise SSH Client program for Windows using its FTP to SFTP bridge feature. It requires that your hosting allows an SSH connection (not all hosts provide this). Although this solution is more complicated to set up, I can confirm it does work with Actinic v10 and Sellerdeck v11 (and later versions probably).
                    Bitvise SSH Client is free and appears to be well supported, working on Windows XP through to 10.
                    https://www.bitvise.com/ssh-client

                    Of course, the other solution is to change your hosting to Sellerdeck which is what they want you to do.

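An added example, not Actinic/SellerDeck, TLSWrap or Bitvise code, of what the FTPS side of this thread looks like when a current client does it itself: explicit AUTH TLS on the plain port 21 listener as #9 describes, with the client refusing anything below TLS 1.2 and verifying the server certificate, so a host that has dropped TLS 1.0 (the failure in #10) is met on its own terms rather than by an old wrapper. Host, account and file names are placeholders, and the function names are my own.

```python
"""Explicit FTPS (AUTH TLS) client with a hardened TLS policy.
Added illustration; not Actinic/SellerDeck, TLSWrap or Bitvise code."""
import ftplib
import ssl
from ftplib import FTP_TLS


def build_ftps_context() -> ssl.SSLContext:
    """TLS settings an FTPS client should insist on.
    TLSWrap broke when the host dropped TLS 1.0; a current client should
    itself refuse anything older than TLS 1.2 and verify the server
    certificate so that an interceptor cannot pose as the host."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # certificate name must match host
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted/self-signed certs fail
    return ctx


def supports_explicit_ftps(host: str, port: int = 21) -> bool:
    """Ask a plain FTP listener (port 21) whether it upgrades with AUTH TLS.
    True only if the server accepts AUTH TLS and completes a TLS 1.2+
    handshake under the policy above; no credentials are sent either way."""
    ftps = FTP_TLS(context=build_ftps_context())
    try:
        ftps.connect(host, port, timeout=15)
        ftps.auth()        # sends AUTH TLS, then wraps the control socket
        ftps.quit()
        return True
    except ftplib.all_errors:  # refusal, handshake failure or network error
        return False


def ftps_upload(host: str, user: str, password: str,
                local_path: str, remote_name: str, port: int = 21) -> str:
    """Upload one file so that credentials AND content travel inside TLS.
    Placeholder host/user/password/paths are supplied by the caller."""
    ftps = FTP_TLS(context=build_ftps_context())
    ftps.connect(host, port, timeout=30)
    ftps.auth()                   # upgrade BEFORE USER/PASS leave the machine
    ftps.login(user, password)    # login() sees a TLS socket, no second AUTH
    ftps.prot_p()                 # PBSZ 0 / PROT P: data channel is TLS too
    with open(local_path, "rb") as fh:
        resp = ftps.storbinary(f"STOR {remote_name}", fh)
    ftps.quit()
    return resp                   # server's final reply to the STOR
```

Running supports_explicit_ftps against a host before changing any client settings tells you whether the port-21 upgrade path exists at all, which is the check that separates the "use :990" and "you need SFTP" cases discussed above.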
