SSL and FTP url on HTML file with username and password

Question

I have a doubt with one request/response across Web Browser and Server with SSL Certificate. Please, imagine the following case (similar question here):

I want that the server, response a HTML to the user (in his/her browser) with access to one file in the FTP, for example:

<a href="ftp://theftpserver.com/files/acounts.pdf">Download file</a>

In this case, accessing with Anonymous user not generate any problem to access to this file, but if the user has a access with username and password, put this on HTML, it will not be very secure, example:

<a href="ftp://username:password@theftpserver.com/files/acounts.pdf">Download file</a>

I want to prevent that this response with this username and password tag between the server and the user would be catched by "Someone" and get the Username and Password of the user.

The SSL certificate can solved this? Or the best way to do this is create a directory with username and password only with read properties?

Answer 1

Yes, SSL will make it more secure because your communication with the server will be encrypted. It is even better if you have a web server (an API endpoint for instance) receiving the requests from your frontend, contacting the FTP server, getting the file, and responding back with it. This way, the frontend does not need to know about the FTP server. Another good idea is to hash the password before sending it.

Answer 2

Serving the page containing the passwords with SSL (i.e. HTTPS) helps to protect the passwords inside the page. But, the links you provide are for FTP sites and the passwords will be sent unprotected if the user follows the FTP link since ftp:// itself does not use SSL. While there is FTP with SSL (FTPS) it is not commonly implemented in the browsers so you cannot use it. The best would be to serve the files with HTTPS too instead of FTP.