Optional Support for Legacy Insecure Ciphers for SFTP
For compatibility with older, insecure SFTP clients, we also offer a Files.com configuration setting that enables legacy insecure ciphers for the SFTP protocol specifically.
Legacy insecure ciphers are often used to maintain compatibility with older, outdated apps, such as on-premises file transfer applications.
In many cases, you may be stuck supporting these because they are maintained by a client or vendor.
This setting previously also applied to SSL and TLS ciphers and versions on HTTP and FTP, but as of 2025, this setting applies to SFTP only.
Avoiding Use of This Setting
We strongly recommend not using this setting. Use of known insecure and weak ciphers is dangerous because an uninformed user of your site might think that they are using secure encryption when they are actually using encryption that is known to be broken.
Use of these settings will make your site ineligible for our HIPAA BAA program and most likely other compliance initiatives.
The best way to avoid the need for these settings is to ask all your clients, vendors, or counterparties to upgrade to the latest version of any app they are using.
Better yet would be if you introduced your clients or vendors to us! We'd be happy to have our Sales team reach out and help them upgrade to Files.com on their end, so they can take advantage of all the security offered by the Files.com platform.
Another course of action is to have users try switching to FTPS (FTP with TLS encryption) instead of SFTP. In many systems, support for TLS-based security is stronger than SFTP-based security.
List of Insecure Ciphers Supported
With insecure ciphers enabled, the following security algorithms are enabled for SFTP. This is the complete list, not a list of the changes relative to secure mode.
Type | Algorithms |
---|---|
Key Exchange |
|
Server Host Key Algorithms |
|
Encryption |
|
MAC |
|
Enabling only Certain Insecure Ciphers
It is not possible to pick and choose certain ciphers to enable and disable. We are open to paid custom development to build custom configurations for certain customers; however, this would require a substantial Enterprise contract. Please contact us to learn more.
Enabling Insecure Ciphers For Only Certain Users
The Insecure Ciphers setting on Files.com is a sitewide-level configuration, so it is not technically possible to allow different ciphers for different users.
In the SSH protocol (used for SFTP), the cipher negotiation between the client and server happens prior to authentication, so the server would have no way of knowing which user it is negotiating with in order to offer different ciphers.
Allow Weak Diffie Hellman Parameters for SFTP
Allowing Weak Diffie Hellman Parameters for SFTP is another sitewide setting which enables support for legacy or broken SSH and MFT clients that incorrectly implement Diffie Hellman ciphers using parameters that are too weak.
If you need to support wide compatibility with SFTP clients, enable this option and we will allow weak Diffie Hellman parameters within otherwise-secure ciphers.
Client Cipher Preferences
Like other SFTP servers, Files.com adheres to RFC 4253, section 7.1, when negotiating with SFTP clients to decide which ciphers to use.
Simply put, the SFTP client will send the list of ciphers it supports in order of preference, and the server will choose the first cipher on the list that it also supports. Hence, the choice is biased towards the client's preferences.
A well-written, properly-configured, and up-to-date client will prefer secure ciphers to insecure ciphers.
Unfortunately, many of the SFTP clients that we see actually connecting to Files.com are not necessarily well-written, properly-configured, or up-to-date.
Therefore, we encourage our customers to assume the worst when deciding to allow insecure ciphers: assume they'll be used.
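The client-preference rule described above can be seen in a short added example (not Files.com code). It parses the name-lists from a constructed SSH_MSG_KEXINIT payload and applies the RFC 4253 section 7.1 rule for the encryption and MAC fields. The client offer is constructed sample data, and the two server lists are hypothetical, not Files.com's actual configuration.

```python
import struct

# Field order of SSH_MSG_KEXINIT name-lists (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def build_kexinit(lists):
    """Encode a KEXINIT payload: type 20, 16-byte cookie, ten name-lists."""
    body = bytes([20]) + bytes(16)
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

def parse_kexinit(payload):
    """Decode the ten name-lists, rejecting truncated or malformed input."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += n
    return out

def negotiate(client_list, server_list):
    """First algorithm on the client's list that the server also supports."""
    return next((a for a in client_list if a in server_list), None)

# Constructed sample data: a legacy client that lists a weak cipher first.
CLIENT = build_kexinit({"enc_c2s": ["3des-cbc", "aes128-ctr"],
                        "mac_c2s": ["hmac-md5", "hmac-sha2-256"]})
# Hypothetical server lists, not Files.com's actual configuration.
SECURE = {"enc_c2s": ["aes256-ctr", "aes128-ctr"], "mac_c2s": ["hmac-sha2-256"]}
LEGACY = {"enc_c2s": SECURE["enc_c2s"] + ["3des-cbc"],
          "mac_c2s": SECURE["mac_c2s"] + ["hmac-md5"]}

def outcome(server):
    offer = parse_kexinit(CLIENT)
    return {f: negotiate(offer[f], server[f]) for f in server}

if __name__ == "__main__":
    print("secure-only server:", outcome(SECURE))
    print("legacy-enabled server:", outcome(LEGACY))
```

The legacy-enabled server lists its weak algorithms last, yet the same client still negotiates them, because only the client's ordering decides the result.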