FTP, File Transfer Protocol, has been around since the beginning of the internet in the early 1970s. It transfered files when the internet was a safer, more trusting, place. That isn’t the case anymore. Using FTP to host files is probably a bad idea for almost everyone. FTP is like Telnet. No encryption is used for anything. These days, we know that is bad.
In the mid-1990s most organizations stopped using telnet and switched to ssh, secure shell. FTP needs to be replaced for the same reasons. Below I’ll describe why very few people should use plain FTP anymore to remotely access files.
Problems With Plain FTP
There are lots of important issues with using plain FTP:
- Passwords are transmitted un-encrypted – this is reason enough to not use it anymore, IMHO.
- Data is transmitted un-encrypted – this may or may not be that important to any specific download
- Popular FTP servers have had the source code modified (by crackers) to introduce back-doors on multiple occasions. At least 3 times, this has happened. Last week, July 2011, another back-door was found in an extremely popular FTP server. The modifications tend to be undiscovered for many months, if not years. Ouch.
- A dynamic, secondary port, is needed for the data channels, which makes firewall and port forwarding more complex and beyond the abilities of most home network administrators. This is required to achieve the fantastic transfer speeds that many FTP proponents crow about.
- $HOME/.netrc files store FTP credentials in plain text for anyone with view access to the file on a computer to see.
Knowing this, won’t you please stop using FTP to refresh files on your web host? Sure, FTP is easy, but look at everything you are giving up by using it?
If you don’t believe me, check out what Standford University says about FTP security. The wikipedia article on sftp if you want more details.
Don’t Be Confused by FTP, SFTP, FTPS, SCP
This is plain FTP from the early 1970s. When folks say “FTP”, this is what they mean. This is what we need to stop using.
SFTP or Secure FTP, is a file transfer program based on the ssh protocol, secure shell, that adds encryption for passwords and data transmission, while retaining the same interface as used by the plain FTP. If you have programs that use FTP, perhaps in a script, changing from “ftp” to “sftp” is usually the only needed change to make it work. This similar interface was by design to make changing to a more secure method easy. Any ssh-based protocol also includes certificate-based authentication and on-the-fly compression, which allows for connections without passwords. This means automatic transfers are secure between trusted systems and probably more efficient, which is very useful.
SFTP clients and servers are available for pretty much every platform and OS because ssh has been ported to almost every platform and OS in the last 20 years.
Your web hosting company probably supports ssh access to your website files. My hosting company required a photo ID in order to allow ssh access. With the ssh access comes sftp and scp access – BONUS!
FTPS adds SSL/TLS encryption to FTP. The only issue I have with this option is that it is still based on FTP and a user can choose to not encrypt the data transfer. That seems counter productive to me. The default use DOES encrypt the data. FTPS never became too popular.
SCP or Secure Copy, is a file transfer program based on the ssh protocol, secure shell, too, like SFTP. It was designed as a replacement to the rcp command used on Linux/UNIX systems. Like the FTP/SFTP interface, the SCP/RCP interface matches. SCP adds encryption for passwords and data transmission. For scripting needs, using SCP instead of SFTP or FTP is usually easier. Any ssh-based protocol also includes certificate-based authentication, which allows for connections without passwords. This means automatic transfers are secure between trusted systems, which is very useful.
Better Options Than FTP
As a client, trying to download a file, we don’t have much choice over which protocol is used by the server to allow file access. The way that the server decides to allow access is selected by the server administrator. If you are charged with making files accessible to others, then you should be selective.
SFTP is the first choice for file transfers when user authentication is required. It is a well understood protocol and many options around access controls. SFTP is also friendly towards firewalls and network port forwarding.
When user authentication is not needed, use HTTP or HTTPS to share files with the world. HTTP servers are well understood, changes are closely monitored by security professionals, and you probably already have an infrastructure which provides this service. Any firewalls and intrusion protection/detection systems are already tuned for web servers. Reusing something that is already in-place makes sense. It is also friendly towards firewalls and network port forwarding.
When It Is Acceptable To Use Plain FTP
Over the years, I’ve learned to never say never. There are very specific reasons to use plain FTP even today. Here are the criteria:
- Everything on the FTP server is to be shared – Everything. All files, all directories.
- Anyone in the world will have access.
- No desire for user authentication. Anonymous users must be supported.
- No firewall or networking port forwarding is needed. These days, this is tough to achieve and still be secure for the other systems on the network.
We should only use plain FTP iff all the above criteria are met. This means that no home user should use FTP to remotely access their home network and PCs.
SFTP Client Programs
FTP is built into almost every web browser, but SFTP may not be. You’ll need a client SFTP program to securely access files remotely.
- Windows: WinSCP is a fantastic sftp/scp client. There’s a portable-app version which can be placed on a flash drive or other portable media. I’ve seen FileZilla recommended, but haven’t tried it in many years. WinSCP is good.
- OSX and Linux: Use any sftp client you like – most of the built-in file managers include sftp support, but there’s a CLI version included with the ssh program installation. This is what I use almost exclusively.
- If you use rsync, you can use ssh-based encryption pretty easily. Just add a -e ssh to the rsync command.
- Stop using plain FTP to host files. It is not secure.
- Start using SFTP, the ssh-based alternative instead. Authentication AND data are transmitted encrypted, users are authenticated – i.e. there is no anonymous access.
If your website hosting company doesn’t support SFTP and only supports plain FTP, it is time for you to find a new web hosting company. If they aren’t interested in protecting your logins, why would you trust them with anything? I found this 2009 article about FTP for GoDaddy users.
As long as we are here, you really should try to use HTTPS instead of HTTP these days too.
Any questions or comments?