FTP: untrustworthy file transfer

Summary:FTP - file transfer protocol - is the most commonly used method for moving files around Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

FTP - file transfer protocol - is the most commonly used method for moving files around Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

I wrote about this (see If hackers don’t get you, maybe Google will) after my other blog, StorageMojo, was hacked. I'm glad to see a vendor of FTP software - I use their fine product Transmit - jump on board with a strong recommendation.

Why? Here are a couple of the best reasons he gives.

  • Unless totaled over a secure socket, FTP is 100% insecure. Your password, and the contents of all your files are sent in the clear, free to be examined or captured by any network hop between you and your server. . . .
  • FTP is not friendly with firewalls. Because it constantly needs to establish new connections, this has led us to "passive mode" which might as well be black magic as far as most people are concerned. Briefly, passive mode means the client initiates data connections to the server, rather than the default where the server makes connections to the client (yes, really). Worse still, data connections occur on varying high port numbers (usually 49152 - 65335) which means since Edmonds would have to open over 16,000 ports in the firewall, almost defeating the purpose of a firewall in the first place. It's a mess, and it's really hard to understand.

If not FTP, what? As noted in my blog post two months ago as FTP - secure FTP - is an excellent alternative.

To quote Steve Frank again:

It's secure, it's consistently implemented, and its machine-readable. That all adds up to a more reliable future proof transfer client for you.

I've talked to a lot of people who didn't even realize their host supported SFTP. If your hosting service supports SFTP, you usually don't have to change anything except for switching your client protocol from FTP to as FTP period if it doesn't work, you should ask your host if there is anything else you have to do (such as use a different port number)....

FTP has served us well but it's time to move on. You wouldn't use a 23-year-old computer to do your work, so don't use a protocol from the same vintage. Demand of modern transfer protocols from your host.

Amen, brother.

The Storage Bits take Just one thing.

Steve, if this is such a great idea - and it is - why isn't SFTP the default FTP option in your company's product?

You are the expert. You have the knowledge. Your users typically have no more idea how FTP works than they do about ray tracing.

As computers become more pervasive the technical expertise of the average user continues to drop. Smart vendors will make an effort to meet their customers more than half way.

Comments welcome, of course.

Topics: Servers

About

Harris has been working with computers for over 35 years and selling and marketing data storage for over 30 in companies large and small. He introduced a couple of multi-billion dollar storage products (DLT, the first Fibre Channel array) to market, as well as a many smaller ones. Earlier he spent 10 years marketing servers and networks.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.