FTP: untrustworthy file transfer

FTP: untrustworthy file transfer

Summary: FTP - file transfer protocol - is the most commonly used method for moving files around Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

SHARE:
TOPICS: Servers
31

FTP - file transfer protocol - is the most commonly used method for moving files around Web. Now Steve Frank, a founder and developer for Mac software company Panic, has come out and recommended that people stop using FTP.

I wrote about this (see If hackers don’t get you, maybe Google will) after my other blog, StorageMojo, was hacked. I'm glad to see a vendor of FTP software - I use their fine product Transmit - jump on board with a strong recommendation.

Why? Here are a couple of the best reasons he gives.

  • Unless totaled over a secure socket, FTP is 100% insecure. Your password, and the contents of all your files are sent in the clear, free to be examined or captured by any network hop between you and your server. . . .
  • FTP is not friendly with firewalls. Because it constantly needs to establish new connections, this has led us to "passive mode" which might as well be black magic as far as most people are concerned. Briefly, passive mode means the client initiates data connections to the server, rather than the default where the server makes connections to the client (yes, really). Worse still, data connections occur on varying high port numbers (usually 49152 - 65335) which means since Edmonds would have to open over 16,000 ports in the firewall, almost defeating the purpose of a firewall in the first place. It's a mess, and it's really hard to understand.

If not FTP, what? As noted in my blog post two months ago as FTP - secure FTP - is an excellent alternative.

To quote Steve Frank again:

It's secure, it's consistently implemented, and its machine-readable. That all adds up to a more reliable future proof transfer client for you.

I've talked to a lot of people who didn't even realize their host supported SFTP. If your hosting service supports SFTP, you usually don't have to change anything except for switching your client protocol from FTP to as FTP period if it doesn't work, you should ask your host if there is anything else you have to do (such as use a different port number)....

FTP has served us well but it's time to move on. You wouldn't use a 23-year-old computer to do your work, so don't use a protocol from the same vintage. Demand of modern transfer protocols from your host.

Amen, brother.

The Storage Bits take Just one thing.

Steve, if this is such a great idea - and it is - why isn't SFTP the default FTP option in your company's product?

You are the expert. You have the knowledge. Your users typically have no more idea how FTP works than they do about ray tracing.

As computers become more pervasive the technical expertise of the average user continues to drop. Smart vendors will make an effort to meet their customers more than half way.

Comments welcome, of course.

Topic: Servers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

31 comments
Log in or register to join the discussion
  • Wow Robin, good blog!

    It is, of course, very old news that FTP is not secure by design but it is still good to get the word out.

    However, I'm a little disappointed that you didn't use the same logic you used when you blamed MS for file system errors on Linux and OS X. After all, Windows has 90% marketshare on the client so it makes sense that most FTP clients are run on a Windows machines. Therefore, MS is to blame for FTP's flaws. ;)
    NonZealot
    • Let the MS muppets suffer

      for they will reap what they didn't sow.
      fr0thy2
      • Hey!! Quit disparaging the muppets!!

        That was "filth by association"...the muppets don't deserve that!
        Techboy_z
  • Very Timely

    Wow. FTP Untrustworthy? Who'd have thunk?

    Welcome to this decade Robin. What's your next blog? POP3 untrustworthy? How about WEP encryption?
    MaxDensity
  • RE: FTP: untrustworthy file transfer

    "FTP - file transfer protocol - is the most commonly used method for moving files around [the] Web."

    Call me old-fashioned, but FTP does not "move files around the Web". The "World Wide Web" is a completely separate protocol on the greater thing, called "The Internet".

    It's like saying that FTP is used as a web browser.
    Joe_Raby
  • RE: FTP: untrustworthy file transfer

    "Steve Frank, a founder and developer for Mac software company Panic"

    Well LAH-DEE-FREAKIN'-DAH. That explains everything!

    Why doesn't he write security software to patch holes in OS X then. It's clear that Apple has no interest in doing it.
    Joe_Raby
  • RE: FTP: untrustworthy file transfer

    It is important to point out that most FTP server programs are able to use SSL for encrypting both the control and data channels if desired.
    In addition ports for PASV mode are also configurable. So firewalling is relatively easy.

    Anonymous FTP sites are a great way to publish files for a big audience. (hardware drivers, manuals, demo software)
    m1a2
    • Absolutely right on!

      Same what i was thinking. Also this is not news.. everybody knows that FTP is only suited for public stuff or indoors file transfers.
      TedKraan
  • Don't FTP. Go Fish

    Thanks for highlighting what should be an obvious security concern.

    You'd be surprised (or maybe you wouldn't) how many organizations are running clear-text telnet, ftp, etc connections lulled by the false perception that they are safe behind the perimeter corporate firewall.

    Linux Konqueror fish protocol allows you to open the file manager onto any remote site url and do drag/drop, cut/paste, edit any files over a secure ssh connection. More [url=http://www.novell.com/coolsolutions/feature/15895.html]here[/url]

    Dietrich T. Schmitz
    [url=http://www.dtschmitz.com/dts/]Linux IT Consultant[/url]
    D T Schmitz
  • Hmmm...

    A guy writes about the horrors of running FTP.

    He just happens to sell a product to replace it.
    Cardinal_Bill
    • I was thinking the very same thing...

      Remember the "the end is nigh" message from the AV vendors...as they release another new AV product!

      Robin, your blogs don't get any better do they!
      Scrat
      • LOL - nope...nt

        nt
        ItsTheBottomLine
    • Your right - what quowinkadink...nt

      nt
      ItsTheBottomLine
  • For a standard from 1971, it's done pretty well.

    RFC114 was published in 1971, and for a 37 year old "standard", i.e., it's lasted over 30 generations by internet timescales.

    For those old enough to remember, what happened to telnet, cu, vt100's connected over a 300bps serial line, gopher, wais, NFS, YP(NIS), and refrigerator sized 386 "servers" supporting 250 users?

    I mean, [b]come on[/b]. FTP is a dinosaur era technology which was developed in an era of truly open university networks where the main intent was to disseminate and share information and everything was based on trust.
    kraterz
    • FTP angst

      i use ftp for simple but huge file transfers that are not system critical but won't be accepted by email boxes. when the bozos in my system can't even figure that out, i give them an http download url. then i close the link.

      stop using it? nah. it's a practical tool. if someone accidentally (or maliciously) digs into my files on the one day i've left my server open beyond what i intended, ... go fish--useless stuff to them anyway.

      i see no need to look over my shoulder, but if you're nervous, get off the world wide web.
      jiagebusen
      • RE: FTP: untrustworthy file transfer

        @jiagebusen Good point but there's still a huge lag between taking up secure ftp hosting protocols. SFTP or FTP-SSL is waay more secure than standard FTP, but its rarely implemented. However, there is growing support. FileZilla server (free) now supports secure ftp:
        http://filezilla-project.org/
        And online ftp hosting providers such as these do too:
        http://www.iqstorage.com/
        http://www.ftptoday.com/
        http://www.box.net/
        simonl1
  • Incorrect terminology....

    Files don't move around the "web" on FTP protocol. The "web" is just a protocol used on the INTERNET. FTP is another protocol. Why is ZDNet confusing folks on what is and is not the internet's building blocks? That's as frustrating to me as the assumed need for "www" on each and every address.
    Narg
  • RE: FTP: untrustworthy file transfer

    I deal with these very issues every day. There is no one right answer.

    SFTP is typically found in a UNIX environment. Neither Windows or mainframes have native support for it.

    Secured FTP via SSL/TLS is more commonly used in non-UNIX environments.

    Products like WS-FTP Pro are good choices for Windows environments and an open source product ProFTPD works fine in a UNIX/Linux environment and both support SFTP, TLS and SSL.

    You also don't have to open up thousands of high ports. You can tell the FTP server, which ports to use for the working ports and give it a limited range.

    In the mainframe world, it is called passivedataports.
    bharris09
    • Not quite correct...

      [i]SFTP is typically found in a UNIX environment. Neither Windows or mainframes have native support for it.

      Secured FTP via SSL/TLS is more commonly used in non-UNIX environments.[/i]

      I've worked in F500 corporate mainframe applications for a long time. We've used Secured FTP for mainframe-mainframe, mainframe-server, server-mainframe, etc. file transfers for several years within the corporate firewall as well as with EDI files with suppliers/vendors due to the sensitve nature of the data (financial, HR, sales).

      It's pretty easy to set up in batch jobs to PKZIP and then SFTP the file to where it needs to go.

      You are correct, only specific ports need to be opened.
      dinosaur_z
  • Master Joe Says...

    To begin, as I often do, I would like to comment on one other post. The title is "Let the MS muppets suffer." For this user, reality is a distant thing. Are there more hackers targeting Windows than there are targeting Linux and Mac OS? Absolutely. This isn't because windows is less secure. This is because over 90% of the market is held by Windows. If you are designing a car, are you going to design a car that appeals to less than 1% of the market, as Linux does, or a car that appeals to over 90% of the market, as Windows does? I hope, for most people, that the answer is pretty easily the latter of the two. The fact that users sit on a Linux, or Mac, computer, and believe that they are invincible to malware, viruses, trojans, worms, and other malicious software programs, is hilarious beyond compare. Just because there are less of these threates out there doesn't mean they don't exist. Now, on to the article to which this reply is intended for. I definitely agree. FTP is not a very secure file transfer method, and yet many people, both personal and business members, use it. SFTP is certainly the easiest alternative, as it requires the least amount of new knowledge. For most, it woudl simply require changing the setting on their FTP account from FTP to SFTP. This is an easy thing to do in FTP clients, such as FileZilla and WS_FTP. I am sure, as time goes on, that something better will come along. However, as long as the average computer user's intelligence levels continue to drop, the less new information fed to the amsses, the better. Flooding their tiny brains with mro einformation will simply further shut them down to the adoption of new technologies. However, when you sell them on something that is easy, fast, and worthwhile, they will be more likely to adhere to the new policy. If switching from FTP to SFTP increases security, without much, or even any, interruption to teh user, I say go for it. If you have a web host that doesn't support SFTP, get a new web host. It's time that ALL companies be expected to meet some security standards, even if they are not overly high. SFTP capabilities wouldn't rank high on my list of complicated security implementations, so web hosts that currently do not offer it should be boycotted, until they do offer it. There are laws that require cars to ahve seatbelts and air bags. Why shouldn't there be a governing principle, in the community of the World Wide Web, requiring web hosts, and servers, to offer certain security tools? I am not suggesting that we ask, or allow, the government to make a alw, as their involvement in anything Internet-based only ever leads to disaster, wasted money, and wasted time. If you don't believe me, look at the DMCA.

    --Master Joe
    SteelCityPC