If you’ve ever uploaded a file to a web server, or used an ‘FTP client’, you’ve probably used FTP – File Transfer Protocol. FTP has been around for a very long time: its first specification, RFC 114, was published back in 1971, when networked computing was in its infancy. FTP is still one of the most common ways to upload and download files on web servers – less so for ordinary users than for website administrators and developers, who routinely move site files, configuration and other critical data with it.
However, plain FTP was never designed to be secure. It dates from a time when networks were small and trusted and security was simply not a design concern, yet it is still in everyday use today.
Everything transmitted over FTP is sent ‘in the clear’, that is, without any encryption. When you send a file over FTP, its entire contents travel across the network exactly as they are, so anyone positioned on the path (a man in the middle, or simply someone on the same network segment running a packet sniffer) can read them or tamper with them. Even worse, logging in to an FTP server means sending your username and password, and those are sent in the clear as well: the USER and PASS commands carry them as plain text. An eavesdropper would not only be able to steal your login (and so gain access to the server you were using) but could also try those credentials against other services, since reusing the same password for multiple online services is unfortunately common.
FTP also has a number of other well-known weaknesses, catalogued in RFC 2577 (‘FTP Security Considerations’): the protocol itself does nothing to slow down brute-force password guessing (a server has to add its own lockouts or delays after repeated failed attempts), and the separate data connection that FTP opens for each transfer is exposed to address spoofing and ‘port stealing’, where an attacker connects to the data port before the legitimate party does.
However, you don’t hear many people complaining about these drawbacks. The reason is that several secure variants have been created which, while not always used, provide the protection plain FTP lacks while keeping essentially the same commands and workflow.
FTPS is FTP with the connection wrapped in TLS (Transport Layer Security); older deployments used its predecessor SSL (Secure Sockets Layer), which is now deprecated. In ‘explicit’ FTPS the client connects to the normal FTP port and issues the AUTH TLS command to upgrade the control connection before logging in; in ‘implicit’ FTPS (conventionally port 990) the TLS handshake happens as soon as the connection opens. Note that TLS on the control connection does not by itself encrypt the data connection: the client must also request PROT P, because the default protection level, PROT C, leaves the file transfers themselves in the clear.
SFTP (SSH File Transfer Protocol) is not actually FTP at all. It is a separate file-transfer protocol that runs as a subsystem of SSH, so it inherits SSH’s encryption and authentication (including key-based logins) while offering a command set and functionality similar to FTP’s.
FTP over SSH is not a secure protocol in its own right but a method of tunnelling an FTP session through an SSH connection, for example with SSH port forwarding. Be careful with it: a simple tunnel carries only the control connection, and the separate data connections FTP opens for each transfer are not tunnelled unless they are explicitly routed through SSH as well, so file contents can still cross the network in the clear.
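As an added example (not code from the original article), here is a small Python audit of an FTP control-channel dialogue. It covers both the plaintext login described earlier and the FTPS upgrade: it reports which credentials an on-path observer could have read, whether AUTH TLS was accepted, whether the server refused it (a downgrade the client then went along with), and whether PROT P was set so that file transfers were protected too. The transcript format (lines prefixed C: and S:), the sample sessions, the hostname ftp.example.test and the credentials are all constructed for this example.

```python
"""Audit an FTP control-channel dialogue for what an on-path observer could read.

Transcript lines are 'C: <command>' (client to server) and 'S: <reply>' (server
to client), as you would get from a client's session log or a decoded capture.
The sample sessions at the bottom are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass
class FtpAuditReport:
    tls_negotiated: bool = False        # AUTH TLS/SSL accepted (reply 234) before login
    data_protected: bool = False        # PROT P accepted, so data connections are encrypted
    exposed_user: Optional[str] = None  # username visible on the wire, if any
    exposed_password: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def audit_ftp_transcript(lines: Iterable[str]) -> FtpAuditReport:
    """Walk the dialogue, tracking the moment the control channel became encrypted."""
    report = FtpAuditReport()
    control_encrypted = False
    pending = None  # last client command, so each server reply can be matched to it

    for raw in lines:
        line = raw.strip()
        if line.startswith("C: "):
            verb, _, arg = line[3:].partition(" ")
            verb, arg = verb.upper(), arg.strip()
            pending = (verb, arg)
            if verb == "USER" and not control_encrypted:
                report.exposed_user = arg
                report.findings.append(f"USER {arg} sent in the clear")
            elif verb == "PASS" and not control_encrypted:
                report.exposed_password = arg
                report.findings.append("PASS sent in the clear: password readable on the wire")
            elif verb in ("RETR", "STOR") and not report.data_protected:
                # PROT P is what encrypts data connections; without it the file
                # contents cross the network unencrypted even under FTPS.
                report.findings.append(f"{verb} {arg} used an unencrypted data connection")
        elif line.startswith("S: ") and pending is not None:
            code = line[3:6]
            verb, arg = pending
            pending = None
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                if code == "234":
                    control_encrypted = True
                    report.tls_negotiated = True
                else:
                    report.findings.append(
                        f"server refused AUTH {arg} ({code}); session continued in plaintext")
            elif verb == "PROT" and arg.upper() == "P" and code == "200":
                report.data_protected = True
    return report


# Constructed sample sessions (not real captures).
PLAIN_FTP_SESSION = """
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful
C: RETR wp-config.php
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
""".strip().splitlines()

EXPLICIT_FTPS_SESSION = """
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to P
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful
C: RETR wp-config.php
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
""".strip().splitlines()

DOWNGRADED_SESSION = """
S: 220 ftp.example.test FTP server ready
C: AUTH TLS
S: 502 Command not implemented
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 Login successful
""".strip().splitlines()


def summarize(name: str, report: FtpAuditReport) -> str:
    """One-line verdict plus the individual findings, for a human reader."""
    status = "secure" if report.tls_negotiated and report.data_protected else "NOT secure"
    out = [f"{name}: {status} (TLS={report.tls_negotiated}, PROT P={report.data_protected})"]
    out += [f"  - {finding}" for finding in report.findings]
    return "\n".join(out)


if __name__ == "__main__":
    for name, session in [("plain FTP", PLAIN_FTP_SESSION),
                          ("explicit FTPS", EXPLICIT_FTPS_SESSION),
                          ("downgraded", DOWNGRADED_SESSION)]:
        print(summarize(name, audit_ftp_transcript(session)))
```

Run it as a script and the plain session shows the username, password and file transfer all exposed, the explicit FTPS session shows nothing exposed, and the downgraded session shows that a client willing to fall back after a refused AUTH TLS is no better off than plain FTP. The same check applied to an FTPS session that never sends PROT P would flag every RETR and STOR as travelling over an unencrypted data connection, which is the caveat most often missed when FTPS is switched on.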
So remember: whenever security matters – whether you are transmitting sensitive or confidential information, or connecting with a password you also use for other web services – make sure you are using a secure variant of FTP, and check that the data connection is protected as well as the login. Many FTP clients and servers still default to basic, unencrypted FTP, and that default is not there for your benefit!