Rapidly Sunsetting FTP

by Tom Richards

Sunday, May 8, 2016

File Transfer Protocol, or FTP, is considerably insecure and should not be used anymore. Seriously.

Introduction

How many times have you heard this question?

Hey, can you set up an FTP server for us? We want to upload and share files with our whole team.

No. The answer is simply no. As a matter of fact, this is the most incorrect use case for FTP today.

But… why?

FTP is a plaintext protocol. Every time you use an FTP server, your credentials and data are sent over the internet in plain text. Any passive listener can intercept your entire conversation. Usernames. Passwords. Filenames. File contents. All these things are 100% unencrypted when you’re using regular FTP.

The following screenshot shows a simple demonstration. Somebody on the same network as me is connecting to an FTP server. I’m casually eavesdropping on their entire FTP conversation from the comfort of my couch. The reason I can do this is not because I’m a clever hacker with mad skills. It’s because FTP is a plaintext protocol, and I know how to click a single button in a traffic sniffing application (Wireshark).

Screenshot: Eavesdropping on an FTP conversation

I’ve selected the line with the FTP password (the blue one). In this particular instance, it’s an anonymous FTP server and the password doesn’t mean anything, but you get the point. If this were an important server and you uploaded private files here, I would be able to access all of them.
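To make the exposure concrete, here is an added example (not code from the original post): a small Python audit that reads the client side of a reassembled FTP control stream and reports which accounts, password submissions and file paths were readable on the wire. The sample stream, the account name and the function names are constructed for illustration, and treating "ftp" as an anonymous login is an assumption based on common server convention.

```python
"""Audit a reassembled FTP control stream for data sent in cleartext."""

# Constructed sample: client-to-server bytes of one FTP control connection
# (TCP port 21) as a sniffer would reassemble them. Not from the original post.
SAMPLE_STREAM = (
    b"USER alice\r\n"
    b"PASS example-password\r\n"
    b"CWD /payroll\r\n"
    b"stor q2-salaries.xlsx\r\n"
    b"RETR notes.txt\r\n"
    b"QUIT\r\n"
)

# FTP commands (RFC 959) whose argument names a file or directory.
PATH_VERBS = {"CWD", "STOR", "RETR", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
# Assumption: logins conventionally treated as anonymous by FTP servers.
ANONYMOUS_USERS = {"anonymous", "ftp"}


def audit_control_stream(stream: bytes) -> dict:
    """Return what a passive listener learns from the client's commands."""
    report = {"logins": [], "paths": []}
    user = None
    for raw in stream.split(b"\r\n"):
        line = raw.decode("utf-8", errors="replace").strip()
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()  # FTP verbs are case-insensitive
        if verb == "USER":
            user = arg
        elif verb == "PASS":
            # Record that a password crossed the wire, never the value itself.
            report["logins"].append({
                "user": user,
                "password_length": len(arg),
                "anonymous": (user or "").lower() in ANONYMOUS_USERS,
            })
        elif verb in PATH_VERBS:
            report["paths"].append((verb, arg))
    return report


def exposed_accounts(report: dict) -> list:
    """Accounts whose real (non-anonymous) password was sent unencrypted."""
    return [l["user"] for l in report["logins"] if not l["anonymous"]]


if __name__ == "__main__":
    result = audit_control_stream(SAMPLE_STREAM)
    print(result)
    print("rotate passwords for:", exposed_accounts(result))
```

Any account this reports should be treated as compromised and have its password rotated once the FTP service is retired.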

False concerns

But I don’t care that everyone can see my files.

I completely understand. Sometimes, you don’t have to be concerned about who can see your information.

However, did you use FTP to upload any of those files? If you used FTP for file upload, you’ve essentially allowed anyone to manage your files. An attacker could easily alter or replace any of the files you’re managing with FTP. I’m sure I don’t have to explain to you why this is bad news.

But my whole team already knows FTP! It’s what we’re used to!

Good for you! I’m confident in your ability to learn a new technology that is much less complicated and far more powerful.

I don’t want to pay for a cloud storage solution!

How much are you paying to run that self-hosted FTP server nightmare? In the long run, the complete lack of security on that thing is going to cost you a lot more than just money.

I don’t trust these cloud storage providers!

You don’t have to. Plenty of cloud storage providers implement end-to-end encryption. This means the storage provider couldn’t access your data if they wanted to! Only you have access to your raw data.

What should I use instead of FTP?

It depends. What do you want to accomplish?

I hate learning. I just want one giant shared folder for my team and I want to use my same FTP client.

Instead of using FTP to transfer files to your server, you should instead use the SSH File Transfer Protocol, or SFTP, to upload and download files.

I want to make some files publicly available for anyone to download.

Upload files to your server just like the above option. Use SFTP.

Allow public downloads of those files using a web server with HTTPS.

Any web server software that is worth using will have a feature called “Directory Indexes” or “Autoindex”. This feature will automatically generate a set of web pages which provide read-only access to the directory of your choosing. It usually looks something like this.

HTTPS is free. Let’s Encrypt empowers you to have HTTPS at no cost. No manual renewals. No lengthy verification processes.

HTTP servers are free. They’re also much easier to set up than FTP servers, in my opinion. Nginx and Apache are popular, open-source options.

I want a complex file-sharing system with restrictive, customizable user privileges.

Upload and download files using a third-party Cloud Storage / File Sync system. Preferably, choose an open-source solution. Privacy Guides has some good recommendations. Heck, you could even choose one of the big-corporation-backed cloud storage options that Privacy Guides recommends against. Just please, don’t use FTP.

…you weren’t seriously considering FTP for this use case, were you?

FTP sunset timeline

Given that FTP is frequently used in a grossly insecure fashion, I propose the following timeline for sunsetting FTP.

NOW, RIGHT THIS VERY SECOND:

  • Irrevocably shut down all FTP services.
  • Replace said FTP services with practically anything else.

Conclusion

Unless you know how to install an FTP server package and configure it yourself, you definitely don’t want FTP.