Is FTP, the once ubiquitous File Transfer Protocol, dead?

It’s certainly an ageing protocol. Invented in the 1970’s, most implementations follow RFC 959, published in 1985.

And there are plenty of criticisms of FTP. It isn’t secure – passwords are sent in plain text. Data transfers use a new TCP connection for each transfer, and this can cause complications with firewalls as well as exhausting system resources. Directory listings aren’t standardized, and timestamps aren’t preserved on transferred files.

And yet FTP still persists. A quick google reveals hundreds, if not thousands, of FTP products on the market, and millions of references. Given its flaws, why is FTP still in use?

The biggest reason is the lack of competition. There simply aren’t many viable alternatives for transferring files across networks, including the Internet. HTTP is primarily used for downloading files, and isn’t very flexible. More proprietary protocols such as SMB are for local networks only. Instant messaging clients do provide file transfer facilities, but these are tightly integrated with the GUI, and generally only work with other clients on the same messaging network.

Also, many NAT devices automatically work with FTP, opening and closing data ports as needed. The appropriately ports are normally open in firewalls, so if anything will work without reconfiguration, it will be FTP.

So it seems that FTP will be around for a long time yet.

Given that we haven’t got much choice, how can we best use FTP?

One of the most important criticisms is lack of security. FTPS (FTP over SSL) was designed to overcome this problem.

Often called secure FTP, in FTPS passwords are no longer sent in plain text, but over an encrypted connection. Both commands and data can be encrypted, and a number of ciphers are available. FTPS is becoming quite widespread, and is supported by many FTP servers. It is a good choice if it is a requirement to add security to existing applications that are using FTP, as the protocol is not significantly changed. It should be noted that firewalls may require some reconfiguration as NAT devices are no longer able to automatically open and close ports as required – since commands are encrypted they are unable to determine what ports are being used.

Another option is to use SFTP (FTP over SSH). This is actually a different protocol altogether, and one that was designed to provide security from the beginning. It also uses a single TCP connection for both commands and data, eliminating most firewall problems. As SFTP is a more modern protocol, it also provides standardized directory listings and other useful features.

In conclusion, FTP lives on and on. It is still the most popular way of transferring files, and both FTPS and SFTP offer more secure ways of doing so than ordinary FTP.