by David Addison

Do you still use ftp for file uploads - STOP

File Transfer Protocol (FTP) is a standard network protocol which is used to copy files from one host to another over a TCP-based network. Dirigo abandoned the use of the File Transfer Protocol in 2007. We no longer actively support this protocol. Moreover, we actively discourage FTP use. We’ve written this piece because each month one of our clients asks for an FTP account. We would like to explain our position.

The FTP protocol is specified in RFC 959, a "Request for Comments" (one of a collection of technical and organizational notes about the Internet). It was adopted for use on April 16, 1971, well before the FAX machine or the cell phone gained widespread use. An FTP client makes a TCP connection to the server's port 21. This initial connection, called the control connection, remains open for the duration of the FTP session. A second connection, called the data connection, is opened to transfer file data: either by the server from its port 20 to a negotiated client port (active mode), or by the client from an arbitrary port to a negotiated server port (passive mode).

The first FTP client applications were interactive command-line tools. These tools still exist and can be used from a Microsoft Windows command line. Once connected to an FTP server, the command "RETR samplefile.docx" transfers the specified file from the server to the client. Graphical user interface clients were introduced in the early '90s, limiting command-line use to programmers and old-time DOS types.

So why has Dirigo abandoned the protocol? FTP is not secure! In our opinion, it should never be used in open (or even closed) environments. It was not designed to be a secure protocol by today's standards. As early as 1999 the protocol was prone to bounce attacks, spoofing, brute force, packet capture, port stealing, etc. By design, transmissions are not encrypted. POP, Jabber and IMAP are also guilty of sending credentials in clear text. These protocols can be configured to transmit securely.

FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password. The clear-text thing is very bad! For secure transmission that hides (encrypts) the username and password, and encrypts the content, FTP can be configured with SSL/TLS ("FTPS"). SSH File Transfer Protocol ("SFTP") is sometimes also used instead, but is technologically different.
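To check whether a server still accepts readable logins, the control connection described above can be audited from a capture. The following is an added example, not Dirigo's code: the transcript, host name, user and password are constructed, and the function names `decode_hostport` and `audit` are hypothetical.

```python
import re

# Constructed control-connection transcript (port 21); "C:" is the client, "S:" the server.
SAMPLE = """\
S: 220 ftp.example.test ready
C: AUTH TLS
S: 502 Command not implemented
C: USER webmaster
S: 331 Password required
C: PASS constructed-secret
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR samplefile.docx
S: 226 Transfer complete
"""

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> (ip, port), where port = p1*256 + p2."""
    m = HOSTPORT.search(text)
    if not m or any(int(g) > 255 for g in m.groups()):
        return None
    n = [int(g) for g in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit(transcript):
    """Flag readable logins and list negotiated data-connection endpoints."""
    out = {"tls_refused": False, "cleartext_user": None,
           "password_exposed": False, "data": []}
    last_cmd = ""
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        word, _, arg = msg.strip().partition(" ")
        if side == "C":
            last_cmd = word.upper()
            if last_cmd == "USER":
                out["cleartext_user"] = arg
            elif last_cmd == "PASS":
                out["password_exposed"] = True  # record the fact, never the value
            elif last_cmd == "PORT" and decode_hostport(arg):
                out["data"].append(("active", *decode_hostport(arg)))
        elif side == "S":
            if last_cmd == "AUTH" and word[:1] in ("4", "5"):
                out["tls_refused"] = True  # client asked for FTPS, server declined
            elif word == "227" and decode_hostport(arg):
                out["data"].append(("passive", *decode_hostport(arg)))
    return out
```

Once a server accepts `AUTH TLS` (reply 234), the rest of the control connection is encrypted, so any `USER` or `PASS` line that is still readable in a capture was sent in clear text.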

SSH is a newer protocol, with an update in RFC 4253 as late as 2006. Dirigo endorses the use of SFTP or SSH.

The alternatives to FTP

SFTP, the "SSH File Transfer Protocol" (sometimes called Secure File Transfer Protocol or, incorrectly, Secure FTP), is not related to FTP except that it also transfers files and has a similar command set for users. SFTP is a network protocol that provides file access, file transfer, and file management functionality over any reliable data stream. Secure Shell, or SSH, is a network protocol that was developed in 1995 to allow data to be exchanged using a secure channel between two networked devices. SSH was designed as a replacement for Telnet and other insecure remote shells (e.g. FTP), which send information, notably passwords, in plaintext, rendering them vulnerable. In 2006, a revised version of the protocol, SSH-2, was adopted as the Web standard.

FTP over SSH (don't confuse this with SFTP) tunnels a normal FTP session over an SSH connection. Because FTP uses multiple TCP connections, it is particularly difficult to tunnel over SSH. For this reason, most of the market has shifted to SFTP.

We recommend Bitvise Tunneler (a friendly and flexible SSH client) for use on Windows machines. Tunneler provides state-of-the-art terminal emulation, graphical as well as command-line SFTP support, an FTP-to-SFTP bridge, and powerful tunneling features. Modern versions of Adobe Dreamweaver CS3/CS5 and other popular Web development software products support SFTP. FileZilla is a popular free SFTP solution. Fetch by Softworks is a reliable, full-featured file transfer client for the Apple Macintosh whose user interface emphasizes simplicity and ease of use. Fetch supports SFTP (as well as the insecure FTP protocol). Mac users can also use the popular Cyberduck or FileZilla clients.

