Login

***Narf*** · 09-25-2017, 02:07 AM

(09-22-2017, 03:20 PM)PaulD Wrote:
(09-22-2017, 11:42 AM)Narf Wrote: I get what you mean, but FTP? No.
That technology should be buried already.

Really? Why?

Do you mean because FTP is insecure you should use SFTP or FTP-SSL, either way they are all FTP just with encryption on top. Or do you mean FTP as a whole, because if so, what would you do to upload, say, a google verification file or similar to the web server?

Not contradicting you in any way, just curious as to the reason for your anti FTP stance.

Thanks in advance for any elaboration,

Paul.

FTP-SSL is just plain FTP with encryption on top of it, yes. But SFTP not just FTP with encryption on top of it. It's actually an extension to the SSH protocol and the "FTP" part of its name is just due to the fact it was made primarily for file transfers.

And yes, that FTP is insecure by default is a major issue, but even with TLS on top of it, it is still inferior to SFTP and SCP (also a different protocol) in every way.

FTP is a dual-channel protocol, where you actually open 2 connections - one for commands and one for the actual data - and was designed in times where everything was direct P2P communication, which is why you have active and passive mode in it.

That second connection is initiated by the server, to the client. But then the client could have a firewall or otherwise have the target port unreachable, so the passive mode came around as a hack around this. No modern protocol has such things, because you shouldn't need them.

Then there's the ASCII and BINARY transfer modes (and even more actually, but hopefully nobody hears of the other modes ever again) - another hack. This one necessary, because when the protocol was designed, over 40 years ago, everything was text-based and built around the ASCII character set. But character sets break images and other binary data, and who is to say that you actually want ASCII and not another charset (that's what those other modes were for - custom/proprietary charsets).

As a brief summary of the above, FTP is an ancient protocol with lots of unnecessary network overhead, and wouldn't even be usable today without hacks introduced into it just to work around its very core mechanics. And that doesn't even touch on security.

SFTP and SCP, on the other hand, are secure by default and have none of the above-mentioned flaws. Plus the huge benefit of SSH keys and other authentication methods. Password-based authentication should be avoided whenever possible.