File Transfer Protocol (FTP) is as basic a method as sending files gets – no bells, no whistles…not even much security to speak of. It was invented back in the days when the word ‘hacker’ had nothing to do with computers, so the question is, is it time for FTP to finally retire?
The internet hasn’t always been the minefield it is nowadays, where we have to scrutinize every link before we click on it and constantly worry about how secure our connection is.
Security just wasn’t a concern like it is today, hacking wasn’t a career, and people sent their bank details in emails.
So this means that back in the early years of FTP, it had one job – transport the file/s from A to B.
This could be anything from uploading website content to servers (as commonly used in the world of WordPress) to downloading software packages from online repositories or even just transferring files that are too large for email.
It may have been the backbone of the file-transferring world for decades, but now that more modern and secure methods exist, is it time to put FTP on the shelf, along with telegrams and fax machines?
Absolutely, and today we’re going to take a look at why…
Have you ever played the childhood game where you and a friend throw a ball back and forth to each other whilst another player stands in the middle and tries to intercept it?
This is a great way to picture what happens during a man-in-the-middle attack (especially if the guy in the middle is invisible!).
Attacks can come in a few different forms, but the main concept is that two parties are passing information between each other with someone in the middle desperately trying to snatch it from them.
They can range from silently observing the data exchange whilst the attackers look for an opportunity to use the information to their advantage or interrupting the exchange by setting up camp in the middle and manipulating the information.
This means that if sensitive information is being traded such as bank details or client information, an attacker would have a field day.
Unless, of course, the data is encrypted.
If the files are encrypted in transit, this shouldn’t pose much of a concern, because if the man (or woman) in the middle manages to capture the traffic, it will be unreadable to them.
Think of it as being able to speak only English and getting your hands on a ton of files in Elvish, with no way of translating them.
When it comes to man-in-the-middle attacks, the key is being vigilant and acknowledging that whenever you’re connected to the internet, there’s always a chance you could be vulnerable to some form of attack.
Whilst ensuring your files are only sent through encrypted channels is a sensible backup in case your communication channel is breached, you should also be actively trying to stop attackers from getting onto the path in the first place.
Simple ways to do this include:
- Use a Virtual Private Network (VPN), especially on public networks (bearing in mind it only protects the hop to the VPN provider, not what happens beyond it)
- Don’t use WiFi connections that aren’t protected with a secure password
- Never conduct financial transactions or send sensitive data over public networks
- Be cautious of websites that your browser flags as not secure.
If you take all of these precautions but someone still manages to get access to your files (hackers are really smart these days – think Mr Robot), at least you have the fact that your files are encrypted to fall back on…
…unless of course, you sent them using FTP.
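To make the ball-in-the-middle picture concrete, here is an added example (not code from the original article) of what an on-path observer gets out of an FTP control channel. Both captures are constructed for the example, not recorded traffic; the host name, user name and password are made up. Plain FTP sends USER, PASS and file names as text, so the observer reads them straight off the wire. The second capture shows the contrast with explicit FTPS (RFC 4217): the client sends AUTH TLS, the server answers 234, and everything after that is TLS ciphertext (the hex bytes are filler standing in for TLS records), so the same observer learns nothing usable.

```python
"""Added example: what an on-path observer learns from an FTP control
channel, for a plain-FTP session and for one that upgraded to TLS.
Captures are constructed for this example; they are not real traffic."""
import re

# Constructed plain-FTP session. "C" is client->server, "S" server->client.
PLAIN_FTP_CAPTURE = [
    ("S", b"220 FTP server ready.\r\n"),
    ("C", b"USER webmaster\r\n"),
    ("S", b"331 Password required for webmaster\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"230 User webmaster logged in\r\n"),
    ("C", b"PASV\r\n"),
    ("S", b"227 Entering Passive Mode (192,0,2,10,195,80).\r\n"),
    ("C", b"STOR wp-config.php\r\n"),
    ("S", b"150 Opening BINARY mode data connection for wp-config.php\r\n"),
    ("S", b"226 Transfer complete\r\n"),
]

# Constructed explicit-FTPS session. The bytes after the 234 reply are filler
# standing in for TLS records; they are not a real handshake.
EXPLICIT_FTPS_CAPTURE = [
    ("S", b"220 FTP server ready.\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 AUTH TLS successful\r\n"),
    ("C", bytes.fromhex("16030300a10100009d0303c4f0ee")),  # opaque to the observer
    ("S", bytes.fromhex("160303004902000045030399b7")),
    ("C", bytes.fromhex("170303005a8f2ca3")),
]

PASV_REPLY = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _as_text(line: bytes):
    """Return the line as str if it is printable ASCII, else None."""
    text = line.rstrip(b"\r\n")
    if all(0x20 <= b < 0x7F for b in text):
        return text.decode("ascii")
    return None


def extract_from_control_channel(capture):
    """Walk a control-channel capture and return what an observer learns.

    Parsing stops once the server accepts AUTH TLS with a 234 reply, because
    from that point on the observer only sees TLS records.
    """
    seen = {"username": None, "password": None, "files": [],
            "data_endpoint": None, "tls_upgraded": False}
    auth_tls_requested = False
    for direction, raw in capture:
        text = _as_text(raw)
        if text is None:
            continue  # not readable text: nothing for the observer here
        if direction == "C":
            parts = text.split(None, 1)
            if not parts:
                continue
            verb = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else ""
            if verb == "USER":
                seen["username"] = arg
            elif verb == "PASS":
                seen["password"] = arg
            elif verb in ("STOR", "RETR"):
                seen["files"].append(arg)
            elif verb == "AUTH" and arg.upper() == "TLS":
                auth_tls_requested = True
        else:
            code = text[:3]
            if auth_tls_requested and code == "234":
                seen["tls_upgraded"] = True
                break
            if code == "227":
                m = PASV_REPLY.search(text)
                if m:
                    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                    # PASV encodes the data port as two bytes: p1*256 + p2
                    seen["data_endpoint"] = (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    return seen


if __name__ == "__main__":
    for name, capture in (("plain FTP", PLAIN_FTP_CAPTURE),
                          ("explicit FTPS", EXPLICIT_FTPS_CAPTURE)):
        print(name, extract_from_control_channel(capture))
```

Note what the plain-FTP result includes besides the password: the PASV reply hands the observer the exact address and port of the data connection, which is where the file itself will travel, also unencrypted. For the FTPS capture the same code recovers no credentials and no file names, only the fact that TLS was negotiated.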
Why is FTP Still a Thing?
If I ran the world, FTP would be thrown promptly in the trash.
It’s outdated, it’s unsafe, and with other much more secure alternatives readily available, it’s hard to find valid reasons why people still rely on it.
So, why do people still use it?
People Don’t Like Change
FTP has been around longer than the internet.
No, seriously – the first FTP specification (RFC 114) was written in 1971, more than a decade before TCP/IP and two decades before the world wide web.
So, it’s not really a surprise that a concept created almost 50 years ago doesn’t quite meet our needs in 2020.
But, as many developers would say “if it works, don’t touch it”.
FTP does still do what it’s supposed to, i.e. it moves files from one server to another…until you’re the target of an attack.
Think of it like leaving your front door unlocked. You know that thieves exist, and you probably even know someone who’s had their house broken into in the past, but do you ever leave the door unlocked whilst you pop to the shop?
The illusion of invulnerability, or optimism bias, is often a reason behind someone not taking the proper precautions. People are reluctant to believe that something bad might happen to them, so until it does, they are more likely to take unnecessary risks.
With so many safer alternatives out there, it’s safe to say it’s sensible to ditch FTP before you experience first-hand just how risky it can be.
FTP is Faster than SFTP
If you’re connecting to a server using SFTP after being a loyal user of FTP for many years, you may be slightly disappointed at the drop in speed compared to what you’re used to.
This is because an SFTP transfer carries overhead that plain FTP does not: the SSH handshake, per-packet framing, and encryption and integrity checks on every byte.
There are a few things that are worth sacrificing for speed, however, security probably isn’t one of them.
Some Regulations Prohibit the Use of FTP
Yes, you read that right.
Because it’s widely known that FTP isn’t a secure way to transfer files, a number of regulations effectively rule it out for the data they cover (nobody has outlawed the protocol itself, but for regulated data that distinction won’t help you).
There are various regulations that govern how data can and can’t be transferred, including the Health Insurance Portability and Accountability Act (HIPAA), whose Security Rule requires healthcare organizations and their business associates to protect electronic health information in transit. Plain FTP, which sends both credentials and file contents in the clear, cannot satisfy that; an encrypted transfer such as SFTP is the usual way to comply, and there are other components (access control, audit logging and so on) that need to be satisfied too.
When it comes to any form of card transaction, the Payment Card Industry Data Security Standard (PCI-DSS) requires strong cryptography whenever cardholder data crosses open, public networks, and lists FTP among the insecure services that may only be enabled with a documented business justification, including the ports and firewall rules involved and the security features put in place to compensate.
The General Data Protection Regulation (GDPR) defines personal data as any data that relates to “an identified or identifiable natural person (‘data subject’)”. This means it includes data on an individual such as “a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are so many pieces of information that can fall into this category that it’s definitely better to play it safe rather than sorry. Even if you don’t think the data you are sending is particularly valuable, you should check to make sure it doesn’t fall under GDPR or other similar regulations before you opt for FTP.
Better still, you could switch to another method for good.
The bottom line is that if you are sending data that is confidential, sensitive, or contains any information that would be dangerous if it were to fall into the wrong hands, then FTP won’t suffice.
Alternatives to FTP
I can sit here all day and rave about the importance of binning FTP once and for all and switching to something more secure, but if it’s going to be a lot of extra hassle or require additional tools or cost, I know a lot of people won’t be convinced.
The good news is that other methods of file transfer look exactly the same at the user’s end.
You can literally use the same client and follow the same steps – you just have to tell the client which method you are using.
As you can see from the screenshot, there is an option to use plain FTP, however, it warns you that it’s insecure.
Often only the port number differs (22 for SFTP; FTPS uses 21, or 990 for the implicit variant), and at the user’s end the interface looks the same whichever method you pick, so there’s really no reason to select the insecure FTP option.
FTP v FTPS
FTPS (File Transfer Protocol Secure) is your simple FTP with TLS (Transport Layer Security) wrapped around it; older clients still call this SSL (Secure Sockets Layer), which is the deprecated predecessor of TLS.
This extra layer means the server presents a certificate that the client checks before anything sensitive is sent, so the two can form an authenticated, encrypted connection; the server can optionally demand a client certificate as well.
This provides a good level of protection as long as the client actually validates the certificate rather than clicking through a warning, and as long as the data channel is protected along with the control channel (explicit FTPS clients do this with PROT P; with PROT C the file contents still travel in the clear).
Of course, it’s always advisable to have a valid certificate on the server to prove its identity and secure the connection, but if this isn’t possible, if, for example, you are uploading files to a new site you are still setting up, SFTP may be the better option.
SFTP All The Way
So we’ve mentioned SFTP a fair few times, but let’s take a quick look at exactly what it means.
SFTP (SSH File Transfer Protocol) also has a layer of protection that FTP does not benefit from, and that comes in the form of a Secure Shell (SSH) connection: it is not FTP with encryption bolted on but a separate protocol that runs over SSH.
When you use an SSH connection, the whole session, log-in included, is encrypted with keys the two ends negotiate for that connection, so nothing readable ever crosses the wire; you log in with a password or, better, an SSH key pair.
This means that although the server isn’t authenticated with a certificate like with FTPS, it is authenticated by its SSH host key, and your files are as safe on their journey as that check: verify the host key fingerprint against one you obtained out of band the first time you connect, and treat a changed key as a warning, not an inconvenience.
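The host key check is the one step an SFTP client cannot do for you, so here is an added example (not code from the original article) of what that check consists of. It parses a known_hosts-style line of the form printed by ssh-keyscan, computes the OpenSSH "SHA256:..." fingerprint that ssh-keygen -lf shows, and decides whether the key a server just presented is the one pinned for that host. The host name is assumed, and the demo key is 32 bytes of filler laid out in the ssh-ed25519 wire format, constructed for this example; it is not a real server key.

```python
"""Added example: verifying an SFTP server's SSH host key against a pinned
known_hosts line. The key material below is constructed filler, not a real key."""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_host_key_line(line: str):
    """Parse 'host keytype base64blob [comment]' as found in known_hosts or
    printed by ssh-keyscan. Returns (host, keytype, blob), or None if the
    line is malformed or the blob does not declare the same key type."""
    fields = line.split()
    if len(fields) < 3:
        return None
    host, keytype, blob_b64 = fields[:3]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != keytype.encode("ascii"):
        return None  # declared type and encoded type disagree
    return host, keytype, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the key blob, base64 without
    padding, prefixed with 'SHA256:' (the form ssh-keygen -lf prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def host_key_is_pinned(known_hosts_line: str, host: str, keytype: str,
                       presented_blob: bytes) -> bool:
    """True only if the key the server just presented is the one pinned for
    this host. A different key means either the server was re-keyed or
    someone is sitting in the middle; either way, stop and verify."""
    parsed = parse_host_key_line(known_hosts_line)
    if parsed is None:
        return False
    pinned_host, pinned_type, pinned_blob = parsed
    if pinned_host != host or pinned_type != keytype:
        return False
    return hmac.compare_digest(fingerprint_sha256(pinned_blob),
                               fingerprint_sha256(presented_blob))


# Constructed demo key: 32 filler bytes in the ssh-ed25519 wire layout.
DEMO_KEY_BYTES = bytes(range(32))
DEMO_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(DEMO_KEY_BYTES)
KNOWN_HOSTS_LINE = ("sftp.example.com ssh-ed25519 "
                    + base64.b64encode(DEMO_BLOB).decode("ascii"))
# What a man in the middle would present instead: a key of their own.
IMPOSTOR_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(DEMO_KEY_BYTES[::-1])


if __name__ == "__main__":
    print("pinned  ", fingerprint_sha256(DEMO_BLOB))
    print("impostor", fingerprint_sha256(IMPOSTOR_BLOB))
    print("genuine server accepted:", host_key_is_pinned(
        KNOWN_HOSTS_LINE, "sftp.example.com", "ssh-ed25519", DEMO_BLOB))
    print("impostor accepted:", host_key_is_pinned(
        KNOWN_HOSTS_LINE, "sftp.example.com", "ssh-ed25519", IMPOSTOR_BLOB))
```

In practice the pinned line comes from your provider or from running ssh-keygen -lf on the server's own public key file, and the presented key is what your SFTP client shows you on first connection; if the two fingerprints differ, the right move is to stop, not to accept the new key.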
If you’ve read this far and still think that FTP has any form of value in today’s online climate, then I admire your commitment.
But if you don’t have a genuine reason for using FTP, I’d suggest you check out our recent blog that explores the ins and outs of SFTP and shows you how to use it (hint: it’s exactly the same as FTP, besides the port number and the extra security).
And if that doesn’t change your mind, at least I tried!