This is your brain on FTP

by Sam Morris on September 29, 2010

Your brain on FTPThey say a picture is worth a thousand words.  Probably.  Back in 1987, the youth of America had been hearing the slogan “just say ‘no’ to drugs” for five years.  It had lost most of its value and according to the Partnership for a Drug-Free America™, “attitudes regarding drug use evolved from ‘acceptable and harmless’ to ‘addictive and dangerous.’” (The Partnership’s “Fried Egg TV Message”)

It must be human nature or something.  We hear statements like “wearing a seatbelt can save your life”, or “flossing your teeth can prevent gum disease”.  And yet we often let convenience trump wise precaution. 

Here’s another statement you hear a lot from secure file transfer vendors like Attachmate.

“FTP is not a secure file transfer protocol”

What does that mean exactly?

The FTP protocol specification makes no provision for the encryption of data in motion.  This means that while reliable and pervasive (convenient), FTP communications have some nonsecure behaviors including:

  • Usernames and Passwords are not encrypted as they are communicated over the network.
  • The contents of the file transferred (the data payload) are transmitted without encryption from FTP over the network.

If you are interested in seeing how simple it is to leverage a readily-accessible packet sniffing tool (like Wireshark) to capture a username and password from an FTP connection, check out the video “Password Sniffing with Wireshark” by Laura Chappell, founder of Wireshark University.

In addition, FTP has a few other shortcomings that more modern and secure file transfer approaches offer, including:

  • In FTP, it’s very difficult to know that a file transfer has been successfully and accurately completed.  This makes it difficult when automating file transfers, say via scripting, because you have to go outside of the file transfer command to ensure that the file transfer is finished and successful.
  • FTP logging is limited and makes it difficult for IT operations folks to know when a problem has occurred and what the source of the problem might be.
  • FTP doesn’t care what happens to the file after it arrives at its target location.  No one transfers a file because it is fun to do.  They need something to happen to the file after it gets where it has been transferred to. (In the managed file transfer world, we call this “post-processing”.)

So you could characterize FTP’s challenges as being in the areas of security, reliability, operational support, and automation.

Alright, rather than repeating the slogan “just say ‘no’ to FTP” in future blog posts, I’ll simply leave you with this little video.

Previous post:

Next post: