A colleague recently commented that we mentioned FTP (a file transfer program that is part of the TCP/IP suite) in Learning Tree Course 468, System and Network Security Introduction. “FTP is old,” he said. He’s right, of course, it has been around for decades. There are much better solutions now. I changed many of those FTP references, but FTP is still around.
A year or so ago I asked participants in the course how many used FTP at work: multiple hands went up. “Why,” I asked. The replies varied from “It is built into Windows and IE.” to “I don’t know – we always have.” As we talked about security that week they realized that there were indeed better choices.
When it comes to file transfer over the Internet, I’ve used WinSCP (for Windows) for some time. It supports SCP and SFTP as well as old FTP. Oh, and it’s free. If you don’t know about them, SCP is “Secure copy” it is based on a time-tested protocol called RCP (for remote copy) and it uses Secure Shell (SSH) for authentication and data transfer. SFTP (SSH File Transfer Protocol) is similar and also uses SSH. The command line version is basically a superset of FTP’s. Both use encryption and can use certificates for user authentication. I generally use SFTP. I suggest people stop using FTP and start using SFTP immediately.
But back to the initial point: does “old” equal “bad”. Not always, but often in the IP world. Let’s face it, the older protocols were not designed to be secure – the users were military and government contractors. Security used precious resources (many nodes had well under a meg of RAM) and the perceived need was limited. Things are different now.
As I noted above, though, that doesn’t mean we don’t need to talk about these older protocols: people still use them. There may be good reasons, but for the majority of situations, it is ignorance or laziness. I wish Microsoft would include SFTP in IE and Windows Explorer and deprecate FTP. (Yes, there is at least one tool – Swish – to add SFTP to Windows Explorer, but I wish the support were native. Not all users can or would add it.) It would be a pain even for me, though: I have a client that uses FTP for transferring files.
I kind of hate to ask this, but if you are still using FTP, please tell us why in the comments. Also, what other “old” protocols are you still using?
To your safe computing,