The personal blog of Steven Frank
Elsewhere: Email - RSS - Twitter - Flickr - Xbox - Panic

July 15, 2008

10:33 AM

This is going to sound a little weird at first considering what I do for a living, but I want you to stop using FTP.

There are too many aspects of it which have not kept up with modern computing environments. In particular:

So, if not FTP, what should you use instead? Of what's available today, I'd recommend everyone switch to SFTP if you possibly can.

It's secure, it's consistently implemented, and it's machine-readable. That all adds up to a more reliable, future-proof transfer client for you.

I've talked to a lot of people who didn't even realize their host supported SFTP. If your hosting service supports SFTP, you usually don't have to change anything except for switching your client protocol from FTP to SFTP. If it doesn't work, you should ask your host if there's anything else you have to do (such as use a different port number).

If your host doesn't support SFTP, you should find a different host. It's not hard to support, and it's ridiculous to force people into using insecure protocols in the year 2008. Ask them, for example, why they don't support telnet. FTP is no better.

FTP has served us well, but it's time to move on. You wouldn't use a 23 year old computer to do your work, so don't use a protocol from the same vintage. Demand modern transfer protocols from your host.


Several people have taken issue with me calling out the age of the protocol. After all, Ethernet, IP, Unix, HTML, and so on are also quite old, but seem to be holding up OK.

I guess it was a silly point to bring up. I hope it's at least obvious from the article that I'm not suggesting that FTP's age is its primary problem, but rather the issues in the bulleted list.

The difference between FTP and other old-but-still-useful tech is that the others have been updated periodically to keep pace with the rapid evolution of the industry.

Ethernet now has CAT6. IP is (sort of... slowly...) mutating into IPV6. Unix has had so many mutations it would be hard to name them all. HTML is coming up on version 5.

FTP is just FTP, pretty much same as it was when Jon Postel & co. wrote it. We've wrapped it in secure tunnels and thrown countless proprietary extensions at it (that nobody agrees on how to implement). But it's my opinion (and certainly not everybody's) that it's broken at a fundamental level for its intended purpose for today's internet.

So, yes, the age of the protocol BY ITSELF is a non-argument. It's that it has languished for that long without any cleanup from any standards organization or committee. SFTP seems the best candidate to replace it since it is widely deployed, solves pretty much all the problems I mentioned, and in most cases is an easy substitution for end users to make. Of the realistic solutions to the problem (not "let's write a new protocol!") it's the most accessible.

Folks, I'm a Newton user. You don't have to tell me that age does not necessarily equal irrelevance.

(Note: Technically speaking, I even understated FTP's age. I was going by RFC959, which is the implementation still in use today. However, a reader reminds me that the core FTP functionality dates back to RFC354, drafted in 1972, and was designed for the trusted environment of ARPANET. It predates both TCP/IP and the internet as we know it today.)

Update 2

There is some confusion over what I mean by "SFTP". I'm referring to the SSH File Transfer Protocol, not FTP-over-SSL which is informally known as FTPS. FTPS addresses FTP's lack of encryption, but is otherwise exactly the same protocol as FTP, with exactly the same problems.