
Unless it's anonymous FTP for download only, it is also the most foolish way to transfer files over the Internet. Most especially if a security bug-ridden FTP server like wu-ftpd runs the show. You could get r00ted and your server 0wn3d by some script kiddie h4x0r as soon as you plug it in.

The intrinsic problem (even if you had a bug-free server) is that FTP transmits passwords and other authentication information in the clear across the network without any encryption at all. A compromised host that's sniffing passwords, or an evil router doing the same thing, on any network between you and the server lets whoever controls it masquerade as you on any system where you use the same credentials. Far better to use FTP over TLS or SSL, or SSH/SCP.

Another thing server administrators should be wary of is allowing anonymous upload. It can quickly turn a server into a warez site if appropriate caution is not taken. If anonymous upload is allowed, the administrator can prevent such abuse by allowing execute and write access to the upload directory (meaning clients can go to that directory and put files there), but disallowing read access (so people can't list the contents). Some FTP servers provide additional features to prevent this type of abuse.
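
The upload-directory permissions described above, as an added example that is not part of the original writeup: it creates a write-and-execute-only directory and audits the mode. It assumes the anonymous FTP account falls under the "other" permission class; the function names and the temporary path are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the anonymous FTP account is neither the owner
# nor in the group of the upload directory, so the "other" bits apply to it.

# Print the nine permission characters of a path, e.g. "rwx-wx-wx".
dir_perms() {
    ls -ld "$1" | cut -c2-10
}

# Create a drop box: clients may enter (x) and create files (w), not list (r).
make_dropbox() {
    mkdir -p "$1" && chmod 733 "$1"
}

# Return 0 if the "other" class has write and execute but no read access.
# Otherwise print the finding and return 1.
audit_dropbox() {
    [ -d "$1" ] || { echo "$1: not a directory"; return 1; }
    other=$(dir_perms "$1" | cut -c7-9)
    case $other in
        -w[xt]) return 0 ;;   # t = execute plus sticky bit
        r*) echo "$1: listable by anonymous clients ($other)"; return 1 ;;
        *)  echo "$1: uploads would fail ($other)"; return 1 ;;
    esac
}

# Demo on a constructed temporary directory (not a real FTP root).
demo=$(mktemp -d)
make_dropbox "$demo/incoming"
audit_dropbox "$demo/incoming" && echo "733: ok"
chmod 777 "$demo/incoming"
audit_dropbox "$demo/incoming" || echo "777: rejected"
rm -rf "$demo"
```

Removing read access only hides the directory listing; a file whose exact name is known can still be opened if the file itself is readable.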

FTP as it was originally designed and specified in RFC 542 is a relic of a bygone age when the Internet was a research network and everyone could afford to trust everyone else. Sadly, that's not the case anymore, and FTP is really only useful as an anonymous file download protocol now, a task for which HTTP is showing itself to be far more capable.
