Will FTP ever be a secure way to transfer files?

A SearchSecurity.com member asks our network security expert Mike Chapple: Is the File Transfer Protocol a secure way to transfer files? As one of his many monthly responses to readers, Chapple reveals a better alternative to FTP.

Do you think FTP will ever be a secure way to transfer files to and from servers? What do you believe FTP is best used for and why?
No, plain old File Transfer Protocol (FTP) will never be a secure way to transfer files for one simple reason: it doesn't use any type of encryption. This means that anyone who can eavesdrop on the connection -- basically, anyone with access to a network segment between you and the server -- can view the contents of files as they're transmitted. Even worse, FTP uses unencrypted authentication, so the eavesdropper can view a username and password, and then use those credentials to connect to the server themselves.

FTP is only acceptable when running an anonymous FTP server that distributes non-sensitive information. Many software companies, for example, use this mechanism to distribute patches and other updates.

Fortunately, there are ways to secure FTP, and there are also safer alternatives to the protocol. If FTP must serve as the data transport method, the easiest way to bolt on encryption is to connect to a VPN first, provided that the VPN endpoint device is logically close to the server that you're connecting to. By default, a VPN offers encrypted communications over the Internet. Typically, a company will only let employees or close affiliates connect to its VPN, so this might not be an option in all circumstances.

If you're in a position to suggest an alternative protocol, go with a secure FTP (SFTP) client. It not only uses the same command syntax as a standard FTP client, but also adds encryption to secure the connection. There are many free SFTP clients available; I prefer the free PSFTP client.

More recent responses from Mike Chapple:

  • How expensive are IPsec VPN setup costs?
  • Is it possible to identify a fake wireless access point?

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing