FTP sends passwords in the clear. 'Nuff said.
FTP becoming Forgotten Transfer Protocol as Debian turns it off
Debian is shutting down its public File Transfer Protocol (FTP) services, because hardly anybody uses them any more and they're hard to operate and maintain. The project has told world+dog that come November 1st, 2017, ftp://ftp.debian.org and ftp://security.debian.org will cease operations. The reasons are pretty simple: …
COMMENTS
-
Thursday 27th April 2017 01:27 GMT Ole Juul
awkward to use?
He also notes that “Most software implementations have stagnated and are awkward to use and configure,”
I disagree. Security aside, just downloading with ftp is about as simple as it gets. Type "lftp filename", "ftp filename", or "sftp filename", whichever program you prefer, and that's it. And no, there's no configuration required on the client. Hard to imagine anything simpler to use.
-
Thursday 27th April 2017 06:01 GMT Richard 12
Re: awkward to use?
While HTTP is "click on link in the browser", and HTTPS is "click on link in browser".
The link can even have text and images to explain what it is for, how to use it and why you might choose one link instead of another.
That human-readable metadata is extremely useful to everyone.
FTP clients have stagnated, they haven't become any easier to use for a decade. In fact they've barely changed at all.
FTP servers are worse, as they are hard to balance and hard to configure.
Worst, common implementations of client and server are subtly incompatible with each other.
-
Thursday 27th April 2017 02:02 GMT Denarius
meanwhile, back in the coporate world
FTP chugs along feeding data from unices, Windows, whatever relics like VMS lying around to the organisations mainframe. Not something one uses outside of a couple of firewalls, but I can think of multiple government sites where FTP gets data from A to B quietly and reliably if one scripts decent post transfer log analysis. FTP use is fading as ssh takes over. Somehow I do not see Kermit coming back either.
As for hard to use argument, BH. Download WS-FTP or equivalent, read instructions, configure, compile and install or download existing compiled package if lazy and trusting. It is simple to set up an anonymous FTP server. Simpler than NFS even. Throughput I find better than http. Don't know about caching. Given the size of the files I transferred or their contents, non-caching is desirable. Perhaps this is another sign of the dumbing down of IT as the lowest common denominator consumer experience sets standards.
Agreed ftp is not secure. Once can add a little security by using Franceso Rosales shell compiler or using the equivalent in ksh93 that hides the account details from causal snooping.
Given the lack of use, decommissioning FTP is logical for Debian. Whether it will fade away or become another "Death of COBOL predicted" meme is debatable. Meanwhile, back to Devuan install
-
Thursday 27th April 2017 02:27 GMT Frumious Bandersnatch
"no caching"? Hmm.
I was going to complain that most people use something akin to apt-cacher-ng or squid on the client side, anyway. But then, realised that FTP doesn't have a standard way of getting file metadata, particularly the HTTP-like "last-modified" data that's crucial for avoiding downloading (mirroring) stuff you already have. Sure, running "dir" works, but there doesn't seem to be a standard way of presenting all the fields ...
Overall, probably a sensible move. Still, with FTP disappearing it does make me feel just that little bit more antiquated.
-
-
Thursday 27th April 2017 03:50 GMT Anonymous Coward
Sad but not terrible
I'll confess: I don't use FTP, and haven't for years in any proper scenario. Around my home network, setting up a web, SSH or NFS server is so quick now that I don't even bother there. So all power to Debian for pulling the plug.
I do feel a little wistful though, because with each passing the year, the number of things you can do on a network by just connecting to the socket and typing gets smaller. One day soon we won't be able to connect to any resource unless it's over a channel that has been preapproved by our Corporate Overlords, and that makes me a little sad.
Yes, I know no sensible person sends mail by "telnet <mx> 25" or reads El Reg with a "nc www.theregister.co.uk 80", but the thought of being able to in a pinch is comforting, and it's a great way to learn how things really worked.
-
Thursday 27th April 2017 17:00 GMT Herby
Re: Sad but not terrible
Yes, I know no sensible person sends mail by "telnet <mx> 25"
While this may be true, spammers do exactly that programatically. Spew to port 25 and just discard the result.
Me? One of my web cams nicely transfers pictures once a minute to my FPT server and has for over 10 years. Of course, FTP is a really weird protocol (PORT/PASV and all that), but if it is implemented, it DOES work. There is a lot of history around it and the problems/flaws are pretty well known, and for the most part pretty well fixed. It is like the energizer bunny, it keeps going, beating its drum.
-
-
-
Thursday 27th April 2017 06:10 GMT Richard 12
Re: Windows
For small values of "support", anyway.
SMB is much easier to set up in Windows (and multi-OS environments).
You just tick the box labelled "Share folder" and follow the prompts to set passwords and user access rights.
Yet even SMB is basically deprecated for local file sharing, there are far better things now and the tools to set them up - in a reasonably secure way - are becoming easier to use.
-
-
Thursday 27th April 2017 05:49 GMT CentralCoasty
FTP ...... ah the memories......
Lets face it, what would we have done without it back in the "good ol days!'. When we managed to sync the connections ftp made our life so easy! We could finally start actually moving data without having to use tape!
Well its been dying for some time now - am actually amazed its lasted this long given its insecurities - but its still sad to see it go...... (in some perverse, nostalgic and idiotic way).
-
-
Thursday 27th April 2017 07:46 GMT jake
Re: FTP ...... ah the memories......
ftpmail ... the reason AOL finally brought AOL's version of FTP online. The Stratus computer based email system couldn't handle the large quantity of uuencoded files users were requesting.
Which reminds me ... I still use UUCP in a few places, mostly to transport email within corporations, but also within the load balancing guts of a largish Usenet system I maintain. I'll leave the "why" as an exercise for the reader ;-)
-
-
-
-
Thursday 27th April 2017 09:16 GMT Jay 2
Re: Filezilla
Another Filezilla user here. Very handy for moving stuff to/from desktop to build/jumphost servers. we still use FTP a fair bit internally, though we also have a fair amount of HTTP/wget too. Also lurking is some SFTP, but I don't find it the easiest thing to set up (and quickly get working) on some of out Linux kit.
-
Thursday 27th April 2017 10:46 GMT Peter2
Re: Filezilla
yet another filezilla user who migrated from WS FTP Pro, since filezilla does the job, and is free so you don't have to try and get money authorised for licensing if you want to use an FTP client at work.
What has FTP been replaced with for uploading/managing a website? Yes, niche thing, but it's not going to go away. And no, CMS's aren't replacements for FTP.
Yeah, i'll get my coat.
-
Thursday 27th April 2017 13:13 GMT Bronek Kozicki
Re: Filezilla
"What has FTP been replaced with for uploading/managing a website?"
Depends on server software used, but if something relatively modern then webdav + authentication modules should be available. Or maybe setup a git repository for website files. Or use ssh and scp. I recon any of those would be safer and better performing that FTP, but I do appreciate the sentimental value of a very old protocol.
-
-
-
Thursday 27th April 2017 07:25 GMT Giles C
Still out there
Plain ftp maybe that is declining but I still do a lot of transfers using it along with sftp or similar protocols. Most hosting companies still use it to upload websites and it is a lot faster than smb.
Mind you saying it is unnecessary is a bit like having to install the telnet client on a windows box. Try troubleshooting firewall connections without a telnet xxxx port yyy command line to hand.
-
Thursday 27th April 2017 09:38 GMT Anonymous Coward
All this nostalgia ...
whatever happened to KERMIT ? My first exposure to FOSS in 1985 ... I still have some patches to Sperry KERMIT immortalised at Columbia. Very useful in interviews ..
"So what experience have you got ?"
"Well I've got a patch from 1986 (i.e. before you were born) lodged on the internet. What's yours ??"
-
This post has been deleted by its author
-
Thursday 27th April 2017 13:02 GMT Infernoz
User level login security (with FTPS or SFTP) in FTP.
I use FTP when Samba has file permissions glitches in FreeNAS, and it of course can supports user level login and user home restrictions, and can support TLS encryption, which are both useful to block unwanted access.
I don't see even user level security for WebDAV in FreeNAS 9.10.2-U3, just a useless shared basic/digest password over HTTPS; it seems you need to bolt stuff in front of WebDAV to get user level security, when it should be standard!
The result is I could safely expose an FTP service, with TLS, to the internet for people, but WebDAV is useless except for read-only access for people by I can trust with a common password/digest i.e. none so far.
-
Thursday 27th April 2017 15:02 GMT Zippy's Sausage Factory
So someone encourages their users to use a different method of doing stuff, then turns off the old way of doing things because users aren't using it any more.
Hmmm... couldn't this have easily gone the other way if they'd put the ftp link at the top and the word "recommended" against it, then hidden the http links smaller and lower down. Of course it could. It's simply Debian trying to only have one way of doing things rather than two.
I must put something in my calendar to download the lot in October and stuff it on the Internet Archive in their "ftp mirrors" collection (an absolute treasure trove of weird and wonderful stuff, well worth a browse)
-
Thursday 27th April 2017 16:22 GMT doke
routers and embedded devices
These days I mostly use ftp to get firmware images and data on and off of routers, switches, and embedded devices. The simple protocol, and low cpu / memory requirements make it a good fit in bootloaders and rescue images. Virtually all of those transfers are to or from an anonymous ftp server on the same protected management lan.
ftp is sometimes problematic on the internet, because the firewall has to inspect the protocol and open the ports for the data channel. Passive mode will get around your firewall, but not the other end's firewall. Active mode is the other way around. In linux, as a client, you have to load a kernel module, nf_conntrack_ftp, to get iptables to do the inspection to make active mode work.
-
Thursday 27th April 2017 18:25 GMT patrickstar
I use it all the time for downloading ISO images and source tarballs, especially when doing it straight to a server. Sure, there's always Lynx/links, but just firing up the basic always-available ftp client is quicker.
Plus I use it a lot for transfers within networks. Typically I will have an account with a not-very-secret password for uploading stuff, with FTP access only.
Many FTP daemons actually have an important security advantage to SSH - it's a lot easier to setup an account that can upload/download/list files in a specific directory and do nothing else. Try doing it with SSH - certainly possible, but a lot more work and things that can go wrong. Even to properly chroot the user you may very well end up having to run a separate sshd for the task.
Compared to, for example, vsftpd where it's a single configuration option and voila - all users end up chroot'ed to their home directories.
-
Thursday 27th April 2017 21:25 GMT Dwarf
The one good thing about FTP
You can go rummaging around the shared file system without getting any silly Apache error messages about folder listing being denied, or suddenly get to a web page that you are not interested in.
Simplicity does have its place.
I remember rummaging around in various vendors public ftp sites to find the specific tool I needed that doesn't appear on their web site.
Does anyone else remember when Microsoft used to think that it was a good idea to make their downloads available via an Internet visible SMB share, so you could just mount it from your office to get service packs and patches..
-
Tuesday 2nd May 2017 19:39 GMT Chrisd1004
I would say that FTP is definitely becoming outdated as companies are looking to modernize their infrastructure with more secure and user-friendly file sharing tools. There are many new file sharing platforms that enable companies to share files from multiple protocols like HTTPS, FTPS, SFTP without using separate tools.
-
Wednesday 3rd May 2017 15:38 GMT jake
"many new file sharing platforms ... without using separate tools."
Do you honestly not see the disconnect in that? Marketing sure has your number ... Me, I'll stick to good, old fashioned FTP for the bulk of the time when I want to ... uh ... er ... transfer files, to coin a phrase. One tool, works on all platforms. Unless those platforms intentionally block FTP, of course. Now why do you suppose they would want to do that? And please don't try to tell me it's "because they are hard to operate and maintain". That's just laughable.
-
Friday 15th September 2017 02:03 GMT llaryllama
Actually..
At a printing outfit we run a secure FTP service using FTPS (FTP over TLS) which is supported by all decent modern FTP clients such as Filezilla. It's used for clients who need to send very large files to us.
We do have a pretty advanced browser based uploader but it doesn't work well when e.g. clients are behind a slow or unreliable network connection. Also sometimes a combination of browser, add-ons and/or the phase of the moon just randomly stops things working.
A secured FTP service is useful over something like SCP because a) non tech savvy people have generally at least heard of FTP and any other acronym scares them off and b) it allows for very secure jailing of the FTP user from the system at large.
Sometimes it's easy to forget that not everybody has super fast and reliable internet, and FTP over TLS is nice for those users because you can choose to secure just the communications between client and server but perform the transfer unencrypted. The data we are receiving is not exactly top secret blueprints so that can be a lot faster and more reliable for these users.
-
Friday 15th September 2017 07:02 GMT patrickstar
Re: Actually..
The problem with running the FTP control channel over SSL/TLS (or encrypting it in general) is that it breaks NAT protocol handling. Which is fine as long as the relevant data transfer ports on the FTP server are accessible and the client configured properly regarding active vs. passive mode, but still.
-