Q

Will FTP ever be a secure way to transfer files?

A SearchSecurity.com member asks our network security expert Mike Chapple: Is the File Transfer Protocol a secure way to transfer files? As one of his many monthly responses to readers, Chapple reveals a better alternative to FTP.

This Content Component encountered an error
Do you think FTP will ever be a secure way to transfer files to and from servers? What do you believe FTP is best used for and why?
No, plain old File Transfer Protocol (FTP) will never be a secure way to transfer files for one simple reason: it doesn't use any type of encryption. This means that anyone who can eavesdrop on the connection -- basically, anyone with access to a network segment between you and the server -- can view the contents of files as they're transmitted. Even worse, FTP uses unencrypted authentication, so the eavesdropper can view a username and password, and then use those credentials to connect to the server themselves.

FTP is only acceptable when running an anonymous FTP server that distributes non-sensitive information. Many software companies, for example, use this mechanism to distribute patches and other updates.

Fortunately, there are ways to secure FTP, and there are also safer alternatives to the protocol. If FTP must serve as the data transport method, the easiest way to bolt on encryption is to connect to a VPN first, provided that the VPN endpoint device is logically close to the server that you're connecting to. By default, a VPN offers encrypted communications over the Internet. Typically, a company will only let employees or close affiliates connect to its VPN, so this might not be an option in all circumstances.

If you're in a position to suggest an alternative protocol, go with a secure FTP (SFTP) client. It not only uses the same command syntax as a standard FTP client, but also adds encryption to secure the connection. There are many free SFTP clients available; I prefer the free PSFTP client.

More recent responses from Mike Chapple:

  • How expensive are IPsec VPN setup costs?
  • Is it possible to identify a fake wireless access point?
  • This was first published in November 2007

    Dig deeper on SSL and TLS VPN Security

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close