4

I don't get it

why is it that people still use FTP?

Like, in current, fairly recent (2018) projects, for public downloads.
I get that when you're just hosting public files without any authentication you don't need to worry about the unencrypted passwords, but like
the random ports are a shitty and annoying practice and also http exists just let your custom patcher program download the release from github where it's already available

Comments
  • 1
    ftp is a ridiculously simple option for a dropbox. I think RHEL support still uses FTP for users' diagnostic snapshots to upload to
  • 4
    I don't get it, HTTP has been around for 33 years. Why is it still supported?!

    Because people still use it....
  • 1
    Not because people still use it.

    Because it's allowed to exist.

    The FTP protocol is hideous...

    People claiming it's easy, it's supported blablabla. Nope. It's a really broken protocol from today's perspective.

    There shouldn't be any support whatsoever, just kill it.

    HTTP has been its successor for a long time and is as easy to set up if they would kill FTP for good.
  • 3
    Someone clearly doesn't work with enterprise integrations.

    Ftp is more secure than some of the shit I've seen.
  • 0
    @C0D4 ok. Now I'm curious.

    What can be more insecure than FTP?
  • 3
    @IntrusionCM http download over GET with the password in the url comes to mind 🥹

    Page contains analytics tracking, so every bloody password is stored in Google.

    Shall I go on?
    Http or even https does not make a secure connection if the monkeys behind it are braindead.

    A good one I almost cried over and refused to deal with was using a base64 string of the current date...
    apparently no one would guess what that was 🤷‍♂️
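
Added example, not part of the thread or any commenter's code: a log audit for the two patterns described in the comment above, a secret passed in a GET query string and a "token" that is only the base64 of a date. The parameter names, date layouts and sample log lines are assumptions constructed for illustration.

```python
import base64
import re
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Assumed secret-bearing parameter names and date layouts; extend per application.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "key", "secret"}
DATE_FORMATS = ("%Y-%m-%d", "%Y%m%d", "%d/%m/%Y", "%d.%m.%Y")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines in combined log format, not real traffic
    '203.0.113.7 - - [01/Jun/2018:10:00:00 +0000] "GET /dl/p.zip?user=bob&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2018:10:00:05 +0000] "GET /dl/p.zip?token=MjAxOC0wNi0wMQ== HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jun/2018:10:00:09 +0000] "GET /dl/readme.txt HTTP/1.1" 200 90',
]


def decodes_to_date(value):
    """Return the decoded text if value is base64 of a plain date, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(text, fmt)
            return text
        except ValueError:
            continue
    return None


def audit_line(line):
    """Return (parameter, issue) findings for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() not in SECRET_PARAMS:
            continue
        decoded = decodes_to_date(value)
        if decoded:
            findings.append((name, f"guessable token: base64 of the date {decoded}"))
        else:  # the value itself is never copied into the finding
            findings.append((name, "secret in URL: exposed to logs and trackers"))
    return findings
```

Calling `audit_line` on each entry of `SAMPLE_LOG` flags the first two lines and returns an empty list for the third; the same findings apply whether the request went over HTTP or HTTPS, because the URL is logged after TLS ends.
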
  • 0
    @C0D4 how is FTP more secure than that?
  • 0
    @iiii how is ftp less secure than a date in a base64 string over a get?
  • 0
    @C0D4 all those things you've mentioned. As far as I know ftp isn't secure itself as well
  • 1
    @iiii both ftp and http can be sniffed, making both insecure for anyone that gets in the middle.

    Https doesn't resolve the http issues if the request is making the same authentication in a sniffable way, typically over GET requests with the uri containing the credentials.

    My point is, no transfer is secure if the monkey implementing it forces an insecure process.
  • 1
    @C0D4 but you said that ftp is more secure
  • 2
    @C0D4 uhm. . .

    I really want to see your point here as I always thought you were a clever person. (Not meant ironically, but rather as an honest compliment).

    But when you're saying "braindead monkey can make stuff insecure, hmkay?" we've left the field of reasoning. Yes, when you give someone a post it with your account details, no security will hold - no matter what protocol or measures taken.

    But that's not the point in the FTP discussion.

    FTP has no security mechanism implemented.

    It's plaintext, text message based protocol.

    HTTP unencrypted is still better - despite its many flaws.

    HTTPs with proper authentication, security and better.

    Imho it's like IPv4 and IPv6...

    If you desperately hold onto an old protocol just because it's "comforting"… you'll never get rid of it.

    Is IPv6 perfect / the holy grail?

    Nope. Absolutely not.

    But it solves many problems. That's why it's better to use it and solve the problems it has than to keep hogging on to IPv4 just for comfort.

    Same for FTP. Don't cuddle and cling to a dead body just because you loved them once. You'll end up dead.
  • 3
    @iiii 🤦‍♂️ I was meant to write "no more secure", that's my bad, I can see how this went sideways 😂

    @IntrusionCM no no, god damn it, I missed a word and this took an ugly turn to the right. - 💀🔫

    HTTP unencrypted is on par with ftp though, sftp attempts to correct this with key exchange instead of user/passwords.

    I'm not "intending" to say FTP is secure, that's far from the truth, but I'm trying to point out that HTTPS being "modern" doesn't immediately resolve the insecurities when plaintext or near plaintext is still being transmitted.
  • 1
    @C0D4 ok. That explains a lot.

    Still though - FTP and HTTP are not on par.

    FTP is worse for small file transfers and the split in control / file transfer connection is ... ugly. Ugly, but necessary as the protocol is text based.

    Even worse for long running transfers as the control connection might get lost...

    A lot of these troubles need to be mitigated by the client...

    HTTP is, compared to FTP, way easier and simpler... Especially when it comes to supporting different encodings, compression etc.
  • 0
    @IntrusionCM How is FTP insecure when it’s supposed to be unsecured?
    Yeah.. http is good but FTP does what it’s supposed to do without the extra bullshit.
  • 1
    @badcopnodonuts

    *sigh*

    Security doesn't mean TLS.

    There's more to it.

    E.g. PASV was invented to fend off the FTP bounce attack.

    FTP is a text based protocol and a number of attack vectors are based on it.

    Encoding shenanigans, trying out commands to test out the feature set to deduce which server is serving the FTP content to know which attacks are most likely to succeed etc.

    Insecure as in "a protocol that was never intended to be used in a secure manner at all".

    Even if you add the TLS, FTP is still very prone to attacks.
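
Added example, not part of the thread: one server-side mitigation for the FTP bounce attack mentioned in the comment above, following RFC 2577's advice to refuse a PORT argument that names a host other than the control connection's peer or a port below 1024. The function names are hypothetical and the addresses are documentation-range samples.

```python
import ipaddress


def parse_port_arg(arg):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("PORT argument must be six decimal fields")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range 0-255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer_ip):
    """Return the (reply_code, reason) a server could send for a PORT command."""
    try:
        host, port = parse_port_arg(arg)
    except ValueError as exc:
        return 501, str(exc)  # syntax error in parameters
    # The data connection may only go back to whoever holds the control connection.
    if host != ipaddress.IPv4Address(control_peer_ip):
        return 504, "data address differs from control connection peer"
    # Never connect out to well-known service ports on the client's behalf.
    if port < 1024:
        return 504, "data port is in the privileged range"
    return 200, "PORT accepted"


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed control-connection peer address
    for sample in ("192,0,2,10,195,80", "198,51,100,5,0,25", "192,0,2,10,0,22"):
        print(sample, check_port_command(sample, peer))
```
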
  • 1
    @killermenpl "it just works" you know what also just works on any device and doesn't come with all the negatives of ftp?
    http(s)
  • 2
    @sariel my point is people should stop using ftp altogether
  • 3
    @LotsOfCaffeine it's still useful and used.

    Just because you don't use it doesn't mean that it's still not useful.

    I work with clients that run on 35 year old hardware. Sure, they should upgrade, but have you ever tried to rewrite Fortran? Have you ever tried to integrate with it? It's not easy...

    My point is, it's less about who or how many use it. It's more about supporting legacy systems that have been created over the last 51 years.

    FTP will not be going anywhere, at least not for another 20 years or so.
  • 1
    @sariel then they should rewrite their legacy garbage

    business managers who have this weird idea that software can just be written once and forever maintained are a danger to humanity.

    The project I encountered it with was started in 2018 as well, maybe I'll open an issue in their repo
  • 2
    It's used in shared hosting. Easy way for you to edit your websites directly. Not everyone can use git. It's easy to integrate a project like that in VS Code.

    It's used as a "standard" protocol in tons of companies sending files between each other. They are usually behind a private network or using SFTP. Reason? When you deal with 200 clients which use FTP and do not want to switch, you don't really have a choice and changing to a different protocol does not give much ROI. The only way to move them is if there was a government mandate not to use FTP.